WordPress – Remove Malware Backdoor Code

Removing a string in a PHP file with Start and End
I found my WordPress sites were infected by an exploit and I’m trying to clean up the code; a line like this was added to all PHP files on the server:

At the beginning of each file, it starts with:

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"]))

and ends with -1; ?>.
This code was added at the beginning of all the PHP files.

Yes, your website was hacked! I searched for a long time, and finally found the solution!

You can follow this guide. You can copy the code and run it on your server.

If the code does not work and you get an error like this:

/bin/sh^M: bad interpreter: No such file or directory

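you need to convert the code from DOS to UNIX line endings (the ^M is the carriage return that DOS line endings leave at the end of each line) with the tool UltraEdit

(UltraEdit: File -> Conversions -> DOS -> UNIX)

Or you can download the code directly here: remove_malware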
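
The linked script is not reproduced on this page. As an added example (not the author's script), the following sh script strips the injected block only when line 1 of a file starts with the marker quoted above and also contains the closing -1; ?>, and it copies each original to a backup directory outside the web root first. It assumes the injection sits entirely on the first line; BACKUP_DIR, the function names and the usage path are hypothetical.

```sh
#!/bin/sh
# Added example, not the script linked from this page.
# START and END are the markers quoted above; all other names are hypothetical.
START='<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"]))'
END='-1; ?>'
export START END   # awk reads them via ENVIRON, which keeps backslashes literal
# Backups go outside the web root so the infected copies can never be served.
BACKUP_DIR=${BACKUP_DIR:-/var/backups/php-infected}

# Print FILE without the injected block. Only line 1 is examined, and it is
# changed only if it begins with START and also contains END.
# Exit status: 0 = block found and stripped, 1 = file left as it was.
strip_injection() {
  awk '
    NR == 1 && index($0, ENVIRON["START"]) == 1 {
      tail = substr($0, length(ENVIRON["START"]) + 1)
      p = index(tail, ENVIRON["END"])        # first END: remove as little as possible
      if (p > 0) {
        hit = 1
        rest = substr(tail, p + length(ENVIRON["END"]))
        if (rest != "") print rest           # original code that shared line 1
        next
      }
    }
    { print }
    END { exit !hit }
  ' "$1"
}

# Clean FILE in place after saving the original under BACKUP_DIR.
# Returns 0 if the file was cleaned, 1 if it did not match, 2 on error.
clean_file() {
  tmp=$(mktemp) || return 2
  if strip_injection "$1" > "$tmp"; then
    mkdir -p "$BACKUP_DIR/$(dirname "$1")" && cp -p "$1" "$BACKUP_DIR/$1" &&
      cat "$tmp" > "$1" && rm -f "$tmp" && return 0   # cat keeps owner and mode
    rm -f "$tmp"; return 2
  fi
  rm -f "$tmp"; return 1
}

# Usage: sh clean_injected.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    if clean_file "$f"; then echo "cleaned: $f"; fi
  done
fi
```

Files that do not match are left byte-for-byte untouched, so the script can be re-run safely; keep the backup directory for later analysis of the payload.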

Finally, I removed all the hacked code.

To make sure you have removed all of the code, you can use this tool: Web Shell Detector.

Web Shell Detector is a PHP script that helps you find and identify php/cgi(perl)/asp/aspx shells. Web Shell Detector has a “web shells” signature database that helps to identify web shells up to 99%.

You can download it here – Web Shell Detector.