Malware Infected Processes Recreating Corrupted Files
I have a huge problem which appears identical to this one and this one, neither of which appears to have been truly solved. I have not contacted my hosting company because I use an unmanaged VPS, so they will just say that fixing the problem falls outside the scope of that service. I posted a question on the WordPress forum, and their moderator believes, as do I, that the problem is outside of WordPress, at the cPanel user account level. I have tried manually deleting files in File Manager, enacting all security measures recommended by WP Toolkit, reinstalling WordPress Core via WP Toolkit, and of course changing passwords, none of which seems to work because a process keeps recreating the corrupted files and changing their permissions.
To make matters worse, I am unable to kill all processes for the user account infected by this malware. The infection appears limited to just one cPanel account, with every site under it but the main domain infected (public_html is fine but public_html/example.com etc. are all infected). Other sites run by other cPanel accounts are just fine.
When I go to Home/System Health/Process Manager in WHM, select the user impacted, and click the kill button I receive the following error message:
“An error occurred processing your request:1”
I’ve tried killing individual processes one at a time but new ones just keep being created. There are often two processes that appear identical running at once (ex: php-fpm pool example.com). Is there a way to ban that user from creating new processes before suspending and unsuspending the account so that the user won’t have any processes?
I tried suspending the account, but that keeps me from being able to delete anything from the file system for that account at all due to WHM lacking a GUI for file management. I’m not too CLI savvy, so ideally this should be a simple issue of clicking a button in WHM, but as everyone eventually learns, that is rarely enough.
Also relevant is this article, which, like everything else I’ve found about the subject, stops short of actually telling people how to fix the problem.
The people at WordPress gave me a couple of links in a generic response, neither of which helped. I can’t use any of the security plugins recommended because the corrupted files keep me from accessing /wp-admin. I tried the remote scanners, both of which found nothing. I also installed and ran ClamAV, which didn’t find anything either, which I found odd since it comes with cPanel for the purpose of detecting malicious files.
I already changed my passwords and secret keys. The problem, according to the links I provided and other things I’ve read online, is that a process keeps recreating files, so if you re-install WordPress and delete other files the malware creates, it doesn’t matter because the process undoes all of that. This is why I would like to find a way to kill all processes for that cPanel user, but as I said, I get an error every time I try that, and killing individual processes is a waste of time due to them restarting.
Fortunately, the malware seems unable to access or edit my wp-config files which had their permissions set by WP-Toolkit to 600 a while ago. Unfortunately, if you delete a corrupt file with 644 permissions the new one is given 444 permissions, so they have to be manually changed back before WP-Toolkit can overwrite it.
This is the only thing on my server which seems to acknowledge the problem. It is the result of opening WP-Toolkit, selecting a site, clicking “check WordPress integrity” and running checksums.
WordPress core files failed to match the reference checksums from wordpress.org.
Warning: File doesn't verify against checksum: index.php
Warning: File should not exist: wp-includes/php-compat/.htaccess
Warning: File should not exist: wp-includes/images/media/.htaccess
Warning: File should not exist: wp-includes/images/smilies/.htaccess
Warning: File should not exist: wp-includes/images/crystal/.htaccess
Warning: File should not exist: wp-includes/images/.htaccess
Warning: File should not exist: wp-includes/block-supports/.htaccess
Warning: File should not exist: wp-includes/theme-compat/.htaccess
Warning: File should not exist: wp-includes/SimplePie/Decode/HTML/.htaccess
Warning: File should not exist: wp-includes/SimplePie/Decode/.htaccess
Warning: File should not exist: wp-includes/SimplePie/Parse/.htaccess
Warning: File should not exist: wp-includes/SimplePie/Content/Type/.htaccess
Warning: File should not exist: wp-includes/SimplePie/Content/.htaccess
Warning: File should not exist: wp-includes/SimplePie/XML/Declaration/.htaccess
Warning: File should not exist: wp-includes/SimplePie/XML/.htaccess
Warning: File should not exist: wp-includes/SimplePie/Cache/.htaccess
Warning: File should not exist: wp-includes/SimplePie/Net/.htaccess
Warning: File should not exist: wp-includes/SimplePie/HTTP/.htaccess
Warning: File should not exist: wp-includes/SimplePie/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Transport/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Cookie/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Exception/Transport/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Exception/Http/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Exception/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Utility/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Response/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Auth/.htaccess
Warning: File should not exist: wp-includes/Requests/src/Proxy/.htaccess
Warning: File should not exist: wp-includes/Requests/src/.htaccess
Warning: File should not exist: wp-includes/Requests/library/.htaccess
Warning: File should not exist: wp-includes/Requests/.htaccess
Warning: File should not exist: wp-includes/css/dist/edit-widgets/.htaccess
Warning: File should not exist: wp-includes/css/dist/block-directory/.htaccess
Warning: File should not exist: wp-includes/css/dist/edit-site/.htaccess
Warning: File should not exist: wp-includes/css/dist/block-library/.htaccess
Warning: File should not exist: wp-includes/css/dist/format-library/.htaccess
Warning: File should not exist: wp-includes/css/dist/edit-post/.htaccess
Warning: File should not exist: wp-includes/css/dist/widgets/.htaccess
Warning: File should not exist: wp-includes/css/dist/customize-widgets/.htaccess
Warning: File should not exist: wp-includes/css/dist/reusable-blocks/.htaccess
Warning: File should not exist: wp-includes/css/dist/editor/.htaccess
Warning: File should not exist: wp-includes/css/dist/nux/.htaccess
Warning: File should not exist: wp-includes/css/dist/list-reusable-blocks/.htaccess
Warning: File should not exist: wp-includes/css/dist/components/.htaccess
Warning: File should not exist: wp-includes/css/dist/block-editor/.htaccess
Warning: File should not exist: wp-includes/css/dist/commands/.htaccess
Warning: File should not exist: wp-includes/css/dist/patterns/.htaccess
Warning: File should not exist: wp-includes/css/dist/.htaccess
Warning: File should not exist: wp-includes/css/.htaccess
Warning: File should not exist: wp-includes/Text/Diff/Renderer/.htaccess
Warning: File should not exist: wp-includes/Text/Diff/Engine/.htaccess
Warning: File should not exist: wp-includes/Text/Diff/.htaccess
Warning: File should not exist: wp-includes/Text/.htaccess
Warning: File should not exist: wp-includes/assets/.htaccess
Warning: File should not exist: wp-includes/html-api/.htaccess
Warning: File should not exist: wp-includes/certificates/.htaccess
Warning: File should not exist: wp-includes/ID3/.htaccess
Warning: File should not exist: wp-includes/blocks/navigation/.htaccess
Warning: File should not exist: wp-includes/blocks/post-content/.htaccess
Warning: File should not exist: wp-includes/blocks/comments/.htaccess
Warning: File should not exist: wp-includes/blocks/query-pagination-numbers/.htaccess
Warning: File should not exist: wp-includes/blocks/gallery/.htaccess
Warning: File should not exist: wp-includes/blocks/shortcode/.htaccess
Warning: File should not exist: wp-includes/blocks/calendar/.htaccess
Warning: File should not exist: wp-includes/blocks/comment-content/.htaccess
Warning: File should not exist: wp-includes/blocks/template-part/.htaccess
Warning: File should not exist: wp-includes/blocks/post-navigation-link/.htaccess
Warning: File should not exist: wp-includes/blocks/columns/.htaccess
Warning: File should not exist: wp-includes/blocks/comment-reply-link/.htaccess
Warning: File should not exist: wp-includes/blocks/post-author-name/.htaccess
Warning: File should not exist: wp-includes/blocks/term-description/.htaccess
Warning: File should not exist: wp-includes/blocks/code/.htaccess
Warning: File should not exist: wp-includes/blocks/loginout/.htaccess
Warning: File should not exist: wp-includes/blocks/avatar/.htaccess
Warning: File should not exist: wp-includes/blocks/button/.htaccess
Warning: File should not exist: wp-includes/blocks/comments-title/.htaccess
Warning: File should not exist: wp-includes/blocks/post-author-biography/.htaccess
Warning: File should not exist: wp-includes/blocks/categories/.htaccess
Warning: File should not exist: wp-includes/blocks/social-link/.htaccess
Warning: File should not exist: wp-includes/blocks/separator/.htaccess
Warning: File should not exist: wp-includes/blocks/html/.htaccess
Warning: File should not exist: wp-includes/blocks/page-list/.htaccess
Warning: File should not exist: wp-includes/blocks/home-link/.htaccess
Warning: File should not exist: wp-includes/blocks/pattern/.htaccess
Warning: File should not exist: wp-includes/blocks/query-pagination-previous/.htaccess
Warning: File should not exist: wp-includes/blocks/widget-group/.htaccess
Warning: File should not exist: wp-includes/blocks/freeform/.htaccess
Warning: File should not exist: wp-includes/blocks/audio/.htaccess
Warning: File should not exist: wp-includes/blocks/query/.htaccess
Warning: File should not exist: wp-includes/blocks/site-tagline/.htaccess
Warning: File should not exist: wp-includes/blocks/verse/.htaccess
Warning: File should not exist: wp-includes/blocks/site-logo/.htaccess
Warning: File should not exist: wp-includes/blocks/site-title/.htaccess
Warning: File should not exist: wp-includes/blocks/query-no-results/.htaccess
Warning: File should not exist: wp-includes/blocks/heading/.htaccess
Warning: File should not exist: wp-includes/blocks/pullquote/.htaccess
Warning: File should not exist: wp-includes/blocks/buttons/.htaccess
Warning: File should not exist: wp-includes/blocks/nextpage/.htaccess
Warning: File should not exist: wp-includes/blocks/paragraph/.htaccess
Warning: File should not exist: wp-includes/blocks/navigation-submenu/.htaccess
Warning: File should not exist: wp-includes/blocks/archives/.htaccess
Warning: File should not exist: wp-includes/blocks/post-template/.htaccess
Warning: File should not exist: wp-includes/blocks/query-pagination/.htaccess
Warning: File should not exist: wp-includes/blocks/embed/.htaccess
Warning: File should not exist: wp-includes/blocks/block/.htaccess
Warning: File should not exist: wp-includes/blocks/post-featured-image/.htaccess
Warning: File should not exist: wp-includes/blocks/media-text/.htaccess
Warning: File should not exist: wp-includes/blocks/page-list-item/.htaccess
Warning: File should not exist: wp-includes/blocks/column/.htaccess
Warning: File should not exist: wp-includes/blocks/comment-edit-link/.htaccess
Warning: File should not exist: wp-includes/blocks/rss/.htaccess
Warning: File should not exist: wp-includes/blocks/comments-pagination/.htaccess
Warning: File should not exist: wp-includes/blocks/comment-date/.htaccess
Warning: File should not exist: wp-includes/blocks/query-title/.htaccess
Warning: File should not exist: wp-includes/blocks/quote/.htaccess
Warning: File should not exist: wp-includes/blocks/more/.htaccess
Warning: File should not exist: wp-includes/blocks/read-more/.htaccess
Warning: File should not exist: wp-includes/blocks/post-date/.htaccess
Warning: File should not exist: wp-includes/blocks/tag-cloud/.htaccess
Warning: File should not exist: wp-includes/blocks/missing/.htaccess
Warning: File should not exist: wp-includes/blocks/post-title/.htaccess
Warning: File should not exist: wp-includes/blocks/social-links/.htaccess
Warning: File should not exist: wp-includes/blocks/post-excerpt/.htaccess
Warning: File should not exist: wp-includes/blocks/preformatted/.htaccess
Warning: File should not exist: wp-includes/blocks/latest-comments/.htaccess
Warning: File should not exist: wp-includes/blocks/comments-pagination-previous/.htaccess
Warning: File should not exist: wp-includes/blocks/comments-pagination-next/.htaccess
Warning: File should not exist: wp-includes/blocks/search/.htaccess
Warning: File should not exist: wp-includes/blocks/list-item/.htaccess
Warning: File should not exist: wp-includes/blocks/navigation-link/.htaccess
Warning: File should not exist: wp-includes/blocks/latest-posts/.htaccess
Warning: File should not exist: wp-includes/blocks/post-comments-form/.htaccess
Warning: File should not exist: wp-includes/blocks/group/.htaccess
Warning: File should not exist: wp-includes/blocks/post-terms/.htaccess
Warning: File should not exist: wp-includes/blocks/table/.htaccess
Warning: File should not exist: wp-includes/blocks/list/.htaccess
Warning: File should not exist: wp-includes/blocks/comment-author-name/.htaccess
Warning: File should not exist: wp-includes/blocks/comments-pagination-numbers/.htaccess
Warning: File should not exist: wp-includes/blocks/query-pagination-next/.htaccess
Warning: File should not exist: wp-includes/blocks/file/.htaccess
Warning: File should not exist: wp-includes/blocks/image/.htaccess
Warning: File should not exist: wp-includes/blocks/text-columns/.htaccess
Warning: File should not exist: wp-includes/blocks/comment-template/.htaccess
Warning: File should not exist: wp-includes/blocks/video/.htaccess
Warning: File should not exist: wp-includes/blocks/cover/.htaccess
Warning: File should not exist: wp-includes/blocks/post-author/.htaccess
Warning: File should not exist: wp-includes/blocks/legacy-widget/.htaccess
Warning: File should not exist: wp-includes/blocks/spacer/.htaccess
Warning: File should not exist: wp-includes/blocks/details/.htaccess
Warning: File should not exist: wp-includes/blocks/footnotes/.htaccess
Warning: File should not exist: wp-includes/blocks/.htaccess
Warning: File should not exist: wp-includes/pomo/.htaccess
Warning: File should not exist: wp-includes/customize/.htaccess
Warning: File should not exist: wp-includes/widgets/.htaccess
Warning: File should not exist: wp-includes/PHPMailer/.htaccess
Warning: File should not exist: wp-includes/fonts/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core32/SecretStream/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core32/Poly1305/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core32/ChaCha20/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core32/Curve25519/Ge/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core32/Curve25519/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core32/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/PHP52/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core/Base64/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core/SecretStream/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core/Poly1305/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core/ChaCha20/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core/Curve25519/Ge/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core/Curve25519/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/Core/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/src/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/namespaced/Core/Poly1305/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/namespaced/Core/ChaCha20/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/namespaced/Core/Curve25519/Ge/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/namespaced/Core/Curve25519/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/namespaced/Core/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/namespaced/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/lib/.htaccess
Warning: File should not exist: wp-includes/sodium_compat/.htaccess
Warning: File should not exist: wp-includes/sitemaps/providers/.htaccess
Warning: File should not exist: wp-includes/sitemaps/.htaccess
Warning: File should not exist: wp-includes/rest-api/endpoints/.htaccess
Warning: File should not exist: wp-includes/rest-api/search/.htaccess
Warning: File should not exist: wp-includes/rest-api/fields/.htaccess
Warning: File should not exist: wp-includes/rest-api/.htaccess
Warning: File should not exist: wp-includes/IXR/.htaccess
Warning: File should not exist: wp-includes/block-patterns/.htaccess
Warning: File should not exist: wp-includes/js/dist/vendor/.htaccess
Warning: File should not exist: wp-includes/js/dist/development/.htaccess
Warning: File should not exist: wp-includes/js/dist/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/langs/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/skins/wordpress/images/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/skins/wordpress/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/skins/lightgray/img/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/skins/lightgray/fonts/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/skins/lightgray/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/skins/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/themes/inlite/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/themes/modern/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/themes/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/fullscreen/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wplink/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wpemoji/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/media/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wptextpattern/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wpdialogs/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wpview/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wordpress/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wpautoresize/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/paste/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/colorpicker/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/hr/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/lists/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/tabfocus/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/compat3x/css/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/compat3x/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wpeditimage/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/link/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/directionality/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/textcolor/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/wpgallery/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/image/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/charmap/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/plugins/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/utils/.htaccess
Warning: File should not exist: wp-includes/js/tinymce/.htaccess
Warning: File should not exist: wp-includes/js/imgareaselect/.htaccess
Warning: File should not exist: wp-includes/js/jquery/ui/.htaccess
Warning: File should not exist: wp-includes/js/jquery/.htaccess
Warning: File should not exist: wp-includes/js/crop/.htaccess
Warning: File should not exist: wp-includes/js/thickbox/.htaccess
Warning: File should not exist: wp-includes/js/mediaelement/renderers/.htaccess
Warning: File should not exist: wp-includes/js/mediaelement/.htaccess
Warning: File should not exist: wp-includes/js/swfupload/.htaccess
Warning: File should not exist: wp-includes/js/codemirror/.htaccess
Warning: File should not exist: wp-includes/js/plupload/.htaccess
Warning: File should not exist: wp-includes/js/jcrop/.htaccess
Warning: File should not exist: wp-includes/js/.htaccess
Warning: File should not exist: wp-includes/style-engine/.htaccess
Warning: File should not exist: wp-includes/.htaccess
Warning: File should not exist: wp-admin/images/a439a79eb419be5dda635034f722ec41
Warning: File should not exist: wp-admin/images/resize-6x.png
Warning: File should not exist: wp-admin/images/resize-8x.png
Warning: File should not exist: wp-admin/images/.htaccess
Warning: File should not exist: wp-admin/images/columbiamedicalclinic.com.shedit.set
Warning: File should not exist: wp-admin/images/53d1d6d1b566d9955bb9840f0c5e5f65
Warning: File should not exist: wp-admin/css/colors/sunrise/.htaccess
Warning: File should not exist: wp-admin/css/colors/ocean/.htaccess
Warning: File should not exist: wp-admin/css/colors/ectoplasm/.htaccess
Warning: File should not exist: wp-admin/css/colors/blue/.htaccess
Warning: File should not exist: wp-admin/css/colors/light/.htaccess
Warning: File should not exist: wp-admin/css/colors/midnight/.htaccess
Warning: File should not exist: wp-admin/css/colors/coffee/.htaccess
Warning: File should not exist: wp-admin/css/colors/modern/.htaccess
Warning: File should not exist: wp-admin/css/colors/.htaccess
Warning: File should not exist: wp-admin/css/.htaccess
Warning: File should not exist: wp-admin/user/.htaccess
Warning: File should not exist: wp-admin/includes/.htaccess
Warning: File should not exist: wp-admin/maint/.htaccess
Warning: File should not exist: wp-admin/network/.htaccess
Warning: File should not exist: wp-admin/js/widgets/.htaccess
Warning: File should not exist: wp-admin/js/.htaccess
Warning: File should not exist: wp-include.php
Warning: File should not exist: wp-admin.php
Warning: File should not exist: wp-logln.php
Warning: File should not exist: wp-ver.php
Warning: File should not exist: wp-corn-sample.php
Warning: File should not exist: wp-comment.php
-
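A triage pass over integrity-check output in the format quoted in the post above, as an added example that is not part of the original thread or of WP Toolkit. It groups the warnings so the pattern is visible at a glance: modified core files, `.htaccess` files dropped per top-level directory, hash-named files, and root-level PHP files whose names imitate real core files. The function name, the categories and the 0.85 similarity cutoff are assumptions; the sample lines are copied from the post.

```python
import re
from collections import Counter
from difflib import get_close_matches
from pathlib import PurePosixPath

# A few warning lines copied from the post, used as sample input.
SAMPLE = """\
Warning: File doesn't verify against checksum: index.php
Warning: File should not exist: wp-includes/images/.htaccess
Warning: File should not exist: wp-includes/css/dist/.htaccess
Warning: File should not exist: wp-admin/css/.htaccess
Warning: File should not exist: wp-admin/images/a439a79eb419be5dda635034f722ec41
Warning: File should not exist: wp-admin/images/resize-6x.png
Warning: File should not exist: wp-logln.php
Warning: File should not exist: wp-ver.php
"""

# Root-level PHP files that a stock WordPress core release ships.
CORE_ROOT_PHP = [
    "index.php", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config-sample.php", "wp-cron.php",
    "wp-links-opml.php", "wp-load.php", "wp-login.php", "wp-mail.php",
    "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
]

LINE_RE = re.compile(
    r"^Warning: File (doesn't verify against checksum|should not exist): (.+)$"
)
HASH_NAME_RE = re.compile(r"[0-9a-f]{32}")


def triage(report: str) -> dict:
    """Group integrity warnings into categories useful for cleanup planning."""
    result = {
        "modified": [],                   # core files whose content changed
        "htaccess_by_top_dir": Counter(), # dropped .htaccess count per top dir
        "hash_named": [],                 # extensionless 32-hex-char names
        "root_php": {},                   # extra root PHP -> imitated core file
        "other": [],                      # everything else that should not exist
    }
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, path = m.group(1), PurePosixPath(m.group(2))
        if kind.startswith("doesn't"):
            result["modified"].append(str(path))
        elif path.name == ".htaccess":
            top = path.parts[0] if len(path.parts) > 1 else "."
            result["htaccess_by_top_dir"][top] += 1
        elif HASH_NAME_RE.fullmatch(path.name):
            result["hash_named"].append(str(path))
        elif len(path.parts) == 1 and path.suffix == ".php":
            # A near-miss of a real core name suggests deliberate camouflage.
            near = get_close_matches(path.name, CORE_ROOT_PHP, n=1, cutoff=0.85)
            result["root_php"][path.name] = near[0] if near else None
        else:
            result["other"].append(str(path))
    return result


if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category, dict(items) if isinstance(items, Counter) else items)
```

Run against the full output, a large `htaccess_by_top_dir` count combined with a modified `index.php` indicates files being rewritten in bulk rather than a one-off change, which is why deleting individual files does not hold.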
I've never had days go by with no comments on this forum whatsoever. I can't imagine a justification on cPanel's part for ignoring a problem this bad.
0 -
This likely isn't a problem that cPanel is responsible for. If you can't determine what is going on, you need to hire an admin/company to look into it further for you. And even they may not be able to fix it and may end up telling you that you need to have a new VPS provisioned and migrate your accounts over.
0 -
ChinaVirus - I don't know why I didn't see this thread earlier - sorry about the delay! This issue wouldn't be related to cPanel and likely needs the attention of a professional admin.
0