
Infected With Malicious Redirect Malware

I’m helping my friend with his new website.

As victims of daily brute force (before we had Cloudflare firewall rules), his WP credentials were breached. Our WordPress was up to date, but our PHP was not at the time.

The bot created new ‘pages’ that cannot be seen in the WordPress dashboard.
I accidentally ran across it via Googling: site:hypelist.ca
**Check now and you will see it’s littered with Italian spam redirects from pages that show as 404 errors (according to https://sitecheck.sucuri.net/).
Disregard the ‘other’ malware (rogueads.unwanted.ads). They’re scripts from an ad network.

I’ve located some of the malware. In my root directory, I have a folder called: postnew (last modified 1969-12-31 lol)

postnew contains:
1. idlogs.txt
2. index.php
3. moban.html

When I delete this file, it appears again after a few minutes.

.htaccess: Our .htaccess file appears compromised as well because of the Rewrite rules that are directed to postnew/index.php

Once again, when I delete the rewrite rules related to the above, they appear again.
I’ve even deleted the .htaccess file and created a new one via the WordPress dashboard, no luck.

XML-RPC seems normal, but is it supposed to include: http://cyber.law.harvard.edu/blogs/gems/tech/rsd.html near the top?

I’ve deleted a few plugins I thought could be an issue. Persists.
I’ve searched wp-includes, but it would take forever to potentially find anything.

****When I deleted the postnew folder, my wp-admin page broke. Looks like this
When I use /wp-login.php it looks fine; upon successful login, it leads to the broken /wp-admin page.

I know some may suggest backup and reinstall WordPress. I’ve heard others online still had the issue after a clean install.

My friend attracted the malware, but I played around and broke the site even further.

Any help would be appreciated.

*note I do not have access to WordPress dashboard. Only cPanel, FTP & Cloudflare.
I will try to respond ASAP to move this along quickly.

Thanks in advance and for your time.
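
A triage check for the two symptoms reported above, added here as an example and not part of the original post: it walks a web root and reports `.htaccess` rewrite rules that point at `postnew/index.php`, plus any file or folder whose modification time sits at the Unix epoch (which displays as 1969-12-31 in timezones west of UTC). The injected rule in the sample tree is constructed for the demonstration, since the post does not show the real one, and the function names are this example's own.

```python
import os
import re
import tempfile

# RewriteRule lines whose substitution points into the folder named in the post.
SUSPECT_TARGET = "postnew/index.php"
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.IGNORECASE)
EPOCH_SLACK = 86400  # seconds; an mtime within a day of the epoch counts as zeroed

def suspicious_rewrites(root, target=SUSPECT_TARGET):
    """Return (path, line_no, rule) for .htaccess rules that rewrite to `target`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                m = RULE_RE.match(line)
                if m and target in m.group(1):
                    hits.append((path, n, line.strip()))
    return hits

def zeroed_mtimes(root):
    """Return paths under root whose mtime is at (or within a day of) the epoch."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if abs(os.lstat(path).st_mtime) <= EPOCH_SLACK:
                hits.append(path)
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree: one stock WordPress rule, one injected rule."""
    os.makedirs(os.path.join(root, "postnew"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteRule ^index\\.php$ - [L]\n"
                 "RewriteRule ^(.*)\\.html$ postnew/index.php?id=$1 [L]\n")
    payload = os.path.join(root, "postnew", "index.php")
    open(payload, "w").close()
    os.utime(payload, (0, 0))  # zeroed timestamp, like the folder in the post
    os.utime(os.path.join(root, "postnew"), (0, 0))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(suspicious_rewrites(tmp), zeroed_mtimes(tmp), sep="\n")
```

Run against a downloaded copy of the site, the same two functions take the local path of that copy in place of the temporary sample tree.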

