WordPress Hack: Malware Scanner

This malware scanner script scans files and detects possible malware code. It returns a list of possibly infected files. Each file is labelled (eval, c99madshell, or long_text) and shown with a portion of the matched code. The script matches “eval(…)”, “<?php $md5="…"; $wp_salt="…"; …” (also known as ‘c99madshell’), and long text such as “FEKS2121asFklMn83kUgdlf/sDkn12L+…”, because I believe these are potential malware code.

When you’re done running the malware scanner script, double-check the results. Do not delete or clean the files immediately. The script also matches clean files as long as they contain one of the 3 potential hacker codes. So, please be careful.

Below are the sample results:

1. ./website.com/wp-includes/js/tw-sack.dev.js – eval – eval(this.response

  • File  – ./website.com/wp-includes/js/tw-sack.dev.js
  • Label – eval
  • Small portion of Matched Code – eval(this.response
  • Not a hacker code

2. ./website2.com/system/libs/65d1.php – long_text – UeZTUf77n6yg8roYttj54AztjS3gfP7FhotwRGOTO9CKDOJeAr

  • File  –  ./website2.com/system/libs/65d1.php
  • Label – long_text
  • Small portion of Matched Code – UeZTUf77n6yg8roYttj54AztjS3gfP7FhotwRGOTO9CKDOJeAr
  • I checked the file and confirmed it was a hacker’s code.
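The three labels and the false-positive caveat above, as an added Python example (not the code of scanner_2.6.php, whose patterns this page does not show). The regexes, the 200-character threshold, the size cap and the high/review triage are assumptions of this example, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

SNIPPET_LEN = 50             # report only a small portion of each match
MAX_BYTES = 2 * 1024 * 1024  # assumed cap so one huge file cannot exhaust memory
SCAN_EXTS = {".php", ".js", ".inc", ".html", ".htm"}

# One pattern per label named in the post. The regexes are this example's
# assumptions; the page does not show the patterns scanner_2.6.php uses.
SIGNATURES = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("c99madshell",
     re.compile(r"<\?php\s*\$md5\s*=\s*[\"'].{0,200}?\$wp_salt\s*=", re.S)),
    ("long_text", re.compile(r"[A-Za-z0-9+/]{200,}")),
]
# Added triage, not something the post's scanner reports: eval wrapped directly
# around a decoder ranks above a bare eval( such as the one in tw-sack.dev.js.
DECODER = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")


def scan_text(text):
    """Return (label, snippet, priority) for every signature hit in text."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(text):
            snippet = text[m.start():m.start() + SNIPPET_LEN]
            snippet = " ".join(snippet.split())  # collapse newlines and tabs
            high = label == "c99madshell" or DECODER.match(text, m.start())
            hits.append((label, snippet, "high" if high else "review"))
    return hits


def scan_tree(root):
    """Walk root and return (path, label, snippet, priority) rows."""
    rows = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTS:
            continue
        rel = "./" + path.relative_to(root).as_posix()
        if path.stat().st_size > MAX_BYTES:
            rows.append((rel, "too_large", "not scanned", "review"))
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rows.extend((rel, *hit) for hit in scan_text(text))
    return rows


def demo():
    """Scan a constructed tree: one benign JS eval, one injected PHP file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "sack.js").write_text("var r = eval(this.response);\n")
        payload = "QUJD" * 60  # constructed 240-character base64-looking filler
        (root / "index.php").write_text(f'<?php eval(base64_decode("{payload}")); ?>\n')
        return scan_tree(root)


if __name__ == "__main__":
    for rel, label, snippet, priority in demo():
        print(f"{rel} – {label} – {snippet} [{priority}]")
```

Rows marked "review" still need a manual look; the ranking only decides which files to open first.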

Download Malware Scanner
To use the script, you can run it in your favorite browser or from the command line (recommended):

$ time php scanner_2.6.php 2>&1 >> scanner_log | tail -f scanner_log

This command runs scanner_2.6.php and logs the output to the scanner_log file.

Title: scanner_2.6 (8320 clicks)
Filename: scanner_2-6.zip
Size: 3 KB

Another recommendation is a WordPress plugin by ELI (I haven’t tried it, but as you can see, a comment below said it worked for him) – Anti-Malware and Brute-Force Security by ELI


80 Responses to WordPress Hack: Malware Scanner

  1. Anthony says:

    Hi Paolo

    First up, thanks for your great work with this script.

    When I run it via command line or browser, I get this:


    Found Files
    Summary. You can take a better look on files that matches a potential hack script.

    Then in my error log I see:

    [28-Feb-2012 20:41:34] PHP Warning: opendir(../infected/) [function.opendir]: failed to open dir: No such file or directory in /*****/*****/public_html/barcodeinfo/scanner_2.3.php on line 83
    [28-Feb-2012 20:41:35] PHP Warning: Invalid argument supplied for foreach() in /***/*****/public_html/barcodeinfo/scanner_2.3.php on line 57

    Any ideas?


    • Paolo says:

      Oh! Sorry about that Anthony, I have fixed it, I changed now the $root="./"; on line 25.

      Let me know your thoughts about the scanner. Thanks for using.


  2. Brian says:


    I have some malware issues going on but I’m not sure how to fix. I run the cleaner and it works but the malware returns again so I don’t think that I’m getting to the root of the issue. I ran the scanner but am not sure what I’m looking for. Can you please help or point me in the right direction?

    These are always the infected files found by the cleaner


    • Paolo says:

      Hi Brian,

      We need to find the script that creates the malware code.
      The scan result can help me find it.

      I’ll run the scanner on your site and check the result.

      Let you know.


  3. Die2mrw007 says:

    Great work Paolo….This is really useful plugin 🙂
    The best one indeed.

    • Paolo says:

      Thank you 🙂 but this isn’t a plugin. It’s just a simple script 🙂

      Have a great day!

  4. Rulex says:

    The scanner code is not working for me, it says that the server is busy after it stays there for a while like it is doing something but it says server busy after a while.

    Total newb here, pls be patient 🙂

    And thank you very much for this!

    • Paolo says:

      Hello Rulex,

      Thanks for using my code. Can you check if there’s scanner_log on your directory where the scanner_2.4.php is located.
      Actually, the scanner should output directories or files as it scans your server.
      If it doesn’t show try this command :

      $ time php scanner_2.4.php 2>&1 >> scanner_log | tail -f scanner_log

      Also, when it’s done can you send the scanner_log to info@php-beginners.com because as of now I am the only one who can
      understand the scanner_log but am still working on upgrading it.

      Let me know. Thanks.


  5. teresa says:

    Hi Paolo,

    I ran the script on my site and is having the same issue as the guy above. I don’t know what I am looking for and not sure if the malware is cleaned because the malware is still on the site. Here is the site

    http://thelauryndoll.com/scanner_2.4.php. I will email you as well. Thanks.

    • Paolo says:

      Hello Teresa,

      Thanks for using malware scanner. I’ll run it now and see what I found.
      Thanks. Keep you posted.

      Paolo 🙂

    • Paolo says:

      Hi Teresa,

      I just finished running the scanner, I found these suspicious 12 files:
      2. ./wp-signup.php
      -eval – eval(base64_decode(“ZXZhbChiYXNlNjRfZGVjb2RlKCJaWF

      76. ./wp-content/themes/headway/library/api/api-child-theme.php
      -eval – eval(base64_decode(“ZXZhbChiYXNlNjRfZGVjb2RlKCJaWF

      108. ./wp-content/themes/DailyNotes/page-gallery.php
      -timthumb vulnerability – timthumb

      109. ./wp-content/themes/DailyNotes/changelog.txt
      -timthumb vulnerability – timthumb
      -timthumb vulnerability – Timthumb

      110. ./wp-content/themes/DailyNotes/page-template-portfolio.php
      -timthumb vulnerability – timthumb

      111. ./wp-content/themes/DailyNotes/single.php
      -timthumb vulnerability – timthumb

      112. ./wp-content/themes/DailyNotes/page-blog.php
      -timthumb vulnerability – timthumb

      115. ./wp-content/themes/DailyNotes/epanel/custom_functions.php
      -timthumb vulnerability – timthumb

      120. ./wp-content/themes/DailyNotes/includes/entry.php
      -timthumb vulnerability – timthumb

      121. ./wp-content/themes/DailyNotes/includes/entry2.php
      -timthumb vulnerability – timthumb

      122. ./wp-content/themes/DailyNotes/includes/functions/troubleshooting.php
      -timthumb vulnerability – timthumb
      -timthumb vulnerability – Timthumb

      123. ./wp-content/themes/DailyNotes/includes/functions/installation.php
      -timthumb vulnerability – TimThumb

      I really got the feeling that the main malware script is in ./wp-signup.php
      Please send the files to me at info@php-beginners.com

      Let me know. Thanks.

      Paolo 🙂

  6. Cesar says:

    Hi Paolo, can I use the script to scan an Joomla website?
    Thank you.

    • Paolo says:

      Yes Cesar, you can use it on Joomla, just send me the scan result if you don’t know how to read it.

      Thanks for using it.

      Paolo 🙂

  7. wayne says:

    I don’t know anything about php and would like to use this scanner. I know basic WP installs but that is it. My sites have been hit with a JS Redirect trojan. My host company found malware on a few sites and cleaned those. I’m blocked by my antivirus from visiting a couple other sites still. Do you have steps for a complete newb on how to use your scanner?


    • Paolo says:

      Hi Wayne,

      I’ll create one for you Wayne don’t worry.
      What hosting are you using? What’s your website URL?
      Can you access your server using “Shell Access”? If you
      don’t have any, please ask your hosting support about
      “Shell Access”.

      Keep you posted.

      Paolo 🙂

  8. Pingback: WordPress Hack : Malware Scanner | Komputer, Internet, Software Tips

  9. Sandman77 says:

    Thanks for the script but I get timeouts 🙁 I am on Dreamhost.com but live in Germany…


    I have 5 WordPress sites on there and one directs ONLY in Safari oddly… Can you help? I have reinstalled wordpress but not removed old themes or old plugins but updated most…

  10. Enric says:

    Hi Paolo, thanks for the great work.
    It’s possible to run the script in a drupal installation?
    Let me explain my scenario 🙂 , I’ve been infected by an old installation of Joomla (almost sure) that I’m not using anymore. But, they infected all my server drupal installations changing the .htaccess files with the code on the end of my message.
    I ran your cleaner but about 30 min after the .htaccess it has been modified again.
    Any ideas??? I’m run of it.
    Any help It will be appreciated.
    p.d. Sorry for my english.
    Best regards!!

    RewriteEngine On

    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|
    RewriteRule ^(.*)$ http://colcevoce.ru/infinity?8 [R=301,L]
    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|
    RewriteRule ^(.*)$ http://colcevoce.ru/infinity?8 [R=301,L]

    • Paolo says:

      Hello Enric,

      You need to find the file that is responsible on writing again
      the malware script on your server.

      You can do it by running a malware scanner, you can download it here:

      and send the scan result to me @ info@php-beginners.com.


      • Enric says:

        Ok, thanks Paolo,
        I’ll leave running the script all night. 🙂 . There’s a lot of drupal installation, but fortunately the problem it’s the same.
        I had tried to search manually the f… file, but with no results 🙁
        Thanks in advance!!


        • Sandra says:

          I had a blog where the hackers injected black hat links in my content. The links could only be seen in the code and not on the visual part of the blog. I found out it was hacked when I looked up the most used keywords in Google webmaster tools. I knew I never used keywords like viagra and other pharmacy products, still it was, according to GWT, the most used keywords on my site. I did not use the timthumb.php script, and I am not quite sure where the hackers got in. It may be the files on the server had write access and the server was shared.

      • Enric says:

        Hi Paolo!!,
        the script still working. A lot of directories 🙂
        Tomorrow I’ll send to you.
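The redirect Enric posted fires only for visitors whose referrer is a search engine, so the site looks normal on direct access. As an added example (not from any commenter or from Paolo's scripts), this Python check flags that rule shape in an .htaccess file; the function name, the engine list and the sample domains are assumptions, and the sample file is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed engine list for this example; the pattern in the comment is cut off.
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|baidu|ask|youtube|wikipedia", re.I)

# Constructed sample: stock WordPress rules, an injected block shaped like the
# one in the comment (placeholder domain), and a legitimate HTTPS redirect.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu) [NC]
RewriteRule ^(.*)$ http://redirect.example/landing?8 [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.mysite.example/$1 [R=301,L]
"""


def find_referer_redirects(htaccess_text, own_hosts):
    """Return (line_no, host, rule) for search-referrer-gated off-site redirects."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []  # pending: conditions guarding the next rule
    for line_no, raw in enumerate(htaccess_text.splitlines(), start=1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1].upper(), parts[2]))
        elif directive == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            host = (urlsplit(target).hostname or "").lower()
            gated = any(test == "%{HTTP_REFERER}" and SEARCH_ENGINES.search(pat)
                        for test, pat in pending)
            if gated and host and host not in own:
                findings.append((line_no, host, raw.strip()))
            pending = []  # conditions apply only to the rule that follows them
    return findings


if __name__ == "__main__":
    for hit in find_referer_redirects(SAMPLE_HTACCESS, {"www.mysite.example"}):
        print(hit)
```

Running it on every .htaccess after each cleanup shows quickly whether the rule has been written back.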

  11. angela says:

    Hi, Paolo,

    Thanks for the scripts. My site have been struggling by the hackers for months, and i have no idea how to solve it instead of keep asking the host Q&A to restore…I guess ur work can help me to get rid of it completely…but the problem is the scanning is running very slow on my computer that no result showed. Also, i believe even the result can show, i cant able to read it. Sincerely ask you to help me~~Thank you…

  12. Kenneth says:

    I think my sites (22 joomla installations on one server). I have run your cleaner and scanner. But I have problem finding the source of my problem.

    • Paolo says:

      Hello Kenneth,

      Just send the scan logs to me. Maybe that way we can find the mail malware script.

      Let me know

  13. Pinky says:

    I sent you an email at info@php-beginners.com.
    I’m unable to run the scanner_2.6.php script from any browser. The email contains info that may help.

    I hope this was ok…. just desperate to fix this problem!

  14. John says:

    Hi Paolo, I’ve sent you an email with a scanner log. If you could help Id really appreciate as this has been driving me mad for weeks.



  15. Vibha says:

    Thank you Paolo!
    I have replaced all garbage code from your help and changed FTP details.
    After 3-4 days again this code came back, What should i do?

    • Paolo says:

      Hi Vibha,

      Can you please try to scan your site. Download my malware scanner here:

      Run and send the scan result to me at info@php-beginners.com

      Let me know. Paolo

      • Vibha says:

        Thanks for reply.

        I found these code in all index files.
        * ./wp-content/themes/twentyeleven/index.php
        -eval – eval(base64_decode(‘JGlwPSRfU0VSVkVSWyJSRU1PVEVfQU
        * ./index.php
        -eval – eval(base64_decode(‘JGlwPSRfU0VSVkVSWyJSRU1PVEVfQU

        And found one cgi_bin folder under root which have yhqti.php file with garbage coding.

        There is also one log file generated on root because of virus, which have all visited user’s ip addresses.

        • Paolo says:

          ah! I see. just continue the scan and send the result to me.
          We need to find the file that is responding of rewriting the malware codes again.

  16. Viptor says:

    Hello Paolo my site appear to have in the main header the eval64 codes and i deleted all the codes and it appeared again! I have sent the results to your email please review the codes..

  17. tofe says:

    Thanks for the scanner, but can’t you explain how to use your scanner for people who don’t know about command lines and shell whatever? Is that so difficult? What do I have to do? Upload the file and start it somehow?! How? Thank you.

  18. Abrek says:

    Hello Paolo, thanks for your program. I am having the malware problem in my wp header.php file. i cleaned it 100 times but it keeps coming back. I made a scan with your code but the result is too long and complicated. and it says 140 possible malware codes found. is there any way that you can help me?

  19. Abrek says:

    I sent the mail just now. Thank you very much! 🙂

  20. I am now stumped I had 3 sites hacked. I think I have 2 fixed but one the code in the header.php keeps coming back. I am not that good with code. the code that keeps coming back is


    I have all three programs on the site
    the cleaner says no infected but that line keeps coming back. I also have tried the scanner but not sure what I am looking for. Everything I look at seems to belong but I am not a coder.

    I really would appreciate if you could give me a tip on how to find the problem with the scanner because I am sure it will happen again and I will need to try and figure out how to fix on another site.


  21. taimoor says:

    Hello Paolo,

    i have uploaded ur malware scanning script on my server, my site works fine on direct access but if i access it through search engine it redirects to a iframed page, although i had my hosting company scan it but they failed to fix it and messed up my website’s layout 🙁
    this is the site: http://reviewjuicers.com/scanner_2.6.php where i have added the script

  22. Jeff says:

    Hello Paolo,

    First of all, thank you for helping out so many people. I hesitate to ask for your assistance when I see how much you have already done. I’ve read through the posts above and I have a question about whether I’ve used your scripts correctly.

    My site is causing malware warnings for some of its users. I am concerned that if I don’t fix it soon that Google will blacklist it. We are a community-based photography festival in Chicago and have just launched our yearly program this week. I’m in trouble!

    I ran the scanner at http://www.filterfestival.com/scanner_2.6.php and it reported 189 suspect files. I then ran the cleaner at http://www.filterfestival.com/cleaner_2.10.php and it reported 0 infected files.

    Does this mean that your script was successful?

    Thank you again for your help.


  23. Chris says:

    Hi Paolo,

    First off, thanks for creating this. I have uploaded scanner_2.6.php to the root folder of my website and I get the following error when trying to run it:

    Error 355 (net::ERR_INCOMPLETE_CHUNKED_ENCODING): The server unexpectedly closed the connection.

    Can you run the scan for me or give me some pointers? Thanks in advance!


    Best regards,

  24. Fernando says:

    Hello Paolo, great work with the script! I sent you an email with the log file I got from the scan… let me know if you’re available to help!

  25. Cosy says:

    Hi Paolo

    I have request few and need your help?


  26. Modestas says:

    Hi Paolo, i have download your cleaner, i used it. Cleaner founds and cleans this:

    8 Found Infected Files


    In those index.php files on the top are eval(base64_decode(‘ZXJyb3JfcmVwb3J……. virus code.

    After cleaning with your cleaner this code disappears, but after ~1 hour the code appears again in all index.php files.

    Would you recommend how to solve the problem?

  27. Pedro says:

    Nice job. I ran the version 2.1 first and it removed the infections, then saw that 2.6 was out and tested it on another infected site and found it only reports the infections and does NOT remove them.

    Is that true now? I need to the latest version to clean the infections as well as the version 2.1 did.

    Great script though.


  28. Roelf says:

    Hi There,

    Thank you for your awesome scanner and cleaner.
    I’m currently running your script on my websites (Mostly Joomla) which was infected with an iframe code in all *.js files on all websites. I need to find the backdoor to stop this.

    I have also found another scanner script on another website, and I want to know if you know about it the link is http://25yearsofprogramming.com/php/findmaliciouscode.htm

    Can I send my log files to you for evaluation when I’m done.

    Thank you sooo much

  29. Roelf says:

    Hi Paolo,

    I have sent you some of my files, I forgot that the iFrame inserted into all my java files are as follow:

    Thanks again for the great service, surely something worth donating to.

    God Bless

  30. Vik says:

    Hi Paolo

    Thanks for everything. I ran the cleaner without any issues but the scanner is giving me memory errors even if i run in the command line. I am on mac and I have php installed. I have set the memory allocation to 1G but still it gives the memory error.

    time /Applications/XAMPP/xamppfiles/bin/php scanner_2.6.php 2>&1 >> scanner_log | tail -f scanner_log
    * ./CREDITS.php
    -long_text - --------------------------------------------------

    Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 114842 bytes) in /Users/piggyslasher/Sites/xpz/scanner_2.6.php on line 239


  31. Pingback: Automated Fix for Wordpress base64_decode Injection in PHP Files • Raymond.CC

  32. mrs says:

    I was attacked with this code eval(base64_decode please help me. I don’t know how to delete this attack. I wait your answer.

  33. Krys says:

    I have uploaded cleaner file into my directory using cpanel on godaddy/wordpress. I am not sure if uploading the file is all that I need to do. Or how do I run it? I am php newbie. Can you please help me. I need to fix 20 hacked sites on godaddy

  34. dodee says:

    Hello admin, i dont know how to run it???please help me…my site has a malware

  35. dodee says:

    ok i upload scanner_2.6.php into my cpnel and open my web (bappeda.bireuenkab.go.id/scanner_2.6.php)…is it the right way??

  36. dodee says:

    After scanning there no scanner log file in the Public_html, where i can find log file??

    • Paolo says:

      If you run it using command line you’ll see it on ‘scanner_log’ file. Otherwise, if on browser, it won’t save the log on scanner_log file but it will display on browser which you’ll save it to your computer and send it to me.

    • Paolo says:

      You’ll find it on the folder where you ran the command.

  37. dodee says:

    I tried 2.10 cleaner and it shows “to see error bla3”, but scanner 2.6 i saw nothing…i run it on mozilla…new version

  38. Abhay says:

    Hi I tried your code and its working for me I want to add some more pattern in your file please help me out in this topic because in my website 2-3 pattern of code which is not scanned by your code

  39. Gene says:

    where can I download the scanner?

  40. Stephanus says:

    Hi I can’t find the download link. Is it not available anymore?

  41. Bonn says:

    Hi! I am also a victim of these malware and they keep on coming back. I sent you an email the result of the scanner. Hope you can help me.

  42. Benoit says:

    Hi Paolo, first of all, thank you for helping out a lot of people and for your great work. I’m not a developer and I create several wordpress websites. Only mine have been attacked. Then they were suspended a lot of time by my webhoster (when I delete an infected file, it came back again). I ran cleaner_2.10.php (0 infected files) and scanner 2.06_php. The scanner found 609 suspected files and :
    – I don’t know how to read it
    – I don’t know how to get rid of this (how to delete the right line if i have to do this ?).
    May would you help me ?
    Benoît B.

    • Paolo says:

      Yeah! Sure just send it to info@php-beginners.com, but I can’t do it asap ’cause I’m out of town. I think those 609 are just suspicious files, it doesn’t mean they are infected. It means that it has a similar signature of such malware. Are you still having the same problem? Maybe malware cleaner get rid of it. Try checking your site here: https://sitecheck.sucuri.net/

  43. Benoit says:

    Thanks a lot ! I sent it to you. I checked with sucuri and it seems to be ok. Today i got rid of a file named “unz.php” which was a backdoor according to Anti-Malware by ELI.
    Seems i’ll have to learn definitively about php.. 🙂

  44. gujit says:


    How can i use this script in wordpress theme. I want to scan and delete Malware/hacking code script in my wordpress theme. Please guide me how can i do this. It will be big thanks.

    Please mail me.

    Gurjit Singh
