zuykis
Forum Replies Created
Just FYI deletion of the row worked smoothly, although I didn’t try to use the scanner module again after the plugin was reactivated.
Thank you for your sincere help.
Hi mbrsolution,
Unfortunately the method of setting filter limits was not effective at all.
Maybe I didn’t clarify that all that 400MB of data is only one row in the table ‘_aiowps_global_meta’, and no other rows exist in that table.
What else might work?
What if I disable the scanner module entirely -> then disable the plugin -> then delete that row -> and finally reactivate the plugin again?
Thank you a lot!
This might be helpful to have a clue in the future, so I’m adding some additional information.
My guess is that this issue is related to the XAttacker.php script (it could harm not only WordPress, but actually any CMS, like Joomla).
Usually it’s exploiting the plugins “Visual Composer” and/or “Revolution Slider” (some older versions that were released in the past 8 months). It creates several files, like server.php, cund.php, qunin.php (and might add a few others like list**.php, view**.php, search.php, footer.php, etc.) in various (random) directories of the WP core, plugins, uploads, themes (usually as deep as possible).
It also might add the code to other random files, usually large ones (which have a few thousand lines, like class-pclzip.php) so that they are skipped by the scan, since some servers have a low memory_limit and are not able to read those files due to a timeout during the scan.
Sometimes it sends spam via PHP mail() or wp_mail().
Although its main purpose is to act as SEO malware.
Also, once inserted, it is usually executed via wp-cron.php (via the core, to create other files and rewrite the main index.php file with SEO malware code, whose main line is masked in regexp syntax).
server.php: https://pastebin.com/EHYpjPGp
cund.php: https://pastebin.com/9PPmTnax
view48.php (could be any number): https://pastebin.com/3kQKME0s
list98.php (could be any number): https://pastebin.com/8R8ePzSm
search.php (could be any filename that is not suspicious): https://pastebin.com/q7mW6DYB
qunin.php:
<?php
echo 'say7h';
?>
Thank you again for your work.
UPD: By the way, the WP version was somewhere between 4.7 and 4.8.4 at the moment of infection (I couldn’t tell due to the updates, but at the moment of the scan it was the newest, v4.9.1).
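A defender's sweep for the indicators listed in the reply above (dropped file names, PHP under wp-content/uploads, the 'say7h' marker), as an added example that is not code from the post or from the plugin. It assumes a local copy of the WordPress tree; the sample install it builds in a temporary directory is constructed for the demo, and the hypothetical function names sweep(), build_sample() and demo() are the author's own.

```python
import os
import re
import tempfile

# File names the reply reports the dropper creating; listNN.php / viewNN.php carry any number.
DROPPED_RE = re.compile(r"^(server|cund|qunin|list\d+|view\d+)\.php$")
# search.php and footer.php are ordinary theme template names, so only flag them outside themes.
TEMPLATE_RE = re.compile(r"^(search|footer)\.php$")
MARKER = b"say7h"  # content of qunin.php as quoted in the reply
UPLOADS, THEMES = "wp-content/uploads/", "wp-content/themes/"


def sweep(root):
    """Walk a WordPress tree; return sorted (relative path, reasons) pairs for suspect PHP files."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if DROPPED_RE.match(name):
                reasons.append("dropped-name")
            if TEMPLATE_RE.match(name) and not rel.startswith(THEMES):
                reasons.append("template-name-outside-themes")
            if rel.startswith(UPLOADS):  # PHP has no business in the uploads tree
                reasons.append("php-in-uploads")
            with open(path, "rb") as fh:
                if MARKER in fh.read():
                    reasons.append("say7h-marker")
            if reasons:
                hits.append((rel, tuple(reasons)))
    return sorted(hits)


SAMPLE = {  # constructed sample install: legitimate files plus planted indicators
    "index.php": b"<?php require 'wp-blog-header.php';",
    "wp-content/themes/twentyseventeen/footer.php": b"<?php // normal template",
    "wp-content/plugins/some-plugin/search.php": b"<?php /* planted */",
    "wp-content/uploads/2017/12/view48.php": b"<?php echo 'say7h';",
    "wp-includes/ID3/server.php": b"<?php /* planted */",
    "wp-content/uploads/2017/12/photo.jpg": b"\xff\xd8\xff",
}


def build_sample(root):
    for rel, body in SAMPLE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return sweep(root)  # three hits; the theme's own footer.php is not one of them
```

Run it against a site copy with sweep('/path/to/wordpress') and review each hit by hand; a name match alone is a lead, not proof, as the legitimate theme footer.php in the sample shows.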