A new malware contamination campaign was identified by Sal Aguilar. Since the malware comes back after automated scans, a thorough manual cleanup is recommended, followed by setting up a firewall.
- Back up the site before running any tools, including both the web files and the database;
- Check whether any other sites are hosted on the same server, since they may be infected too;
- For each site, review the core folder, the plugins and the themes;
- Make sure the core files and all site components are re-installed from clean sources and up to date;
- Check the admin user list, the FTP accounts and the cron jobs;
Malicious files and folders:
Other files detected: admin-ajax.php (in the root folder), css.php, qb.js.php.
Look at your logs for requests against:
Top 3 IPs looking for these are:
— Sal Aguilar (@riper81) September 21, 2023
220.127.116.11 - - [22/Sep/2023:07:40:54 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 67 "https://.net/wp-admin/post.php?post=3704&action=edit&app=uxbuilder&type=media" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/18.104.22.168 Safari/537.36"
22.214.171.124 - - [25/Sep/2023:05:29:54 +0000] "GET /wp-content/plugins/WordPressCore/include.php HTTP/1.1" 200 217 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.96.36.199 Safari/537.36"
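To find the requests and the top IPs the post tells you to look for, here is an added log-triage script (not part of the original post or its author's tooling). It parses combined-format access log lines, flags requests for the file names named above, and counts hits per IP; the sample log lines, IPs and hosts are constructed placeholders. Note that WordPress legitimately serves /wp-admin/admin-ajax.php, so only admin-ajax.php in the site root is treated as an indicator.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names taken from the post. The anchored pattern keeps the legitimate
# /wp-admin/admin-ajax.php out of the results; only the root-level copy is flagged.
SUSPICIOUS = (
    re.compile(r'^/admin-ajax\.php(\?|$)'),
    re.compile(r'^/wp-content/plugins/WordPressCore/include\.php(\?|$)'),
    re.compile(r'/(css|qb\.js)\.php(\?|$)'),
)

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(path):
    """True when the request path matches one of the indicators above."""
    return any(p.search(path) for p in SUSPICIOUS)

def scan(lines, top=3):
    """Return (matching records, top-N IPs by hit count). 404s count too: probing is a signal."""
    hits, ips = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec['path']):
            continue
        hits.append(rec)
        ips[rec['ip']] += 1
    return hits, ips.most_common(top)

# Constructed sample log (documentation IP ranges, placeholder host), not from the incident.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2023:05:29:54 +0000] "GET /wp-content/plugins/WordPressCore/include.php HTTP/1.1" 200 217 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Sep/2023:05:30:01 +0000] "POST /admin-ajax.php HTTP/1.1" 200 67 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2023:05:31:12 +0000] "GET /wp-content/themes/x/css.php?a=1 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.44 - - [25/Sep/2023:05:32:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 67 "https://example.net/wp-admin/post.php?post=1&action=edit" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2023:05:33:05 +0000] "GET /qb.js.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, top_ips = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h['time'], h['ip'], h['method'], h['path'], h['status'])
    print("top IPs:", top_ips)
```

On a real server, feed it the access log (`python3 triage.py < access.log` after swapping SAMPLE_LOG for `sys.stdin`) and block the resulting IPs at the firewall the post recommends setting up.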
Identifying whether a WordPress plugin is malicious can be challenging, but several steps help assess a plugin's trustworthiness: check the folder's date, review the plugin code, run a malware scanner, and compare the plugins list against the one from a previous backup.