virus – Got warning from Bluehost that the WordPress site is infected with malware
I got a notification from Bluehost that they will suspend the account in 24 hours if I don’t clean the site. The site was left and it was unused for more than 2 years. When we started adding content, about a few days ago, we got this notification from Bluehost.
I suspect that Bluehost is pressuring us to purchase their security services and that this malware infection is somehow under the eyes of Bluehost. I have backups of the site content for more than two years and a few weeks back. I did compare and noticed some differences, but I cannot come to a conclusion as to why the site was infected. I can generate a compare result report using BeyondCompare and you can tell me if there are new files that should be there. For example, the following files are new compared to a 2-year-old backup:
- template-config.php
- functions.php
- content-link-page.php
See below the scan report from Bluehost.
/home2/fahamonl/public_html/500.php: SL-PHP-EVAL_REQUEST-axof.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/500.php: SL-PHP-EVAL_REQUEST-axof.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/plugins/cherry-plugin/admin/import-export/upload.php.suspected.1527055159: SL-PHP-UPLOADER-1-md5-njh.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/twentyfourteen/template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/twentyfourteen/functions.php: SL-PHP-FILEHACKER-iu.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/twentytwelve/template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/twentytwelve/functions.php: SL-PHP-FILEHACKER-iu.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/twentythirteen/template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/twentythirteen/functions.php: SL-PHP-FILEHACKER-iu.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/theme50603/template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/theme50603/functions.php: SL-PHP-FILEHACKER-iu.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/CherryFramework/template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/pilot/wp-content/themes/CherryFramework/functions.php: SL-PHP-FILEHACKER-iu.UNOFFICIAL FOUND
/home2/fahamonl/public_html/wp-content/themes/theme50603/template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/wp-content/themes/theme50603/functions.php: SL-PHP-FILEHACKER-iu.UNOFFICIAL FOUND
/home2/fahamonl/public_html/wp-content/themes/theme50603/content-link-page.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/wp-content/themes/CherryFramework/template-config-php-old2: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/wp-content/themes/CherryFramework/functions.php: SL-PHP-FILEHACKER-iu.UNOFFICIAL FOUND
/home2/fahamonl/public_html/wp-content/themes/CherryFramework/template-config-php-old1: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/wp-content/themes/CherryFramework/1template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
/home2/fahamonl/public_html/wp-content/themes/twentynineteen/template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 2182593
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 2357
Scanned files: 14631
Infected files: 21
Data scanned: 338.69 MB
Data read: 600.90 MB (ratio 0.56:1)
Time: 572.253 sec (9 m 32 s)
----------- SCAN SUMMARY -----------
Known viruses: 2182593
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.003 sec (0 m 6 s)
----------- SCAN SUMMARY -----------
Known viruses: 2182593
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.657 sec (0 m 6 s)
Any idea how I can validate the issue? Any recommendation how to clean the website using free tools?
Thanks,
Tarek
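One way to validate a report like the one above against an older backup, as an added example that is not part of the original post: it parses the `FOUND` lines and labels each flagged file as new, modified or unchanged relative to the backup copy. The function names, the status labels, the `/home/example/public_html` prefix and the sample files are assumptions constructed for illustration; an "unchanged" result means the flagged content was already present when the backup was taken.

```python
import hashlib
import re
import tempfile
from pathlib import Path, PurePosixPath

# clamscan result lines look like "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>/.+?): (?P<sig>\S+) FOUND$")

def parse_report(text):
    """Return [(path, signature)] for each FOUND line; summary lines are skipped."""
    matches = (FOUND_RE.match(line.strip()) for line in text.splitlines())
    return [(m["path"], m["sig"]) for m in matches if m]

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(hits, live_root, backup_root, web_root):
    """Classify flagged files by comparing local copies of the live site and the backup.
    web_root is the server-side prefix that appears in the report paths."""
    result = {}
    for path, sig in hits:
        rel = PurePosixPath(path).relative_to(web_root)
        live, old = Path(live_root) / rel, Path(backup_root) / rel
        if not live.is_file():
            status = "missing-locally"
        elif not old.is_file():
            status = "new-since-backup"
        elif sha256(live) != sha256(old):
            status = "modified-since-backup"
        else:
            status = "unchanged-since-backup"
        result[str(rel)] = (sig, status)
    return result

def demo():
    """Constructed sample: two tiny trees in a temp dir and a constructed report."""
    root = "/home/example/public_html"      # hypothetical prefix
    theme = "wp-content/themes/demo"        # hypothetical theme directory
    report = (
        f"{root}/{theme}/functions.php: SL-PHP-FILEHACKER-iu.UNOFFICIAL FOUND\n"
        f"{root}/{theme}/template-config.php: SL-PHP-FILEHACKER-wm.UNOFFICIAL FOUND\n"
        "----------- SCAN SUMMARY -----------\nInfected files: 2\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        live, old = Path(tmp, "live"), Path(tmp, "backup")
        (live / theme).mkdir(parents=True)
        (old / theme).mkdir(parents=True)
        (old / theme / "functions.php").write_text("<?php // original\n")
        (live / theme / "functions.php").write_text("<?php // original\n// appended\n")
        (live / theme / "template-config.php").write_text("<?php // not in backup\n")
        return triage(parse_report(report), live, old, root)
```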