
Recently my WordPress site got hacked, and I solved it by reinstalling the backup version of the wp-content folder and also running and repairing the Wordfence plugin on the site. But my website is showing a 500 error, and I found the problem was with the aws-autoloader.php file. This aws-autoloader.php is replaced with an aws-autoloader.php suspected file, because of which the site is not loading:

/var/www/html/wp-content/plugins/amazon-web-services/vendor/aws/aws-autoloader.php

The file is getting renamed to aws-autoloader.php.suspected.

Any suggestions or opinions on how to fix this issue?

Sergey Kovalev
Zammuuz
  • How about renaming the file from "/var/www/html/wp-content/plugins/amazon-web-services/vendor/aws/aws-autoloader.php.suspected" to "/var/www/html/wp-content/plugins/amazon-web-services/vendor/aws/aws-autoloader.php"? – floverdevel Apr 24 '18 at 11:13
  • Have you opened the file to check the contents? Compare the contents of both the files and see what you get. – Varun Chandak Apr 24 '18 at 11:18
  • @floverdevel: Hi, that is the solution which I am doing, but it keeps changing the filename after some hours or days. I need a permanent fix for this. Do you have any idea? – Zammuuz Apr 25 '18 at 02:29
  • @kintuparantu: I didn't check that, but I deleted the renamed file and uploaded a copy from a new fresh plugin. But somehow that also keeps changing. – Zammuuz Apr 25 '18 at 02:31
  • @Zammuuz How about comparing the file which you are uploading? Maybe that is already infected? – Varun Chandak Apr 25 '18 at 06:09
  • @kintuparantu: I downloaded the plugin again from WordPress, extracted it and uploaded it to my website. Again the same file got renamed. – Zammuuz Apr 25 '18 at 06:33

1 Answer


I think this is the result of someone running a vigilante malware cleaner on your web site.

I'd look for a web shell somewhere in your WordPress installation. I wish there was a simple way to look for web shells, but there's not. If you have access to Apache's access_log files, see what URLs are invoked about the time of the file name change. Look at those files with a text editor to see if some stray PHP exists. The malware cleaner I got would also mark most web shell installations as ".suspected", so they may be installed in unique ways.
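
The access_log check suggested in the answer above can be scripted. The following is an added example, not part of the original answer: it lists the PHP URLs requested within a few minutes of the rename. The function name `requests_near`, the log lines, the IP addresses and the rename time are all constructed for illustration, and the Apache common/combined log format is assumed.

```python
import re
from datetime import datetime, timedelta, timezone

# Prefix of the Apache common/combined format (assumed):
# host ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def requests_near(log_lines, event_time, window_minutes=5):
    """Return (time, ip, method, path, status) for every PHP request
    logged within window_minutes of event_time (timezone-aware)."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format, skip it
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # drop the query string
        if abs(ts - event_time) <= window and path.endswith(".php"):
            hits.append((ts, m["ip"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Apr/2018:02:50:11 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/Apr/2018:03:13:58 +0000] '
    '"POST /wp-content/uploads/2018/04/cache.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [25/Apr/2018:03:14:30 +0000] '
    '"GET /wp-content/themes/x/style.css HTTP/1.1" 200 900',
    '203.0.113.9 - - [25/Apr/2018:03:15:02 +0000] "GET /wp-login.php?action=x HTTP/1.1" 200 2100',
]

if __name__ == "__main__":
    # Constructed rename time; on a server it would come from the
    # renamed file, e.g. os.stat(path).st_ctime (assumes the rename
    # updated the file's change time).
    rename_time = datetime(2018, 4, 25, 3, 14, 0, tzinfo=timezone.utc)
    for hit in requests_near(SAMPLE_LOG, rename_time):
        print(*hit)
```

Each path it reports is a file to open in a text editor, as the answer describes; a POST to a PHP file under an uploads directory is the kind of entry to read first.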