ad-min

The compromised “background-image-cropper.zip” comes with several encrypted files, probably the “IndoXploit-shell”

I confirm, the solution offered above by garymarkfuller it works, at least for me. I removed the & found before $handle in line 153 of the feedwordpresshttpauthenticator.class.php file in the wp-content/plugins/feedwordpress folder. I reactivated the plugin, and there was not any error appearing. I updated the feed and the new posts were syndicated regularly.
No other inconvenience observed so far on the site.
Thank you garymarkfuller!

The same here.

This one below is a php script that may help.
It searches for a particular string inside yourfiles.
Replace “base64_decode” wirh anything you want and it will search all your files for that string and it will show those that have it to you.

This is one way to find if any of your files have been modified by a hacker.

<html><head><title>Find String</title></head><body>
<?php
ini_set('max_execution_time', '0');
ini_set('set_time_limit', '0');
find_files('.');
function find_files($seed) {
  if(! is_dir($seed)) return false;
  $files = array();
  $dirs = array($seed);
  while(NULL !== ($dir = array_pop($dirs)))
    {
      if($dh = opendir($dir))
        {
          while( false !== ($file = readdir($dh)))
            {
              if($file == '.' || $file == '..') continue;
              $path = $dir . '/' . $file;
              if(is_dir($path)) {    $dirs[] = $path; }
              else { if(preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); }}
            }
          closedir($dh);
        }
    }
}
function check_files($this_file) {
   $str_to_find='base64_decode'; // the string(code/text) to search for
   if(!($content = file_get_contents($this_file))) { echo("<p>Could not check $this_file</p>\n"); }
   else { if(stristr($content, $str_to_find)) { echo("<p>$this_file -> contains $str_to_find</p>\n"); }}
   unset($content);
}
?>
</body></html>