if ( file_exists( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' ) ) {
include_once( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' );
}
I searched Google, but couldn't find a working solution, so I wrote one!
My understanding of this virus / malware is that it creates a lot of publicly accessible files within WordPress which are an obfuscated file manager for scumbags to access anything they want inside WordPress. These files also reinfect other WordPress files when ran.
The obfuscated php files are included using include_once() in key wordpress files so that it is constantly being ran when people visit your website, making it is hard to remove.
Uploade the attached clean.php file into your home or wordpress directory and run to find all infected files.
php clean.php
clean.php will display all injected files and let you know that it cleaned them. It will run twice to make sure it got all it could find.
You can do this on live. I have used this around 6 times now and it does not break the website, but I aways suggest you make a backup first.
Your site should now be fixed!
How can I run it live? could you provide screenshot?