wordpress may have virus

I noticed many new .php files on my shared Linux server that I did not create.
Some PHP files had an eval command.
I would want to delete this domain, but I don't want to ruin the WordPress installation that is already there.

Which files/folders do not belong in a WordPress that has been installed in the past year?

rgb192Asked:

David FavorLinux/LXD/WordPress/Hosting SavantCommented:
There are too many files to guess about with WordPress.

First step I use when cleaning a site I suspect of being hacked is to run a script I wrote which simply...

1) Checks the existing installed WordPress version.

2) Downloads a pristine copy of WordPress which matches the installed version.

3) Diffs all files + quarantines (copies) core files which have been modified. Since no core file should ever be modified, any modified file has been hacked.

4) Then quarantine any file in a WordPress core directory which does not exist in the pristine copy. There should be no additional files in any core directory.

5) Then (and this is complex), look at a repository of all themes + plugins on site + do the exact same. Quarantine any changed files.

This last step can be tricky if you've let your repository of installed themes + plugins get outdated.

Another tricky point is looking at all quarantined files, as some plugins may build config files or other files as part of their installation process, so these generated files won't exist in the original zip file, so you'll have to move these back into place.

Big Tip: Sites get hacked one of two ways.

1) You've let your WordPress core or theme or plugins get out of date. This you can fix. After you clean your site, keep all your code updated.

2) Your code is all up to date, so your hosting company has dropped the ball + is likely running outdated code which is easily hacked.

So... if you were keeping your WordPress code up to date + you've been hacked because of your hosting company...

Your first step is to change hosting immediately, because if you got hacked once due to hosting, you will likely be hacked again.
1
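The version-match-and-diff procedure above, as an added shell example (not the answerer's own script): it reads the installed version from wp-includes/version.php, flags core files that differ from a pristine copy or exist only in the installed tree, and copies them to a quarantine directory. It assumes the matching pristine copy is already unpacked locally (the download URL in the comment is the standard wordpress.org pattern); wp-content themes and plugins (step 5) are not covered.

```shell
# Added example, not the answerer's own script: compare an installed WordPress
# tree against a pristine copy of the same version (steps 1, 3 and 4 above).
# Assumes the pristine copy is already unpacked; fetching it is left to the
# caller, e.g.:
#   curl -fsSLO "https://wordpress.org/wordpress-$(wp_version /var/www/site).tar.gz"
# Themes and plugins under wp-content (step 5) are not covered here.

# Step 1: read the installed version from wp-includes/version.php
wp_version() {
  sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Steps 3 and 4: print MODIFIED for core files that differ from the pristine
# copy and EXTRA for files inside a core directory that the pristine copy lacks.
# Root-level .php files are checked for modification only, because
# wp-config.php legitimately exists at the root but not in the download.
wp_core_diff() {
  inst=$1; pristine=$2
  (
    cd "$inst" || exit 1
    find wp-admin wp-includes -type f
    find . -maxdepth 1 -type f -name '*.php' | sed 's|^\./||'
  ) | sort | while IFS= read -r f; do
    if [ ! -f "$pristine/$f" ]; then
      case $f in
        */*) echo "EXTRA $f" ;;
      esac
    elif ! cmp -s "$inst/$f" "$pristine/$f"; then
      echo "MODIFIED $f"
    fi
  done
}

# Copy (do not delete) each flagged file into a quarantine directory, keeping
# its relative path, so a false positive (e.g. a plugin-generated file) can
# simply be moved back.
wp_quarantine() {
  inst=$1; pristine=$2; quar=$3
  wp_core_diff "$inst" "$pristine" | while read -r status f; do
    mkdir -p "$quar/$(dirname "$f")"
    cp -p "$inst/$f" "$quar/$f"
    echo "$status $f"
  done
}
```

Run it as `wp_quarantine /path/to/site /path/to/pristine /path/to/quarantine` and review the quarantine directory before deleting anything from the live tree.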
Terry WoodsIT GuruCommented:
My primary job is managing WordPress sites and their technical issues. Given your screenshot, I'm about 99.99% sure you've got malware there, as some of those files shouldn't be there and look very dodgy.

You may like to consider the site cleaning service offered by Wordfence.com - pricing is demand based so it varies, but starts at about US$179. It will take you some time to work through the steps with them, but they do a very professional job of cleaning up the site and telling you how it got hacked.
1
Terry WoodsIT GuruCommented:
The only file in your root WordPress folder that you should need to keep (given your screenshot) is the wp-config.php file, unless you've got non standard customisations to the site. You should be able to delete the wp-admin and wp-includes folders (these are the "core" folders David mentioned) and reinstall them from a fresh copy of WordPress.

Cleaning a site isn't easy. You'll very likely have infected files in your plugins, and as David mentioned it's quite a process to remove and reinstall them. On top of that, you'll need to:
* reset all admin user passwords in the database, and probably editor and author user passwords too (and maybe more depending on the site)
* change the database user password on the server and in the wp-config.php file
* change the "authentication unique keys and salts" in the wp-config.php file (there's a note in the file on how to do that)

To be completely thorough, the above should be done offline and without opening WordPress, to avoid reinfection part way through. There may also be other things in the WordPress database that are compromised and open the site up for reinfection. I've found that generally I can clean a site manually without being completely thorough, but it does take quite some time.
0
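The "authentication unique keys and salts" step above, as an added shell example (not the answerer's own code): it rewrites the eight `define( 'AUTH_KEY', ... );` lines in wp-config.php with fresh random values, offline and without opening WordPress. It assumes the stock define layout from wp-config-sample.php; the online alternative the file's own comment points to is https://api.wordpress.org/secret-key/1.1/salt/.

```shell
# Added example, not the answerer's own code: rotate the eight authentication
# keys and salts in wp-config.php offline, without opening WordPress.
# Assumes the file uses the stock define( 'AUTH_KEY', '...' ); layout.
wp_rotate_salts() {
  cfg=$1
  tmp=$(mktemp)
  cp -p "$cfg" "$tmp"
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    # 64 random printable characters; '&', '\' and '|' are excluded so the
    # value is safe inside the sed replacement below
    new=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=' < /dev/urandom | head -c 64)
    sed "s|define( *'$key', *'[^']*' *);|define( '$key', '$new' );|" "$tmp" > "$tmp.new"
    mv "$tmp.new" "$tmp"
  done
  mv "$tmp" "$cfg"
}

# Read back one key or salt value (file, constant name), for verification
wp_salt_value() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}
```

Rotating the salts invalidates every existing login cookie, which is the point after a compromise; pair it with the admin and database password resets listed above.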
Terry WoodsIT GuruCommented:
If you have a .htaccess or .php.ini file in there (hidden files), you probably don't want to delete those.
0
Alicia St RoseOwner & Principle Developer/DesignerCommented:
Those who are suggesting hiring a company to clean this up are spot on. I tried to clean up a site once, but there was a script somewhere generating devious files as soon as I deleted them. Check out Sucuri or WordFence.

w5v7....php is definitely suspect! But, there could be files hidden deep in some of those folders.
0
NerdsOfTechTechnology ScientistCommented:
Just to add to the great advice above: once you are ready to reinstall the clean copy of WordPress/quarantine the bad files, or use a service to clean the server, make sure your folders are immediately CHMODed correctly (then CHMOD key files after the install) per WordPress instructions, as it sounds like the attacker uploaded an attack script and is generating files from the attack script.
0
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Hiring a cleaning service may or may not be useful.

If your hosting company is running downlevel Linux Kernel code or PHP, then soon as you clean your site, you'll be hacked again.

I probably should have said your first step is to ensure your hosting environment is running all latest stable LAMP code + if not, change hosting.

No use investing masses of time + money into cleaning a site that will just get hacked again.
0
rgb192Author Commented:
Thanks. I have a related question about the comment of Terry Woods.
0