We will explain what kind of malware (programs that perform malicious behavior) can be embedded in a site when WordPress is defaced by hackers.


Characteristics of malware embedded in WordPress

Hackers who gain unauthorized access to the server, either through a vulnerability in an older program included in WordPress or by stealing administrative privileges, embed a variety of malware in various files.

Much of this malware code shares certain characteristics.

1 Numerous comments, Unicode escapes, and Base64 resulting from obfuscation

Malware code is often obfuscated to prevent people from knowing what the code is doing or to prevent detection of malware.
For this reason, it often contains a large number of comments (enclosed in /* and */), Unicode escape notation (backslashes and numbers), and Base64 encoding (data converted to a string of letters, digits, + and /).

The code shown in the image below is such a case.

2 One long line

Because obfuscation software is often used to perform the obfuscation described in 1, and because that software often reduces the output to a single line, files with embedded malware often contain very long single lines of code.

3 eval is included in the final step

eval is a PHP function that interprets a string as a program and executes it. This function is rarely used in WordPress itself or in themes and plugins, but in the case of malware, it is highly likely to appear in the final step to execute an obfuscated string.

4 @include

The include statement is used to load another program. Malware uses it to load the malware body from various files. It may also be written as @include, where the @ prefix suppresses error messages.

5 Meaningless strings as file names or $ variables

Ordinary programs name their files and included programs so that it is easy to understand what they do, with maintainability in mind.
Malware, on the other hand, is meant to stay hidden and not be recognized at a glance, so random strings are often used as file names, variable names, and function names in the code.
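The five characteristics above can be turned into a simple triage check that flags PHP files for review rather than deleting them. The following is an added example, not code from the original article; the thresholds, the `looks_random` heuristic, and both sample strings are assumptions constructed for illustration.

```python
import re

# Thresholds are assumptions for this example; tune them on your own code base.
LONG_LINE = 1000      # characteristic 2: characters on a single line
MANY_COMMENTS = 10    # characteristic 1: /* ... */ blocks in one file
ESCAPES = re.compile(r'(?:\\x[0-9a-fA-F]{2}|\\u\{[0-9a-fA-F]+\}|\\[0-7]{3}){4,}')
BASE64 = re.compile(r'base64_decode\s*\(|["\'][A-Za-z0-9+/]{80,}={0,2}["\']')
EVAL = re.compile(r'(?<![\w$>])eval\s*\(')
AT_INCLUDE = re.compile(r'@\s*include(?:_once)?\b')
VARIABLE = re.compile(r'\$([A-Za-z_]\w*)')

def looks_random(name):
    """Rough test for a meaningless identifier: long, with few vowels or many digits."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(name) < 6 or not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    digits = sum(c.isdigit() for c in name)
    return vowels / len(letters) < 0.2 or digits / len(name) > 0.3

def scan(source):
    """Return which of the five characteristics appear in a PHP source string."""
    hits = set()
    if len(re.findall(r'/\*.*?\*/', source, re.S)) >= MANY_COMMENTS:
        hits.add("1:comments")
    if ESCAPES.search(source):
        hits.add("1:escapes")
    if BASE64.search(source):
        hits.add("1:base64")
    if any(len(line) > LONG_LINE for line in source.splitlines()):
        hits.add("2:long_line")
    if EVAL.search(source):
        hits.add("3:eval")
    if AT_INCLUDE.search(source):
        hits.add("4:@include")
    if any(looks_random(v) for v in VARIABLE.findall(source)):
        hits.add("5:random_name")
    return hits

# Constructed samples: the encoded string is just "ABC" repeated, nothing executable.
SUSPICIOUS = ('<?php ' + '/*k*/' * 12 + '$xkqzvbwt="\\x62\\x61\\x73\\x65";'
              '$zq8r7t2w="' + 'QUJD' * 300 + '";'
              '@include "./q7x2kd9f.php"; eval(base64_decode($zq8r7t2w));')
CLEAN = ('<?php\n/* Theme setup */\nfunction mytheme_setup() {\n'
         '    $post_title = get_the_title();\n'
         '    include get_template_directory() . "/inc/helpers.php";\n}\n')

if __name__ == "__main__":
    print(sorted(scan(SUSPICIOUS)), sorted(scan(CLEAN)))
```

A file that matches several characteristics at once is a stronger candidate for review than one that matches a single check, since minified or encoded legitimate code can trigger individual checks on its own.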

What if the site contains files that contain strings like the above?

If the above code is included in a site’s program, it is most likely malware, but even legitimate code may be obfuscated for some reason, or the way the code is written may look like malware at first glance.

For this reason, we recommend that you do not delete it immediately, but first use a plug-in that detects malware to check whether it is identified as malware.

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].