Regarding .backup_time
-
Hello,
I saw your thread about .backup_time
There seem to be a lot of sites that have this same issue. Can you tell me if it is malicious?
Here is the file content:
Thank you,
Michael
-
<?php
// Decode one line of the .backup_time file: base64-decode it, then XOR it
// against a keystream ($Gamma) built from two hard-coded strings with SHA-1.
function Uno_decode($String) {
    $String = base64_decode($String);
    $Salt   = "dc5p9dOpBc";
    $StrLen = strlen($String);
    $Seq    = "DMEf5HZuPq";
    $Gamma  = "";
    while (strlen($Gamma) < $StrLen) {
        // Each round: raw SHA-1 of gamma.seq.salt becomes the next seq,
        // and its first 8 bytes are appended to the keystream.
        $Seq    = pack("H*", sha1($Gamma . $Seq . $Salt));
        $Gamma .= substr($Seq, 0, 8);
    }
    // PHP string XOR truncates to the shorter operand, so the extra
    // keystream bytes are simply dropped.
    return $String ^ $Gamma;
}

// $example_1_link: the URL of the pasted file content (one base64 token per line).
$b64s = file_get_contents($example_1_link);
foreach (explode("\n", $b64s) as $line) {
    echo Uno_decode($line) . "\n";
}
outputs:
googlebot|indows|ipad|iphone|android
178.21.23.230
62.113.208.128
128.199.141.242
185.31.209.43
178.32.151.22
188.40.249.90
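The routine above is worth seeing in a second language, because it makes the security-relevant point obvious: the keystream is derived only from two hard-coded constants, never from the data, so every line of the file is XORed with the same fixed pad, and anyone holding the script (or one known plaintext line) can reverse it. The following is an added example, not code from the thread: a Python re-implementation of Uno_decode() plus a matching encoder so that a constructed sample file (assumed here, since the real base64 blob was not reproduced in the post) can be round-tripped offline.

```python
import base64
import hashlib

# Hard-coded constants copied from the posted Uno_decode() routine.
SALT = b"dc5p9dOpBc"
SEED = b"DMEf5HZuPq"


def keystream(length, salt=SALT, seed=SEED):
    """Rebuild the XOR pad the PHP loop calls $Gamma.

    Each round hashes gamma + seq + salt with SHA-1, keeps the raw 20-byte
    digest as the next seq, and appends its first 8 bytes to gamma.  Nothing
    here depends on the data being decoded, so the pad is the same fixed
    byte string for every line of the file.
    """
    gamma = b""
    seq = seed
    while len(gamma) < length:
        seq = hashlib.sha1(gamma + seq + salt).digest()   # pack("H*", sha1(...))
        gamma += seq[:8]                                   # substr($Seq, 0, 8)
    return gamma[:length]                                  # PHP's ^ truncates to the shorter operand


def uno_decode(line):
    """Python twin of Uno_decode(): base64-decode, then XOR with the pad."""
    raw = base64.b64decode(line.strip())
    return bytes(a ^ b for a, b in zip(raw, keystream(len(raw))))


def uno_encode(plaintext):
    """Inverse of uno_decode(): XOR with the same pad, then base64.

    Not in the original post; it exists so a constructed sample file can be
    produced offline and round-tripped.
    """
    pad = keystream(len(plaintext))
    return base64.b64encode(bytes(a ^ b for a, b in zip(plaintext, pad))).decode("ascii")


def decode_lines(text):
    """Decode a whole .backup_time-style file, one base64 token per line."""
    return [uno_decode(ln).decode("utf-8", "replace") for ln in text.split("\n") if ln.strip()]


def encode_lines(items):
    """Build a file in the same layout from a list of plaintext byte strings."""
    return "\n".join(uno_encode(item) for item in items) + "\n"


# Constructed sample mirroring the decoded output shown in the thread
# (assumed content; the real base64 file was not reproduced in the post).
SAMPLE_PLAINTEXT = [
    b"googlebot|indows|ipad|iphone|android",
    b"178.21.23.230",
    b"62.113.208.128",
]
SAMPLE_FILE = encode_lines(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for decoded in decode_lines(SAMPLE_FILE):
        print(decoded)
```

Because keystream() is independent of the input, keystream(n) is always a prefix of keystream(m) for n < m; in practice that means the first line (the user-agent regex) and every IP line below it are masked with the same leading bytes, which is why this is obfuscation rather than encryption.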
Thanks @szepeviktor, I will mark this ticket as resolved, considering that the question was answered. My suggestion for @twicealive is to check the source code of your project with a server-side malware scanner (not a web scanner) to find the file that is generating the “.backup_time” files.
There is a lot of interesting stuff on this page:
https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/shared-hosting-aid/Malware.md#search-for-malware-patterns
I have the same issue on a client site of mine, and unfortunately the Sucuri scanner has been unsuccessful in detecting all of the cases of this when they’re outside of core, or contained in plugins/themes that are not (or are no longer) in the repository.
I have found that these files come in at least two flavors: they are often named
.backup_time
but are sometimes called simply..
(dot dot space). These files also persistently recreate themselves due to code that is infecting other PHP files. The most common location of the infection is the wp-config file, as well as /wp-content/index.php, /wp-content/plugins/index.php and /wp-content/themes/index.php – these files will be 26K-28K in size when infected, when they should in reality be only 28 bytes. It will also try and get into your plugins and themes if it is able.
I also found it injected into an old plugin called “Font Uploader” written by Pippin (now officially a dead project, but this client has been running it for years), as well as an old copy of U-Design which they had installed.
The malicious code generally injects itself into the top line of the file, waaaaaaaaaaaay out to the right. Open the file, and press the “End” key. You will probably also notice a very small horizontal scroll bar which is a good clue something’s up.
Unfortunately, this hack is so persistent that it’s unclear exactly how many places you may find it. What I found interesting in MY case (YMMV, obviously) is that the infected code defined its PHP functions with a double space between “function” and the opening parenthesis. That’s not really a common notation, so I decided to try and dig into my site some more using that as a searchable pattern. On my system (an out-of-the-box VVV install running the default VM) the following grep command worked when run from the root of the downloaded website.
grep -ri 'function[[:space:]]\+[[:space:]]\+' * > output.txt
It was important to pipe the results into a text file I could open when it was done, because the massive block of malicious code comes back in the result, and quickly made my console buffer useless. But when I opened the text file, I actually got good information about my remaining infected files.
wp-content/plugins/font-uploader/includes/functions.php:<?php
wp-content/themes/u-design/functions.php:<?php
wp-content/themes/u-design/header.php:<?php
wp-content/themes/u-design/index.php:<?php
wp-content/themes/u-design/scripts/admin/colorpicker/js/colorpicker.js: fillRGBFields = function (hsb, cal) {
wp-content/themes/u-design/scripts/admin/colorpicker/js/colorpicker.js: fillHSBFields = function (hsb, cal) {
wp-content/themes/u-design/scripts/cache/index.php:
wp-includes/functions.php: * @param string $function The function that was called.
wp-includes/functions.php: * @param string $function The function that was called.
wp-includes/js/twemoji.js: * Function if specified, this will be invoked per each emoji
wp-includes/js/twemoji.js: * callback Function the callback to invoke per each found emoji.
wp-includes/js/twemoji.js: * @param Function a generic callback that will be
wp-includes/js/twemoji.js: * .callback Function the callback to invoke per each found emoji.
wp-includes/js/twemoji.js: * .callback Function the callback to invoke per each found emoji.
With only a few exceptions, you can see that when I ran this code I still had an infected file inside the font-uploader plugin and multiple infected files inside of u-design. The rest of the files, from inside /wp-includes, are harmless. But the rest of the files all had the malicious code on line 1.
It is ENTIRELY possible that there are more infections at different locations, but I wanted to share my experience about this particular piece of it here in case this information helps someone else. Good luck!
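Dave's post above amounts to a triage procedure with three indicators: the placeholder index.php files growing far beyond their stock size (WordPress ships them as `<?php` plus `// Silence is golden.`, which is exactly 28 bytes), a first line that runs to tens of kilobytes, and PHP code that writes `function` followed by two or more spaces. The script below is an added example, not code from the thread or from any scanner it mentions: it walks a site root and reports which of those indicators fire per file. The size and line-length thresholds, and the sample tree it builds in a temporary directory, are assumptions chosen for illustration; the JavaScript comment in the sample is there to show the same kind of benign double-space hit the grep produced for twemoji.js.

```python
import os
import re
import tempfile

# Stock placeholder WordPress ships in wp-content/, plugins/ and themes/: 28 bytes.
SILENCE = b"<?php\n// Silence is golden.\n"
PLACEHOLDERS = (
    "wp-content/index.php",
    "wp-content/plugins/index.php",
    "wp-content/themes/index.php",
)
MAX_PLACEHOLDER = 64    # assumption: a placeholder larger than this deserves a look
MAX_FIRST_LINE = 500    # assumption: the injected line-1 payload is many KB long
# Case-insensitive, like the grep -ri in the post; comments like "Function  the
# callback" will also match, so this indicator is weak on its own.
DOUBLE_SPACE = re.compile(rb"function[ \t]{2,}", re.IGNORECASE)


def check_file(root, rel):
    """Return the list of indicator descriptions that fire for one file."""
    with open(os.path.join(root, rel), "rb") as fh:
        data = fh.read()
    hits = []
    if rel in PLACEHOLDERS and len(data) > MAX_PLACEHOLDER:
        hits.append("placeholder index.php is %d bytes, expected %d" % (len(data), len(SILENCE)))
    first_line = data.split(b"\n", 1)[0]
    if len(first_line) > MAX_FIRST_LINE:
        hits.append("first line is %d bytes long" % len(first_line))
    if DOUBLE_SPACE.search(data):
        hits.append("'function' followed by two or more spaces")
    return hits


def scan(root):
    """Walk root and return {relative path: [indicators]} for files that fired."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith((".php", ".js")):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            hits = check_file(root, rel)
            if hits:
                findings[rel] = hits
    return findings


def build_sample_tree():
    """Constructed sample site (not a real infection): one clean placeholder,
    one bloated placeholder, one clean theme file, one theme file with a long
    injected first line, and a JS comment with a benign double space."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    # Stand-in for the injected line 1: starts with <?php, pads far to the
    # right, defines a function with a double space, then the normal content.
    injected = (b"<?php " + b" " * 40 + b"function  x($a){return $a;} "
                + b"x('a');" * 120 + b"\n// Silence is golden.\n")
    files = {
        "wp-content/index.php": SILENCE,
        "wp-content/plugins/index.php": injected,
        "wp-content/themes/u-design/functions.php": b"<?php\nfunction u_design_setup() {\n}\n",
        "wp-content/themes/u-design/header.php": injected,
        "wp-content/themes/u-design/scripts/colorpicker.js": b"/* Function  the callback */\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan(build_sample_tree()).items()):
        print(path)
        for hit in hits:
            print("    " + hit)
```

Read the output by counting indicators: a file that fires all three (the bloated placeholder) or the two structural ones (long first line plus double-spaced function) is worth opening with the End key as described above; a lone double-space hit in a .js comment is the same false positive the grep produced and can be dismissed after a glance. As with the grep, keep the report in a file rather than the console when the tree is large.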
Thanks Dave for all the info… all my WP applications (about 8) have been attacked with this .backup_time. I spent a few days cleaning out the bad code. The malicious code was always on the first line and mainly injected into index.php files… Not sure how this hack got into my applications, but one of my sites had a really old U-Design theme plus an old version of WP. All code has been removed and theme/plugins/WP all updated. Changed all passwords, etc…
I’m glad it helped someone, ed! Old core is obviously no good, but I can say with certainty (because this was our case as well) that old versions of U-Design still contained timthumb… if I had to guess, I’d place the blame there. Good luck, and I hope your issues don’t come back!
Thanks again Dave. I also found this at the U-Design support forum… thoughts?