Today I encountered a rather powerful virus that automatically infects files such as index.php and .htaccess in the website directory. After infection, the website becomes inaccessible. The other impacts are unclear. Here, I will document the virus analysis and solution.
Details of the virus: First, a large string of encrypted code is inserted into the index.php file:
Then, the .htaccess file is continuously modified to look like the following:
Order allow,deny
Deny from all
Order allow,deny
Allow from all
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
This virus-infected website was using cPanel Shared Hosting. Strangely, even after I deleted all files in the root directory and refreshed, the virus files were still automatically generated. The reason is unknown, so I directly switched to a newly installed server, and everything returned to normal. According to information found on the official WordPress forums, this virus started appearing several months ago, but there is no clear solution. Fortunately, this virus does not infect the database, so reinstalling WordPress can eliminate it (it may also require reinstalling the server OS or changing servers). Additionally, there is an online method I haven't tested: first stop the PHP process, then delete the infected files, and then re-enable PHP. You can give it a try.
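A way to check a web root for the two symptoms described above, as an added example that is not part of the original post: it flags any .htaccess containing the directive sequence shown earlier and any PHP file holding a long encoded-looking string. The 400-character threshold, the function names and the finding labels are assumptions made for this sketch, since the post does not show the injected code itself.

```python
import os
import re
import sys

# Directives from the .htaccess shown in the post, in the order they appear.
# A stock WordPress .htaccess has the rewrite rule but not the deny/allow pair.
HTACCESS_MARKERS = ("Deny from all", "Allow from all", "RewriteRule . /index.php [L]")
# Assumption: the injected "encrypted code" shows up as a long unbroken run of
# base64/hex-like characters. 400 is an arbitrary threshold; tune it per site.
BLOB = re.compile(r"[A-Za-z0-9+/=]{400,}")

def check_htaccess(text):
    """True when every directive from the post's .htaccess occurs, in order."""
    pos = 0
    for marker in HTACCESS_MARKERS:
        pos = text.find(marker, pos)
        if pos < 0:
            return False
        pos += len(marker)
    return True

def check_php(text):
    """True when the file holds a long encoded-looking blob (heuristic only)."""
    return bool(BLOB.search(text))

def scan(root):
    """Walk root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            rel = os.path.relpath(path, root)
            if name == ".htaccess" and check_htaccess(text):
                findings.append((rel, "htaccess-pattern"))
            elif name.endswith(".php") and check_php(text):
                findings.append((rel, "encoded-blob"))
    return sorted(findings)

if __name__ == "__main__":
    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{rel}")
```

Because the files reappear after deletion, running the scan again some minutes after a cleanup shows whether whatever regenerates them is still active.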