Title: Help me interpret malicious code from hack? Last modified: August 21, 2016 --- # Help me interpret malicious code from hack? * [Steve](https://wordpress.org/support/users/steveschwartz/) * (@steveschwartz) * [13 years, 2 months ago](https://wordpress.org/support/topic/help-me-interpret-malicious-code-from-hack/) * I have WordFence installed and last night I received an email that said the following: * “This alert was generated by WordFence on “” at Tuesday 9th of April 2013 at 09:55:23 PM * A user with username “wp-system” who has administrator access signed in to your WordPress site. User IP: 184.168.152.218 User hostname: p3nlhg693.shr.prod.phx3. secureserver.net” * There has never been an administrator account named wp-system. I neutered the“ admin” account immediately upon installing the site months ago. My username is unique and my password is very long and hard to guess. After getting the warning email from WordFence, I went to my site and noticed that the custom image for the header was gone. I tried to navigate to various pages on the site and they all generated 404 errors. * I logged in my administrator account and noticed an extra file in the child theme called entry-meta.php * Here’s the code: * [http://pastebin.com/rxCAwevr](http://pastebin.com/rxCAwevr) * There was also an extra PHP file in the parent theme called Entry-nav.php. It had equally bad looking code in it. I have a backup of everything and I’ll be able to restore the site. My question is, based on the info above, can anyone help me diagnose how they got in, and what that code does? Thanks ahead of time for your help. The site is [here](http://www.southparkpost.com) Viewing 2 replies - 1 through 2 (of 2 total) * [esmi](https://wordpress.org/support/users/esmi/) * (@esmi) * [13 years, 2 months ago](https://wordpress.org/support/topic/help-me-interpret-malicious-code-from-hack/#post-3646576) * > can anyone help me diagnose how they got in * Not based on the above, no. Have you asked your hosts for assistance with this? * In the meantime, you need to start working your way through these resources: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * Anything less will probably result in the hacker walking straight back into your site again. * Additional Resources: [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress) [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html) * [grosar](https://wordpress.org/support/users/grosar/) * (@grosar) * [13 years ago](https://wordpress.org/support/topic/help-me-interpret-malicious-code-from-hack/#post-3646881) * I got one of these I’m trying to remove from a site too! * This is my entry-nav.php file in the theme directory. Did you ever figure out how to remove it? * _[Please do not post hack code here – see the links posted above]_ Viewing 2 replies - 1 through 2 (of 2 total) The topic ‘Help me interpret malicious code from hack?’ is closed to new replies. ## Tags * [hacked](https://wordpress.org/support/topic-tag/hacked/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 2 replies * 3 participants * Last reply from: [grosar](https://wordpress.org/support/users/grosar/) * Last activity: [13 years ago](https://wordpress.org/support/topic/help-me-interpret-malicious-code-from-hack/#post-3646881) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics