Had a customer’s website blocked by our internal firewall.
They were running WP Antivirus Site Protection plug-in. It listed the following files.
- /wp-content/plugins/nextgen-gallery/nggallery.php
- /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/lib/imagemagick.inc.php
- /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.router.php
- /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.routing_app.php
- /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/interface.routing_app.php
- /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/wordpress_routing/adapter.wordpress_routing_app.php
- /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/functions.php
- /wp-content/plugins/si-contact-form/includes/class-fscf-process.php
This link provided me with some detail. There was code that looked like "\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","
Deleting this is supposed to help.
Here is a good article on this issue.
http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html
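To see what the hex-escaped strings quoted above say, and to check other files for the same pattern, here is a small scanner. It is an added example, not code from the post or from the plug-in. The array wrapper, the variable name `a`, the thresholds and the function names are assumptions made for illustration.

```python
import re
import sys

# Quote characters to accept: straight quotes plus the typographic ones
# that blog software substitutes when code is pasted into a post.
QUOTES = "\"'\u201c\u201d\u2033"

# A quoted string consisting only of \xNN escapes (four or more of them).
HEX_STRING = re.compile(
    "[" + QUOTES + r"]((?:\\x[0-9A-Fa-f]{2}){4,})[" + QUOTES + "]"
)

def decode_hex_strings(text):
    """Return the decoded value of every all-hex string literal in text."""
    decoded = []
    for match in HEX_STRING.finditer(text):
        hex_digits = match.group(1).replace("\\x", "")
        decoded.append(bytes.fromhex(hex_digits).decode("latin-1"))
    return decoded

def looks_obfuscated(text, threshold=3):
    """Flag text holding `threshold` or more all-hex string literals.
    The threshold is an assumed starting point, not a tuned value."""
    return len(decode_hex_strings(text)) >= threshold

# Constructed sample: the strings quoted in the post, wrapped in a
# hypothetical array assignment so the fragment is complete.
SAMPLE = (
    r'var a=["\x73\x63\x5F\x63\x6F",'
    r'"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",'
    r'"\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68",'
    r'"\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74",'
    r'"\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72"];'
)

# Constructed sample of ordinary plug-in code that must not be flagged.
CLEAN = '<?php echo "hello"; $w = "width"; ?>'

if __name__ == "__main__":
    # With file arguments: report files that match. Without: decode SAMPLE.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="latin-1") as fh:
                content = fh.read()
            if looks_obfuscated(content):
                print(path, decode_hex_strings(content))
    else:
        print(decode_hex_strings(SAMPLE))
```

Run it with the flagged plug-in files as arguments; a hit means the file should be compared against a clean copy of the plug-in.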