Live Chat

Domain Scan

(empty)

Login


Repeated Malware Infections in Hosting Accounts: Causes and Permanent Solutions
(05-mar-2025)

Repeated Malware Infections in Hosting Accounts - Causes and Permanent Solutions

Many website owners face a frustrating issue: malware infections keep coming back even after cleaning up the infected files. If you've ever removed malware from your hosting account, changed passwords, and thought your site was secure-only to see it get infected again-you're not alone.
In some cases, this recurring infection happens immediately after logging in to the hosting account. Unauthorized logins appear in cPanel records, and the malware structure remains the same within that hosting account, though it differs from account to account. This points to a deeper issue: compromised credentials or an infected local device.

How to Identify If Your Hosting Account Is Infected

If your website is behaving strangely, you might be dealing with a malware infection. Here are key indicators:

  1. Unauthorized Logins to Your cPanel or FTP

    • Check your cPanel login history for unknown IP addresses.
    • If you notice logins from locations you don't recognize, it could mean someone else is accessing your account.

  2. Unexpected or Suspicious Files in Your Account

    • Look for new folders and files in public_html that you didn't create.
    • Malware often places files in nested directories to remain hidden.
    • Example: Randomly named folders such as secussl/infos/portail/F004f19441/ containing unfamiliar .php scripts.

  3. Website Redirecting or Showing Malicious Content

    • If your website redirects visitors to unknown sites, it's a strong sign of malware.
    • Some infections display fake ads, pop-ups, or phishing pages.

  4. Google Flagging Your Website as Unsafe

    • If visitors see a red warning page from Google, your site has been blacklisted due to malware.
    • Use Google Search Console to check for security issues.

  5. Unusual Email Activity from Your Domain

    • If you're getting reports that emails from your domain are marked as spam, malware may be using your account to send phishing emails.

How Does the Malware Keep Coming Back?

If you clean your hosting account but the infection returns, here's why:

  1. Your Local Device Might Be Infected

    • Malware such as keyloggers or Remote Access Trojans (RATs) can steal your cPanel, FTP, or CMS credentials.
    • If your computer is infected, attackers will keep regaining access-even after password changes.

  2. Stolen Credentials Are Used for Repeated Access

    • The attacker logs into your cPanel or FTP using stolen passwords.
    • They re-upload malware files to the same folders every time you log in.
    • This is why the infection follows the same pattern in your account.

  3. Auto-Executing Scripts Keep Reinfecting the Account

    • Some malware plants a backdoor that triggers infections when you access certain areas of your website or cPanel.
    • If you notice the same files appearing repeatedly, this could be the cause.

How to Permanently Remove Malware and Secure Your Account

Step 1: Scan and Clean Your Local Device

Since malware may have stolen your credentials, securing your personal device is the first step:
  • Run a full antivirus scan using:
    • - Windows Defender (Windows Security)
    - Malwarebytes (recommended for keyloggers and trojans)
    - ESET or Kaspersky (for advanced detection)
  • Remove any detected threats and restart your device.

Step 2: Change All Your Hosting Passwords

  • Reset cPanel, FTP, CMS admin, and database passwords.
  • Use a strong, unique password for each service.
  • Avoid reusing old passwords.
  • Enable Two-Factor Authentication (2FA) on your cPanel or CMS for extra protection.

Step 3: Identify and Remove Malware Files

  • Manually check your public_html directory for unknown folders and files.
  • Remove any suspicious .php scripts, especially in deeply nested folders.
  • If you're unsure, ask your hosting provider to perform a malware scan.

Step 4: Review Your cPanel and FTP Logs

  • Look at recent login activity in your cPanel.
  • If you see logins from unrecognized locations, consider blocking those IPs.

Step 5: Secure Your Website Software

  • If you're using WordPress or another CMS:
    • - Update all plugins, themes, and core files.
    - Delete unused plugins and themes.
    - Install a security plugin like Wordfence (for WordPress users) to monitor threats.

Step 6: Request Google to Remove Blacklist Warnings

  • Once malware is removed, use Google Search Console to submit a Request for Review.
  • Google will scan your site and remove the red warning once it's confirmed clean.

Final Thoughts

If your hosting account is repeatedly infected, the most likely cause is a compromised local device or stolen credentials. Simply cleaning the infected files isn't enough-you must secure your computer, reset all passwords, and regularly monitor your hosting account. By following these steps, you can permanently eliminate malware and prevent future attacks. Keeping your device clean and your credentials secure is the key to maintaining a safe website.

Stay vigilant, and always prioritize security!


Written by: Register.lk Systems Hero - Lakshani


Related Articles

How to Remove the Dangerous Site Warning on Your Website
How to Remove the "Dangerous Site" Warning on Your Website
How to Protect Your Webmail with Two-Factor Authentication
How to Protect Your Webmail with Two-Factor Authentication
How to Secure Your WordPress Website with Two-Factor Authentication
How to Secure Your WordPress Website with Two-Factor Authentication
Why You Should Not Use Unauthorized WordPress Plugins and Themes
Why You Should Not Use Unauthorized WordPress Plugins and Themes
BACK 2 BLOG