GOTMLS identified wp-tmp as a problem containing an ad injection script and offered a fix. However, it did not identify one of the underlying issues that kept rewriting wp-tmp.php which was in the template functions.php; I’ve included the code at the end of this entry.
I removed that from functions.php but it seems as though there is other code somewhere that I have yet to locate that is rewriting that functions.php code.
If anyone has run across this before I’d love to hear from you.
-
This topic was modified 6 years, 8 months ago by Anti-Malware Admin. Reason: Malicious code removed
I removed the malicious code that you posted here because of all the malicious links in it. Plus, it was reformatted for the forum and missing the PHP brackets and other content that was in that file so it was not very useful to me. I could tell that it was very like the code I would have expected in your functions.php file and that is already in my definitions so I am not sure why it was not found on your system. It would help me if you could email me that infected file directly so that I can check it and update my definitions if needed.
My issue turned out to be a whole stack of false PNG files in the Upload area that contained @eval statements. When I cleaned out wp-tmp.php and functions.php from my template the @eval statements were allowing script injection. If you can’t get your website clean using this plugin then delete all of the file types from the filter so that it can see into PNG, JPG, etc files. I haven’t found the initial entry point yet but I’m assuming it was a plugin.