Hello,

I had an issue with my hosting account because it was infiltrated by a backdoor shell that overwrote all the .htaccess files on my website. Now, when mobile devices try to access my website, they're redirected to third-party sites. Although I've tried to overwrite the files with rights 644, they keep getting overwritten within 30 minutes, and I'm not sure when the infiltration happened. Have you ever experienced this, and do you know what to do?

I found a solution online that entails replacing the code by connecting via SSH, but I'm not sure if it will resolve the issue or cause more harm. The code is find ./ -type f -exec sed -i 's/eval(base64_decode(\"DQplcn[^;]*;//g' {} \;
During testing, I found out that WordPress-powered websites (not the latest version) only load the main page, and switching to other pages results in a 404 error. In addition, there seems to be a problem with a custom plugin for user authorization, as I can't even access the admin panel on one of my sites. Aibolit has identified potential problems with plugins such as Evanto WordPress toolkit and Safeguard Pro, which are standard for this theme. Even though I removed them from one of my sites, there weren't any improvements.

Fortunately, with the help of Aibolit, I was able to find and remove the infection, as well as clean up the remaining issues based on recommendations from @xaja and @Mike. However, I'm now wondering how I can protect myself from future attacks and close the loophole. Would updating the WordPress engine to the latest version and installing plugins like AntiVirus suffice to prevent backdoor shells?

It appears that you've located the correct "find" command, but it's not foolproof since a significant amount of hacker software utilizes this encryption and launch method.

Hacking can be achieved through a simple line of code like "if(isset($_GET['A'])) eval($_GET['A'])", enabling hackers to log in and execute arbitrary code.

Since .htaccess files are being tampered with specifically for mobile devices, it's probable that an automated worm is delivering viruses to these devices. The frequent alteration of files indicates that one of your .php files has been infected.

One option is to make a copy of the entire site and search for the word "eval," although some CMS programs use it as well. Preg_replace statements are frequently used to launch encrypted code.

The worm code is often obfuscated and encrypted, making it tough to read. You can scan PHP files to locate these segments as well.

While adjusting the file change date might help, skilled hackers will usually restore it after modifying it.

Unfortunately, none of these methods guarantee that you'll discover all of the hacker's bookmarks and completely eradicate them. Furthermore, there's no certainty that your site won't be infected again once it's been hacked.

If you're using a standard engine and haven't modified any of the .php files, the safest approach is to create an archive of the current site, including the database, and then reinstall the engine. The config file from the previous site may be transferred, but make sure it doesn't contain any "eval" or "preg_replace" lines.

However, even after taking these precautions, there's no guarantee that your site won't be vulnerable to future hacks. You can look up your engine and plugins online using the word "exploit" to see if there are any known vulnerabilities. It's also a good idea to save the database from the previous site, search for the word "eval," and install the latest version of the engine and required plugins, double-checking their security information online.

Finally, there's a slim chance that your site was hacked due to vulnerabilities in your hosting. You can test this by attempting to access other site directories.

In addition to these measures, it's also important to be cautious when browsing the internet and downloading files, as well as keeping your passwords strong and updated regularly.

To address the issue, it's necessary to search for third-party files in the folders where your hosting sites are located. Look for any new or suspicious files and remove them immediately. Then, check the logs for any security vulnerabilities in your sites.

Hackers often insert a code snippet in index.php or another uploaded file that responds to the presence of a specific GET or POST parameter. In certain cases, attackers only need access to one resource on the hosting to gain access to all resources, as the security of 20% of hosts is poorly established. This implies that there can be no guarantee that the entry point is via your own site.

To resolve the issue, I followed the steps below:
1) I used FTP to download my website's files to a local computer.
2) I scanned them with an antivirus program (using a free utility from DrWeb) and received a list of infected files. I ensured that the list only included expendable files and that no essential files were tagged as "infected".
3) I deleted the corrupt files on the server, which successfully resolved the issue.

Unfortunately, I was unable to locate the origin of the malware.

While scanning your website is an essential task, there are also preventative measures you can take to reduce the risk of future infections. Keep in mind that prevention is always preferable to having to deal with the consequences of a malware infection. You may want to consider installing security plugins, regularly updating your website and plugins to the latest versions, and backing up your website frequently. It's also important to be cautious when browsing the internet and downloading files.

To protect your website from future attacks and close any loopholes, here are a few steps you can take:

1. Update WordPress: Keeping your WordPress installation up to date is crucial for security. Updates often include patches and fixes for known vulnerabilities.

2. Update plugins and themes: Similar to updating WordPress, make sure to regularly update all your plugins and themes to their latest versions. Outdated plugins can be a common target for attackers.

3. Remove unused plugins and themes: If you have any plugins or themes that you're not actively using, it's best to delete them. Unused plugins can also pose security risks if they contain vulnerabilities.

4. Use strong, unique passwords: Ensure that you're using strong, unique passwords for all your accounts related to your hosting account, CMS, and databases. Weak passwords can make it easier for attackers to gain unauthorized access.

5. Install a security plugin: Consider using a reputable security plugin like Wordfence or Sucuri. These plugins offer features such as firewall protection, malware scanning, and login brute force prevention.

6. Regular backups: Regularly back up your website files and databases. In the event of an attack, having recent backups will allow you to quickly restore your website.

7. Monitor file changes: Implement a system that alerts you whenever there are unexpected changes to your website files or directories. This can help you detect malicious activities early on.

few additional measures you can take to enhance the security of your website:

1. Secure your hosting environment: Make sure your hosting provider has robust security measures in place and follows best practices for server security. This includes regular updates, monitoring, and secure configurations.

2. Limit access privileges: Only provide access privileges to individuals who truly need them. Be cautious with granting administrative access to plugins or themes and consider using separate accounts for different users.

3. Enable two-factor authentication (2FA): Implementing 2FA adds an extra layer of security by requiring users to provide a second form of authentication, such as a code sent to their mobile device, in addition to their password.

4. Use a trusted security service: Consider using a third-party security service that specializes in website protection and monitoring. These services often provide advanced security features like behavioral analysis, reputation monitoring, and DDoS protection.

5. Regularly scan for vulnerabilities: Utilize security plugins or online vulnerability scanners to regularly scan your website for potential vulnerabilities and issues. This can help you identify and address security weaknesses proactively.

6. Keep software up to date: Apart from the WordPress core, make sure all other software on your server is up to date as well. This includes your operating system, web server software (such as Apache or Nginx), and any other applications you're using.

7. Educate yourself and your team: Stay informed about the latest security threats and best practices. Regularly educate yourself and your team about common attack vectors, phishing attempts, and social engineering techniques to help prevent successful attacks.