Title: license.php malware?
Last modified: August 22, 2016

---

# license.php malware?

 *  Resolved [mpals](https://wordpress.org/support/users/mpalsgaard/)
 * (@mpalsgaard)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/licencephp-malware/)
 * HI,
    I recently discovered a malware infection on one of my sites. After cleaning
   it up, using Wordfence plugin to scan for changed files, I noticed a file in 
   the root dir called license.php. The beginning of the file looks like this:
 * <?php if(!isset($GLOBALS[“\x61\156\x75\156\x61”])) { $ua=strtolower($_SERVER[“\
   x48\124\x54\120\x5f\125\x53\105\x52\137\x4
 * And so it continues.
 * Anyone knows if this is malware?

Viewing 6 replies - 1 through 6 (of 6 total)

 *  [kmessinger](https://wordpress.org/support/users/kmessinger/)
 * (@kmessinger)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/licencephp-malware/#post-5676414)
 * It doesn’t look right to me, You do have a license.txt file and maybe the file
   comes from a plugin.
 * URL please.
 * You do need to upgrade ASAP.
 *  Thread Starter [mpals](https://wordpress.org/support/users/mpalsgaard/)
 * (@mpalsgaard)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/licencephp-malware/#post-5676420)
 * Thanks!
 * The url is: teedawn.dk
 * I’ve just updated to 4.1.
 * I also discovered 3 admin users, but one is blank and one is invisible. I guess
   I can delete the blank one, but how do I remove the invisible one???
 *  [kmessinger](https://wordpress.org/support/users/kmessinger/)
 * (@kmessinger)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/licencephp-malware/#post-5676426)
 * You need to manually remove this invisible admin from your wp_users table by 
   using phpMyadmin or whatever database management tools your hosting provider 
   offers.
 *  Thread Starter [mpals](https://wordpress.org/support/users/mpalsgaard/)
 * (@mpalsgaard)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/licencephp-malware/#post-5676429)
 * Thanks, I will do that.
 * Regarding the license.php – should I rename it to start with and then delete 
   if the site looks normal or just delete it right away?
 *  [catacaustic](https://wordpress.org/support/users/catacaustic/)
 * (@catacaustic)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/licencephp-malware/#post-5676483)
 * Delete it. It’s not part of the WordPress file system. The hackers hav enamed
   it `licence.php` becuase it looks like the standard `licence.txt` file that is
   included.
 *  Thread Starter [mpals](https://wordpress.org/support/users/mpalsgaard/)
 * (@mpalsgaard)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/licencephp-malware/#post-5676516)
 * Thanks, I’ll delete it!

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘license.php malware?’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 3 participants
 * Last reply from: [mpals](https://wordpress.org/support/users/mpalsgaard/)
 * Last activity: [11 years, 4 months ago](https://wordpress.org/support/topic/licencephp-malware/#post-5676516)
 * Status: resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics