Media library virus

Question

My wordpress site recently got detected by my host as virus infected. It started to produce spam mail and so on. Now im able to check where the problem occurred. I noticed that in my wp-content/uploads library there are some kind of random files generated that create these spams, my host provider confirmed that problem comes from these files. (Those are some kind of file without file type)

Restrictions.php contains this code

<?php
/*   __________________________________________________
    |  Obfuscated by YAK Pro - Php Obfuscator  2.0.4   |
    |              on 2019-07-15 15:52:32              |
    |    GitHub: https://github.com/pk-fr/yakpro-po    |
    |__________________________________________________|
*/
goto Il; rR: echo "\141\x75\170\x36\x54\150\x65\151\x6f\107\150\165\145\121\x75\63";

Have anybody ever worked with this kind of situation? And what could be the problem to this and solution?

As far as i can guess, this could be a php infection.

Any help will be appreciated.

Answer 1

you can do different things:

• install an integrity scanner plugin to check if there are some modified file (like core or plugin unofficial portions of code) and check this file one by one
• install a virus scanner that help you to find where the malicious code is
• manually check in ftp folder strange file (by name, by date ecc..)
• the last and I think the safer solutions is to bkp your entire site, bkp your db, reinstall a clean wordpress version, reinstall clean plugin, reinstall clean theme, if you have some custom code reinsert it into your website (for example modified template file, functions.php ecc..), check your db (if there is some malicious code) and then reimport it.