This section explains how to detect and stop malware that is resident in a process on a WordPress server.

What is process-resident malware?

Process-resident malware is a malicious program that runs continuously in the server's memory. Because it lives in memory, this type of malware often has no main program file left on the server.

The most common type of process-resident malware confirmed so far is one that repeatedly rewrites .htaccess and index.php, blocking login to the administration screen and reinfecting the site with other malicious programs.

A backdoor-type process-resident malware has also been confirmed: it keeps itself running as a process on the server so that an attacker can rewrite folders on the server simply by sending it data.

Such malware keeps itself alive by running commands like the following, typically in an infinite loop:

command /usr/local/php/7.4/bin/php /home/path to wordpress/lock666.php
command php /home/server user id folder/public_html/path to wordpress/d2a81c15

Instead of running PHP in response to a user request, the php command here executes the rogue program directly, and the program stays resident in memory. Because it keeps running from memory, many variants delete their own file on disk.
That is why this malware cannot be found no matter how many files on the server are scanned.

Detect and remove process-resident malware

Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]

Download, install and activate the WordPress: Malware Scan & Security Plug-in to view the list of potentially malicious processes and stop them.

WordPress admin > Malware Scan > Security tab > Scroll to the bottom of the screen

You can stop the malicious process from the Process Manager.

Please note that the function to detect and stop resident malware may not be available if certain commands are not allowed on the server side.

Cautions for Stopping Processes

The Process Manager mechanically lists every process that keeps running via a php command, so a process appearing here is not necessarily malicious.

Please be careful when working with this function, as it may cause server batch processing or other important processes to stop.

In our experience, the following kinds of processes are most likely to be malware:

The file the process is executing does not exist on the server.

The process has been running for a long time (more than a few hours), or has been observed repeatedly over a long period.

The command points to a path inside the WordPress core files, but no such file exists in WordPress core.

No file in WordPress core needs to be executed directly with the php command.

The file name the process is executing is a random, meaningless string, or it is the name of a common process-resident malware file, such as the following.

lock666.php, small.php, moon.php, wjsindex.php, wp-confiq.php (note: not wp-config.php)
and similar file names are often used by process-resident malware.
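The indicators listed above can be applied mechanically to a process listing. The following Python script is an added example, not part of the plugin or of the original article: it parses constructed `ps` output and reports which php processes hit which indicator. It assumes procps `ps -eo pid,etimes,args --no-headers` output, treats a basename made only of hex digits as a "random string", and limits the core-path check to wp-admin/ and wp-includes/ (all three are assumptions).

```python
import os
import re

# File names the article lists as common process-resident malware.
KNOWN_BAD_NAMES = {"lock666.php", "small.php", "moon.php", "wjsindex.php", "wp-confiq.php"}
# Assumption: a basename made only of hex digits (like "d2a81c15") counts as a random string.
RANDOM_NAME = re.compile(r"^[0-9a-f]{6,}$")
PHP_BINARY = re.compile(r"^php(\d+(\.\d+)*)?$")  # php, php7.4, php74 ...
CORE_DIRS = ("/wp-admin/", "/wp-includes/")  # assumption: core dirs never run via php directly
LONG_RUNNING_SECONDS = 3 * 3600  # the article's "more than a few hours"


def triage_php_processes(ps_lines, exists=os.path.exists, long_running=LONG_RUNNING_SECONDS):
    """Flag php processes in `ps -eo pid,etimes,args --no-headers` lines per the indicators
    above; `exists` is injectable so ps output captured on another host can be triaged."""
    flagged = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, etimes, argv = int(parts[0]), int(parts[1]), parts[2].split()
        if not argv or not PHP_BINARY.match(os.path.basename(argv[0])):
            continue
        scripts = [a for a in argv[1:] if not a.startswith("-")]  # first non-option arg
        if not scripts:
            continue
        script = scripts[0]
        name = os.path.basename(script)
        reasons = []
        if not exists(script):
            reasons.append("script file no longer exists on disk")
        if etimes > long_running:
            reasons.append(f"running for {etimes // 3600}h")
        if any(d in script for d in CORE_DIRS):
            reasons.append("direct php execution of a WordPress core path")
        if name in KNOWN_BAD_NAMES:
            reasons.append("known process-resident malware file name")
        elif RANDOM_NAME.match(name):
            reasons.append("random-looking file name")
        if reasons:
            flagged.append((pid, script, reasons))
    return flagged


# Constructed sample ps output modelled on the commands quoted in the article; only
# wp-cron.php is assumed to exist on the (fictional) host.
SAMPLE_PS = [
    "1234 86400 /usr/local/php/7.4/bin/php /home/example/public_html/lock666.php",
    "1235 120 php /home/example/public_html/d2a81c15",
    "1236 30 php /home/example/public_html/wp-cron.php",
]
SAMPLE_EXISTING = {"/home/example/public_html/wp-cron.php"}
```

Run it against the sample with `triage_php_processes(SAMPLE_PS, exists=SAMPLE_EXISTING.__contains__)`; on a live host call it with real `ps` lines and the default `exists`, and review each flagged entry by hand before stopping anything, as the caution above explains.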