File: /home/ukqcurpj/.bash_history
echo "=== INDEX.PHP FILE SIZES ==="
ls -lh ~/public_html/index.php ~/innovativegenerations.org/index.php ~/gmexperts.org/index.php
# Find files with eval(base64_decode) - CRITICAL MALWARE
echo ""
echo "=== SEARCHING FOR MALWARE SIGNATURES ==="
echo "1. Files with eval(base64_decode):"
echo "2. Files that write to index.php (REINFECTION SOURCE):"
grep -r "eval.*base64_decode" ~/public_html ~/innovativegenerations.org --include="*.php" -l 2>/dev/null | head -30
echo ""
grep -r "file_put_contents.*index\.php" ~/public_html ~/innovativegenerations.org --include="*.php" -l 2>/dev/null
echo ""
echo "3. Files with eval(\$_POST or \$_GET):"
grep -r "eval.*\$_\(POST\|GET\)" ~/public_html ~/innovativegenerations.org --include="*.php" -l 2>/dev/null | head -20
echo "4. Recently modified PHP files (last 7 days):"
echo ""
find ~/public_html ~/innovativegenerations.org -name "*.php" -mtime -7 -type f 2>/dev/null | head -30
clear
rm -f ~/innovativegenerations.org/wp-content/plugins/kirki/assets/assets/cache.php
rm -f ~/innovativegenerations.org/wp-includes/js/jquery/jquery/cache.php
rm -f ~/innovativegenerations.org/wp-admin/css/colors/light/light/cache.php
rm -rf ~/innovativegenerations.org/images/images
rm -rf ~/innovativegenerations.org/cgi-bin/cgi-bin
rm -rf ~/innovativegenerations.org/cpanel_official
find ~/innovativegenerations.org -name "cache.php" -type f 2>/dev/null
chmod 644 ~/public_html/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
EOF
chmod 644 ~/innovativegenerations.org/index.php
cp ~/public_html/index.php ~/innovativegenerations.org/index.php
clear
ls -lh ~/public_html/index.php ~/innovativegenerations.org/index.php ~/gmexperts.org/index.php
clear
cat > ~/public_html/index.php << 'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
EOF
cp ~/public_html/index.php ~/innovativegenerations.org/index.php
clear
cat > ~/public_html/index.php << 'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
EOF
clear
cat > ~/public_html/index.php << 'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
EOF
cp ~/public_html/index.php ~/innovativegenerations.org/index.php
cp ~/public_html/index.php ~/gmexperts.org/index.php
cp ~/public_html/index.php ~/innovativegenerations.org/index.php
clear
ls -lh ~/public_html/index.php ~/innovativegenerations.org/index.php ~/gmexperts.org/index.php
clear
ps auxf | grep php | grep -v grep
clear
pkill -f "lsphp:/home/ukqcurpj/gmexperts.org/index.php"
pkill -f "lsphp:/home/ukqcurpj/innovativegenerations.org/index.php"
pkill -f "lsphp:/home/ukqcurpj/public_html/index.php"
pkill -f "lsphp:qcurpj/innovativegenerations.org/wp-cron.php"
ps auxf | grep "lsphp.*index.php" | grep -v grep
cat > ~/public_html/index.php << 'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/public_html/index.php << 'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
clear
cat > ~/gmexperts.org/index.php << 'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/innovativegenerations.org/index.php << 'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
clear
head -50 ~/innovativegenerations.org/wp-cron.php
clear
ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
ps auxf | grep "lsphp.*index.php" | grep -v grep
clear
pkill -9 -f "lsphp.*index.php"
pkill -9 -f "lsphp.*wp-cron.php
pkill -9 -f "lsphp.*wp-cron.php"
chmod 644 ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
cat > ~/public_html/index.php << 'ENDOFFILE'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
clear
cat > ~/public_html/index.php << 'ENDOFFILE'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
clear
cat > ~/gmexperts.org/index.php << 'ENDOFFILE'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
clear
ps auxf | grep "lsphp.*index.php" | grep -v grep
clear
crontab -l
clear
find ~ -name ".user.ini" -o -name "php.ini" 2>/dev/null -exec echo "=== {} ===" \; -exec cat {} \;
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name ".htaccess" -exec echo "=== {} ===" \; -exec head -30 {} \; 2>/dev/null
clear
tail -100 ~/access-logs/* 2>/dev/null | grep "index.php" | tail -20
ps -o ppid,pid,cmd -C lsphp | grep "index.php" | head -10
grep "DB_NAME\|DB_USER\|DB_PASSWORD\|DB_HOST" ~/public_html/wp-config.php | grep -v "//"
clear
ps -f -p 3289750
ps auxf | grep -A 10 -B 2 "3289750"
ps auxf | grep "lsphp$" | grep -v grep
lsof -p 3289750 2>/dev/null | grep "\.php"
ps auxf | grep "^\S*\s*\S*\s*\S*\s*\S*\s*\S*\s*\S*\s*\S*\s*\S*\s*lsphp$"
clear
lsof -p 3289750 2>/dev/null | head -30
ls -la /proc/3289750/cwd 2>/dev/null
cat /proc/3289750/cmdline 2>/dev/null | tr '\0' ' ' && echo
lsof -p 3289750 -i 2>/dev/null
grep -r "auto_prepend\|auto_append" ~/public_html ~/gmexperts.org ~/innovativegenerations.org --include=".htaccess" --include=".user.ini" 2>/dev/null
tail -50 ~/access-logs/* 2>/dev/null | grep -E "GET|POST" | tail -20
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name ".user.ini" -exec echo "=== {} ===" \; -exec cat {} \;
ls -la ~/logs/ 2>/dev/null
clear
ls -la ~/logs/ 2>/dev/null
ls -la /usr/local/apache/domlogs/ 2>/dev/null | grep ukqc
head -100 ~/public_html/index.php
clear
chmod 644 ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php && mv ~/public_html/index.php ~/public_html/index.php.INFECTED && mv ~/gmexperts.org/index.php ~/gmexperts.org/index.php.INFECTED &&
mv ~/innovativegenerations.org/index.php ~/innovativegenerations.org/index.php.INFECTED && pkill -9 -f "lsphp.*index.php" && cat > ~/public_html/index.php << 'ENDOFFILE'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
cat > ~/gmexperts.org/index.php << 'ENDOFFILE'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
cat > ~/innovativegenerations.org/index.php << 'ENDOFFILE'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
ENDOFFILE
clear
ps auxf | grep "lsphp.*index.php" | grep -v grep
pkill -9 -f "lsphp"
ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
ls -lh ~/public_html/index.php.INFECTED ~/gmexperts.org/index.php.INFECTED ~/innovativegenerations.org/index.php.INFECTED
stat ~/gmexperts.org/index.php
rm -f ~/public_html/index.php.INFECTED ~/gmexperts.org/index.php.INFECTED ~/innovativegenerations.org/index.php.INFECTED
rm -f ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
pkill -9 -f "lsphp"
rm -f /home/ukqcurpj/innovativegenerations.org/wp-content/plugins/kirki/assets/assets/cache.php
rm -f /home/ukqcurpj/innovativegenerations.org/wp-includes/js/jquery/jquery/cache.php
rm -f /home/ukqcurpj/innovativegenerations.org/wp-admin/css/colors/light/light/cache.php
rm -f /home/ukqcurpj/innovativegenerations.org/images/images/images/images/cache.php
rm -f /home/ukqcurpj/innovativegenerations.org/cgi-bin/cgi-bin/cgi-bin/cache.php
rm -f /home/ukqcurpj/innovativegenerations.org/cpanel_official/cpanel_official/cpanel_official/cache.php
clear
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "cache.php" -type f -exec rm -f {} \;
clear
cat > ~/public_html/index.php << 'ENDOFFILE'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
cat > ~/gmexperts.org/index.php << 'ENDOFFILE'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
clear
grep -r "file_put_contents.*index\.php" ~/public_html ~/gmexperts.org ~/innovativegenerations.org --include="*.php" -l 2>/dev/null
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f -exec grep -l "eval.*base64_decode\|eval.*gzinflate\|eval.*str_rot13" {} \; 2>/dev/null
clear
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f -exec grep -l "eval.*base64_decode\|eval.*gzinflate\|eval.*str_rot13" {} \; 2>/dev/null
clear
free -mh
pkill -9 -f "lsphp"
clear
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f -exec grep -l "eval.*base64_decode\|eval.*gzinflate\|eval.*str_rot13" {} \; 2>/dev/null
clear
grep -l "eval.*base64" ~/public_html/wp-load.php ~/public_html/wp-config.php ~/public_html/wp-settings.php 2>/dev/nul
grep -l "eval.*base64" ~/public_html/wp-load.php ~/public_html/wp-config.php ~/public_html/wp-settings.php 2>/dev/null
grep -l "eval.*base64" ~/gmexperts.org/wp-load.php ~/gmexperts.org/wp-config.php ~/gmexperts.org/wp-settings.php 2>/dev/null
grep -l "eval.*base64" ~/innovativegenerations.org/wp-load.php ~/innovativegenerations.org/wp-config.php ~/innovativegenerations.org/wp-settings.php 2>/dev/null
find ~/public_html/wp-content -maxdepth 1 -name "*.php" -type f 2>/dev/null
find ~/gmexperts.org/wp-content -maxdepth 1 -name "*.php" -type f 2>/dev/null
find ~/innovativegenerations.org/wp-content -maxdepth 1 -name "*.php" -type f 2>/dev/null
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f -mmin -120 -ls 2>/dev/null
ls -la /home/ukqcurpj/innovativegenerations.org/wp-content/plugins/kirki/assets/assets/cache.php 2>/dev/null
ls -la /home/ukqcurpj/innovativegenerations.org/wp-includes/js/jquery/jquery/cache.php 2>/dev/null
lsof -u ukqcurpj -c lsphp 2>/dev/null | grep "\.php" | awk '{print $NF}' | sort -u | head -30
clear
cat ~/public_html/wp-admin/css/colors/ocean/.cache_m/judges.php
cat ~/public_html/wp-content/advanced-headers.php
cat ~/public_html/wp-content/advanced-cache.php
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -type d -name ".cache_m" -o -name ".*cache*" 2>/dev/null
ls -laR ~/public_html/wp-admin/css/colors/ocean/.cache_m/
clear
cat ~/public_html/wp-admin/css/colors/ocean/.cache_m/loading.php
cat ~/public_html/wp-admin/css/colors/ocean/.cache_m/format.php | head -50
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -type d -name ".*" ! -name ".well-known" 2>/dev/null
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f -mtime -7 2>/dev/null | wc -l
rm -rf ~/public_html/wp-admin/css/colors/ocean/.cache_m/
ls -la ~/public_html/wp-admin/css/colors/ocean/.cache_m/
clear
ls -la ~/public_html/.tmb/
ls -la ~/innovativegenerations.org/.tmb/
find ~/public_html/.tmb ~/innovativegenerations.org/.tmb -name "*.php" -type f 2>/dev/null
pkill -9 -f "lsphp"
ps auxf | grep "lsphp.*index.php" | grep -v grep
ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php 2>/dev/null
clear
grep -r "file_put_contents.*index\.php" ~/public_html ~/gmexperts.org ~/innovativegenerations.org --include="*.php" -l 2>/dev/null | head -20
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name ".*.php" -type f 2>/dev/null
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f 2>/dev/null | grep -v "wp-content/themes" | grep -v "wp-content/plugins" | grep -v "wp-admin" | grep -v "wp-includes" | head -30
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f -amin -5 2>/dev/null
ls -la ~/public_html/*.php | grep -v "index.php\|wp-"
ls -la ~/gmexperts.org/*.php | grep -v "index.php\|wp-"
ls -la ~/innovativegenerations.org/*.php | grep -v "index.php\|wp-"
clear
head -50 ~/public_html/phpblob/upload.php
head -50 ~/public_html/uploadimagefile/data.php
cat ~/public_html/.well-known/pki-validation/sending.php
ls -lad ~/public_html/phpblob ~/public_html/uploadimagefile
find ~/public_html/phpblob ~/public_html/uploadimagefile -type f -ls
clear
file ~/public_html/phpblob/phpblob/phpblob/mkv_6979a5ecefed9.zip
head -20 ~/public_html/phpblob/phpblob/index.php
cat ~/public_html/uploadimagefile/img/img/index.php
cat ~/public_html/phpblob/phpblob/phpblob/phpblob/phpblob/index.php
cat ~/public_html/phpblob/phpblob/.htaccess
clear
rm -rf ~/public_html/phpblob
rm -rf ~/public_html/uploadimagefile
rm -rf ~/public_html/.well-known/pki-validation/sending.php
ls -la ~/public_html/phpblob 2>/dev/null
ls -la ~/public_html/uploadimagefile 2>/dev/null
pkill -9 -f "lsphp"
sleep 10 && ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php 2>/dev/null
clear
date
ps auxf | grep "lsphp.*index.php" | grep -v grep
chmod 644 ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
rm -f ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
cat > ~/public_html/index.php << 'ENDOFFILE'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
cat > ~/gmexperts.org/index.php << 'ENDOFFILE'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
cat > ~/innovativegenerations.org/index.php << 'ENDOFFILE'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
ENDOFFILE
clear
ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
sleep 30 && ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
clear
strings ~/public_html/index.php | grep -o "^[a-zA-Z0-9]\{50,100\}$" | head -1
grep -r "shell_exec\|exec\|passthru\|system\|popen\|proc_open" ~/public_html ~/gmexperts.org ~/innovativegenerations.org --include="*.php" -l 2>/dev/null | grep -v "wp-content/plugins" | grep -v "wp-content/themes" | head -20
tail -50 ~/public_html/wp-config.php
tail -50 ~/gmexperts.org/wp-config.php
tail -50 ~/innovativegenerations.org/wp-config.php
tail -30 ~/public_html/wp-load.php
tail -30 ~/gmexperts.org/wp-load.php
tail -30 ~/innovativegenerations.org/wp-load.php
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f -mmin -10 2>/dev/null | grep -v "wp-content"
clear
cat > ~/public_html/.htaccess << 'ENDOFFILE'
# Temporary maintenance mode
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
ENDOFFILE
CLEAR
chmod 644 ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess 2>/dev/null
clear
chmod 644 ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess 2>/dev/null
cat > ~/public_html/.htaccess << 'EOF'
# Temporary maintenance mode
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
cat > ~/gmexperts.org/.htaccess << 'EOF'
# Temporary maintenance mode
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
cat > ~/innovativegenerations.org/.htaccess << 'EOF'
# Temporary maintenance mode
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
pkill -9 -f "lsphp"
chmod 644 ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
rm -f ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/gmexperts.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/innovativegenerations.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
sleep 30 && ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
clear
ps auxf | grep "lsphp.*index.php" | grep -v grep
find ~/innovativegenerations.org -name "cache.php" -type f 2>/dev/null -exec rm -f {} \;
find ~/public_html ~/gmexperts.org -name "cache.php" -type f 2>/dev/null
find ~/public_html ~/gmexperts.org ~/innovativegenerations.org -name "*.php" -type f -mtime -1 -size +20k 2>/dev/null | grep -v "wp-content" | head -10
mv ~/public_html/.htaccess ~/public_html/.htaccess.maintenance 2>/dev/null
mv ~/gmexperts.org/.htaccess ~/gmexperts.org/.htaccess.maintenance 2>/dev/null
mv ~/innovativegenerations.org/.htaccess ~/innovativegenerations.org/.htaccess.maintenance 2>/dev/null
ls -la ~/public_html/.htaccess* ~/gmexperts.org/.htaccess* ~/innovativegenerations.org/.htaccess* 2>/dev/null
watch -n 5 'ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php'
ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
clear
cat ~/public_html/.htaccess 2>/dev/null || echo "HTACCESS MISSING!"
cat > ~/public_html/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
crontab -l
ls -la /etc/cron.d/ 2>/dev/null
pkill -9 -f "lsphp"
chmod 644 ~/public_html/index.php
rm -f ~/public_html/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
ls -lh ~/public_html/index.php ~/public_html/.htaccess
lsof -u ukqcurpj 2>/dev/null | grep "\.php" | grep REG | head -20
clear
watch -n 2 'echo "=== HTACCESS ==="; ls -lh ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess 2>/dev/null; echo ""; echo "=== INDEX.PHP ==="; ls -lh ~/public_html/index.php
~/gmexperts.org/index.php ~/innovativegenerations.org/index.php'
cleear
clear
ls -lh ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
ls -lh ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess 2>/dev/null
sleep 30 && ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
ps auxf | grep "lsphp" | grep -v grep | head -10
clear
cat > ~/gmexperts.org/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
cat > ~/innovativegenerations.org/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
ls -lh ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess
sleep 60 && ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
cat ~/innovativegenerations.org/.htaccess.bk | head -20
clear
cat > ~/public_html/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
cat > ~/gmexperts.org/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
cat > ~/innovativegenerations.org/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
ls -lh ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess
echo "Monitoring for 2 minutes..."
for i in {1..24}; do echo "Check $i/24:"; ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php; sleep 5; done
clear
echo "=== public_html DB ==="
grep "DB_NAME\|DB_USER\|DB_PASSWORD" ~/public_html/wp-config.php | grep define
echo ""
echo "=== gmexperts.org DB ==="
grep "DB_NAME\|DB_USER\|DB_PASSWORD" ~/gmexperts.org/wp-config.php | grep define
echo ""
echo "=== innovativegenerations.org DB ==="
grep "DB_NAME\|DB_USER\|DB_PASSWORD" ~/innovativegenerations.org/wp-config.php | grep define
clear
mysql -u ukqcurpj_wp702 -p'CodeStudio@123_' ukqcurpj_wp702 -e "SELECT option_name FROM wp_options WHERE option_value LIKE '%eval%' OR option_value LIKE '%base64%' LIMIT 20;"
mysql -u ukqcurpj_wp702 -p'CodeStudio@123_' ukqcurpj_wp702 -e "SELECT option_value FROM wp_options WHERE option_name='active_plugins' LIMIT 1;" | head -50
clear
echo "=== Searching public_html database ==="
mysql -u ukqcurpj_wp702 -p'CodeStudio@123_' ukqcurpj_wp702 -e "SELECT option_name FROM wp_options WHERE option_value LIKE '%eval%' OR option_value LIKE '%base64%' LIMIT 20;"
mysql -u ukqcurpj_wp702 -p'CodeStudio@123_' ukqcurpj_wp702 -e "SELECT option_value FROM wp_options WHERE option_name='active_plugins' LIMIT 1;" | head -50
echo "=== Searching gmexperts.org database ==="
mysql -u ukqcurpj_gmexperts -p'ZUWJ3HtTG)%p' ukqcurpj_gmexperts -e "SELECT option_name FROM wp_options WHERE option_value LIKE '%eval%' OR option_value LIKE '%base64%' LIMIT 20;"
mysql -u ukqcurpj_gmexperts -p'ZUWJ3HtTG)%p' ukqcurpj_gmexperts -e "SELECT option_value FROM wp_options WHERE option_name='active_plugins' LIMIT 1;" | head -50
echo "=== Searching innovativegenerations.org database ==="
mysql -u ukqcurpj_wp_ig -p']5[73wb(SVk@-8Gp' ukqcurpj_wp_ig -e "SELECT option_name FROM wpig_options WHERE option_value LIKE '%eval%' OR option_value LIKE '%base64%' LIMIT 20;"
mysql -u ukqcurpj_wp_ig -p']5[73wb(SVk@-8Gp' ukqcurpj_wp_ig -e "SELECT option_value FROM wpig_options WHERE option_name='active_plugins' LIMIT 1;" | head -50
clear
ls -la ~/gmexperts.org/wp-content/plugins/ | grep -E "index_core|conditional-email|mp-to-facebook|users-simple"
rm -rf ~/gmexperts.org/wp-content/plugins/index_core
rm -rf ~/gmexperts.org/wp-content/plugins/conditional-email-for-for
rm -rf ~/gmexperts.org/wp-content/plugins/mp-to-facebook-for
rm -rf ~/gmexperts.org/wp-content/plugins/users-simple
mysql -u ukqcurpj_gmexperts -p'ZUWJ3HtTG)%p' ukqcurpj_gmexperts -e "UPDATE wp_options SET
option_value='a:12:{i:0;s:39:\"anps_theme_plugin/anps_theme_plugin.php\";i:1;s:47:\"auto-install-free-ssl/auto-install-free-ssl.php\";i:2;s:26:\"burst-statistics/burst.php\";i:3;s:33:\"complianz-gdpr/complianz-gpdr.php\";i:4;s:57:\
"complianz-terms-conditions/complianz-terms-conditions.php\";i:6;s:36:\"contact-form-7/wp-contact-form-7.php\";i:7;s:37:\"custom-scrollbar/custom-scrollbar.php\";i:8;s:32:\"duplicate-page/duplicatepage.php\";i:9;s:31:\"envato-marke
clear
mysql -u ukqcurpj_gmexperts -p'ZUWJ3HtTG)%p' ukqcurpj_gmexperts -e "UPDATE wp_options SET option_value='a:12:{i:0;s:39:\"anps_theme_plugin/anps_theme_plugin.php\";i:1;s:47:\"auto-install-free-ssl/auto-install-free-ssl.php\";i:2;s:26:\"burst-statistics/burst.php\";i:3;s:33:\"complianz-gdpr/complianz-gpdr.php\";i:4;s:57:\"complianz-terms-conditions/complianz-terms-conditions.php\";i:6;s:36:\"contact-form-7/wp-contact-form-7.php\";i:7;s:37:\"custom-scrollbar/custom-scrollbar.php\";i:8;s:32:\"duplicate-page/duplicatepage.php\";i:9;s:31:\"envato-market/envato-market.php\";i:11;s:27:\"js_composer/js_composer.php\";i:13;s:23:\"revslider/revslider.php\";i:15;s:27:\"woocommerce/woocommerce.php\";}' WHERE option_name='active_plugins';"
pkill -9 -f "lsphp"
chmod 644 ~/gmexperts.org/index.php
rm -f ~/gmexperts.org/index.php
cat > ~/gmexperts.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
ls -lh ~/gmexperts.org/index.php ~/public_html/index.php ~/innovativegenerations.org/index.php
sleep 30 && ls -lh ~/gmexperts.org/index.php ~/public_html/index.php ~/innovativegenerations.org/index.php
clear
ls -la ~/gmexperts.org/wp-content/plugins/ | grep -E "index_core|conditional|mp-to-facebook|users-simple"
ls ~/gmexperts.org/wp-content/plugins/
mysql -u ukqcurpj_gmexperts -p'ZUWJ3HtTG)%p' ukqcurpj_gmexperts -e "SELECT option_value FROM wp_options WHERE option_name='active_plugins';"
mysql -u ukqcurpj_gmexperts -p'ZUWJ3HtTG)%p' ukqcurpj_gmexperts -e "SELECT * FROM wp_options WHERE option_name LIKE '%hook%' OR option_name LIKE '%cron%' LIMIT 20;"
clear
echo "=== ACTIVE THEMES ==="
mysql -u ukqcurpj_gmexperts -p'ZUWJ3HtTG)%p' ukqcurpj_gmexperts -e "SELECT option_value FROM wp_options WHERE option_name='template' OR option_name='stylesheet';"
mysql -u ukqcurpj_wp702 -p'CodeStudio@123_' ukqcurpj_wp702 -e "SELECT option_value FROM wp_options WHERE option_name='template' OR option_name='stylesheet';"
mysql -u ukqcurpj_wp_ig -p']5[73wb(SVk@-8Gp' ukqcurpj_wp_ig -e "SELECT option_value FROM wpig_options WHERE option_name='template' OR option_name='stylesheet';"
echo "=== Checking gmexperts.org theme for malware ==="
find ~/gmexperts.org/wp-content/themes/ -name "*.php" -type f -exec grep -l "eval.*base64\|system.*base64\|exec.*base64" {} \; 2>/dev/null | head -10
echo "=== Checking public_html theme for malware ==="
find ~/public_html/wp-content/themes/ -name "*.php" -type f -exec grep -l "eval.*base64\|system.*base64\|exec.*base64" {} \; 2>/dev/null | head -10
echo "=== Checking innovativegenerations theme for malware ==="
find ~/innovativegenerations.org/wp-content/themes/ -name "*.php" -type f -exec grep -l "eval.*base64\|system.*base64\|exec.*base64" {} \; 2>/dev/null | head -10
clear
echo "=== MU-PLUGINS ==="
ls -la ~/public_html/wp-content/mu-plugins/ 2>/dev/null
ls -la ~/gmexperts.org/wp-content/mu-plugins/ 2>/dev/null
ls -la ~/innovativegenerations.org/wp-content/mu-plugins/ 2>/dev/null
echo "=== INFECTED INDEX.PHP CODE ==="
head -100 ~/public_html/index.php | strings | head -50
echo "=== CHECK WP-INCLUDES FOR MALWARE ==="
find ~/public_html/wp-includes -name "*.php" -type f -mtime -7 -size +50k 2>/dev/null | head -5
find ~/gmexperts.org/wp-includes -name "*.php" -type f -mtime -7 -size +50k 2>/dev/null | head -5
find ~/innovativegenerations.org/wp-includes -name "*.php" -type f -mtime -7 -size +50k 2>/dev/null | head -5
clear
cat > ~/public_html/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
cat > ~/gmexperts.org/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
cat > ~/innovativegenerations.org/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
chmod 644 ~/innovativegenerations.org/.htaccess
cat > ~/innovativegenerations.org/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
EOF
clear
pkill -9 -f "lsphp"
chmod 644 ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
rm -f ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
for site in ~/public_html ~/gmexperts.org ~/innovativegenerations.org; do
cat > $site/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
done
done
EOF
;
clear
for site in ~/public_html ~/gmexperts.org ~/innovativegenerations.org; do
cat > $site/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
done
done
clear
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/gmexperts.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/innovativegenerations.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
clear
ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
sleep 60 && ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
clear
cat > ~/public_html/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
cat > ~/gmexperts.org/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
cat > ~/innovativegenerations.org/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
clear
echo "Traffic restored. Monitoring for reinfection..."
for i in {1..36}; do echo "Check $i/36 ($(date +%H:%M:%S)):"; ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php | awk '{print $5, $6, $7, $9}'; sleep 5; done
clear
ls -la ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess
chmod 644 ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess 2>/dev/null
head -30 ~/innovativegenerations.org/.htaccess
clear
cat > ~/public_html/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
cat > ~/gmexperts.org/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
cat > ~/innovativegenerations.org/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
clear
ls -lh ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess
clear
echo "Monitoring started at $(date +%H:%M:%S)"
for i in {1..36}; do printf "Check %2d/36: " $i; ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php 2>/dev/null | awk '{printf "%s ", $5}'; echo ""; sleep 5; done
clear
cat > ~/public_html/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
EOF
cat > ~/gmexperts.org/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
EOF
cat > ~/innovativegenerations.org/.htaccess << 'EOF'
Order Deny,Allow
Deny from all
EOF
clear
echo "=== Searching for backdoor files ==="
find ~/public_html/wp-content/plugins -name "*.php" -size +5k -type f -exec grep -l "eval.*base64\|system\|exec\|passthru\|shell_exec" {} \; 2>/dev/null | head -20
find ~/gmexperts.org/wp-content/plugins -name "*.php" -size +5k -type f -exec grep -l "eval.*base64\|system\|exec\|passthru\|shell_exec" {} \; 2>/dev/null | head -20
find ~/innovativegenerations.org/wp-content/plugins -name "*.php" -size +5k -type f -exec grep -l "eval.*base64\|system\|exec\|passthru\|shell_exec" {} \; 2>/dev/null | head -20
clear
mv ~/public_html/wp-content/plugins ~/public_html/wp-content/plugins_DISABLED
mv ~/gmexperts.org/wp-content/plugins ~/gmexperts.org/wp-content/plugins_DISABLED
mv ~/innovativegenerations.org/wp-content/plugins ~/innovativegenerations.org/wp-content/plugins_DISABLED
pkill -9 -f "lsphp"
chmod 644 ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
rm -f ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/gmexperts.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/innovativegenerations.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
rm -f ~/public_html/.htaccess ~/gmexperts.org/.htaccess ~/innovativegenerations.org/.htaccess
clear
echo "Plugins disabled. Monitoring..."
for i in {1..12}; do printf "Check %2d/12: " $i; ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php 2>/dev/null | awk '{printf "%s ", $5}'; echo ""; sleep 5; done
clear
mysql -u ukqcurpj_wp702 -p'CodeStudio@123_' ukqcurpj_wp702 -e "SELECT option_value FROM wp_options WHERE option_name='template' OR option_name='stylesheet';"
find ~/public_html/wp-content/themes/twentytwentyfive -name "*.php" -type f -exec grep -l "eval.*base64\|base64_decode.*eval" {} \; 2>/dev/null
ls -laR ~/public_html/wp-content/themes/twentytwentyfive/ | grep -E "\.php$" | grep -v "\.php~"
find ~/public_html/wp-includes -name "*.php" -type f -size +100k -mtime -30 2>/dev/null
tail -50 ~/public_html/wp-settings.php
clear
tail -20 ~/public_html/wp-config.php
head -20 ~/public_html/wp-config.php
head -100 ~/public_html/wp-load.php | grep -A 5 -B 5 "eval\|base64"
cat ~/public_html/wp-content/mu-plugins/installatron_hide_status_test.php
find ~/public_html -maxdepth 1 -name "*.php" -type f -exec grep -l "eval.*base64\|base64.*eval" {} \; 2>/dev/null
clear
echo "L2hvbWUvdWtxY3VycGovcHVibGljX2h0bWwvd3AtaW5jbHVkZXMvVGV4dC9EaWZmL0VuZ2luZS9zc3BwcG9ycXNybi50dGY=" | base64 -d
ls -lh /home/ukqcurpj/public_html/wp-includes/Text/Diff/Engine/sssppporqsrn.ttf
head -50 /home/ukqcurpj/public_html/wp-includes/Text/Diff/Engine/sssppporqsrn.ttf
rm -f /home/ukqcurpj/public_html/wp-includes/Text/Diff/Engine/sssppporqsrn.ttf
tail -n +2 ~/public_html/wp-load.php > ~/public_html/wp-load.php.clean
mv ~/public_html/wp-load.php.clean ~/public_html/wp-load.php
head -10 ~/public_html/wp-load.php
pkill -9 -f "lsphp"
rm -f ~/public_html/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
sleep 10 && ls -lh ~/public_html/index.php
clear
chmod 644 ~/public_html/wp-load.php
sed '1d' ~/public_html/wp-load.php > ~/public_html/wp-load.php.new
mv ~/public_html/wp-load.php.new ~/public_html/wp-load.php
head -5 ~/public_html/wp-load.php
rm -f ~/public_html/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
clear
echo "Testing public_html after cleaning wp-load.php..."
for i in {1..12}; do printf "Check %2d/12: " $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
clear
echo "=== Scanning gmexperts.org plugins ==="
find ~/gmexperts.org/wp-content/plugins_DISABLED -name "*.php" -type f -exec grep -l "@include.*base64_decode\|eval.*base64_decode" {} \; 2>/dev/null | head -10
echo "=== Scanning innovativegenerations.org plugins ==="
find ~/innovativegenerations.org/wp-content/plugins_DISABLED -name "*.php" -type f -exec grep -l "@include.*base64_decode\|eval.*base64_decode" {} \; 2>/dev/null | head -10
echo "=== Checking for hidden malware files ==="
find ~/gmexperts.org/wp-content/plugins_DISABLED -name "*.ttf" -o -name "*.dat" -o -name "*.tmp" 2>/dev/null | head -10
find ~/innovativegenerations.org/wp-content/plugins_DISABLED -name "*.ttf" -o -name "*.dat" -o -name "*.tmp" 2>/dev/null | head -10
clear
mv ~/public_html/wp-content/plugins_DISABLED ~/public_html/wp-content/plugins
mv ~/gmexperts.org/wp-content/plugins_DISABLED ~/gmexperts.org/wp-content/plugins
mv ~/innovativegenerations.org/wp-content/plugins_DISABLED ~/innovativegenerations.org/wp-content/plugins
pkill -9 -f "lsphp"
rm -f ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/gmexperts.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/innovativegenerations.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/public_html/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
cp ~/public_html/.htaccess ~/gmexperts.org/.htaccess
cp ~/public_html/.htaccess ~/innovativegenerations.org/.htaccess
clear
echo "=== FINAL MONITORING - Traffic Enabled ==="
for i in {1..36}; do printf "Check %2d/36: " $i; ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php 2>/dev/null | awk '{printf "%s ", $5}'; echo ""; sleep 5; done
clear
head -5 ~/gmexperts.org/wp-load.php
head -5 ~/public_html/wp-load.php
chmod 644 ~/gmexperts.org/wp-load.php
sed '1d' ~/gmexperts.org/wp-load.php > ~/gmexperts.org/wp-load.php.new
mv ~/gmexperts.org/wp-load.php.new ~/gmexperts.org/wp-load.php
grep -r "@include.*base64_decode" ~/gmexperts.org/*.php 2>/dev/null | head -5
grep -r "@include.*base64_decode" ~/public_html/*.php 2>/dev/null | head -5
pkill -9 -f "lsphp"
rm -f ~/public_html/index.php ~/gmexperts.org/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
cat > ~/gmexperts.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
clear
for i in {1..12}; do printf "Check %2d/12: " $i; ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php 2>/dev/null | awk '{printf "%s ", $5}'; echo ""; sleep 5; done
clear
echo "=== Searching gmexperts.org root files ==="
find ~/gmexperts.org -maxdepth 1 -name "*.php" -type f -exec grep -H "@include.*base64\|eval.*base64" {} \; 2>/dev/null
head -20 ~/gmexperts.org/wp-config.php | grep -i "base64\|eval\|include"
for file in ~/gmexperts.org/wp-*.php; do echo "=== Checking $file ==="; head -3 "$file" | grep -i "base64\|eval\|@include"; done
find ~/gmexperts.org/wp-includes -name "*.php" -type f -exec grep -l "@include.*base64_decode" {} \; 2>/dev/null | head -5
clear
echo "=== general-template.php ==="
head -3 ~/gmexperts.org/wp-includes/general-template.php
echo "=== cron.php ==="
head -3 ~/gmexperts.org/wp-includes/cron.php
head -3 ~/gmexperts.org/wp-includes/template-loader.php
head -3 ~/gmexperts.org/wp-includes/plugin.php
chmod 644 ~/gmexperts.org/wp-includes/general-template.php ~/gmexperts.org/wp-includes/cron.php ~/gmexperts.org/wp-includes/template-loader.php ~/gmexperts.org/wp-includes/plugin.php
sed -i '1d' ~/gmexperts.org/wp-includes/general-template.php
sed -i '1d' ~/gmexperts.org/wp-includes/cron.php
sed -i '1d' ~/gmexperts.org/wp-includes/template-loader.php
sed -i '1d' ~/gmexperts.org/wp-includes/plugin.php
head -2 ~/gmexperts.org/wp-includes/general-template.php
clear
rm -f /home/ukqcurpj/gmexperts.org/wp-includes/blocks/cover/style-rel.css
rm -f /home/ukqcurpj/gmexperts.org/wp-includes/Text/Diff/Engine/pponpnoq.ttf
rm -f /home/ukqcurpj/gmexperts.org/wp-includes/images/w-ccbacabd.gif
pkill -9 -f "lsphp"
rm -f ~/gmexperts.org/index.php
cat > ~/gmexperts.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
clear
echo "=== FINAL TEST - All Sites Clean ==="
for i in {1..36}; do printf "Check %2d/36 (%s): " $i "$(date +%H:%M:%S)"; ls -lh ~/public_html/index.php ~/gmexperts.org/index.php ~/innovativegenerations.org/index.php 2>/dev/null | awk '{printf "%s ", $5}'; echo ""; sleep 5; done
clear
cat > ~/gmexperts.org/.htaccess << 'EOF'
# Site temporarily disabled for maintenance
Order Deny,Allow
Deny from all
EOF
cat > ~/gmexperts.org/index.php << 'EOF'
<!DOCTYPE html>
<html>
<head>
<title>Site Under Maintenance</title>
<style>
body { font-family: Arial, sans-serif; text-align: center; padding: 50px; }
h1 { color: #333; }
</style>
</head>
<body>
<h1>Site Under Maintenance</h1>
<p>This website is temporarily offline for maintenance.</p>
</body>
</html>
EOF
pkill -9 -f "lsphp"
clear
echo "=== Testing public_html (ukqc.co.uk) and innovativegenerations.org ==="
for i in {1..36}; do printf "Check %2d/36: public_html=" $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{printf "%s", $5}'; printf " | innovativegenerations="; ls -lh ~/innovativegenerations.org/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
clear
find ~/innovativegenerations.org -maxdepth 1 -name "*.php" -type f -exec grep -H "@include.*base64\|eval.*base64" {} \; 2>/dev/null
find ~/innovativegenerations.org/wp-includes -name "*.php" -type f -exec grep -l "@include.*base64_decode" {} \; 2>/dev/null | head -10
head -5 ~/innovativegenerations.org/wp-load.php
clear
chmod 644 ~/innovativegenerations.org/wp-load.php
sed -i '1d' ~/innovativegenerations.org/wp-load.php
chmod 644 ~/innovativegenerations.org/wp-includes/general-template.php
chmod 644 ~/innovativegenerations.org/wp-includes/functions.php
chmod 644 ~/innovativegenerations.org/wp-includes/cron.php
chmod 644 ~/innovativegenerations.org/wp-includes/template-loader.php
chmod 644 ~/innovativegenerations.org/wp-includes/plugin.php
sed -i '1d' ~/innovativegenerations.org/wp-includes/general-template.php
sed -i '1d' ~/innovativegenerations.org/wp-includes/functions.php
sed -i '1d' ~/innovativegenerations.org/wp-includes/cron.php
sed -i '1d' ~/innovativegenerations.org/wp-includes/template-loader.php
sed -i '1d' ~/innovativegenerations.org/wp-includes/plugin.php
find ~/innovativegenerations.org/wp-includes -name "*.ttf" -path "*/Text/Diff/Engine/*" -delete
find ~/innovativegenerations.org/wp-includes -name "*.gif" -path "*/images/*" -size +1k -delete
find ~/innovativegenerations.org/wp-includes -name "*.css" -path "*/blocks/cover/*" -size +1k -delete
pkill -9 -f "lsphp"
rm -f ~/innovativegenerations.org/index.php
cat > ~/innovativegenerations.org/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
clear
echo "=== FINAL TEST ==="
for i in {1..24}; do printf "Check %2d/24: ukqc=" $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{printf "%s", $5}'; printf " | innovativegen="; ls -lh ~/innovativegenerations.org/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
clear
for i in {1..24}; do printf "Check %2d/24: ukqc=" $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{printf "%s", $5}'; printf " | innovativegen="; ls -lh ~/innovativegenerations.org/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
sed -n '875,885p' ~/public_html/wp-includes/load.php
clear
sed -n '875,885p' ~/public_html/wp-includes/load.php
head -3 ~/public_html/wp-includes/load.php
ls -lh ~/public_html/wp-content/object-cache.php ~/public_html/wp-content/advanced-cache.php 2>/dev/null
grep -i "cache\|WP_CACHE" ~/public_html/wp-config.php
grep -r "wp-includes/cache.php" ~/public_html/wp-content/plugins --include="*.php" 2>/dev/null | head -5
clear
grep "wp_version = " ~/public_html/wp-includes/version.php
clear
for i in {1..24}; do printf "Check %2d/24: ukqc=" $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{printf "%s", $5}'; printf " | innovativegen="; ls -lh ~/innovativegenerations.org/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
clear
head -3 ~/public_html/wp-load.php
find ~/public_html/wp-includes -name "*.php" -type f -exec grep -l "@include.*base64_decode\|<?php @include base64" {} \; 2>/dev/null
find ~/public_html -name "*.php" -type f -mmin -30 2>/dev/null | head -20
find ~/public_html/wp-includes -name ".*php" -type f 2>/dev/null
clear
chmod 644 ~/public_html/wp-includes/general-template.php
chmod 644 ~/public_html/wp-includes/functions.php
chmod 644 ~/public_html/wp-includes/cron.php
chmod 644 ~/public_html/wp-includes/template-loader.php
chmod 644 ~/public_html/wp-includes/plugin.php
sed -i '1d' ~/public_html/wp-includes/general-template.php
sed -i '1d' ~/public_html/wp-includes/functions.php
sed -i '1d' ~/public_html/wp-includes/cron.php
sed -i '1d' ~/public_html/wp-includes/template-loader.php
sed -i '1d' ~/public_html/wp-includes/plugin.php
head -2 ~/public_html/wp-includes/general-template.php
head -2 ~/public_html/wp-includes/functions.php
find ~/public_html/wp-includes -name "*.ttf" -path "*/Text/Diff/Engine/*" -delete
find ~/public_html/wp-includes -name "*.gif" -path "*/images/*" -size +1k -delete
pkill -9 -f "lsphp"
rm -f ~/public_html/index.php
cat > ~/public_html/index.php << 'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
rm -f ~/public_html/.htaccess
clear
echo "=== Testing ukqc.co.uk ==="
for i in {1..24}; do printf "Check %2d/24: " $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
clear
for i in {1..24}; do printf "Check %2d/24: " $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
clear
for i in {1..24}; do printf "Check %2d/24: ukqc=" $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{printf "%s", $5}'; printf " | innovativegen="; ls -lh ~/innovativegenerations.org/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
clear
php -l ~/innovativegenerations.org/index.php
php -l ~/innovativegenerations.org/wp-load.php
php -l ~/innovativegenerations.org/wp-includes/plugin.php
cat ~/innovativegenerations.org/index.php
tail -50 ~/innovativegenerations.org/error_log 2>/dev/null || tail -50 ~/.php.error.log 2>/dev/null
clear
for i in {1..24}; do printf "Check %2d/24: ukqc=" $i; ls -lh ~/public_html/index.php 2>/dev/null | awk '{printf "%s", $5}'; printf " | innovativegen="; ls -lh ~/innovativegenerations.org/index.php 2>/dev/null | awk '{print $5}'; sleep 5; done
clear
ls ~/public_html/wp-content/plugins/ | grep -i "seo\|sitemap\|yoast\|rank"
ls -lh ~/public_html/wp-content/plugins/woocommerce/packages/action-scheduler/classes/abstracts/ActionScheduler_Abstract_Schedule.php
grep "Version:" ~/public_html/wp-content/plugins/woocommerce/woocommerce.php
clear
ls -lh ~/public_html/wp-admin/includes/plugin-install.php
ls -lhd ~/public_html/wp-admin
cat ~/public_html/wp-admin/.htaccess 2>/dev/null
head -3 ~/public_html/wp-admin/includes/plugin-install.php
grep -i "@include.*base64\|eval.*base64" ~/public_html/wp-admin/includes/plugin-install.php
chmod 644 ~/public_html/wp-admin/includes/plugin-install.php
chmod 755 ~/public_html/wp-admin
chmod 755 ~/public_html/wp-admin/includes
tail -50 ~/public_html/error_log 2>/dev/null | grep -i "403\|forbidden\|modsec"
clear
rm ~/public_html/wp-admin/.htaccess
cat > ~/public_html/wp-admin/.htaccess << 'EOF'
# Deny access to all files in this directory
<Files *>
Order Deny,Allow
Deny from all
</Files>
<Files admin-ajax.php>
Order Allow,Deny
Allow from all
Satisfy any
</Files>
EOF
chmod 644 public_html/wp-admin/.htaccess
cat > ~/public_html/wp-admin/.htaccess << 'EOF'
# Deny access to all files in this directory
<Files *>
Order Deny,Allow
Deny from all
</Files>
<Files admin-ajax.php>
Order Allow,Deny
Allow from all
Satisfy any
</Files>
EOF
curl -I https://ukqc.co.uk/wp-admin/plugin-install.php 2>/dev/null | head -3
clear
tail -20 ~/logs/ukqc.co.uk-ssl_log-Mar-2026.gz 2>/dev/null | zcat | grep "plugin-install" || tail -20 /var/log/apache2/error.log 2>/dev/null | grep "403"
clear
tail -50 ~/logs/ukqc.co.uk-ssl_log-Mar-2026 2>/dev/null | grep "plugin-install"
tail -100 ~/logs/ukqc.co.uk-ssl_log-Mar-2026 2>/dev/null | grep "403"
tail -50 ~/public_html/error_log 2>/dev/null | tail -20
curl -s https://ukqc.co.uk/wp-admin/plugin-install.php 2>&1 | head -30
ls -la ~/public_html/.htaccess
ls -la ~/public_html/wp-admin/.htaccess
clear
cat ~/public_html/wp-admin/.htaccess
cat ~/public_html/.htaccess
ls ~/public_html/wp-content/plugins/woocommerce/packages/action-scheduler/classes/abstracts/ | head -10
ls -lh ~/public_html/wp-content/plugins/woocommerce/packages/action-scheduler/classes/abstracts/ActionScheduler_Schedule_Deprecated.php
clear
rm ~/public_html/wp-admin/.htaccess
curl -s "https://raw.githubusercontent.com/woocommerce/action-scheduler/master/classes/abstracts/ActionScheduler_Schedule_Deprecated.php" -o
~/public_html/wp-content/plugins/woocommerce/packages/action-scheduler/classes/abstracts/ActionScheduler_Schedule_Deprecated.php
clear
curl -s "https://raw.githubusercontent.com/woocommerce/action-scheduler/master/classes/abstracts/ActionScheduler_Schedule_Deprecated.php" -o ~/public_html/wp-content/plugins/woocommerce/packages/action-scheduler/classes/abstracts/ActionScheduler_Schedule_Deprecated.php
ls -lh ~/public_html/wp-content/plugins/woocommerce/packages/action-scheduler/classes/abstracts/ActionScheduler_Schedule_Deprecated.php
ls -lh ~/public_html/wp-content/plugins/woocommerce/packages/action-scheduler/classes/abstracts/ActionScheduler_Abstract_Schedule.php
curl -I https://ukqc.co.uk 2>/dev/null | head -1
curl -I https://ukqc.co.uk/wp-admin/plugins.php 2>/dev/null | head -1