So I've been fighting with this problem for months now and decided that it's beyond my limited (if at all) server skills, and that I need help from the pros.
I have a VPS (with root access) which hosts several different PHP websites, some of which are WordPress-based. One of the sites got infected with malware as a result of the MailPoet vulnerability. I cleaned the infected sites and completely removed MailPoet and related stuff, but the malware keeps resurrecting once in a while. Below is what I can describe about it:
- There are two signatures (sorry if I'm using the wrong term) of malware; both are injected at the very top of PHP pages. One looks like this:
<?php $ozufdqjmhx = '7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x782vg}...
with the variable $ozufdqjmhx changing from time to time. The other begins with:
<?php if(!isset($GLOBALS['\a\e\0... etc etc
- The malware comes back after random intervals. Sometimes it comes back a day after cleaning, sometimes a week, or several weeks.
- Only previously infected files/directories get infected again. New directories, or old unaffected ones, are always clean. New files in old infected directories, though, do get infected.
- maldet (using ClamAV, I believe) can't detect any malware. PHP Shell Detector can, but it cannot fix anything, being a detector only.
Can you guys help, or give a direction I should be heading to? A million thanks in advance!
(Also, I'm sorry if this question doesn't fit the site's rules. While I'm a daily user of StackOverflow, this is my first time on this Security site.)
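As an added example (not part of the original question, and not the output of maldet or PHP Shell Detector), here is a small Python scanner that looks for the shape of the two injections quoted above rather than their exact bytes, since the poster says the variable name changes between reinfections. The two regular expressions and the "at least two %x5c%x78 tokens" threshold are my assumptions derived from the truncated fragments in the question; the sample files it scans are constructed here and are not real captured malware. It only reads the head of each file, because both injections sit at the very top, and it records each hit's mtime so the hits can be lined up against cron runs and the web server's access log to find what keeps writing them back. It is a detector, like the tools already mentioned, not a cleaner.

```python
import codecs
import os
import re
from pathlib import Path
from tempfile import TemporaryDirectory

HEAD_BYTES = 4096  # both injections sit at the very top, so only the head of each file is read


def _strip_bom(head):
    return head[len(codecs.BOM_UTF8):] if head.startswith(codecs.BOM_UTF8) else head


# Signature A: `<?php $ozufdqjmhx = '7825h!>!%x5c%x7825tdz)...`
# A single-quoted string as the first statement whose body is full of %x5c%x78..
# sequences (hex for backslash and 'x'), decoded and executed later on the line.
# The variable name changes, so the rule keys on the shape: an assignment as the
# first statement plus repeated %x5c%x78 tokens. Assumption: two tokens is enough.
SIG_A_HEAD = re.compile(rb"^\s*<\?php\s+\$[A-Za-z_]\w*\s*=\s*'", re.I)
SIG_A_TOKEN = b"%x5c%x78"
SIG_A_MIN_TOKENS = 2

# Signature B: `<?php if(!isset($GLOBALS['\a\e\0...`
# An isset() on a $GLOBALS key spelled with backslash escapes as the first statement.
# Real code uses readable keys, so a key that starts with a backslash escape is suspect.
SIG_B = re.compile(
    rb"^\s*<\?php\s+if\s*\(\s*!\s*isset\s*\(\s*\$GLOBALS\s*\[\s*[\x27\x22]\\\w", re.I
)


def classify_head(head):
    """Return 'A', 'B' or None for the first bytes of a PHP file."""
    head = _strip_bom(head)
    if SIG_B.search(head):
        return "B"
    m = SIG_A_HEAD.search(head)
    # A plain `<?php $x = 'hello';` also matches SIG_A_HEAD; the token count separates them.
    if m and head[m.end():].count(SIG_A_TOKEN) >= SIG_A_MIN_TOKENS:
        return "A"
    return None


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk root and return {relative path: (signature, mtime)} for every flagged file.

    Only the listed extensions are checked; files the injector touched under other
    names (a .php5, a disguised .txt) would be missed, so treat a clean result as
    evidence, not proof.
    """
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in exts or p.is_symlink():
                continue
            with open(p, "rb") as f:
                sig = classify_head(f.read(HEAD_BYTES))
            if sig:
                hits[p.relative_to(root).as_posix()] = (sig, p.stat().st_mtime)
    return hits


# Constructed sample files for a stand-alone run: two imitate the fragments in the
# question (the payloads are cut short), two are clean. Not real captured malware.
SAMPLES = {
    "wp-content/themes/demo/header.php":
        b"<?php $ozufdqjmhx = '7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x782vg'; ?>\n"
        b"<?php get_header(); ?>\n",
    "wp-includes/demo.php":
        b"<?php if(!isset($GLOBALS['\\a\\e\\0'])) { $GLOBALS['\\a\\e\\0'] = 1; } ?>\n"
        b"<?php\n// original file follows\n",
    "wp-content/plugins/demo/demo.php":
        b"<?php\n$greeting = 'hello';\nif(!isset($GLOBALS['wpdb'])) { return; }\n",
    "index.html": b"<!doctype html>\n",
}


def demo():
    """Write the samples into a temp dir, scan it, and return {path: signature}."""
    with TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        return {rel: sig for rel, (sig, _mtime) in scan_tree(tmp).items()}


if __name__ == "__main__":
    for rel, sig in sorted(demo().items()):
        print(f"{sig}  {rel}")
```

Run it against the real web root with `scan_tree("/var/www")` (that path is a placeholder) from a cron job or a loop, and keep the mtimes it reports: the fact that only previously infected paths come back means something still holds a list of those paths, and the write times are the thread to pull on.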