First of all, I might be in totally the wrong place to post this, but my research led me here and I've found "similar" questions being asked here. But still, since I lack knowledge in this subject, I could be wrong. Just let me know if it doesn't belong here and I'll delete it!

Here's my story:

I've been working for a client on his website (a WordPress website), and on the 30th of June, during the night, the website got hacked and started being labelled as "dangerous" by Google. I installed Wordfence and started scanning the website, to find out that more than 100 files were compromised or malicious. I deleted / edited all of them using Wordfence tools, but in the end 2 remained:

  1. The index.php, which now has a suspicious header with suspicious code. (Wordfence cannot edit it because it lacks the permissions.)
  2. Another index.php located in another directory, which I cannot delete (permission denied 550 in FileZilla). Weirdly enough, Wordfence detected it as malware for a few scans (backdoor file), and now doesn't detect it at all when scanning, but the file is still there.

I've read a lot and tried a lot of things, such as downloading the first one and removing the suspicious code, but every time I did, the file edited itself to bring back said code.

Concerning the second file, I tried editing the permissions of the file, but I am not allowed to do that either.

Ask any questions you need and I'll provide you with information, keeping in mind that I'm a total newbie when it comes to this, so I might struggle figuring out what you're asking for :(

Once again, I might be totally off-topic, and sorry for that, but if I'm in the right place and you guys could think of anything to help me get through this, that would be awesome.

JVol
  • The concept of "just delete some evidence of the compromise from inside the compromised application" does not really work out. Back up files and database, then decide carefully what of that you are going to introduce in a newly set-up-from-scratch environment. – anx Jul 09 '22 at 14:59
  • To be honest, I might have put too much faith in Wordfence; could this mean that it might not find everything the hack did? Could there be hidden threats as well? I've thought about restarting from scratch, but if my scan fails in detecting all the threats, how can I know what to import and what to leave behind? The subject you linked previously seems to be of a bigger scale than mine, since right now my website is inactive; I'm working on it to turn it into an online sales website. Should I really consider rebuilding over anything else? – JVol Jul 09 '22 at 15:04
  • Yes, you should. Chances are that something remains behind, regardless of how much you delete. Just set it up again and restore your backups (you do have backups, right?). – Gerald Schneider Jul 09 '22 at 15:06
  • Hm, quite awkward, but as I mentioned, I'm a total beginner and didn't know anything about website security before this, so... no backups. I took over the website as someone else was working on it before me; I will contact him and see if he has any. If not, this is a small website, and I won't mind recreating it from scratch. I'll be more careful on this second website for sure. Thank you for your time and answers! – JVol Jul 09 '22 at 15:11
