Keep getting infected? Look for wp-strongs.php & wp-stream.php

Last updated: April 21 2021

If your site keeps getting infected with dontkinhooot.tw malware after a recent cleanup, follow these instructions:

1. Follow the full cleanup guide first:
https://guides.magefix.com/2021/02/clean-chr-malware-dontkinhooot-tw/

2. Make sure ALL your plugins are up to date, including:
Elementor Pro, 3.1.1 – 23 Feb 2021 – https://elementor.com/pro/changelog/
The Plus Addons for Elementor Page Builder, 4.1.7 – 09 Mar 2021 – https://theplusaddons.com/changelog/

3. Hard-code 'siteurl' and 'home' in wp-config.php. The WP_HOME and WP_SITEURL constants take precedence over the values stored in wp_options, so a rewritten 'siteurl' row in the database no longer takes effect (replace example.com with your own domain and scheme):

define( 'WP_HOME', 'http://example.com' );
define( 'WP_SITEURL', 'http://example.com' );

4. Disable any unauthorized users with administrator privileges.
Look for the user "wordpressai" and the e-mail address [email protected]

5. Look for wp-strongs.php and wp-stream.php files.
Also make sure every index.php is clean. Monitor the wp_options table and watch for the 'siteurl' value changing.

Malicious URLs (defanged):
store.dontkinhooot[.]tw/stat.js
hxxps://for.dontkinhooot[.]tw/det.php?pit=151&sid=2&yuid=2352&
hxxps://ftp.lovegreenpencils[.]ga/mwrxvz?se_referrer=null&source=

Malicious plugins or files found:
/wp-content/plugins/wp-strongs/wp-strongs.php

Malicious users:
[email protected]

Attacker IPs noted:
195.242.110.144, 67.211.223.164, 129.226.116.80.
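The following script is an added example, not part of the original guide: it turns steps 3 and 5 and the indicator lists above into a scan you can run over a WordPress document root. It only assumes POSIX sh, find and grep; the file names and domains it searches for are copied from this page and are not an exhaustive signature set.

```sh
#!/bin/sh
# Added example, not from the original guide: scan a WordPress document root
# for the indicators listed on this page (dropped files, injected references
# to the malicious domains, and whether wp-config.php pins the site URL).
# Assumes only POSIX sh, find and grep. The indicator lists are copied from
# this page and are not an exhaustive signature set.
#
# Usage: sh scan.sh /var/www/html

# File names the guide says to look for.
BAD_FILES="wp-strongs.php wp-stream.php"
# Domains from the malicious URLs above, un-defanged so grep can match them.
BAD_DOMAINS="dontkinhooot.tw lovegreenpencils.ga"

# find_bad_files ROOT: print the path of every file whose name is on BAD_FILES.
find_bad_files() {
  for name in $BAD_FILES; do
    find "$1" -type f -name "$name"
  done
}

# find_injected ROOT: print "path:line:text" for every .php/.js/.html file
# that references a malicious domain; this is what catches a modified
# index.php. grep exits 1 when a domain has no hits, so that status is ignored.
find_injected() {
  for dom in $BAD_DOMAINS; do
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
      -exec grep -Hn -F "$dom" {} + || :
  done
}

# check_config ROOT: print "pinned" if wp-config.php defines both WP_HOME and
# WP_SITEURL (step 3), otherwise "unpinned". Without both constants WordPress
# reads the URLs from wp_options, the table this malware rewrites.
check_config() {
  cfg="$1/wp-config.php"
  if [ -f "$cfg" ] && grep -q "define( *'WP_HOME'" "$cfg" \
                    && grep -q "define( *'WP_SITEURL'" "$cfg"; then
    echo pinned
  else
    echo unpinned
  fi
}

# scan ROOT: run every check, print findings, return 1 if anything was found.
scan() {
  root=${1:-.}
  status=0
  files=$(find_bad_files "$root")
  if [ -n "$files" ]; then
    echo "Dropped files:"; echo "$files"; status=1
  fi
  hits=$(find_injected "$root")
  if [ -n "$hits" ]; then
    echo "Injected domain references:"; echo "$hits"; status=1
  fi
  echo "wp-config.php WP_HOME/WP_SITEURL: $(check_config "$root")"
  return $status
}

# Only run when a document root is given on the command line.
if [ $# -gt 0 ]; then
  scan "$1"
  exit $?
fi
```

The script covers the filesystem side only. For the database side of steps 4 and 5, WP-CLI on the same host gives you the current values directly: `wp option get siteurl` and `wp option get home` for the rows to monitor, `wp user list --role=administrator --fields=user_login,user_email` to spot the "wordpressai" account, and `wp plugin list --update=available` for step 2.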