drylander

All better! Thanks.

The “Re-install Now” feature on the updates page is very nice, and a fresh install would be even nicer. The problem is when exploits have been embedded in page content or superfluous files like @Debwork mentioned above. None of the 15 files I removed even belong, but unless I’d installed from scratch (new directory structure and all), they’d still be there.

Actually, I’m using a different security plugin, which shall remain nameless (okay, it’s WP Security), but it wasn’t installed when the site was compromised. My first clue was anonymous links showing up on pages. Reviewing the site back-ups, I saw that the hacks were in the content from 2011, so it’s been a bit of a pain cleaning things up. Identifying (and removing) the files you mentioned above is a big deal!

I found 15 files with those endings, but there were only 4 different sets of sets of contents between them. They’re all using the same technique of setting variables in the first part, and then concatenating strings from them in the second. I haven’t seen exactly what the results are, but likely it’s some form of eval() exploit. Interestingly, they all start with <?php, but it’s not closed at the end. They all end with );, sometimes with a trailing space, too.

This is on a site I just cleaned, removing a bunch of ll.php hacks sprinkled through function.php files and post content.