Thank you. That makes a lot more sense now
Hi there,
My site has Wordfence and Antimalware installed. Wordfence sends me an email every week telling me what it was up to. Every week it tells me the top modified files are things like:
wp-content/plugins/gotmls/safe-load/_SESSION/.GOTMLS.6d5683eb555fba4c06d32f417260c326.php
They are always in the GOTMLS safe load directory and there is always a lot of them.
So I had a wee look to see what was in one of these files and found some base64 code.
Php code would begin here
—
$GLOBALS["GOTMLS"]["logins"]["e278f3d8359437957452325f82c85676"]=unserialize(base64_decode(“YToxOntzOjM6IkdFVCI7czoxMzoiMTQzNzQxNjAwNy45MiI7fQ==”));
—
Php code would end here
What does this do? When decoded it says this:
a:1:{s:3:”GET”;s:13:”1437416007.92″;}
Is this malicious? Anyone know what and why this is?
Many thanks,
Graham.