Shenanigans in the wp-content folder

hello tights-wearers!

ok - so i'm having particular fun trying to stop a bunch of websites that got hacked on cpanel level, cleaned. so wpmudev defender thinks they're pure and stoic, but they still generate an error_log file at random places, and i ftp'd up the wp-admin and wp-includes folders from a fresh de-zipped folder on my machine, only to find that some of the files had "recreated" themselves even though the folders themselves were deleted.

so i kinda suspect that there really is SOMETHING there...

i found gotmls.net, which claims to clean from public_html level, and it identified a bunch of .js scripts that are "potentially" harmful. now - considering that i think there's SOMETHING there... i need to find a place to start... naturally, they all live in the wp-content folder.

so - short from restoring from backup, how do i figure out if those are clean or dubious?

i'm now running the final cleanup with every single tool i could find, and then i'm going to bring the backups down to run on WAMP, overwrite everything i possibly can and scan again, and then take the brave plunge of publishing up to my new server... as we say in Afrikaans - hang on to my drink for me, and watch THIS move....

boxer-shorts wearer.

    Jude

    Ha ha Symi .. that post just killed all my Monday Blues !!

    I'm sure the infection is still there, just that it is not in the public_html / WP folders itself (which is what WP Defender scans). It's likely at another layer or outside of your cPanel itself.

    I suggest you first recreate a working site from backups locally before trying to zero in on the infection on the live site. If all else fails simply do a DB dump, scan it for malicious content and import it into a fresh site. Also here is a great read on the subject

    https://blog.sucuri.net/2016/03/how-sucuri-cleans-hacked-sites.html

    Cheers
    Jude

    Symi

    you SEE jude, that is what i was thinking last night in the middle of the night when the rest of the house was snoring away. Also, I suspect that that infection, is somewhere in the bowels of my shared reseller server, and it's NOT ME!!! Darnit.

    see, my theory goes that if i created a brand spanking new folder / virtual host in wamp, and brought in wp core, and in the plugins dir popped all the site's real plugins, and bring in the MEDIA that had been uploaded into the relevant file structure... i could just play SQL to it like a tune, and it would start dancing... bringing up the pages, and the theme as it stands, right? RIGHT?

    so - that's what i'm creating now.
    Pure, new, vanilla virtual host folders, with wp core, soon to be fitted with new not-yet-jaded plugins.

    now - the gospel according to me is that the SQL is clean, because i've scanned it with everything I could find...

    What would you suggest as a scanning tool? My round veiny eyeball?
    The way my round veiny eyeball sees the SQL DB, is that every plugin just chucks in whatever table makes it work. So theoretically, if i make me a blank database, with all the plugins in the right place, and fire up w/p, it will create them tables? right? them blank ones? so i can see if there are extra ones that are gatecrashing? in my online database?

    my round veiny eyeball is going all bloodshot.
    I have like 70 domains.
    after this i'm opening up a detox your wordpress site.

    Now- the big question.....
    Once I found a gatecrasher table... how do I rip it out without mortally wounding my SQL DB for the site? do i just surgically remove that table from the DB? can i mortar & pestle it a little bit for schadenfreude?

    i'm glad I got rid of your blues.
    i look forward to hearing back from you.

    Jude

    Hi again Symi

    Sorry about the delay on this one, a bit swamped here cause of the sales spurt.

    now - the gospel according to me is that the SQL is clean, because i've scanned it with everything I could find...

    As you're sure about this, go ahead and import this back into the fresh site you recreated.

    What would you suggest as a scanning tool? My round veiny eyeball?

    Yup round veiny eyeball is a good starting point .. take a look at this for some tips
    http://wordpress.stackexchange.com/questions/6261/scanning-database-for-malicious-data

    Make sure you specifically check for strings of types

    eval(base64_decode('sdfjnsof932423jnsf'));

    Once I found a gatecrasher table... how do I rip it out without mortally wounding my SQL DB for the site? do i just surgically remove that table from the DB? can i mortar & pestle it a little bit for schadenfreude?

    Just get rid of the entries completely. Don't bother with the mortar and pestling.

    Also here is a tip from the developer of the plugin who went through this post. He suggests you download the entire folder from your host and use a good antivirus program and scan it. It will give you a fair idea of the culprit.

    Cheers
    Jude

    Symi

    hey Jude,
    *not sure if we're close enough yet to pause here for effect.... so just typing on*

    Thanks for the eval base64 code - i know it also lives in some real plugins. so i may get false positives, right?

    i've run the antivirus on the zipped downloaders, and the wordpress backups seem to be clean, i find a pile of trojans and things in a full cpanel backup.
    so it looks like the files are in public_html but not part of wordpress itself, if that makes sense?

    i'm moving the data to the new server today, as my final cleanups and backups ran last night, and I'm busy moving DNS over as i complete the new site restore.

    sucuri's plugin has the option to force the re-download of plugins (only free ones, not premium ones). So I'm thinking i'm going to make sure that i do that manually - upload the plugins and NOT restore that folder itself.

    lastly, i've loaded clamAV on my new server, and i'm going to be scanning the CLEAN files, as they come up on the server.

    Thanks so much for your help, and the moral support, and for making my sad song a happy one.

    I'm not afraid. *wink*

    Jude

    Hi again Symi

    Thanks for the eval base64 code - i know it also lives in some real plugins. so i may get false positives, right?

    I'd say no plugin worth its salt would do this, and in the rare cases that they do, I'd say please check those strings manually by decoding them.

    i've run the antivirus on the zipped downloaders, and the wordpress backups seem to be clean, i find a pile of trojans and things in a full cpanel backup.
    so it looks like the files are in public_html but not part of wordpress itself, if that makes sense?

    Yup makes sense, something is infecting the WP folders but is not part of WP itself. I too suspect your hunch is right about someone outside your cPanel infecting the files.

    Also happy to make a song better, and all the best with this and hopefully you get rid of the infection and get the site back up and running.

    Cheers
    Jude
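Jude's two pieces of advice above (grep the database for eval(base64_decode(...)) strings and decode each one by hand before calling it malicious) together with Symi's idea of comparing the live tables against a blank local install, as a small Python scanner over a SQL dump. This is an added example, not code from the thread or from WPMU DEV / Defender; the dump, the table names and the base64 payload are all constructed for the demonstration.

```python
import base64
import re

# Constructed sample of a mysqldump-style export (not from the thread): two
# core tables, one injected option row, and one table no clean install creates.
SAMPLE_DUMP = r"""CREATE TABLE `wp_options` (`option_id` bigint(20) NOT NULL);
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (99,'_transient_x','<?php eval(base64_decode(\'ZWNobyAiaGVsbG8iOw==\')); ?>','yes');
CREATE TABLE `wp_posts` (`ID` bigint(20) NOT NULL);
CREATE TABLE `wp_zz_injected` (`id` int NOT NULL);
"""

# Tables that the fresh local WAMP install (core plus the real plugins) created;
# constructed for this example, in practice taken from SHOW TABLES on that install.
KNOWN_GOOD_TABLES = {"wp_options", "wp_posts"}

CREATE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?", re.IGNORECASE)
# eval(base64_decode('...')) in either quote style; mysqldump escapes quotes
# inside values as \' so an optional backslash is allowed before each quote.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\\?['\"]([A-Za-z0-9+/=]+)\\?['\"]\s*\)\s*\)",
    re.IGNORECASE,
)


def gatecrasher_tables(dump: str, known_good: set[str]) -> list[str]:
    """Tables in the dump that the blank install never created."""
    found = {m.group(1) for m in CREATE_RE.finditer(dump)}
    return sorted(found - known_good)


def suspicious_evals(dump: str) -> list[dict]:
    """Every eval(base64_decode(...)) hit with its line and decoded payload,
    so each one can be judged by eye instead of trusting the pattern alone."""
    hits = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        for m in EVAL_B64_RE.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = "<not valid base64>"
            hits.append({"line": lineno, "encoded": m.group(1), "decoded": decoded})
    return hits


if __name__ == "__main__":
    print("tables not in the clean install:", gatecrasher_tables(SAMPLE_DUMP, KNOWN_GOOD_TABLES))
    for hit in suspicious_evals(SAMPLE_DUMP):
        print(f"line {hit['line']}: {hit['encoded']} -> {hit['decoded']!r}")
```

Run it against a real dump by reading the file into `dump` and replacing `KNOWN_GOOD_TABLES` with the table list from the blank local install; the decoded column is what decides whether a hit is a legitimate plugin string or a gatecrasher.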