Black Friday Sale! Get $20 off GP Premium, $40 off our new Lifetime license, and 45% off license renewals/extensions! Learn more

[Resolved] Hostgator finding malware on GP Premium

Home Forums Support Hostgator finding malware on GP Premium

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #404476
    Tom

    I have three WordPress-based sites using GP Premium. Everything has been working just fine, thank you.

    All of a sudden, my server company (shared server) finds the same malware on two of my sites and locks them down, directing me to their marketing partner, sitelock. All sitelock wants to do is sell me a service. I removed reported malware and Hostgator released my sites.

    Now the next day, they report malware at

    8879 /home3/rsc/public_html/wp-content/plugins/gp-premium/backgrounds/vzwghdss.php

    Same thing … go to sitelock for paid help.

    My sense is that they are running a scam, but I do not know enough to be sure.

    Question: is /vzwghdss.php part of your program. looking at the date it was last edited (November 28, 2016), I think it is not a new attack.

    #404523
    Tom

    Also, I see “DISALLOW_FILE_EDIT is defined. You should also disallow PHP execution in GP Hooks” on my control panel. Is there something I need to do for security?

    #404557
    Tom
    Lead Developer
    Lead Developer

    Hi Tom,

    It’s possible that your server is hacked, meaning someone can upload malicious files into your themes and plugins (and elsewhere).

    That filename looks like a typically hack: vzwghdss.php

    Things you need to do:

    1. Get all malicious files removed from your server – they’re likely in a few different places. Hacks can include added into existing files as well, like your .htaccess and wp-config.php file.

    2. Change all of your passwords – WordPress, hosting etc..

    3. Make sure all of your plugins and themes are up to date – as well as WordPress itself.

    If you continue to have issues with people hacking your site, it may be a server issue in itself. Sometimes on shared servers, it could be another user on the server with poor security, which allows the hacker into the entire server (your site included).

    That message means you have file editing turned off in your WordPress install, which is an added security layer to WordPress. It basically makes so if someone logs in as you (so already has access to your site), they can’t execute PHP in the theme editor to gain access to your server.

    GP Hooks has an option where you can execute PHP, so you can turn that off as well with this code snippet: https://docs.generatepress.com/article/disallow-php-execution/

    However, that only becomes a problem if your site is already compromised.

    Hope this helps get you started a bit – let me know if you have more questions.

    #405217
    Tom

    Thanks. I will remove the file. I will be using Sucuri once the website is released by Hostgator.

    #405295
    Tom
    Lead Developer
    Lead Developer

    Awesome – be sure to get scanned for other bad files as well.

Viewing 5 posts - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.