Recently we began getting strange errors on one of our PHP sites claiming that a file could not be found for a "require". When looking deeper into the issue, we noticed the file had actually been renamed to filename.php.suspected. What??
As it turns out, this is happening to a lot of people. This is not just limited to Wordpress, but it appears Wordpress sites have been targeted more than others. Using the following grep command we found over 25 malware files on the server:
egrep -Rl '\$GLOBALS.*\\x|function.*for.*strlen.*isset|isset.*eval' /path/to/webserver
There were a few false positives, but we had a ~90% success rate with this command. We dug deeper and found the reason these hackers want the server--spam mail. A PHP mailer script was installed on the server and the hackers were POSTing to it to send (lovely) spam messages.
Since utilizing this script, we have fixed hacks on many Wordpress websites and successfully recovered 100% of the websites brought to us.
If you are experiencing this Wordpress hack, you need a cyber security expert to resolve the issue. We offer great rates to resolve website hacks--contact us for more info.