Hacking my site, intrusion c99shell

[satine88]

Good evening

For several days my site was put in "Hack" by OVH, because:
Your scripts consume too much CPU and overload our servers

I know I have a script that is not unladen, so I went in search of some optimization (update, I removed the mods too greedy).

But there I went on statistics ovh and now I see that we have gone several times:
/ Nadhir.php

What's that?
I went on this file and it gave me (something like that, I do not voluntarily give my screen):

Header:


Footer:


I claps in google what is written in the footer: c99shell

Sample content (taken from Google):




Personally, I do not know anything about secure sites I work almost exclusively with Wordpress, 4images.

I delete the file and a file nadhir include_ads

What do I do now?
Can you help me?

Thank you thousand times what could help me / advise me

-> http://www.fond-ecran-gratuit.biz/

[V@no]

I can only speak about 4images, but if I had to bet, I'd bet you've been hacked through wordpress, and you would not be the first person...

Scan your 4images directory for any .php files that are not part of 4images. If you found any - delete it (you could save it to your computer just in case you want investigate further).
definitely delete that c99shell trojan.

Also, scan all .php files on your site, make sure they don't have anything remotely similar to
<?php
/**/eval(base64_decode('aWYoZnV.....REMOVED.....yk7fX19'));
?> 
it could be one very long line, usually on top of .php files. Also scan all 4images files for eval keyword, you should only find it in includes/templates.php, if you find it anywhere else - it's probably a trojan.

[GaYan]

  ohh ! your site is being hacked through WordPress ! the something happens to me within 2 months ago ! install the latest security fixes in the wp forums ! ! !
if you want the fix for wordpress,send me a PM !

[satine88]

Hello
Thank you for your help!

I put all the scripts to update and delete scripts

For now, I think it's over, but I'm waiting