This week, I fixed two websites containing a suspicious file: postnews.php. This script was called from 45.195.56.92, and my team found two hosts linked to it: sl-station.spub[.]info and lwj92.fared[.]info. This is most likely an SEO spam malware infection, as it also affects index.php and .htaccess files and triggers a warning in Google Search Console.
If you found the postnews.php file in your WordPress root directory, your website is 100% hacked—immediate action is required. Other files that may be linked to this malware: style.php, wp_wlx.php.
postnews.php looks like a remote access backdoor, disguised as a news-posting script. Primary functions:
- It downloads code from external sources or executes commands embedded in ARRAY.
- It uses multiple layers of encoding (character map + JSON + base64 + MD5 verification) to hide its code.
If you are a webmaster facing this type of contamination, you can rebuild the website from a known good backup and reinstall WordPress. Before proceeding, make sure to create a complete backup, including both legitimate and malicious files, as well as the database.
After the cleanup is complete, register the website with Google Search Console and check for any suspicious users. If any security issues or manual actions are detected, submit a reconsideration request.
Server logs:
94.131.9.41 - - [02/Oct/2025:11:13:37 +0200] "GET /style.php HTTP/1.1" 200 79 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.7151.68 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google[.]com/bot.html)"
94.131.9.41 - - [02/Oct/2025:12:26:15 +0200] "GET /wp_wlx.php HTTP/1.1" 200 34836 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"
45.195.56.92 - - [02/Oct/2025:15:24:26 +0200] "GET /wp_wlx.php HTTP/1.1" 200 34836 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
45.195.56.92 - - [02/Oct/2025:15:47:37 +0200] "GET /wp-includes/images/media/media/index.php?ARRAY=7o223.. HTTP/1.1" 200 17 "hxxps://sl-station.spub[.]info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
45.227.253.15 - - [02/Oct/2025:15:42:33 +0200] "POST /postnews.php HTTP/1.1" 200 1180 "https://www.google[.]com/" "-"
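To check your own access logs for the same pattern, the following added example (not code from the malware or from this article's original text) scans Combined Log Format lines for the file names listed above and for the ARRAY query parameter, then groups hits by client IP. The sample lines and their IP addresses are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# File names the article links to this infection, and the parameter in its logs.
SUSPECT_FILES = {"postnews.php", "style.php", "wp_wlx.php"}
SUSPECT_PARAM = "ARRAY"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return (ip, reason, status, target) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    name = url.path.rsplit("/", 1)[-1].lower()
    if name in SUSPECT_FILES:
        # Basename match only; a hit still needs a look at the file on disk.
        reason = "known-file:" + name
    elif SUSPECT_PARAM in parse_qs(url.query, keep_blank_values=True):
        reason = "param:" + SUSPECT_PARAM
    else:
        return None
    return m["ip"], reason, int(m["status"]), m["target"]

def triage(lines):
    """Group suspicious requests by client IP, keeping the HTTP status."""
    hits = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            hits[hit[0]].append(hit[1:])
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not the article's logs.
SAMPLE = [
    '203.0.113.7 - - [02/Oct/2025:11:13:37 +0200] "GET /style.php HTTP/1.1" 200 79 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Oct/2025:12:26:15 +0200] "GET /wp_wlx.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Oct/2025:15:47:37 +0200] "GET /wp-includes/images/media/media/index.php?ARRAY=abc123 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Oct/2025:15:42:33 +0200] "POST /postnews.php HTTP/1.1" 200 1180 "-" "-"',
    '192.0.2.44 - - [02/Oct/2025:16:00:00 +0200] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A 200 status on one of these paths means the file exists and answered, while a 404 only shows that someone probed for it.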