Recently I began getting strange errors on one of my PHP sites claiming that a file could not be found for a ‘require’. When looking deeper into the issue, I noticed the file had actually been renamed to filename.php.suspected. What??
As it turns out, this is happening to a lot of people. It is not limited to WordPress, but WordPress sites appear to have been targeted more than others. Using the following grep command I found over 25 malware files on the server:
egrep -Rl '\$GLOBALS.*\\x|function.*for.*strlen.*isset|isset.*eval' /path/to/webserver
There were a few false positives, but I had a ~90% success rate with that command.
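As an added example (not from the original post), here is a small POSIX shell script that turns the two indicators above into reusable checks: the same egrep pattern run over a web root, and a search for files that have been renamed to .php.suspected. The sample web root and its file contents are constructed for the demonstration; on a real server you would point the functions at your document root and review the hits by hand, since the pattern produces some false positives.

```shell
#!/bin/sh
# Indicators from the post: the obfuscation pattern used with egrep, and the
# .php.suspected rename that broke the site's require() calls.

# Same extended regex the post used with egrep -Rl.
SUSPECT_RE='\$GLOBALS.*\\x|function.*for.*strlen.*isset|isset.*eval'

# List files under $1 whose contents match the pattern, one path per line.
# grep -E is egrep; -r recurses; -l prints only matching file names.
scan_suspicious_php() {
    grep -Erl "$SUSPECT_RE" "$1" 2>/dev/null | sort
}

# List files under $1 that have been renamed to *.php.suspected.
find_renamed() {
    find "$1" -type f -name '*.php.suspected' | sort
}

# Build a constructed sample web root (hypothetical paths and contents) so the
# script can be run offline. Prints the root directory it created.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    # Benign file: should not be reported.
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    # Constructed sample matching the "$GLOBALS ... \x" branch of the pattern.
    printf '<?php $GLOBALS["\\x61"] = "a"; ?>\n' > "$root/wp-content/uploads/evil1.php"
    # Constructed sample matching the "isset ... eval" branch of the pattern.
    printf '<?php if (isset($_POST["c"])) eval($_POST["c"]); ?>\n' > "$root/wp-content/uploads/evil2.php"
    # A file renamed the way the post describes; its content is harmless here.
    printf '<?php require "x.php"; ?>\n' > "$root/wp-content/plugin.php.suspected"
    printf '%s\n' "$root"
}

# Real-world usage (hypothetical path):
#   scan_suspicious_php /path/to/webserver
#   find_renamed /path/to/webserver
```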