i have just found this malware in some worpress and i decide to decode it and share with you, this might be useful to help someone else!
Anybody are welcome to help
it seem tht this malware is composed by some file:
- html template file
- some keyword lst file
- ico file that contain some variable
- main file tha contain malware class
- itemap.xml generated file
- cache directory
it seem that this is realted with aioseop plugin
i also found that this malware are downloded by cron from another site but i havenìt found the spawn script so far
some credit from https://blog.manchestergreyhats.co.uk/2018/11/07/php-malware-examination/