walied

I’m facing the same issue, spamming link such as posting in comments was posted below the header of my site, when search for them through ssh I found them in public_html/wp-content/w3tc/pgcache/6/a/c/6ac2c5172bd2c18d7c9ff26a128d6c11
When I disable the w2tc pluging they go, when I enable it they come in the same place content/w3tc/pgcache/6/a/c/6ac2c5172bd2c18d7c9ff26a128d6c11

when I run the exploid scanner this was the comment regarding w2tc

wp-content/plugins/w3-total-cache/lib/JSON.php:22
Often used to execute malicious code * Javascript, and can be directly eval()’ed with no further parsing
wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Credentials/CredentialsAbstract.php:111
Used by malicious scripts to decode previously obscured data/programs $this->_accountKey = base64_decode($accountKey);
wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Credentials/CredentialsAbstract.php:135
Used by malicious scripts to decode previously obscured data/programs $this->_accountKey = base64_decode($value);
wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Storage/Queue.php:467
Used by malicious scripts to decode previously obscured data/programs base64_decode((string)$xmlMessages[$i]->MessageText)
wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/SessionHandler.php:150
Used by malicious scripts to decode previously obscured data/programs return base64_decode($sessionRecord->serializedData);
wp-content/plugins/w3-total-cache/lib/Minify/FirePHP.php:1035
Often used to execute malicious code * Javascript, and can be directly eval()’ed with no further parsing
wp-content/plugins/w3-total-cache/lib/Nusoap/class.soapclient.php:711
Often used to execute malicious code eval($evalStr);
wp-content/plugins/w3-total-cache/lib/Nusoap/class.soapclient.php:713
Often used to execute malicious code eval(“\$proxy = new nusoap_proxy_$r(”
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:4047
Often used to execute malicious code ug(‘in invoke_method, calling function using eval()’);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:4051
Often used to execute malicious code #039;in invoke_method, calling class method using eval()’);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:4054
Often used to execute malicious code 9;in invoke_method, calling instance method using eval()’);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:4073
Often used to execute malicious code @eval($funcCall);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:7020
Used by malicious scripts to decode previously obscured data/programs return base64_decode($value);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:7867
Often used to execute malicious code eval($evalStr);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:7869
Often used to execute malicious code eval(“\$proxy = new nusoap_proxy_$r(”
wp-content/plugins/w3-total-cache/lib/Nusoap/class.soap_parser.php:504
Used by malicious scripts to decode previously obscured data/programs return base64_decode($value);
wp-content/plugins/w3-total-cache/lib/W3/PgCache.php:1284
Often used to execute malicious code $result = eval($code);
wp-content/plugins/w3-total-cache/pub/js/metadata.js:92
Often used to execute malicious code data = eval(“(” + data + “)”);
wp-content/plugins/w3-total-cache/pub/js/metadata.js:99
Often used to execute malicious code data = eval(“(” + data + “)”);
wp-content/plugins/twitter-tools/OAuth.php:202
Used by malicious scripts to decode previously obscured data/programs $decoded_sig = base64_decode($signature);

Now when you go to you wp-include there would be a file called wp-image.php that file was included in the general-template.php

(@include “wp-image.php”;)

Solution : delete the (@include “wp-image.php”;) . Then delete the entire wp-image.php file

The wp-image.php is not a wp original file, it is encrypted, calles these spamms from other site and prevent to display them from regular users. I would probably got their because of w3tc pluging or any other plugin.

I hope this is helpful for someone