On this website :
http://gotmls.net/support-topic/wp-site-guardian-warnings/
When i look for “fuckyou4321”, i found :
[code]
Parameter: POST.fuckyou4321
Data: echo (123454320+1);exit();
Impact: 7/91
Potential Vectors: Cross Site Scripting, Cross Site Request Forgery, Remote File Execution, Local File Inclusion
[/code]
If i take my last backup, the 18th december 2017 (i’m going to restore, i don’t know if a backdoor is added), i don’t find the line with $_POST[‘dd’], and my infected version on dropbox is from 18th january 2017 (oldest)
The oldest log for apache in /var/log/apache2, is from the 25th february, so it’s impossible to check the request with GET parameter… 🙁
So it’s a hack of my website
