If you discover newly uploaded PHP files on your website, it is likely a sign of unauthorized access or a security breach. Here are the steps you should take immediately to investigate and address the issue:
Secure your website(s)
- Take the website offline or put it in maintenance mode to prevent further damage or misuse.
- Perform a cleanup or restore the website from a clean backup that predates the unauthorized changes.
Consult with professionals
- If you are unable to determine the root cause or restore the website, consult a professional or your hosting provider for assistance.
- Our Platinum plan covers protection & security cleanup services.
Malicious logs:
2602:fb54:4d9:: - - [04/Dec/2024:18:46:04 +0000] "GET /moon.php HTTP/2" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"
2602:fb54:4d9:: - - [04/Dec/2024:18:46:05 +0000] "GET /wp-content/plugins/pwnd/pwnd.php HTTP/2" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"
2602:fb54:4d9:: - - [04/Dec/2024:18:46:06 +0000] "GET /about.php HTTP/2" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"
2602:fb54:4d9:: - - [04/Dec/2024:18:46:03 +0000] "GET /radio.php HTTP/2" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"
Other malicious files linked with this attack: about.php, gecko.php, moon.php, radio.php, inputs.php, admin.php
Malicious plugins:
/wp-content/plugins/fix/up.php
/wp-content/plugins/pwnd/pwnd.php
/wp-content/plugins/init-help/init.php
Malicious URLs
https://51la.zvo2.xyz/a2.txt
http://us321-v312.amazondns39.com
Note: The index.php file was injected with redirect code that points visitors to amazondns39.com.
Domains
1. amazondns39.com
Registration date: 2024-06-14
Nameservers: pablo.ns.cloudflare.com, aron.ns.cloudflare.com.
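To check your own access logs against the indicators above, the following is an added example and not part of the original page: it scans combined-format log lines for requests to the listed files and plugin paths and reports whether the server answered them. The function names, the choice to match the loose file names only at the web root (as in the logged requests), and the two constructed log lines are assumptions of the example.

```python
import re
from urllib.parse import unquote

# Indicators listed on this page. Assumption: loose file names are matched only
# at the web root (as in the logged requests), so /wp-admin/admin.php is not flagged.
ROOT_FILES = {"about.php", "gecko.php", "moon.php", "radio.php", "inputs.php", "admin.php"}
PLUGIN_PATHS = {
    "/wp-content/plugins/fix/up.php",
    "/wp-content/plugins/pwnd/pwnd.php",
    "/wp-content/plugins/init-help/init.php",
}
# Combined log format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize(target):
    """Drop the query string, percent-decode and collapse repeated slashes."""
    return re.sub(r"/+", "/", unquote(target.split("?", 1)[0]))

def is_indicator(path):
    return path in PLUGIN_PATHS or (path.count("/") == 1 and path[1:] in ROOT_FILES)

def find_hits(lines):
    """Return one dict per request for an indicator path; 'served' marks a 2xx answer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_indicator(normalize(m["target"])):
            status = int(m["status"])
            hits.append({"client": m["client"], "time": m["time"],
                         "path": normalize(m["target"]), "status": status,
                         "served": 200 <= status < 300})
    return hits

UA = '"-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"'
SAMPLE = [
    # Requests from the log excerpt on this page
    f'2602:fb54:4d9:: - - [04/Dec/2024:18:46:04 +0000] "GET /moon.php HTTP/2" 200 0 {UA}',
    f'2602:fb54:4d9:: - - [04/Dec/2024:18:46:05 +0000] "GET /wp-content/plugins/pwnd/pwnd.php HTTP/2" 200 0 {UA}',
    # Constructed lines: a legitimate admin request and a probe that found nothing
    '203.0.113.7 - - [04/Dec/2024:18:50:00 +0000] "GET /wp-admin/admin.php?page=x HTTP/1.1" 200 512 "-" "constructed"',
    '198.51.100.20 - - [04/Dec/2024:18:51:00 +0000] "GET /gecko.php HTTP/1.1" 404 153 "-" "constructed"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit["time"], hit["client"], hit["path"], hit["status"],
              "SERVED" if hit["served"] else "not served")
```

A hit with a 2xx status means the server answered the request for that path, so the file should be located and inspected on disk; a 404 hit shows only that the path was probed.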
If any of these files were recently uploaded, most likely your website is hacked, and we can help.
Our skilled malware analysts are available 24/7 to secure WordPress websites and clean up malware – reach out to us if you need help.