
wordpress cloaked hack files

Discussion in 'Web Development' started by findtim, Jun 16, 2015.

  1. findtim

    I've got a site that's a problem, keeps getting files linking to "nike" Chinese sites, I've wordfenced and all clear, I've sucuri and all clear.
    but when I try to back it up and download it to search for problems my computer says "F off, I'm not downloading that"
    finally got all the files to download and to my surprise there are files at the root that are NOT visible in FTP or cPanel file manager.
    I'm surprised Sucuri didn't pick them up but they appear to "not be there" ????
    so thus I can't delete them !!!!!!!
    I think they are using them as gateways to keep injecting hacks.
    has anyone else had this experience?
    the reason I found them was by comparing files from other sites I have with the same "file trees" + they are using ASP files on a PHP server so it makes it easier to spot.
    I haven't been able to find anything on the net to help me.
    any advice appreciated
    tim
     
  2. helloworld

    Have you downloaded your SQL from phpMyAdmin?
    It's probably a plugin though
     
  3. chris

    Hi Tim, what do you mean by this bit? If you go into File Manager, do you have the option to view hidden files?
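
The comparison findtim describes (checking the downloaded copy against the file tree of another site with the same layout) together with the hidden-file question above can be scripted against the local download. This is an added example, not code from anyone in the thread; the extension list, flag names and the constructed sample trees are assumptions made for illustration.

```python
import os
import tempfile

FOREIGN_EXT = {".asp", ".aspx", ".jsp", ".cgi"}  # assumption: never legitimate on a PHP-only host

def tree(root):
    """Map relative path -> size for every file under root (os.walk keeps dotfiles)."""
    return {os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/"):
            os.path.getsize(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files}

def name_flags(rel):
    """Flag names a default listing may hide, or that are out of place on this host."""
    name = rel.rsplit("/", 1)[-1]
    checks = {
        "dotfile": name.startswith("."),
        "odd-characters": name != name.strip() or any(ord(c) < 32 for c in name),
        "foreign-extension": os.path.splitext(name.strip())[1].lower() in FOREIGN_EXT,
    }
    return [label for label, hit in checks.items() if hit]

def audit(suspect_root, reference_root):
    """Compare a downloaded backup against a known-good tree with the same layout."""
    suspect, ref = tree(suspect_root), tree(reference_root)
    findings = {}
    for rel, size in sorted(suspect.items()):
        flags = name_flags(rel)
        if rel not in ref:
            flags.append("not-in-reference")
        elif ref[rel] != size:
            flags.append("size-differs")  # same path, different content length
        if flags:
            findings[rel] = flags
    return findings

def demo():
    """Constructed sample: a clean reference tree and a backup with three planted problems."""
    base = tempfile.mkdtemp()
    clean = {"index.php": "<?php // core", "wp-login.php": "<?php // login"}
    extra = {"wp-login.php": "<?php // login + added", ".cache.php": "x", "gate.asp": "x"}
    for site, files in {"clean": clean, "backup": {**clean, **extra}}.items():
        os.makedirs(os.path.join(base, site))
        for name, body in files.items():
            with open(os.path.join(base, site, name), "w") as fh:
                fh.write(body)
    return audit(os.path.join(base, "backup"), os.path.join(base, "clean"))

if __name__ == "__main__":
    print("\n".join(f"{p}: {', '.join(f)}" for p, f in demo().items()))
```

Matching sizes do not prove a file is unmodified, and directories such as wp-content/uploads will legitimately differ between sites, so treat the output as a review list rather than a verdict.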
     
  4. findtim

    no, I can't see anywhere to select that option, and I just got a reply from HG which basically is a standard reply which said "tough, pay for sitelock"
    they deleted 3 files and listed them to me, they however didn't delete the other 15+ files I discovered and also the cloaked files I discovered.
    I uploaded a blank .php file named the same as what I think is causing the damage and it showed up, I didn't get a "do you want to overwrite the existing file" which I felt was weird, and then I deleted the blank file.
    so at this moment I can't see it but if I download it downloads, HG are ignoring me and deleting other files, the site is online and working and we are getting orders but Google hates me and of course they are not replying to me.
    Sucuri doesn't pick it up, Wordfence doesn't pick it up but I can bloody see it!
    frustrated tim
     
  5. petermeadit

    Sounds like your box is owned. I would revoke all access privileges, change all passwords and then watch the log files.