We will explain the characteristics of malware code embedded by WordPress tampering and how to make the code readable and analyze its contents.

Malware code embedded in WordPress

WordPress can be subject to site modification by hackers due to a variety of factors. This causes program code that performs malicious activities unintended by the site operator, collectively referred to as malware.

Malware code is often very distinctive, and most often consists of a single line of unintelligible text, such as the following

$WDP0PDP00D=$WPDD0D0P0P [14]. $WPDD0D0P0P[ 25]. $WPDD0D0P0P[ 6]. $WPDD0D0P0P[ 11]. $WPDD0D0P0P[ 8]. $WPDD0D0P0P[ 18 ]. $WPDD0D0P0P[ 34 ]. $WPDD0D0P0P[ 32 ]. $WPDD0D0P0P[ 24]. $WPDD0D0P0P[ 18]. $WPDD0D0P0P[ 8]. $WPDD0D0P0P[ 34 ]. $WPDD0D0P0P[ 20]. $WPDD0D0P0P[ 19]. $WPDD0D0P0P[ 11]. $WPDD0D0P0P[ 8].....
/*12236*/
@include "7hom5/fu6tre7fun4re.3om/\160ubl.....
;VZDKQPY@ KHHYYS;E@oM K^AEDARG_SY^A UWSI]W^WVQU^^HP ZWBBYVY VMD\Y
\VZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

Why would such a string act as malware?

Most malware is obfuscated.

The aforementioned code is obfuscated from common PHP program code, making it difficult to understand how it works, even for those with programming knowledge.

Since PHP is executed mechanically, the machine can execute the process, but people cannot understand the mechanism of how the code works.

Sometimes obfuscated code is also added to avoid malware scanners by inserting comments into the code for people to read.

/*ydhr6ei*/"base". /*ydhr6ei*/." 64_". /*ydhr6ei*/." decode".

How do I de-obfuscate?

Unobfuscating such code can be difficult. It may be possible to use a combination of the following techniques to remove the obfuscation.

manually base64_encode base64_decode (or str_rot13 urlencode, etc.)
Obfuscated strings can be directly output by echo.
Try to manually assign a key file or hash value and output it by echo.
Rewrite an eval string to echo and output the code to be executed.
Use an obfuscation program (available on Github, etc.)

You can also use php-decoder.site, which does some of the above work automatically and online.

Free WordPress:Malware Scanning & Security Plugin [Malware and Virus Detection and Removal].

Related Posts:

  1. Characteristics of malware code when WordPress is tampered with
    We will explain what kind of malware (programs that perform malicious behavior) can be embedded in a site when WordPress is defaced by hackers....
  2. eval function used in over 50% of WordPress malware (tampering and viruses)
    We will explain the process called eval, which is used in more than half of the malware files detected by WordPress Doctor, and how to stop eval....
  3. 5 characteristics of malware files that infect WordPress
    Here are some characteristics of malware files that can infect WordPress. If such a file is found on the server, it is most likely malware....
  4. 10 files in which malformed JAVASCRIPT code is embedded when WordPress is tampered with.
    This section describes a file in which redirect hack code is often embedded, which causes a WordPress-created site to jump to another site when accessed (redirect)....
  5. What is a web shell, a type of WordPress malware?
    There have been an increasing number of cases of web shells, a type of WordPress malware, becoming more sophisticated in recent years. We will explain about web shells....
  6. If your wordpress index.php has a one line include statement @include it is infected with malware
    If there is a one-line include statement @include in the index.php in the top directory of WordPress or in the theme, etc., it is highly likely that the site is infected with malware....