Some of today’s malware is of the type that writes an infinite loop (or delayed process) into the server process and resides there.
Process-resident malware
Process-resident malware is a malware that resides in a server process as a delayed-processing program that executes in an infinite loop or with a time lag, and restores (reinfects) backdoors (entry points for hackers to hack) from the process even after the malware is removed.
Many servers do not have a mechanism to observe or stop such processes, making it difficult to remove the malware, and the malware may resurface even if you delete it.
How to get rid of process-resident malware?
Sakura Internet Server has a function to stop the display of processes. This feature can be accessed from the Server Panel, Server Status, Running Processes.
However, there are cases where malware processes do not appear here.
Stop process-resident malware on servers via program
To stop the activity of process-resident malware, it is necessary to stop the execution of PHP itself once.
By installing a PHP program and accessing and executing this instruction with a browser, it is possible to stop the malware process as well.
Save the code below as a text file with a .php extension, upload it to the server with FTP software, and access its URL with a browser to stop all PHP processes.
<?php
shell_exec("ps aux | grep -i php | awk {'print $2'} | xargs kill -9");
? >
Although we have confirmed that this works on several well-known servers, this code may not work in some cases or may cause some problems with the server. We are not responsible in such cases.
If you can stop the process, restore index.php and wp-config.php
Once you have stopped the malware process by the above methods, you need to immediately remove the malware itself that is running the process-resident malware.
This malware is generally contained in index.php or wp-config.php. The reason why this file contains the body of the malware is because it is the file that is executed each time a user accesses the site, so it will restart the malware on its own.
Log in to WordPress and inspect and remove the other malware as well.
After successfully removing the main body of the process-resident malware, examine the htaccess file for malicious code and remove it.
In many cases, this type of malware also writes code to the htaccess file that allows access only to specific files, preventing the use of the WordPress administration screen.
Once you have logged in to the WordPress administration screen, we will inspect and remove malware from the entire site.
By using our developed plug-ins, it is possible to scan and remove malware from all files on the site.
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
If you still have difficulty getting rid of the malware or keep getting re-infected, we recommend that you consult a specialist.
