Need help cleaning up hacked WP sites

Hi guys

I have some sites installed on a domain and sub-domains on my server with Liquid Web and the support guys there have run a malware scan and sent me the results but I'm not a techie as you know lol...Is it OK to post their findings here to get your take on the situation?

Cheers
Neil

  • Abdul Wajed

    Hi Neil,

    Hope you're doing well today. :slight_smile:

    Yes, you can post your findings here and we will try to assist you with cleaning it yourself but remember we don't offer "clean up" services.

    You can also check some of the guides here to help you get started with this:
    https://codex.wordpress.org/FAQ_My_site_was_hacked
    http://www.wpbeginner.com/beginners-guide/beginners-step-step-guide-fixing-hacked-wordpress-site/

    Best regards,
    Wajed

  • Neil

    Hi Wajed

    Cool...so here's the message I received from the guys at Liquid Web:

    Hello,

    Below are the full results of the scan on the "wpmobidi", unfortunately it looks like the hack extends beyond just the "members" subdomain and into the main domain and the dev subdomain. Please review this list and let me know which files you'd like removed. I also wanted to ask, do you have a developer that can inspect any of these files and/or the sites to clean up the files that need to still be in place for the site to run?

    /home/wpmobidi/public_html/dev/index.php
    /home/wpmobidi/public_html/members/wp-content/plugins/hello.php
    /home/wpmobidi/public_html/members/wp-admin/..
    /home/wpmobidi/public_html/members/wp-admin/M.php
    /home/wpmobidi/public_html/members/wp-admin/dum.php
    /home/wpmobidi/public_html/members/wp-content/uploads/2014/01/idca.php
    /home/wpmobidi/public_html/members/wp-content/uploads/optpress/images_comingsoon/123.php
    /home/wpmobidi/public_html/members/wp-content/uploads/optpress/images_comingsoon/2013122822-13-45widget.php
    /home/wpmobidi/public_html/members/wp-content/uploads/optpress/images_comingsoon/index.php
    /home/wpmobidi/public_html/members/wp-content/uploads/optpress/images_comingsoon/maho.php
    /home/wpmobidi/public_html/mirror/members/wp-admin/media-upload.php
    /home/wpmobidi/public_html/mirror/members/wp-admin/dum.php
    /home/wpmobidi/public_html/mirror/wp-admin/..
    /home/wpmobidi/public_html/wp-content/index.php
    /home/wpmobidi/public_html/index.php
    /home/wpmobidi/public_html/wp-includes/load.php
    /home/wpmobidi/public_html/wp-admin/..
    /home/wpmobidi/public_html/wp-admin/maint/f58e/13be
    /home/wpmobidi/public_html/wp-includes/index.php
    /home/wpmobidi/public_html/wp-includes/wp-MqeLs_.php
    /home/wpmobidi/public_html/members/wp-admin/M.php
    /home/wpmobidi/public_html/members/wp-content/uploads/optpress/images_comingsoon/2013122822-13-45widget.php

    Regards,
    Ryan Smith
    Linux Support Technician

    Can any of these files be deleted?

    Any recommendations will be very helpful guys.

    Cheers
    Neil

  • Abdul Wajed

    Hi Neil,

    Hope you're doing well today. :slight_smile:

    Thanks for sharing the details. It seems that there are lots of unknown files in WordPress core. So my recommendation is to restore the site using a clean backup if you have one, or ask your host if they can help you.

    And if you don't have a backup and want to clean it manually, then my recommendation is to perform a full scan using Wordfence Security. Make sure you check and save those 4 options (see the attached screenshot) in the options before the scan.

    The scan will give you detailed results showing which files have been modified and which files are not part of the core, and then you can take action accordingly. Thanks

    Hope this helps! Please let me know if you need any further assistance. :relaxed:

    Have a nice day.

    Best regards,
    Wajed
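
The comparison described in the last reply (which files have been modified and which are not part of core), as an added example that is not part of the original thread and is not Wordfence's code. It assumes a clean copy of the same WordPress version is unpacked next to the live site; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = {"wp-admin", "wp-includes"}           # nothing site-specific belongs here
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_tree(site_root, clean_root):
    """Compare a live WordPress tree with a clean copy of the SAME version.
    Files outside these checks (wp-config.php, themes, plugins) need their own review."""
    site, clean = Path(site_root), Path(clean_root)
    report = {"modified": [], "unknown": [], "script_in_uploads": []}
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site)
        if rel.parts[:2] == ("wp-content", "uploads"):
            # Uploads hold media, so any script found here needs a close look.
            if f.suffix.lower() in SCRIPT_EXT:
                report["script_in_uploads"].append(rel.as_posix())
        elif (clean / rel).is_file():
            if sha256_of(f) != sha256_of(clean / rel):
                report["modified"].append(rel.as_posix())
        elif rel.parts[0] in CORE_DIRS:
            report["unknown"].append(rel.as_posix())
    return report

def build_demo(base):
    """Constructed sample trees; every file body here is made up."""
    core = {"index.php": "<?php // core", "wp-includes/load.php": "<?php // core",
            "wp-admin/admin.php": "<?php // core"}
    live = {**core,
            "wp-includes/load.php": "<?php // core + injected line",
            "wp-admin/extra.php": "<?php // not in core",
            "wp-content/uploads/2014/01/photo.jpg": "jpeg bytes",
            "wp-content/uploads/2014/01/dropped.php": "<?php // ?",
            "wp-config.php": "<?php // site config"}
    for root, entries in (("clean", core), ("site", live)):
        for rel, body in entries.items():
            path = Path(base, root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return Path(base, "site"), Path(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, names in audit_tree(*build_demo(tmp)).items():
            print(kind, names)
```

Files reported as modified are restored from the clean copy rather than deleted; unknown files under the core directories and scripts under uploads are the ones to inspect before removal.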