If you find the following code in some index.php files included in your WordPress site, you are infected with malware and should be careful.

Malware that alters index.php and is carried out no matter which page of the WordPress site is loaded

If the index.php file contains @include “\057v\151r\164u\141l\0571 and the include statement sandwiched between comments such as /*963c2*/ above and below, the code is for loading the malware itself.

This code is obfuscated, and when unobfuscated, it will look like the following string.

@(include "/virtual/.24b5f368.ico");.

This code loads the malware body, .24b5f368.ico, and causes the site to perform malicious actions, such as redirecting the site to another site.

The random string of /*963c2*/ comments included at the top and bottom are for hackers to see if they have already embedded malware in that file.

Coping Methods

If you find such a file on your site, immediately delete the line containing @(include “/virtual/” and the random string comments above and below, and re-upload index.php.

Additionally,
We also recommend that you run a site-wide file and database malware scan with the [ Free] WordPress: Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].

Change user passwords, etc.

Related Posts:

  1. Five types of malware embedded in WordPress
    Here are some of the types of malware embedded in WordPress that are common these days. If similar code is included in the site’s program, we suspect that WordPress has been hacked and tampered with....
  2. If your wordpress index.php has a one line include statement @include it is infected with malware
    If there is a one-line include statement @include in the index.php in the top directory of WordPress or in the theme, etc., it is highly likely that the site is infected with malware....
  3. 5 characteristics of malware files that infect WordPress
    Here are some characteristics of malware files that can infect WordPress. If such a file is found on the server, it is most likely malware....
  4. If you can’t find wordpress malware, where is the malware hidden?
    We will explain how hackers hide malware when WordPress has been defaced and no malware is found....
  5. 10 files in which malformed JAVASCRIPT code is embedded when WordPress is tampered with.
    This section describes a file in which redirect hack code is often embedded, which causes a WordPress-created site to jump to another site when accessed (redirect)....
  6. Cases in which malware (virus infection, tampering) prevents logging in to the management screen
    There have been an increasing number of cases where a hacker has embedded a number of malicious HTACCESS files in a site, making it impossible to log in to the administration screen. This case study will be explained in this issue....