Recently, many websites have been defaced to display fake Google login screens. This article gives examples of these defacements and explains them.


Malware that steals Google login information

This malware gets onto a site by taking advantage of weaknesses in WordPress, such as a takeover of administrative privileges or vulnerable plugins. It then creates a file called heck.php, mainly in the following folder of the WordPress core files:

/wp-includes/SimplePie/Content/Type/

This malware may also be named wp-options.php.

Contents of heck.php

This malware contains the following code:

<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="id"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop ="image"><title>Google</title><script nonce="2p6MrvcplO0MKAIOgE7jnQ">(function(){window.google=

The file uses this code to reproduce the Google search screen.

The malware misleads the user into believing this screen is the real Google search screen, and when the user logs in, it sends the ID and password to the malicious hacker instead of Google.

Detecting Fake Google Login Malware

To detect this malware, check whether /wp-options.php or /wp-includes/SimplePie/Content/Type/heck.php contains the HTML code of the Google home page.

You can also detect the malware by running the malware scan from the admin screen of [Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
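
The manual check above can be scripted. The following Python scan is an added example, not code from the original article or from the plugin: it walks a WordPress document root, reports the two file locations named above, and looks for the Google page markers visible in the heck.php excerpt. Flagging the same file names in other folders, flagging any PHP file with two or more markers, and the function names are assumptions that go beyond the article's check; the demo tree is constructed sample data.

```python
import tempfile
from pathlib import Path

# Locations named in the article, relative to the WordPress root.
KNOWN_PATHS = ("wp-options.php", "wp-includes/SimplePie/Content/Type/heck.php")
SUSPECT_NAMES = {"heck.php", "wp-options.php"}
# Byte strings copied from the heck.php excerpt shown in the article.
MARKERS = (b"<title>Google</title>", b"googleg_standard_color_128dp.png", b"window.google=")

def marker_count(path, limit=1 << 20):
    """Count how many of the article's markers occur in the first `limit` bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(limit)
    except OSError:
        return 0  # unreadable file: it can still be reported by name
    return sum(m in head for m in MARKERS)

def scan_wordpress(root):
    """Return sorted (relative_path, reason, has_google_html) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".php":
            continue
        rel = path.relative_to(root).as_posix()
        cloned = marker_count(path) >= 2  # assumption: two markers = copied Google page
        if rel in KNOWN_PATHS:
            findings.append((rel, "path named in the article", cloned))
        elif path.name.lower() in SUSPECT_NAMES:
            findings.append((rel, "suspect name in another folder", cloned))
        elif cloned:
            findings.append((rel, "Google page HTML in a PHP file", cloned))
    return sorted(findings)

def demo():
    """Scan a constructed site tree (sample data, not a real infection)."""
    fake = b'<!doctype html><title>Google</title><script>(function(){window.google={}})()</script>'
    tree = {
        "wp-includes/SimplePie/Content/Type/heck.php": fake,
        "wp-content/uploads/cache.php": fake,
        "wp-includes/SimplePie/Content/Type/Sniffer.php": b"<?php // constructed clean file",
        "wp-options.php": b"<?php // constructed: suspect name, no Google HTML",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_wordpress(root)
```

Call scan_wordpress() with the site's document root; a finding whose last field is False matched by name only and should be opened and read before it is treated as this malware.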

Disinfection

The files named heck.php and wp-options.php are not originally included in WordPress, so you should have no problem deleting them.
However, we recommend that you make a backup of your entire site before deleting the files.