This section describes malware files including index.html.bak.bak that infects index.php.


Malware that disguises and replaces index.php

This malware, which has been increasingly detected in recent years, replaces or generates index.php on WordPress sites and writes the following malicious code.

Malware Structure

The /*random string*/ portion of this malware is an identifier that the malware uses to check whether it is still present on the site.

The @include statement loads the malware itself, but the path is usually obfuscated.
The obfuscated path can be decoded with tools such as http://php-decoder.site/.

echo @file_get_contents('index.html.bak.bak'); reads the content of the original index.php and outputs it.

In other words, this malware renames the original index.php or index.html to a name such as index.html.bak.bak or index.html.bak, and generates a fake index.php that executes malicious code.

Visitors to the site then execute the fake file: they are served the page they originally intended to view, with the malware's code executed alongside it.

Malware Removal

The following three steps are required to remove this malware.

1. Remove the malware itself that is loaded by the @include statement
2. Delete the fake index.php that replaced the original
3. Rename the renamed index.html.bak.bak back to its original name (index.php or index.html)
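As an added defender-side example (not code from the original page), the following Python script scans a document root for index.php files matching the pattern described above (an @include plus an echo @file_get_contents of an index.html.bak or .bak.bak file), checks whether the renamed original sits beside it, and lists the three removal steps as a dry-run plan. The sample site it builds and the PLACEHOLDER_PAYLOAD_PATH include target are constructed for the demonstration.

```python
import os
import re
import tempfile

# Fake-loader markers from the article: an @include of the payload plus an echo of
# the renamed original page via @file_get_contents('index.html.bak.bak' or '.bak').
INCLUDE_RE = re.compile(r"@include\b")
ECHO_BAK_RE = re.compile(
    r"echo\s+@file_get_contents\(\s*['\"](index\.(?:php|html?)\.bak(?:\.bak)?)['\"]\s*\)")

def inspect_index_php(path):
    """Return a finding dict if this index.php matches the fake-loader pattern, else None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    m = ECHO_BAK_RE.search(src)
    if not (m and INCLUDE_RE.search(src)):
        return None
    backup = os.path.join(os.path.dirname(path), m.group(1))
    return {"fake_index": path, "backup": backup, "backup_exists": os.path.isfile(backup)}

def scan_docroot(root):
    """Walk a document root and collect every index.php that looks like the fake loader."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.php" in files:
            finding = inspect_index_php(os.path.join(dirpath, "index.php"))
            if finding:
                findings.append(finding)
    return findings

def removal_plan(finding):
    """The article's three removal steps as a dry-run plan; nothing is modified here."""
    original = re.sub(r"(?:\.bak)+$", "", finding["backup"])  # strip the .bak suffixes
    return ["remove the payload loaded by @include in " + finding["fake_index"],
            "delete the fake " + finding["fake_index"],
            "rename " + finding["backup"] + " back to " + original]

def build_demo_site():
    """Constructed sample docroot (not real malware): one infected dir, one clean dir."""
    root = tempfile.mkdtemp()
    bad, good = os.path.join(root, "blog"), os.path.join(root, "clean")
    os.makedirs(bad); os.makedirs(good)
    with open(os.path.join(bad, "index.php"), "w") as fh:  # fake loader, placeholder path
        fh.write("<?php /*a1b2c3*/ @include 'PLACEHOLDER_PAYLOAD_PATH';\n"
                 "echo @file_get_contents('index.html.bak.bak');\n")
    with open(os.path.join(bad, "index.html.bak.bak"), "w") as fh:  # renamed original
        fh.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
    with open(os.path.join(good, "index.php"), "w") as fh:  # untouched WordPress index.php
        fh.write("<?php\n/** Front to the WordPress application. */\nrequire 'wp-blog-header.php';\n")
    return root
```

Running `removal_plan(f)` for each finding of `scan_docroot(build_demo_site())` prints the plan for the single infected directory; point `scan_docroot` at a real document root to review a live site.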

You can also use the [Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] to scan for this type of malware in one pass. Please take advantage of this service.