
DN&P The index.php file is infected and cannot be deleted or edited. This is a concerning issue.

Innisola

Hello everyone,

I require assistance with an issue I am experiencing. My website was hacked and all the files were deleted. Fortunately, I was able to restore the website using my backups. However, there is an infected file that remains, which I identified through a Wordfence Scan. The file in question is index.php, and I am unable to delete, edit or replace it. Every time I attempt to do so, the file reappears with the same infected text. I am unsure how to proceed from here. Any suggestions would be greatly appreciated. :<
 

WireKrool

If the infection reoccurs, it indicates that it is still present. Attempt to disable all other plugins and switch to the default theme. If the issue continues to reappear, it suggests that your database is also infected. It would be advisable to save your texts and start fresh by deleting everything, including the database.
 

Sionerpo

It is probable that there is an infected file located in a different folder, which is responsible for recreating the index.php file. As a first step, delete your plugins folder. If you have cPanel or root access, you should be able to log in and remove the file. There is likely a folder or script file situated within your public_html directory that is executing and needs to be deleted, along with any sub-files it generates.

I strongly recommend changing both your database password and WordPress admin passwords for added security.
 

ThedevilNath

If the issue continues to reoccur, it is highly likely that the hacker has alternative access through a backdoor. I recommend taking backups of your databases and completely cleaning your webspace. Additionally, change all passwords, including those for FTP, databases, cPanel, hosting, and any other relevant accounts. Afterward, you can import the website again.

If the problem persists even after these steps, it may be necessary to consider changing your web host, as their servers could have been compromised by hackers.
 

Baneadl

The presence of a backdoor persists. It is essential to thoroughly investigate and identify the backdoor, as it continues to provide the hacker with access.
 

Sleyouot

As reiterated by others, if the issue keeps recurring, it indicates that something is still present. You have two options: perform a comprehensive and thorough cleansing of all components, preserving only the essential elements, or embark on a meticulous search to identify and remove the infected elements.
 

Wishiter

I have already updated the database username and password, as well as the WordPress username and passwords.

To locate the files that are recreating the index.php file, I need to find a way to bypass the virus scanner. Although the scanner detects the presence of the infected index.php file with unusual code, editing and saving the file does not permanently remove the issue. When the file is reopened, the problematic text reappears.

I am managing five websites on a cPanel, and all of them are experiencing the same issue with the recurring index.php file. This problem has been ongoing since August 15, 2019.
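
The search the replies describe (finding whatever keeps rewriting index.php after a restore), as an added example that is not part of the thread: a read-only shell triage for a Linux host with SSH or cPanel terminal access. The function names, the reference-file approach and the reliance on GNU `sha256sum` are assumptions of this example, not something the posters used.

```shell
#!/bin/sh
# Added example: list candidate files, change nothing.
# Arguments when run directly (all hypothetical paths you supply):
#   DOCROOT         e.g. one site's public_html directory
#   REFERENCE_FILE  a file whose mtime marks the restore, e.g. the backup archive
#   INFECTED_SAMPLE the index.php that keeps coming back

# PHP files modified after the restore; a clean restore should leave none.
php_newer_than() {
    find "$1" -type f -name '*.php' -newer "$2" 2>/dev/null | sort
}

# PHP files under uploads, where WordPress stores media rather than code.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# PHP files byte-identical to the infected sample, to spot copies of the
# same payload elsewhere in the account (for example in the other sites).
same_content_as() {
    sca_want=$(sha256sum "$2" | cut -d' ' -f1)
    find "$1" -type f -name '*.php' -exec sha256sum {} + 2>/dev/null |
        awk -v h="$sca_want" '$1 == h { sub(/^[^ ]+ [ *]/, ""); print }' | sort
}

if [ "$#" -eq 3 ]; then
    echo "== PHP files changed since the restore"
    php_newer_than "$1" "$2"
    echo "== PHP files inside wp-content/uploads"
    php_in_uploads "$1"
    echo "== Files identical to the infected sample"
    same_content_as "$1" "$3"
    echo "== Mode and owner of the infected sample"
    ls -l "$3"
fi
```

Run it once per site directory. A file that appears in the first list but was not part of the backup is the place to start reading.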
 