
everyone!

Should I delete this file, or any related files?

File Name: deleteme.4a768ebd031b45c884f93d1314642dbb.php

File Location: public_html/domain-name.com/wp-content

File Contents: ("CODED CONTENT" is used as a placeholder; decoded below)

```php
<?php
/******************************************************************************\
|*                                                                            *|
|* All text, code and logic contained herein is copyright by Installatron LLC *|
|* and is a part of 'the Installatron program' as defined in the Installatron *|
|* license: http://installatron.com/plugin/eula                               *|
|*                                                                            *|
|* THE COPYING OR REPRODUCTION OF ANY TEXT, PROGRAM CODE OR LOGIC CONTAINED   *|
|* HEREIN IS EXPRESSLY PROHIBITED. VIOLATORS WILL BE PROSECUTED TO THE FULL   *|
|* EXTENT OF THE LAW.                                                         *|
|*                                                                            *|
|* If this license is not clear to you, DO NOT CONTINUE;                      *|
|* instead, contact Installatron LLC at: support@installatron.com             *|
|*                                                                            *|
\******************************************************************************/
eval(base64_decode('CODED CONTENT'));
```

Decoded Content:

```php
$file = ( $p = strpos(__FILE__, "(") ) === false ? __FILE__ : substr(__FILE__, 0, $p);
// remove this script from disk on first run; retry after loosening permissions if unlink fails
if (!unlink($file)) {
    chmod($file, 0777);
    unlink($file);
}
define("ABSPATH", dirname(dirname($file)) . "/");   // parent of wp-content = WordPress root
include_once(ABSPATH . "wp-config.php");
include_once(ABSPATH . "wp-admin/includes/file.php");
include_once(ABSPATH . "wp-admin/includes/plugin.php");
include_once(ABSPATH . "wp-admin/includes/theme.php");
include_once(ABSPATH . "wp-admin/includes/misc.php");
// query string = 32-character token followed by the target user ID
$k = substr($_SERVER["QUERY_STRING"], 0, 32);
$u = substr($_SERVER["QUERY_STRING"], 32);
$h = $wpdb->get_var( $wpdb->prepare( "SELECT user_pass FROM {$wpdb->users} WHERE ID = %s", $u ) );
// token = md5(<timestamp of the current minute> . md5(password hash)); previous and next minute also accepted
if ( is_string($h) && (
        $k === md5(mktime(date("H"), date("i"), 0) . md5($h))
     || $k === md5(mktime(date("H"), date("i") - 1, 0) . md5($h))
     || $k === md5(mktime(date("H"), date("i") + 1, 0) . md5($h)) )
) {
    wp_set_auth_cookie($u);   // log the current request in as that user
}
header("Location: " . 'http://www.domain-name.com/wp-admin/');
```

Background: I recently reset my CPanel on GoDaddy because a programmer off of Fiverr told me that my sites are all being infected by malware being served from GoDaddy's side. Each time he removes the malware, it returns. My RAM and I/O usage were overloaded and all my sites became non-functional. GoDaddy tells me this is a false statement and that their "firewalls" would prevent it. I reset the CPanel, installed a fresh WordPress site, and things are functional, but I found this in the files. I hesitate to continue a fresh site build without understanding this.

Using WordFence does not trigger a warning.

A little advice, please? Thanks!

Anni
    It's probably malware. – SLaks Aug 15 '17 at 22:26
  • it's a legit part of the plugin, did you go to the links? –  Aug 15 '17 at 22:33
  • I didn't see any links to follow. I did inspect each of the .php files referenced in the decoded content, but I don't see any random links or anything out of place. – Anni Aug 15 '17 at 22:37
  • http://installatron.com/ is in the comments –  Aug 15 '17 at 22:40
  • @rtfm - oh, yeah. That's a legit company. That is an application GoDaddy uses that allows Wordpress and other applications to be installed on their CPanel easily by people with little programming skill (like me!) – Anni Aug 15 '17 at 22:43
  • There was a malware thing like this, where it created and decoded a base64 string, I remember reading about it a while back ([something along the lines of this?](https://stackoverflow.com/questions/5922762/how-to-get-rid-of-eval-base64-decode-like-php-virus-files)). Try renaming it / moving it, and if your site continues to work, then delete it. – Toastrackenigma Aug 16 '17 at 02:16

3 Answers

3

This question is a little bit old, but if somebody is curious still about this one, let me shed some light:

  • It is not malware.
  • It is a leftover of the autologin system of the Installatron software (used by GoDaddy, but also by some other hosting providers).
  • It happens because this file is used during the autologin process; if that process is interrupted or blocked, the file remains.
  • You can safely remove it.
  • Due to its coding style, it usually throws a false positive in scanners.

Hope it helps!

Pharar
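As an added illustration of the triage that the question and this answer describe (decoding an eval(base64_decode(...)) wrapper and recognising the Installatron autologin leftover by what the decoded code does rather than by the copyright comment above it), here is a Python script. It is not part of the question, of any answer or of Installatron's code. It decodes the payload as text without executing it, reports behavioural indicators and applies this answer's diagnosis. The sample file, the indicator names and the verdict labels are constructed for the example; the file name and the decoded statements are taken from the question.

```python
"""Static triage of a suspected eval(base64_decode(...)) PHP file.

Added example (not code from the question or from Installatron): the
base64 payload is decoded and inspected as text, never executed.
"""
import base64
import os
import re

# Constructed sample: the decoded payload quoted in the question, re-encoded
# into the eval(base64_decode('...')) wrapper that the file on disk uses.
_PAYLOAD = r'''
$file =( $p = strpos(__FILE__,"(") )=== false ? __FILE__ : substr(__FILE__,0,$p);
if (!unlink($file)){ chmod($file,0777); unlink($file);}
define("ABSPATH", dirname(dirname($file))."/");
include_once(ABSPATH."wp-config.php");
$k = substr($_SERVER["QUERY_STRING"],0,32);
$u = substr($_SERVER["QUERY_STRING"],32);
$h = $wpdb->get_var( $wpdb->prepare( "SELECT user_pass FROM {$wpdb->users} WHERE ID = %s", $u ) );
if ( is_string($h) && ( $k === md5(mktime(date("H"), date("i"), 0).md5($h))
    || $k === md5(mktime(date("H"), date("i")-1, 0).md5($h)) )){ wp_set_auth_cookie($u);}
header("Location: ".'http://www.domain-name.com/wp-admin/');
'''
SAMPLE_PHP = ("<?php\n/* vendor copyright header, omitted */\n"
              "eval(base64_decode('" + base64.b64encode(_PAYLOAD.encode()).decode() + "'));\n")

# eval(base64_decode('<base64>')) wrapper; whitespace inside the literal is tolerated
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)")
# the autologin helper is dropped as deleteme.<32 hex chars>.php (name pattern from the question)
LEFTOVER_NAME = re.compile(r"^deleteme\.[0-9a-f]{32}\.php$")

# behavioural indicators (names are this example's own labels)
INDICATORS = {
    "self_delete": r"unlink\s*\(\s*(\$file|__FILE__)",
    "reads_password_hash": r"SELECT\s+user_pass\s+FROM",
    "sets_auth_cookie": r"wp_set_auth_cookie\s*\(",
    "time_based_token": r"md5\s*\(\s*mktime\s*\(",
    "redirect": r"header\s*\(\s*[\"']Location:",
}


def unwrap_eval_base64(source, max_depth=5):
    """Peel nested eval(base64_decode('...')) wrappers; return (inner_code, layers)."""
    code, layers = source, 0
    while layers < max_depth:
        m = EVAL_B64.search(code)
        if not m:
            break
        try:
            code = base64.b64decode(re.sub(r"\s+", "", m.group(1))).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed base64, stop here
            break
        layers += 1
    return code, layers


def find_indicators(code):
    """Sorted names of the behavioural indicators present in the decoded code."""
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, code))


def classify(name_matches, hits):
    """Apply the answer's diagnosis: a deleteme.<hex>.php that deletes itself, checks a
    time-based token against the user's hash and sets the WP auth cookie is the
    Installatron autologin leftover. Anything else with indicators needs a human look."""
    autologin = {"self_delete", "time_based_token", "sets_auth_cookie"}
    if name_matches and autologin <= set(hits):
        return "installatron-autologin-leftover"
    if hits:
        return "manual-review"
    return "no-indicators"


def triage(path, source):
    """Decode and inspect one PHP file without executing it."""
    name = os.path.basename(path)
    name_matches = bool(LEFTOVER_NAME.match(name))
    code, layers = unwrap_eval_base64(source)
    hits = find_indicators(code)
    return {
        "file": name,
        "leftover_name_pattern": name_matches,
        "base64_eval_layers": layers,
        "indicators": hits,
        "verdict": classify(name_matches, hits),
        "decoded": code,
    }


if __name__ == "__main__":
    import json
    report = triage("public_html/domain-name.com/wp-content/"
                    "deleteme.4a768ebd031b45c884f93d1314642dbb.php", SAMPLE_PHP)
    print(json.dumps({k: v for k, v in report.items() if k != "decoded"}, indent=2))
    print(report["decoded"])
```

The verdict is derived from the decoded behaviour and the file name, not from the vendor comment block, because a copyright banner can be pasted onto anything. Note what the leftover still does while it exists: it logs in whoever presents a token derived from the stored password hash, which is why this answer's advice to remove it rather than leave it lying in wp-content is sound.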
0

That looks like malware.

You can scan your website online using Sucuri -> https://sitecheck.sucuri.net/. Just enter your website URL there and see what it reports.

Another way would be to save your file locally on your computer and use some antivirus/antimalware tools to scan that file.

Since you're running WordPress, install this plugin: Anti-Malware Security and Brute-Force Firewall. Activate it, go to Settings, register for an API key using your email address, update the definitions and start a full scan. It will scan all your site folders/files looking for malware and provide you with a report.

Please keep in mind that it might show you some files as being infected and in reality they might be legit. So I suggest you manually check each reported file.

I've been using this plugin for a very long time and it's really good at identifying malware/suspicious files. So give it a try.

Bogdan Stoica
  • It's not malware but a file from https://installatron.com, a "one-click web app installer" used by many web hosting providers. As properly pointed out by [@Pharar's answer](https://stackoverflow.com/a/57376620/199400). I myself have experienced that leftover artefact at webhost https://EasyName.eu – porg Jul 27 '21 at 18:53
-1

This looks very suspicious. Apparently, this is a very popular way to embed malware into php sites. https://aw-snap.info/articles/php-examples.php.

No reasonable programmer would embed code like that into a page. It also looks like it tries to delete itself, which is strange. It also selects passwords from the database, which is strange. I'm gonna call it 100% malware.

Jordan