Title: Regarding .backup_time
Last modified: August 24, 2016

---

# Regarding .backup_time

 *  Resolved [twicealive](https://wordpress.org/support/users/twicealive/)
 * (@twicealive)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/regarding-backup_time-1/)
 * Hello,
 * I saw your thread about .backup_time
    There seem to be a lot of sites that have this same issue.
 * Can you tell me if it is malicious?
 * Here is the file content:
 * [example 1](http://www.rosatigella.com/wp-content/themes/kore-design/wpv_common/admin/ajax/.backup_time)
 * [example 2](http://www.connerlorre.com/wp-content/themes/musicpro/includes/features/bd-paypal/.backup_time)
 * [example 3](http://ultimatefunnelnetwork.com/wp-content/plugins/opt/admin_pages/ajax/.backup_time)
 * Thank you,
    Michael
 * [https://wordpress.org/plugins/sucuri-scanner/](https://wordpress.org/plugins/sucuri-scanner/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/regarding-backup_time-1/#post-6071539)
 * Yes it is.
    [http://stackoverflow.com/questions/22647441/what-does-this-malicious-php-code-found-in-a-wordpress-install-do](http://stackoverflow.com/questions/22647441/what-does-this-malicious-php-code-found-in-a-wordpress-install-do)
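 *     ```
       <?php

       // Decode one line of a .backup_time file:
       // base64-decode it, then XOR with a SHA-1 based keystream.
       function Uno_decode($String)
       {
           $String = base64_decode($String);
           $Salt = "dc5p9dOpBc";
           $StrLen = strlen($String);
           $Seq = "DMEf5HZuPq";
           $Gamma = "";
           // Extend the keystream 8 bytes at a time until it covers the input.
           while (strlen($Gamma) < $StrLen)
           {
               $Seq = pack("H*", sha1($Gamma.$Seq.$Salt));
               $Gamma.=substr($Seq, 0, 8);
           }

           return $String ^ $Gamma;
       }

       // Path or URL of the "example 1" .backup_time file, given as the first CLI argument.
       $example_1_link = $argv[1];
       $b64s = file_get_contents( $example_1_link );
       foreach ( explode( "\n", $b64s ) as $line ) {
           echo Uno_decode( $line ) . "\n";
       }
       ```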
   
 * outputs:
 *     ```
       googlebot|indows|ipad|iphone|android
       178.21.23.230
       62.113.208.128
       128.199.141.242
       185.31.209.43
       178.32.151.22
       188.40.249.90
       ```
   
 *  [yorman](https://wordpress.org/support/users/yorman/)
 * (@yorman)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/regarding-backup_time-1/#post-6071661)
 * Thanks [@szepeviktor](https://wordpress.org/support/users/szepeviktor/) I will
   mark this ticket as resolved considering that the question was answered. My suggestion
   for [@twicealive](https://wordpress.org/support/users/twicealive/) is to check
   the source code of your project with a server-side malware scanner _(not a web
   scanner)_ to find the file that is generating the _“.backup\_time”_ files.
 *  [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/regarding-backup_time-1/#post-6071674)
 * There is a lot of interesting stuff on this page:
    [https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/shared-hosting-aid/Malware.md#search-for-malware-patterns](https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/shared-hosting-aid/Malware.md#search-for-malware-patterns)
 *  [Dave McHale](https://wordpress.org/support/users/dmchale/)
 * (@dmchale)
 * [11 years ago](https://wordpress.org/support/topic/regarding-backup_time-1/#post-6071892)
 * I have the same issue on a client site of mine, and unfortunately sucuri scanner
   has been unsuccessful in detecting all of the cases of this when they’re outside
   of core, or contained in plugins/themes that are not (or are no longer) in the
   repository.
 * I have found that these files come in at least two flavors: they are often named
   `.backup_time` but are sometimes called simply `..` (dot dot space). These files
   also persistently recreate themselves due to code that is infecting other php
   files.
 * The most common location of the infection is the wp-config file, as well as
   /wp-content/index.php, /wp-content/plugins/index.php and /wp-content/themes/index.php
   – these files will be 26K-28K in size when infected, when they should in
   reality be only 28 Bytes. It will also try and get into your plugins and themes
   if it is able.
 * I also found it injected into an old plugin called “Font Uploader” written by
   pippen (now officially a dead project, but this client has been running it for
   years), as well as an old copy of u-design which they had installed.
 * The malicious code generally injects itself into the top line of the file, waaaaaaaaaaaay
   out to the right. Open the file, and press the “End” key. You will probably also
   notice a very small horizontal scroll bar which is a good clue something’s up.
 * Unfortunately, this hack is so persistent that it’s unclear exactly how many
   places you may find it. What I found interesting in MY case (YMMV, obviously)
   is that the infected code defined its php functions with a double space between
   “function” and the open parentheses. That’s not really a common notation, so I
   decided to try and dig into my site some more using that as a searchable pattern.
   On my system (an out-of-the-box VVV install running the default VM) the following
   grep command worked when run from the root of the downloaded website.
 * `grep -ri 'function\+[[:space:]]\+\+[[:space:]]\+' * > output.txt`
 * It was important to pipe the results into a text file I could open when it was
   done, because the massive block of malicious code comes back in the result, and
   quickly made my console buffer useless. But when I opened the text file, I actually
   got good information about my remaining infected files.
 *     ```
       wp-content/plugins/font-uploader/includes/functions.php:<?php
       wp-content/themes/u-design/functions.php:<?php
       wp-content/themes/u-design/header.php:<?php
       wp-content/themes/u-design/index.php:<?php
       wp-content/themes/u-design/scripts/admin/colorpicker/js/colorpicker.js:			fillRGBFields = function  (hsb, cal) {
       wp-content/themes/u-design/scripts/admin/colorpicker/js/colorpicker.js:			fillHSBFields = function  (hsb, cal) {
       wp-content/themes/u-design/scripts/cache/index.php:
       wp-includes/functions.php: * @param string $function    The function that was called.
       wp-includes/functions.php:	 * @param string $function    The function that was called.
       wp-includes/js/twemoji.js:       *          Function            if specified, this will be invoked per each emoji
       wp-includes/js/twemoji.js:       *            callback   Function  the callback to invoke per each found emoji.
       wp-includes/js/twemoji.js:       * @param   Function  a generic callback that will be
       wp-includes/js/twemoji.js:    *            .callback   Function  the callback to invoke per each found emoji.
       wp-includes/js/twemoji.js:   *            .callback   Function  the callback to invoke per each found emoji.
       ```
   
 * With only a few exceptions, you can see that when I ran this code I still had
   an infected file inside the font-uploader plugin and multiple infected files 
   inside of u-design. The rest of the files, from inside /wp-includes, are harmless.
   But the rest of the files all had the malicious code on line 1.
 * It is ENTIRELY possible that there are more infections at different locations,
   but I wanted to share my experience about this particular piece of it here in
   case this information helps someone else. Good luck!
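
An added example, not part of Dave McHale's post or any other reply in this thread: a POSIX shell triage function that checks a downloaded site copy for the three indicators the post describes (dropped `.backup_time` / "dot dot space" files, stub `index.php` files far larger than 28 bytes, and PHP files with an abnormally long first line). The function name `scan_wp_tree` and both thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: triage a WordPress tree for the indicators reported in this thread.
# The function name and both thresholds are assumptions, not values from the thread.
STUB_MAX=1024   # stock stub index.php is 28 bytes; infected ones were reported as 26K-28K
LINE_MAX=1000   # injected code was reported on line 1, far out to the right

scan_wp_tree() (
    root=${1:-.}

    # 1. Dropped data files: ".backup_time" or ".. " (dot dot space).
    find "$root" -type f \( -name '.backup_time' -o -name '.. ' \) \
        -exec printf 'DROPPED_FILE %s\n' {} +

    # 2. Stub index.php files that have grown far beyond their stock size.
    for f in "$root/wp-content/index.php" \
             "$root/wp-content/plugins/index.php" \
             "$root/wp-content/themes/index.php"; do
        [ -f "$f" ] || continue
        size=$(($(wc -c < "$f")))
        if [ "$size" -gt "$STUB_MAX" ]; then
            printf 'OVERSIZED_STUB %s (%d bytes)\n' "$f" "$size"
        fi
    done

    # 3. Any PHP file (wp-config.php, themes, plugins) with a very long first line.
    #    Only the first line is measured, so the payload itself is never printed.
    find "$root" -type f -name '*.php' -exec sh -c '
        max=$1; shift
        for f do
            len=$(($(head -n 1 "$f" | wc -c)))
            if [ "$len" -gt "$max" ]; then
                printf "LONG_FIRST_LINE %s (%d bytes)\n" "$f" "$len"
            fi
        done' sh "$LINE_MAX" {} +
)

# Usage, from the root of the downloaded site:  scan_wp_tree . > findings.txt
```

Because it reports only paths and sizes, the output stays readable in a terminal, and comment lines or JavaScript files that merely contain "function" followed by extra spaces are not flagged.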
 *  [ed](https://wordpress.org/support/users/wesleysoccer/)
 * (@wesleysoccer)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/regarding-backup_time-1/#post-6071929)
 * Thanks Dave for all the info…all my WP applications (about 8) have been attacked
   with this .backup_time. I spent a few days cleaning out the bad code. The malicious
   code was always on the first line and mainly injected into index.php files…Not
   sure how this hack got into my applications but one of my sites had a really
   old Udesign theme plus old version of WP. All code has been removed and theme/
   plugins/WP all updated. Changed all passwords, etc…
 *  [Dave McHale](https://wordpress.org/support/users/dmchale/)
 * (@dmchale)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/regarding-backup_time-1/#post-6071930)
 * I’m glad it helped someone, ed! Old core is obviously no good, but I can say 
   with certainty (because this was our case as well) that old versions of UDesign
   still contained timthumb… if I had to guess, I’d place the blame there. 🙂 Good
   luck, and I hope your issues don’t come back!
 *  [ed](https://wordpress.org/support/users/wesleysoccer/)
 * (@wesleysoccer)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/regarding-backup_time-1/#post-6071931)
 * Thanks again Dave. I also found this at udesign support forum…thoughts?
 * [http://cl.ly/image/1k331f0o3733](http://cl.ly/image/1k331f0o3733)


The topic ‘Regarding .backup_time’ is closed to new replies.


 * 7 replies
 * 5 participants
 * Last reply from: [ed](https://wordpress.org/support/users/wesleysoccer/)
 * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/regarding-backup_time-1/#post-6071931)
 * Status: resolved