I cleaned my Wordpress site but the malware came back!

Malware and trojans return after cleaning Wordpress site!

While remediating an appliance distributor's (who shall remain nameless) websites from the SoakSoak exploit, the site owner complained about malware "coming back" after being cleaned over-and-over by the former service provider. I logged into their InMotion Hosting control panel where I was greeted with a warning that there was a potential man-in-the-middle attack due to an expired certificate! Then I got another warning that their version of MySQL was obsolete and needed to be upgraded. Digging deeper, I found a variety of user accounts in both the application and the database that had the signature of a hacker - not totally random, but cryptic and/or occasionally named to sound official, like "system account" and such. I'm not sure how InMotion Hosting's certificates were invalid, but once I saw warnings about the host themselves and the back-door, system-wide user accounts I figured it was time to get the hell out of there.


Subscribe to RSS - Certificates