WordPress sites being filled with random PHP files

First steps:

  • Take the server offline, if you can access it directly. – The chance of your server being part of a larger scheme at this point is pretty high.
  • If you can’t take it offline, check your authorized_keys files in ~/.ssh/authorized_keys and remove entries that don’t belong to you. (Repeat this step for every user, where ~ is their home-directory. Changing the port only is not sufficient at all – would prob. only take seconds to find the new one.

Recommended:

  • Nuke the server completely and restore a backup from before this occured
  • Check for available updates on the server + the wordpress installation and make sure you’re not using deprecated addons/php-code.
  • Have a look at linux-hardening and especially your wordpress installation.
  • Check the authorized_keys files as well as other ssh-configuration files (f.e. /etc/ssh/sshd_config on some systems like debian).

Without finding the root cause for this, it’s very likely to happen again in the future, so make sure to secure it, monitor ssh connections/only allow from your IP, etc.

Without further information, there is not much more detail to provide. – Feel free to leave OS information/software information if you need further assistance.

EDIT: Disable root login via password if activated and use in general a non-root user for setup. Sudo is way better in those regards.

Related Posts:

  1. WordPress can’t find temporary folder, but folder it’s looking at has correct permissions
  2. What permissions should my website files/folders have on a Linux webserver?
  3. Chmod 777 to a folder and all contents [duplicate]
  4. Where can I find php.ini?
  5. How to change permissions for a folder and its subfolders/files in one step
  6. How to change permissions for a folder and its subfolders/files in one step
  7. Explanation of polkitd Unregistered Authentication Agent
  8. PHP and mod_fcgid: ap_pass_brigade failed in handle_request_ipc function
  9. cd into directory without having permission
  10. Definitive wordpress directory ownership and permissions on linux
  11. Cannot execute php files in wp-content
  12. WordPress Update – This is usually due to inconsistent file permissions.: wp-admin/includes/update-core.php
  13. How to remove all plugins, posts, pages, and inactive themes in one line with wp-cli? WordPress bloatware removal
  14. Folder Permissions + Security Concerns
  15. Why is “chmod -R 777 /” destructive?
  16. Is it normal to get hundreds of break-in attempts per day?
  17. How to handle security updates within Docker containers?
  18. How to check if an RSA public / private key pair match
  19. REJECT vs DROP when using iptables
  20. Why does sudo command take long to execute?
  21. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  22. Tips for Securing a LAMP Server
  23. How to add a security group to a running EC2 Instance?
  24. Heartbleed: how to reliably and portably check the OpenSSL version?
  25. What’s wrong with always being root?
  26. memcache vs memcached?
  27. What is the difference between /sbin/nologin and /bin/false?
  28. Amazon Linux: apt-get: command not found
  29. How do I find all files containing specific text on Linux?
  30. “Couldn’t find a file descriptor referring to the console” on Ubuntu bash on Windows
  31. gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error is not recoverable: exiting now
  32. Linux: ‘Username’ is not in the sudoers file. This incident will be reported
  33. “E: Unable to locate package python-pip” on Ubuntu 18.04 [duplicate]
  34. How can I exclude directories from grep -R?
  35. How to exclude a directory in find . command
  36. Explaining the ‘find -mtime’ command
  37. Creating a new directory in C
  38. Extract file basename without path and extension in bash
  39. mv: cannot stat error : No such file or directory error
  40. Linux error while loading shared libraries: cannot open shared object file: No such file or directory
  41. Pseudo-terminal will not be allocated because stdin is not a terminal
  42. screen Cannot open your terminal ‘/dev/pts/0’ – please check
  43. ./configure : /bin/sh^M : bad interpreter
  44. TCP congestion control version: HTCP module vs highspeed module in linux kernel
  45. How to use regex with find command?
  46. Are PDO prepared statements sufficient to prevent SQL injection?
  47. What is the difference between /etc/rc.local and ~/.bashrc?
  48. Snort Message – WARNING: No preprocessors configured for policy 0
  49. Getting stty: standard input: Inappropriate ioctl for device when using scp through an ssh tunnel
  50. How to make rpm auto install dependencies
  51. How do I install chkconfig on Ubuntu?
  52. “find: paths must precede expression:” How do I specify a recursive search that also finds files in the current directory?
  53. Apache server keeps crashing, “caught SIGTERM, shutting down”
  54. List all mounts in Linux
  55. How to use sed to extract substring
  56. Wait for user input in C?
  57. Restarting cron after changing crontab file?
  58. tar: Error is not recoverable: exiting now
  59. python-dev installation error: ImportError: No module named apt_pkg
  60. How to enable Bash in Windows 10 developer preview?
  61. Is it unsafe to put php in the /wp-content/uploads directory?
  62. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  63. Is this code malidcous
  64. Admin username and password
  65. Evaluations of two wordpress security plans against php code injection attack
  66. Correct folder permissions?
  67. PHP Warning: chmod(): Operation not permitted in class-wp-filesystem-direct.php on line 173
  68. Image rotation and editing stopped working in WordPress after upgrading Ubuntu from 16.04 to 18.04
  69. custom user role wordpress – grant guest access to edit.php without insert/update/delete
  70. How to change permissions of WordPress and/or apache on macOS securely?
  71. Correct and safe way to include php content in my page
  72. How to add API security keys into JS of wordpress securely
  73. Hardening uploads folder in IIS breaks images
  74. Updating From Mobile App – Exposing Site to Hacking
  75. WordPress cloning issue
  76. How to edit content in WordPress and the Polylang – plugin? – with demosite
  77. How to quickly/easily make an analysis (reverse engineering) of WordPress?
  78. Default installation permissions for wp-config.php
  79. Two sites one PC
  80. WordPress directories not writable after PHP version upgrade
  81. Anyone else experiencing high rates of Linux server crashes during a leap second day?
  82. Can I nohup/screen an already-started process?
  83. In my /etc/hosts/ file on Linux/OSX, how do I do a wildcard subdomain?
  84. Shell command to monitor changes in a file
  85. Difference in sites-available vs sites-enabled vs conf.d directories (Nginx)?
  86. Disk full, du tells different. How to further investigate?
  87. Filename length limits on linux?
  88. best way to clear all iptables rules
  89. How can I rename a Unix user?
  90. How to re-order windows, change the scroll shortcut, and modify the status bar contents in GNU Screen?
  91. How to prevent a user from login in, but allow “su – user” in Linux?
  92. I have a keypair. How do I determine the key length?
  93. How to do the port forwarding from one ip to another ip in same network?
  94. Why drop caches in Linux?
  95. Linux – Is there a way to prevent/protect a file from being deleted even by root?
  96. swap partition vs file for performance?
  97. Best way to disable swap in Linux
  98. How to remove invalid characters from filenames?
  99. How can I zip/compress a symlink?
  100. How to find the physical volume(s) that hold a logical volume in LVM