@unculturedswine
Last active December 7, 2023 20:18
## Potentially (Hopefully!) block the .*.ico malware that keeps infecting everything
## Those files contain malicious PHP that injects all sorts of garbage all around the server
## To see if you have any hidden .ico files, run this command: find / -name ".*.ico" -print
## This command will search the full server
## The files are hidden (dot-prefixed) and look something like .u834R9u4.ico
## Ultimately these will create random themes and/or plugins in your site folders that send spam
## This is easy to remove (just delete) but it's a PITA as they just keep coming back within days
## If you'd like to bulk delete them all, run this command: find /var/www -name ".*.ico" -print0 | xargs -0 rm
## This command will search only the /var/www folder and its sub-folders
## Add this snippet to /etc/nginx/common/locations-wo.conf to *potentially* stop these files from doing anything
## It'll deny requests for all .ico files except favicon.ico (note: .ico names are hidden dotfiles, so the rule is deliberately broad)
location ~* ^/(?!favicon\.ico$).*\.ico$ {
    deny all;
    access_log off;
    log_not_found off;
}
## I'm running NGINX, so there's no need for .htaccess files, and yet these also appear
## So let's throw this in for good measure
location ~* /\.htaccess {
    deny all;
    access_log off;
    log_not_found off;
}
## Found malicious code in a .oti file, whatever that is
location ~* \.oti$ {
    deny all;
    access_log off;
    log_not_found off;
}
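The find commands above list every hidden .ico file, but deleting blindly removes genuine icons too, and the nginx deny rule only stops direct HTTP requests for those files; it does nothing if another injected PHP file includes them locally. The script below is an added example, not part of the gist, that scans a web root for hidden .ico files and reports only those containing a PHP open tag, so the hits can be reviewed (and then removed) on a schedule. It assumes a POSIX shell with find, grep, printf and mktemp; the sample tree it builds is constructed here for illustration, and the file name .u834R9u4.ico is the one quoted in the gist.

```shell
#!/bin/sh
# Added example (not from the gist): locate hidden "*.ico" files under a web
# root and report the ones that are really PHP rather than icon images.
# Assumes POSIX find/grep/printf/mktemp; grep -a (treat binary as text) is a
# GNU/BSD extension that is present on any normal Linux host.

# Print, one per line, every hidden .ico file under $1 whose contents hold
# a PHP open tag. A real icon begins with the bytes 00 00 01 00 and never
# contains "<?php", so genuine icons are not reported.
find_php_icos() {
    root="$1"
    find "$root" -name '.*.ico' -type f -print 2>/dev/null | while IFS= read -r f; do
        if LC_ALL=C grep -q -a -i '<?php' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of suspicious files, handy for a cron job that alerts when > 0.
count_php_icos() {
    find_php_icos "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree and print its path. Contains one genuine
# favicon, one hidden genuine icon, and one hidden "icon" that is PHP.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    # Legitimate icon: ICO header bytes (constructed, 4 bytes only)
    printf '\000\000\001\000' > "$tmp/favicon.ico"
    # Hidden genuine icon: must NOT be reported
    printf '\000\000\001\000' > "$tmp/wp-content/.real.ico"
    # Hidden file named like an icon but holding harmless placeholder PHP
    printf '<?php echo "placeholder"; ?>\n' > "$tmp/wp-content/uploads/.u834R9u4.ico"
    printf '%s\n' "$tmp"
}

# Stand-alone run: scan the sample tree, show the hits, then clean up.
demo() {
    d=$(make_sample_tree)
    echo "Suspicious hidden .ico files under $d:"
    find_php_icos "$d"
    echo "Total: $(count_php_icos "$d")"
    rm -rf "$d"
}

demo
```

To use it on a real host, call `find_php_icos /var/www` instead of the demo; review each hit before deleting, and treat any hit as a sign that the file which includes it (often a modified index.php or wp-config.php) still needs to be found, which is what the linked Medium article walks through.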
@unculturedswine
Author

I've been running Easy Engine and WordOps servers for many years. Without fail, before too long, I start to get malware files scattered around. Drives me BONKERS. I've done some investigation and there isn't really any solution that I've found yet, but today I realized that if the .ico file contains malicious PHP inside, then I just need to block the .ico file.

@unculturedswine
Author

This article is much more thorough for hunting down all the malicious files: https://medium.com/@mtoydev/cleaning-an-infected-wordpress-website-ico-virus-3f2e67d681bf
