================================================================================
                    MALICIOUS FILES IDENTIFIED - vest.sswd.dev
                         Security Report
                         Date: January 19, 2026
================================================================================

STATUS LEGEND:
[FIXED]   = Already cleaned/fixed
[DELETE]  = Must be deleted immediately
[FOLDER]  = Delete entire folder

================================================================================
                              FILES TO DELETE
================================================================================

1. /raw.php                                                           [DELETE]
   Type: Remote Backdoor/Shell
   Details: Fetches malicious code at runtime from the GitHub-hosted file below and executes it (URL was encoded in the source)
   URL decoded: https://raw.githubusercontent.com/rijal-cpu/Shell/main/radio.txt

2. /send.php                                                          [DELETE]
   Type: Spam Mailer
   Details: "FREEXMAN Mailer" / "Gu3ssWho? Mailer" - bulk email sender

3. /smtp.php                                                          [DELETE]
   Type: Credential Stealer / Password Tampering
   Details: Reads shadow files and overwrites email account passwords with a hardcoded value
   Note: Reset the affected email account passwords after removal

4. /app/index.php                                                     [DELETE]
   Type: Malicious Redirect
   Details: Redirects to gambling site (racing168.com)
   Note: Can delete entire /app/ folder

5. /wp-content/uploads/hell_prison.php                                [DELETE]
   Type: Obfuscated Malware
   Details: SEO spam generator, modifies robots.txt, connects to C&C servers

6. /wp-content/uploads/hell_prison.zip                                [DELETE]
   Type: Malware Archive
   Details: ZIP containing backdoor, loaded by infected index.php

7. /wp-content/ale5435s.php                                           [DELETE]
   Type: Suspicious placeholder file
   Details: Empty file, likely placeholder for future malware

================================================================================
                            FOLDERS TO DELETE
================================================================================

8. /wp-admin/zl/                                                      [FOLDER]
   Contains: ah24.php (143-line obfuscated webshell)
   
9. /wp-content/plugins/xjclwqw/                                       [FOLDER]
   Type: Fake "protect-uploads" plugin with backdoor
   Details: index.php reads the POST parameter '0xfans' and passes its contents straight to eval()

10. /wp-content/plugins/usbktny/                                      [FOLDER]
    Type: Fake "protect-uploads" plugin with backdoor
    Details: Heavily obfuscated webshell

11. /wp-content/plugins/gallery_1768780460/                           [FOLDER]
    Type: Fake "cloudflare-captcha" plugin
    Contains:
    - 4O4.php (obfuscated shell)
    - assets/images/category.template.1768780464.php (malware disguised as image)

================================================================================
                             FILES FIXED
================================================================================

12. /index.php                                                        [FIXED]
    Issue: Infected with a zip:// stream-wrapper loader that included the backdoor from hell_prison.zip (item 6)
    Action: Replaced with a clean WordPress index.php

================================================================================
                              QUICK DELETE COMMANDS
================================================================================

For cPanel File Manager or FTP, delete these paths:

/raw.php
/send.php
/smtp.php
/app/
/wp-content/uploads/hell_prison.php
/wp-content/uploads/hell_prison.zip
/wp-content/ale5435s.php
/wp-admin/zl/
/wp-content/plugins/xjclwqw/
/wp-content/plugins/usbktny/
/wp-content/plugins/gallery_1768780460/

================================================================================
                                  END OF REPORT
================================================================================