My Websites hosted on different servers being hacked again and again with same base64 malware codes. When I decoded the base64 code I got the link to mbrowserstats.com/statH/stat.php.
Please note: My websites with core php and also wordpress are being hacked. They are placing base64 malware codes in following files – index.php, main.php, footer.php, template files of wordpress (index.php, main.php, footer.php), index.php files in wp-admin, plugins, themes folders etc.
I have already tried below things but all websites are being hacked again and again.
-
Changed all ftp passwords
-
Changed ftp client fileZilla to winSCP
-
Removed all malware codes and re-upload all files to server
-
Uploaded old backup files without malware codes
-
Disabled magic_quotes_gpc, register_globals, also exec & shell_exec functions
-
Used index files to prevent direct folder access
-
Used mysql_real_escape_string function to sanitize data for insert queries in php websites
-
Updated WordPress and also all Plugins to latest version
-
Installed malwarebytes anti-malware and scanned my computer for malwares (Full Scan)
-
Confirmed that my websites are not using timthumb.php file
-
Changed file permissions (755 for folders & 644 for files). Now only image upload folders have 777 permission.
When I checked the websites’ visitor details I found some IPs like 150.70.172.111 / 150.70.172.202, Hostname:150-70-172-111.trendmicro.com, Country – Japan. They accessed websites in close times to the time that of modified files (malware injected files).
Additional Information: I’m using Trend Micro antivirus from last 1 year. I’m wondering that the IPs with hostname ‘trendmicro.com’ have any relation with hacking or in stealing my ftp passwords.
I suspect that they are using ftp access to insert malware codes. Also the time between file modifications is very low. They have updated all files within seconds. So I think they are using a program for that. Manually they cannot edit all files within seconds as I have so many files in different folders of same website.
Please help me to resolve this issue. I have tried many things but it happens again. Thanks
It’s tricky to handle this. One of the common ways this happens is that on a shared server a malicious user can use another account and insert a file in your upload directory (which is often world writeable on shared servers) by going down and back up the filesystem. It’s not really an issue of passwords being cracked. Things you can do:
For hosting I highly recommend using something such as http://WPEngine.com as you will not only get a private experience but they will also be more top of security scans than standard hosting companies.
Also if your site has been hacked you must be very very careful to remove all backdoors – I recommend doing a clean install which is obviously tough since you have to put your theme back and that can contain backdoors as well. Malicious users will create multiple backdoors in case one gets taken down. There are a few scripts online that will scan for these but none that is perfect. Making a cleab install, then backing it up offline in case of a hack is a good option.