Need to clean up my website it was infected

I need help with cleaning up my website, it was infected. I got a Google alert that there is a web shell. I scanned my website with Defender Pro and the report shows many suspicious files.

  • Nithin Ramdas
    • Support Wizard

    Hi Henry ,

    Have cleaned up the WP root folders and its core files. However, there is a directory called “dbbak12342344x” inside the root directory.

    Since it seems to have a lot of structured files inside the above directory, I wasn’t sure whether it was created by you or your developer. If not, please do remove that directory as it isn’t part of the WordPress core files.

    Other than that, the files were cleaned up, and on re-running a new Defender scan I could notice the WooCommerce plugin has been infected.

    I have temporarily disabled the WooCommerce plugin and manually replaced the infected file in WooCommerce. However, to be on the safe side I would highly recommend you re-install WooCommerce and also upload a fresh copy of your theme to ensure there aren’t any lying low.

    The rest of the files listed in the Defender Pro scan look fine. Please do check and let us know if you have any further query.

    Regards,
    Nithin

  • Henry
    • New Recruit

    Hi, Nithin,
    thank you so much for your help.

    I tried activating WooCommerce, but it seems I am still missing a lot of pages and product SKUs.
    Should I uninstall WooCommerce and re-install it again?

    Will I lose the settings data of WooCommerce?

    Is there any way to preserve the WooCommerce data and settings in a separate file?

    When I re-ran the Defender scan, I found new suspicious code again.
    My Aliyun server reminded me there is a CMS bug in the system called “empirebak帝国备份王”.

    Do you think this bug is still there, and causing the same problem to occur again?

    I tried `find -name 'empire'` and
    `ps aux | grep empire`

    and didn’t get a thing.

    Anyway, I have run a Defender scan, and it seems the affected files increased again.
    Please see if you have other suggestions.
    Thank you very much.
    Henry

  • Nithin Ramdas
    • Support Wizard

    Hi Henry ,

    Sorry for the delay in getting back to you. We reply to tickets from oldest to newest based on time stamps, hence the delay with the response.

    Please do note that what we help with is cleaning up the malware via the Defender Pro plugin and with any further anomalies noticed due to that. Did you re-upload a fresh copy of the theme as mentioned before?

    I could notice that WooCommerce has been re-installed via chat. On re-checking the Defender scan, I could notice the root files and the uploads folder got affected again.

    I manually uploaded a fresh copy of the WP core files and folders and removed any traces of malware found, and now the site looks clean.

    The next step would be to please make sure a fresh copy of your current theme is what’s being used. You’ll have to overwrite the theme folder by uploading a fresh copy of the theme under the /wp-content/themes/ directory to ensure the settings remain intact after upload.

    To ensure the malware doesn’t occur again, please make sure to enable all the Security Tweaks under Defender Pro > Security Tweaks and also

    If you keep the security tweaks enabled, the chances of malware occurring would be higher. Please do let us know if you have any further query.

    Regards,
    Nithin

  • Nithin Ramdas
    • Support Wizard

    Hi Henry ,

    Sorry to hear that the site got infected again. Just to be sure, I could notice an admin account on your WordPress dashboard called “[email protected]”; was that created by you?

    Since the issue occurred a 2nd time after clean up, and since we weren’t able to notice any other files infected in the root directory, this has to do with the malware present outside the root directory.

    On checking the directory outside the root directory, we could notice the folder /tuanuang.com is infected.

    The /riarui.com directory and other directories outside the root folder are also infected. I’m afraid the server is infected, and the server as a whole needs cleanup, as cleaning up one website doesn’t help when it gets infected again after a while due to the presence of malware on other parts of the server.

    I’m afraid this is something which requires your hosting provider’s attention to help remove such malware from the server, as cleaning up the tiaria.id website alone won’t help.

    I would recommend you bring this to your hosting provider’s attention and check whether they could help with removing the malware outside the root directory, so that we could help with cleaning up the WordPress installation again.

    Regards,
    Nithin
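The thread repeatedly finds that files in the WordPress root and in wp-content/uploads are re-infected after each cleanup. A simple way to catch that reinfection early, and to see exactly which files changed between two scans, is to take a SHA-256 baseline of the site tree right after a cleanup and diff it against a later snapshot. The script below is an added example written for this thread, not part of Defender Pro or WordPress; the directory names and the constructed sample tree in `demo()` are assumptions, and the rule that no PHP file belongs under the uploads directory is one the site owner has to confirm for their setup.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the site serves no executable code from its uploads tree, so any
# file with one of these suffixes under wp-content/uploads is worth a look.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}
UPLOADS_PREFIX = "wp-content/uploads"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (as a POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before: dict, after: dict) -> tuple:
    """Return (added, changed, removed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, changed, removed


def executable_uploads(snap: dict) -> list:
    """Code files that sit inside the uploads tree, where only media is expected."""
    return sorted(p for p in snap
                  if p.startswith(UPLOADS_PREFIX + "/")
                  and Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)


def demo() -> dict:
    """Build a constructed sample site, take a baseline, simulate a reinfection, and report."""
    root = Path(tempfile.mkdtemp())                      # constructed, throw-away tree
    (root / UPLOADS_PREFIX).mkdir(parents=True)
    (root / "index.php").write_text("<?php // clean core file\n")
    (root / UPLOADS_PREFIX / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    baseline = snapshot(root)                            # taken right after cleanup
    (root / "index.php").write_text("<?php // modified after cleanup\n")
    (root / UPLOADS_PREFIX / "cache.php").write_text("<?php // unexpected code in uploads\n")
    (root / UPLOADS_PREFIX / "photo.jpg").unlink()
    later = snapshot(root)                               # taken at the next check
    added, changed, removed = diff_snapshots(baseline, later)
    return {"added": added, "changed": changed, "removed": removed,
            "executable_uploads": executable_uploads(later)}
```

In practice, save the baseline snapshot as JSON on a machine the web server cannot write to, and diff a fresh snapshot against it on a schedule; every path it reports is a file to inspect, and unexpected changes to core files point back to the server-wide infection Nithin describes.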