Malicious activity on my website

Hello,

I have a problem with my website. Google Search Console mentions that I have a problem with the website, and the Wordfence plugin does too. But nothing from Defender. Can you help me?

Best regards,

  • Cedric

    Please see the file for google (capture google)

    This is the wordfence report :

    File appears to be malicious: wp-content/themes/eduma 5/header.php
    Filename: wp-content/themes/eduma 5/header.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 9 hours 25 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "de($x)));');@$o0O("fVVrb6JAFP2MSf/DLCVBsoLM8FDadZsmNe2H7W5j3U02tktQR2WjQABt3bb/fe/FR4tlmhgc5pz7One48+UsmSVHtXBSDzN/GOd1TTuqHdWe8HHFgzFP6/JVv3/TpAYllknJdbziY3LD00UQ8Sifr2Xt9JX6LR4FeRhHJ2SW50l20mw+PDwYo...". The infection type is: eval(gzinflate(base64_decode variant.

    File appears to be malicious: wp-content/themes/eduma/header.php
    Filename: wp-content/themes/eduma/header.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 9 hours 25 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "de($x)));');@$o0O("fVVrb6JAFP2MSf/DLCVBsoLM8FDadZsmNe2H7W5j3U02tktQR2WjQABt3bb/fe/FR4tlmhgc5pz7One48+UsmSVHtXBSDzN/GOd1TTuqHdWe8HHFgzFP6/JVv3/TpAYllknJdbziY3LD00UQ8Sifr2Xt9JX6LR4FeRhHJ2SW50l20mw+PDwYo...". The infection type is: eval(gzinflate(base64_decode variant.

    File appears to be malicious: wp-content/themes/eduma 4/header.php
    Filename: wp-content/themes/eduma 4/header.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 9 hours 25 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "de($x)));');@$o0O("fVVrb6JAFP2MSf/DLCVBsoLM8FDadZsmNe2H7W5j3U02tktQR2WjQABt3bb/fe/FR4tlmhgc5pz7One48+UsmSVHtXBSDzN/GOd1TTuqHdWe8HHFgzFP6/JVv3/TpAYllknJdbziY3LD00UQ8Sifr2Xt9JX6LR4FeRhHJ2SW50l20mw+PDwYo...". The infection type is: eval(gzinflate(base64_decode variant.

  • Adam Czajczyk

    Hello Cedric!

That indeed looks like a case of common malicious code. However, it may as well be a "legit" part of the theme, as sometimes theme developers try to "hide" some information in the theme in a way that makes it hard to remove by simply editing the code. Usually it's something like "theme credits" that are then later checked by another piece of code, so if you remove it the theme breaks.

However, in order to check what that is exactly, the full code would be necessary. Instead, I would suggest taking this step:

Download a fresh copy of your theme to your local drive and extract the zip archive locally. Use some "clean text" editor (e.g. Notepad++, Sublime or similar) to compare the "header.php" file from the fresh theme with the one from the theme on your site.

Then, if you see that they are identical and they both include that code, I would suggest either getting in touch with the theme developer and insisting on removing such code (it's against WP rules and good practices) or actually... switching to a different theme.

If, however, the code is only in the file on the server, overwrite the theme on the server with a fresh one and that should clean up the code.

The question then is whether the code comes back or not. If it doesn't, it's all good. If it does, that would mean there's some vulnerability in your site that's beyond the capabilities of the security plugins you are using, so you would most likely need to hire a "WP security pro" to fully review your site and help you deal with that.

I would start, though, with a fresh copy of the theme, and I believe that will let you solve that and fix the issue.

If you have any additional questions, let me know please.

    Best regards,
    Adam
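The comparison Adam describes (fresh theme copy vs. the copy on the server) can be scripted rather than done by eye in an editor. The script below is an added example written for this thread, not code from Wordfence, Defender or the theme vendor. It builds a constructed pair of theme directories (the `fresh/eduma` and `live/eduma` paths and the `PLACEHOLDER_NOT_REAL_PAYLOAD` string are assumptions for the demo), lists every file in the live copy that is added or differs from the fresh download, and separately flags files containing the `eval(gzinflate(base64_decode` pattern named in the Wordfence report. Directory names with spaces, such as `eduma 5`, are handled because every path is quoted.

```shell
#!/bin/sh
# Added example (not from the thread): compare a freshly downloaded theme
# against the copy deployed on the server, and flag files that carry the
# eval(gzinflate(base64_decode obfuscation pattern reported by Wordfence.
set -u

# changed_files FRESH_DIR LIVE_DIR
# Prints one line per file in LIVE_DIR that is absent from FRESH_DIR
# (ADDED) or whose bytes differ from the fresh copy (CHANGED).
changed_files() {
  fresh="$1"; live="$2"
  ( cd "$live" && find . -type f | sort ) | while IFS= read -r rel; do
    if [ ! -f "$fresh/$rel" ]; then
      printf 'ADDED   %s\n' "$rel"
    elif ! cmp -s "$fresh/$rel" "$live/$rel"; then
      printf 'CHANGED %s\n' "$rel"
    fi
  done
}

# flag_obfuscated DIR
# Prints the path of every file under DIR containing the literal
# eval(gzinflate(base64_decode sequence (fixed-string match, no regex).
flag_obfuscated() {
  dir="$1"
  find "$dir" -type f -exec grep -lF 'eval(gzinflate(base64_decode' {} + | sort
}

# make_sample BASE
# Constructs a fresh theme and a live copy under BASE for demonstration.
# The live header.php carries an injected block with a placeholder string
# standing in for the base64 blob; it is not a real payload.
make_sample() {
  base="$1"
  mkdir -p "$base/fresh/eduma" "$base/live/eduma/inc"
  printf '<?php wp_head(); ?>\n' > "$base/fresh/eduma/header.php"
  printf '<?php wp_footer(); ?>\n' > "$base/fresh/eduma/footer.php"
  # live copy: footer untouched, header modified, one extra file dropped in
  cp "$base/fresh/eduma/footer.php" "$base/live/eduma/footer.php"
  printf '<?php eval(gzinflate(base64_decode("PLACEHOLDER_NOT_REAL_PAYLOAD"))); ?>\n<?php wp_head(); ?>\n' \
    > "$base/live/eduma/header.php"
  printf '<?php // constructed: file not present in the fresh theme\n' \
    > "$base/live/eduma/inc/extra.php"
}

# demo: run both checks against the constructed sample and clean up.
demo() {
  tmp=$(mktemp -d)
  make_sample "$tmp"
  echo "Files differing from the fresh theme:"
  changed_files "$tmp/fresh/eduma" "$tmp/live/eduma"
  echo "Files containing the eval(gzinflate(base64_decode pattern:"
  flag_obfuscated "$tmp/live/eduma"
  rm -rf "$tmp"
}

demo
```

On a real site, point `changed_files` at the extracted fresh theme and at the theme folder on the server (copied down over SFTP). If `header.php` shows as CHANGED and is the only file flagged, overwriting the theme with the fresh copy is the fix Adam recommends; if the flagged file also matches in the fresh download, the code shipped with the theme, which is the "contact the developer" case. Re-running the script a day later answers Adam's follow-up question of whether the code comes back.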