
Where do I go to look for malware files within a WordPress site?

Hello,

 

I have been told that my site is hacked for malware and GoDaddy has listed the below files for me to remove, but doesn't advise as to WHERE do I actually go to look!

 

Where exactly do I go to find these files? Do I go to phpMyAdmin or is this all done through WordPress admin? If WordPress admin, is there a way to quickly identify them, like a search option within WordPress, or do I have to manually check every page in my site?

 

Regards,

 

Adam

 

 

 

 

 

php.backdoor.file_get_contents.005 - html/blog/hnwuc.php

 

php.backdoor.uploader.239 - html/knolhdui.php

 

php.backdoor.file_get_contents.005 - html/site/rozzg6y.php

 

image.php_code.001 - html/wp-content/languages/plugins/.054d244d.ico

 

image.php_code.001 - html/wp-content/mu-plugins/.ff790af6.ico

 

image.php_code.001 - html/wp-content/plugins/.093d9294.ico

 

image.php_code.001 - html/wp-content/plugins/contact-form-7/.6787d381.ico

 

php.malware.GLOBALS.007 - html/wp-content/plugins/contact-form-7/admin/includes/admin-functions.php

 

php.malware.GLOBALS.007 - html/wp-content/plugins/contact-form-7/admin/includes/editor.php

 

php.backdoor.eval_POST.093 - html/wp-content/plugins/contact-form-7/includes/kwfnlzur.php

 

php.malware.GLOBALS.007 - html/wp-content/plugins/contact-form-7/includes/pipe.php

 

php.malware.GLOBALS.007 - html/wp-content/plugins/contact-form-7/includes/rest-api.php

 

php.malware.GLOBALS.007 - html/wp-content/plugins/contact-form-7/modules/acceptance.php

 

php.backdoor.eval_POST.093 - html/wp-content/plugins/contact-form-7/srmdculh.php

 

php.backdoor.eval_POST.093 - html/wp-content/plugins/godaddy-email-marketing-sign-up-forms/languages/opzcwnev.php

 

php.backdoor.uploader.239 - html/wp-content/themes/dzgtpsnx.php

 

image.php_code.001 - html/wp-content/themes/squareboxRes/.b2163d2e.ico

 

php.malware.GLOBALS.007 - html/wp-content/themes/squareboxRes/tpl-blog.php

 

image.php_code.001 - html/wp-content/themes/twentyfifteen/.c5724f21.ico

 

image.php_code.001 - html/wp-content/themes/twentyfifteen/.ea94979f.ico

 

image.php_code.001 - html/wp-content/themes/twentyfourteen/.cfba50d8.ico

 

php.malware.GLOBALS.007 - html/wp-content/themes/twentyfourteen/comments.php

 

php.backdoor.eval_POST.093 - html/wp-content/themes/twentyfourteen/genericons/abxxjdfq.php

 

php.malware.obfuscated.016 - html/wp-content/themes/twentyfourteen/images/mcgvnchl.php

 

php.backdoor.eval_POST.093 - html/wp-content/themes/twentyfourteen/images/rswzxgep.php

 

php.backdoor.eval_POST.093 - html/wp-content/themes/twentysixteen/inc/pphnbviy.php

 

image.php_code.001 - html/wp-content/uploads/.d105dced.ico

 

image.php_code.001 - html/wp-content/uploads/2016/.dca80c4b.ico

 

image.php_code.001 - html/wp-content/uploads/2017/.2d8f8670.ico

 

php.backdoor.eval_POST.093 - html/wp-content/uploads/2017/10/dzwzbowb.php

 

php.backdoor.eval_POST.093 - html/wp-content/uploads/2017/11/jyvciouv.php

Accepted Solution

Super User II

Re: Where do I go to look for malware files within a WordPress site?

Hey there @adamsimpson,

 

So, based on what you listed, these are all found in the public_html folder and the subfolders inside of it. You can access these files by using the File Manager or FTP into your server. It looks like it's probably a SQL injection virus which uses Base64 coding to take over different aspects of your website.

 

I will say that it's highly inadvisable to attempt to clear these files out manually as there is most likely a back door that will allow the site to be immediately reinfected if you don't clean it properly. I would advise purchasing Website Security, getting the offending files cleaned up, and reading this article I wrote for the Garage a while back for more info.

 

Hope that helps!



I am a GoDaddy End User - Just Like You
* Please note that I DO NOT answer private messages. Please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. If you contact me via PM for help, I will give you a price quote for my personal services. Thanks! *

Once your issue is resolved,
please be sure to come back and click accept for the solution
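
An added example, not part of the original thread: a read-only inventory that maps scanner report lines of the form `signature - path` (the format in the question) to files under the hosting root, then sweeps the document root for the two patterns the report shows, dot-prefixed `.ico` files containing PHP and `.php` files under `wp-content/uploads`. The function names, file names and sample tree are constructed for illustration; only the two signature names come from the report above.

```python
import re
import tempfile
from pathlib import Path

REPORT_LINE = re.compile(r"^(\S+) - (\S+)$")  # "signature - relative/path"

def parse_report(text):
    """Return (signature, relative_path) pairs from scanner report lines."""
    matches = (REPORT_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def locate(hits, base):
    """Split reported files into those still on disk under base and those gone."""
    present, missing = [], []
    for sig, rel in hits:
        (present if (Path(base) / rel).is_file() else missing).append((sig, rel))
    return present, missing

def find_lookalikes(docroot):
    """Read-only sweep: dot-prefixed .ico files holding PHP, and .php in uploads."""
    found = []
    for path in Path(docroot).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(docroot).as_posix()
        if path.name.startswith(".") and path.suffix == ".ico":
            with path.open("rb") as fh:
                if b"<?php" in fh.read(65536):  # only the first 64 KiB is checked
                    found.append(rel)
        elif path.suffix == ".php" and rel.startswith("wp-content/uploads/"):
            found.append(rel)
    return sorted(found)

def demo():
    """Constructed tree and report (not the thread's files); returns the findings."""
    base = Path(tempfile.mkdtemp())
    files = {"html/wp-content/uploads/2017/.aaaa0001.ico": b"\x00<?php /* sample */",
             "html/wp-content/uploads/2017/10/example1.php": b"<?php // sample",
             "html/wp-content/themes/demo/favicon.ico": b"\x00\x00\x01\x00"}
    for rel, data in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    report = ("image.php_code.001 - html/wp-content/uploads/2017/.aaaa0001.ico\n"
              "php.backdoor.eval_POST.093 - html/removed-already.php\n")
    present, missing = locate(parse_report(report), base)
    return present, missing, find_lookalikes(base / "html")

if __name__ == "__main__":
    print(demo())
```

Nothing here modifies or deletes files; anything `find_lookalikes` returns that the report did not list is a candidate for the reinfection path the answer warns about.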



Re: Where do I go to look for malware files within a WordPress site?

Hello MrVapour,

 

Thank you for the information. I read that article previously.

 

If I struggle to sort out my site manually, then I'll have no option but to purchase a security package.

 

To be honest, I think that GoDaddy should just include security, by default, with their hosting packages, and if they have to charge more, then that's what they should do, but to deliberately allow people to get hacked, when they know these things happen, is a bit irritating. They should just increase the price of hosting to include security and say this is what needs to be done nowadays, for your own protection!

 

Kind regards,

 

Adam

Super User II

Re: Where do I go to look for malware files within a WordPress site?

Hey @adamsimpson,

 

I absolutely understand the frustration about the security needs of a website. There are a few reasons that GoDaddy can't do this, however:

  1. It would force too many limitations on customers building their sites. Some sites and site building software have very specific security needs, so it isn't a one size fits all type of solution.
  2. The cost to provide individual website protection is just too high and not everyone needs it. GoDaddy already employs several security measures on the server level. You're talking about around a 200-300% increase in your hosting cost.
  3. Ultimately, the security of your site is up to you. 

GoDaddy goes to great lengths to promote awareness that you need security on your websites. I would invite you to check out their blog to stay up to date on industry standards. It's really good. 

I know that isn't the answer you want but there are good reasons behind the way GoDaddy operates.




Re: Where do I go to look for malware files within a WordPress site?

Hello MrVapour,

 

Thank you for explaining the reasons why security solutions aren't so straightforward, and why GoDaddy has to remain flexible with its options.

 

I am following an article from developers.google.com on how to step by step remove malicious files and scripts, so I want to try and do this myself, even if I still need to take a security measure at the end to stop reinfection. I feel as though I will learn a lot about WordPress in the process.

 

Kind Regards,

 

Adam