Wordpress index.php always gets deleted

[vekou]

Good day! I need some help.
Recently, I keep noticing that my website's Wordpress index.php gets deleted. I try to restore it, then suddenly it's deleted after a few hours. It seems it gets automatically deleted, exposing my website's directory structure. Is there a log or something on when or how it was deleted? I'm quite puzzled by this.

Website: aitenshiproject.com
User: vekou


Thanks.

 

[bdistler]

is the file larger then 10 MiB ?

x10hosting has Bots on all 7 of its free-hosting servers - that deletes any user files 10 MiB (or larger) in size - that have been on the server (in any folder) for more than about 4 hours - from non-upgraded free-hosting accounts only
###

as for

exposing my website's directory structure

-
add this code near the top of your [ .htaccess ] file --> [ Options -Indexes ]
###

 

[vekou]

The file is just around 500 bytes, and is the default index.php of Wordpress. I don't understand how it gets deleted though.

EDIT: I found out that even the non-Wordpress directories has got the index files deleted. Is there any log file which I can check on when the files got deleted? I cannot access the R1Soft Backups, it says that I am using an invalid Control Panel ID to login.

 

[caftpx10]

It sounds that either someone has access to your (FTP) account or your WordPress installation is compromised (maybe out-of-date or the plugins used). Might want to have a look into that.

 

[vekou]

I've copied new Wordpress files to my site, earlier, worked fine, then the index.php got deleted again. I copied the index.php again for the meantime, and the site is working as of now. I've disabled most of the plugins (not all) and will check if the file will get deleted again later..

P.S. Also changed my account password so that my FTP login will also change.

 

[vekou]

After around a week, my index.php has been deleted again. Has a bot wrongfully deletes my index.php? I can't even restore my backup since I can't open R1Soft... Please help, thanks.

 

[lylex10h]

You can restore your backups using FTP or the File Manager and restore your database using phpMyAdmin.

 

[vekou]

Yes, thank you. But what I really want to know, is how my index.php gets deleted.

 

[vekou]

Anyone? Thanks.

 

[Anna]

@Livewire is this something you are able to look into?

 

[lylex10h]

Try doing a clean install of WordPress to a subdirectory and see if the same thing happens. Also check your crons.

 

[Livewire]

It's not something I've seen before and don't know where the logs are for the auto-delete stuff; I'll take a peek in 5 and see what I can find.

 

[Livewire]

Well that was way easier to find than expected:

[Fri, 25 Aug 2017 05:53:45 -0400] 599ff3a97ab6a M /home/vekou/public_html/_vti_txt/index.php Infected file found: Known exploit = [                                    Fingerprint Match] [PHP Injection Attack [P1261]]

That's not the only hit I'm seeing in the logs either; all the Wordpress files I can find in the logs have compromised PHP code present that allows arbitrary code execution. Given that, it's a very safe bet your Wordpress install is heavily compromised, but there's an un-captured exploit in one of the files that isn't known to our scanners so it's not auto-nuking the file.

Possible sources I found:

• wpblog/index.php (compromised)
• wp_blog/index.php (same)
• any one of the files in wp-includes/SimplePie/cache0936f6beea6df5b13115c3c1dca9fac and cachebc9ac149f91ffb1270cf063451754c44 (which are both non-standard folders, and contain code that has been ran through an obfuscation system to prevent reading them)
• wp-mailchamp.php (which is a copy of the default "Hello Dolly" plugin, but not inside the plugins folder and was likely a hacker doing experiments)
• files/index.php (compromised, modify date from 11/23/16 which means it's been there for almost a year).

This having been said, there's probably more. Your best bet is going to be (to quote Aliens) "to take off and nuke the site from orbit." Take a current backup so you have one, and then clear out your public_html, and reinstall everything from fresh, vendor supplied files. If you do need to restore a file from the backups, check it first and look for anything unusual - a good one is a random comment such as "/*344a9*/" where the numbers/letters can be any combination, which is a dead-giveaway of a particular Wordpress compromise. Others might involve weird code such as eval(base64_decode("unreadable garbage here")). I'll be blunt, it's going to suck a bit having to reinstall it, but that's going to be the best bet to ensure there aren't any remaining compromised files; if any comp'd ones remain, they can be used to launch a re-compromise of the account and cause your install to continue acting weird.

 

[vekou]

That's very helpful, I'll nuke it right away!

 

[vekou]

Hi, it may be a little late, but I backed up my files before deleting all of them to install a fresh copy of Wordpress, sadly, it seems some files weren't copied from the server like the images from the posts. I didn't notice on my FTP client, since Filezilla didn't raise a Failed Transfer. My only hope is getting a copy from R1 Soft Backup, but it seems that xo2 R1Soft is still down. Anything I can do to get a hold on the backups? Thanks again.

 

[KatAqua]

I'm pretty sure you don't actually have access to the R1Soft on a free hosting account.

Hi, it may be a little late, but I backed up my files before deleting all of them to install a fresh copy of Wordpress, sadly, it seems some files weren't copied from the server like the images from the posts. I didn't notice on my FTP client, since Filezilla didn't raise a Failed Transfer. My only hope is getting a copy from R1 Soft Backup, but it seems that xo2 R1Soft is still down. Anything I can do to get a hold on the backups? Thanks again.

 

[vekou]

I'm pretty sure you don't actually have access to the R1Soft on a free hosting account.

Thanks for the reply, but I used to remember accessing my backups from R1Soft months before this incident. Other free hosting accounts from a different server claims that they can access theirs just fine.