php.suspected Hack

  • December 9, 2015

Recently I began getting strange errors on one of my PHP sites claiming that a file could not be found for a ‘require’. When looking deeper into the issue, I noticed the file had actually been renamed to filename.php.suspected. What??

As it turns out, this is happening to a lot of people. This is not just limited to Wordpress, but it appears Wordpress sites have been targeted more than others. Using the following grep command I found over 25 malware files on the server:

egrep -Rl '\$GLOBALS.*\\x|function.*for.*strlen.*isset|isset.*eval' /path/to/webserver

There were a few false positives, but I had a ~90% success rate with that command.

*taken from

How helpful was this article to you?

Posting has been disabled.