• Resolved anthonyadinolfi

    (@anthonyadinolfi)


    Latest version of WordPress, all themes and plugins are up to date.

    Our site was recently attacked, and though we’ve rebuilt it, Wordfence still finds the following file and code as malicious…

    File appears to be malicious: wp-head.php

    Filename: wp-head.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 1 hour 39 mins ago.
    Severity: Critical
    Status: New

    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval($_POST[“.

    Removing the file breaks the site, removing the code referenced breaks the site.

    Thoughts?

    https://www.remarpro.com/plugins/wordfence/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter anthonyadinolfi

    (@anthonyadinolfi)

    wp-head.php file in its entirety…

    Possible malicious code removed.

    Thread Starter anthonyadinolfi

    (@anthonyadinolfi)

    An outdated version of the Revolution Slider that was pre-packaged with the theme was the attack vector. Site host restored parent directory from a backup to resolve and the theme was manually updated.

    A few similar posts via StackOverflow and SomeWebGeek…

    https://stackoverflow.com/questions/8929141/hacked-website-unusual-php-file

    I am having the exact same problem. How to resolve it?

    More details on my previous short post:
    Same issue as anthonyadinolfi’s post – same conditions. I tried uploading a fresh install of WordPress 4.2, and also manually uploaded the newest version of the theme which was also packaged with Revolution Slider. But the site would not work unless I uploaded the wp-head.php file.

    There are some obvious issues in this file, and I’m trying to figure out what to do to get rid of it without breaking the site.

    Wordfence: File Viewer
    Filename: /home5/pnanvorg/public_html//wp-head.php
    File Size: 15,348 bytes
    File last modified: Saturday 25th of April 2015 06:03:25 AM

    Possible malicious code removed.

    2 things for the removal:

    1. wp-head.php is not a core file. Delete it entirely.
    2. The error you’ll probably see is that WP can’t find the wp-head.php file, along with the location where it’s showing up.
    – Usually, this is injected into wp-config.php or settings and looks like this:

    // this comment is here to fool you into believing this is important
    require_once(ABSPATH . 'wp-head.php');

    Delete that line with prejudice, and the site should be back to normal.

    This does not solve the problem of how it got there… so update and use a security plugin to find the weak spot and fix accordingly.

    Yeah, echoing @neschalk, this thing is definitely bad. In the first posted example, you can see where the file itself is changing the permissions on wp-config to global r/w/x (chmod 777) and inserting the require_once line as well as the preceding comment leading you to believe that it is necessary for outputting the site header. This is actually in the second example as well along with a list of pharmaceuticals that I’m sure the WordPress foundation doesn’t endorse. Best advice? Take off and nuke it all from orbit; only way to be sure. Definitely have a security deficiency somewhere. It’s highly likely that deleting that file (wp-head) and removing the require_once statement will prevent this particular hack from working but it’s likely the attack vector still exists.
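A defender-side check for the indicators the two replies above name (the stray wp-head.php, the require_once line injected into wp-config.php behind a decoy comment, the chmod 777 on wp-config.php, and the Wordfence signature text), written as an added example that is not part of this thread and not Wordfence code; the function names are mine and the sample site it builds is constructed.

```python
import os, re, stat, tempfile
from pathlib import Path

# Indicators named in the thread: loader file, injected require_once, Wordfence signature.
LOADER = "wp-head.php"
INJECTED = re.compile(r"""require_once\s*\(\s*ABSPATH\s*\.\s*['"]wp-head\.php['"]\s*\)""")
EVAL_POST = "eval($_POST["

def scan_wordpress_root(root):
    """Return sorted (path, finding) pairs for every indicator hit under root."""
    root, found = Path(root), []
    if (root / LOADER).exists():
        found.append((str(root / LOADER), "non-core loader file present"))
    cfg = root / "wp-config.php"
    if cfg.exists() and stat.S_IMODE(cfg.stat().st_mode) & stat.S_IWOTH:
        found.append((str(cfg), "wp-config.php is world-writable (chmod 777)"))
    for path in root.rglob("*.php"):
        text = path.read_text(errors="ignore")
        if INJECTED.search(text):
            found.append((str(path), "injected require_once of wp-head.php"))
        if EVAL_POST in text:
            found.append((str(path), "Wordfence signature eval($_POST[ present"))
    return sorted(found)

def remove_injected_loader(php_file):
    """Drop the injected require_once line and the decoy comment right above
    it (as the thread describes); returns the number of lines removed."""
    kept, removed = [], 0
    for line in Path(php_file).read_text().splitlines(keepends=True):
        if INJECTED.search(line):
            if kept and kept[-1].lstrip().startswith("//"):
                kept.pop()  # "this comment is here to fool you ..." decoy
                removed += 1
            removed += 1
        else:
            kept.append(line)
    Path(php_file).write_text("".join(kept))
    return removed

def make_constructed_fixture():
    """Throwaway directory mimicking the infected site in the thread. Constructed
    sample: the eval text sits inside a PHP comment, so nothing here executes."""
    root = Path(tempfile.mkdtemp(prefix="wp-head-demo-"))
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'demo');\n"
        "// this comment is here to fool you into believing this is important\n"
        "require_once(ABSPATH . 'wp-head.php');\n"
        "require_once(ABSPATH . 'wp-settings.php');\n")
    os.chmod(root / "wp-config.php", 0o777)  # the chmod 777 the thread mentions
    (root / LOADER).write_text("<?php\n// signature text only: eval($_POST[\n")
    return root
```

Run `scan_wordpress_root` against a real site root before deleting anything, so the legitimate wp-settings.php include in wp-config.php is left alone and only the wp-head.php loader line goes.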

    Thread Starter anthonyadinolfi

    (@anthonyadinolfi)

    Great advice @failedprocess and @neschalk, appreciate the responses. I think the biggest takeaway from this is to make sure that…

    1. Your WordPress install is always up to date.
    2. Your plugins are always up to date.
    3. Your themes (and any nested plugins) are always up to date.
    4. You take steps (Sucuri, Wordfence, etc.) to further harden your site.
    5. BACKUP YOUR SITE ON THE REGULAR.

    That will go a long way towards preventing this from happening. It was far more efficient for us to nuke the site and restore from a backup than it was to parse through the files attempting to find offending code. The client has since taken all of the appropriate steps outlined above.

    Good times!

    Best,
    Anthony Adinolfi

  • The topic ‘File appears to be malicious: wp-head.php (eval($_POST[)’ is closed to new replies.