The last 3 days i see my websites (using wordpress cms) getting error because of this files (link-template.php) automatically rename every morning and afternoon. i check the crontab but there is no issue. i also rename some security plugins (wordfence) but i think the cause is not from the wordfence. (in my opinion this plugins change or rename the files. but when i upload the fresh one, the size of files is also the same with the files in server (the suspected one)
then i also try to rename the files to linkrio.php then i change the included files in wp-settings.php but i think this is not solved the problems. should find the root of this devil code. 🙂
then i follow this discussion here https://wordpress.org/support/topic/link-templatephpsuspected?replies=41
and found the way to find the malware code :
egrep -Rl 'function.*for.*strlen.*isset' /home/username/public_html/
so after execute that code you can see the list of the files injected.
i open them one by one ..
on you can see something like this below
and also something like this :
so i just delete all of that script list above.
hope this will help you also.