Today I needed to upload some files (using SFTP + Filezilla) and had this:
Clearly it was infected: creation of several files, external calls and a change to header.php with code before the opening of the file. That's what I could find. Visually, and in the code generated for those who visit, nothing was changed (I made sure all caches were deleted).
I did a check and could not find any breakthrough: I do not use admin, only I have administrative access to the WP control panel, and I use iThemes with almost all modules active: Brute Force Protection, System and WordPress Tweaks and others. The database also does not have the wp_ prefix. And I always install plugins and themes from the repository (very few) or at most purchased from TeslaThemes.
On this server I have about 10 sites, all small businesses that receive a maximum of 50 visits/day. All of them are infected the same way. In some, even the .well-known folder contained an infected file (Kaspersky does not even let it open). And on all of them, the same security measures are taken.
Based on this, I thought that maybe the contamination had come from the server (I only access it by SSH [putty.org] with a password) and only from one machine, which I'm sure was not infected.
And I found the following infections:
chkrootkit
Searching for rootkit RH-Sharpe's default files... Possible RH-Sharpe rootkit installed:
/usr/bin/wp
and
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
rkhunter:
Rootkit checks...
[12:55:40] Rootkits checked : 307
[12:55:40] Possible rootkits: 1
[12:55:40] Rootkit names : RH-Sharpe's Rootkit
Found in wp archive
[12:54:52] Checking for RH-Sharpe's Rootkit...
[12:54:52] Checking for file '/bin/lps' [ Not found ]
[12:54:52] Checking for file '/usr/bin/lpstree' [ Not found ]
[12:54:52] Checking for file '/usr/bin/ltop' [ Not found ]
[12:54:52] Checking for file '/usr/bin/lkillall' [ Not found ]
[12:54:52] Checking for file '/usr/bin/ldu' [ Not found ]
[12:54:52] Checking for file '/usr/bin/lnetstat' [ Not found ]
[12:54:52] Checking for file '/usr/bin/wp' [ Found ]
[12:54:52] Checking for file '/usr/bin/shad' [ Not found ]
[12:54:52] Checking for file '/usr/bin/vadim' [ Not found ]
[12:54:52] Checking for file '/usr/bin/slice' [ Not found ]
[12:54:52] Checking for file '/usr/bin/cleaner' [ Not found ]
[12:54:52] Checking for file '/usr/include/rpcsvc/du' [ Not found ]
[12:54:52] Warning: RH-Sharpe's Rootkit [ Warning ]
[12:54:52] File '/usr/bin/wp' found
Based on all this, can anyone help me? Are these server files really infected or is it a false positive? Is there a way to delete these files? How can I find out how all this originated?
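A practical way to answer "is this a false positive" for the two paths the scanners named is to look at what actually sits at each path and whether the distribution's package manager still vouches for it. The script below is an added example written for this post; it is not from the original question and not part of chkrootkit or rkhunter. It assumes a Debian/Ubuntu (dpkg) or RHEL/CentOS (rpm) host; the only values taken from the page are the two flagged paths /usr/bin/wp and /sbin/init. The classification it prints is a starting point, not a verdict: a /usr/bin/wp that turns out to be a PHP script is consistent with a hand-installed WP-CLI, while a packaged /sbin/init that no longer verifies against its package deserves an offline forensic look.

```shell
#!/bin/sh
# Added triage helper (not from the original post): classify a path that chkrootkit
# or rkhunter flagged, then ask the package manager whether it owns the file and
# whether the installed copy still matches what the package shipped.

# Print what kind of file sits at $1: missing, elf, php, shell or other.
flagged_kind() {
    path="$1"
    [ -e "$path" ] || { echo missing; return 0; }
    # First four bytes as hex; 7f454c46 is the ELF magic number.
    magic=$(od -An -tx1 -N4 "$path" | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo elf; return 0
    fi
    first=$(head -n 1 "$path")
    case "$first" in
        *php*) echo php ;;       # "#!/usr/bin/env php" or "<?php": WP-CLI ships as a PHP phar
        '#!'*sh*) echo shell ;;  # "#!/bin/sh", "#!/bin/bash", ...
        *) echo other ;;
    esac
}

# Report which package (if any) claims $1 and whether the on-disk copy still
# verifies. "unowned" is itself informative: a hand-installed WP-CLI is unowned,
# but an unowned or modified /sbin/init is not something a package manager did.
package_status() {
    path="$1"
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
        [ -n "$pkg" ] || { echo unowned; return 0; }
        # dpkg --verify prints a line only for files whose checksum differs.
        if dpkg --verify "$pkg" 2>/dev/null | grep -q " $path\$"; then
            echo "modified ($pkg)"
        else
            echo "verified ($pkg)"
        fi
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$path" 2>/dev/null) || { echo unowned; return 0; }
        # rpm -V prints a line only for files that differ from the package.
        if rpm -V "$pkg" 2>/dev/null | grep -q " $path\$"; then
            echo "modified ($pkg)"
        else
            echo "verified ($pkg)"
        fi
    else
        echo unknown
    fi
}

# The two paths the scanner output above complained about.
for p in /usr/bin/wp /sbin/init; do
    # Show the symlink target too: on systemd hosts /sbin/init usually points elsewhere.
    target=$(readlink -f "$p" 2>/dev/null || echo "$p")
    printf '%s -> %s: kind=%s package=%s\n' \
        "$p" "$target" "$(flagged_kind "$target")" "$(package_status "$p")"
done
```

Run it as root on the affected server and read the two lines it prints. If /usr/bin/wp is a PHP script and /sbin/init verifies against its package, the rkhunter hit is the well-known name collision between WP-CLI and the RH-Sharpe file list, and rkhunter's `RTKT_FILE_WHITELIST` setting in rkhunter.conf exists for exactly that case; if /sbin/init shows as modified or unowned, stop trusting tools on that host and compare against a clean copy from the distribution's package rather than the running system.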