Support » Fixing WordPress » code added to functions file

  • Hello,

    I am running a local development installation with DesktopServer. By accident I found two strange things:

    1. Code added to all themes functions.php

    It looks like the code changes the head section of the rendered HTML.

    2. Table wp_datalist added with columns url, title, keywords, description, content and full_content.

    Has anyone seen this added code before and is there anyone who can advice me on how to handle this?

    Kind regards,

    Ger van de Lindt

Viewing 13 replies - 1 through 13 (of 13 total)
  • Same here, also some files added in wp-includes (wp-cd.php, post.php) and in functions.php as you pointed out.

    Tried to clean those files but after a while it pops up again. Checked the logs and there were no POSTS requests. It seems there is still some md5 encoded text which apparently inject this code.

    Regards.

    Hi guys,

    I found the problem. I downloaded a file from dlwordpress.com named wootabs.zip which should add extra producttabs to a woocommerce product. The file is the one injecting the code in the theme’s function file. It also creates two files in wp-includes: wp.class.php and wp-cd.php. At last it creates a table wp_datalist in the database. Steps taken to clean my development site:

    1. deletes all core files
    2. uploaded new core files downloaded from wordpress.org
    3. deleted the plugin folder created by wootabs.zip
    4. reinstalled all plugins
    5. ran a scan with sucuri security plugin

    Pse be careful downloading what is called “nulled” plugins. The can ruin your site. Only udoenload and use plugins/themes from trusted sources.

    Cheer,
    Ger

    I’ve just found this in my client site. No idea how it came. Just used Wordfence to restore origin WordPress files and delete wp.class.php and wp-cd.php files. And also delete injected code in functions.php.

    If anyone has suggestion, please advice.

    Thank you so much.

    Hi Menn,

    Looks like there is a plugin that injects the code. I used wootabs.zip from wplocker.com. I think that site has a lot of so called nulled plugins. Never ever download those.

    Cheers,
    Ger

    Hi Ger,

    Thank you so much 🙂

    Hi Ger, I got the exactly same problem and thankfully for your guild I deleted injected code in theme function, restore WordPress core, and delete wp.class.php and wp-cd.php in wp-includes, hope that is all what I have to do.

    Do you have any idea why would it happen at the same time on all of my wordpress sites (~10 sites) on same server? (some of the sites are not installed any insecure plugin before?).

    I remember have tried to install a nulled plugin before but not success, but it was a really long time ago and nothing happen for a month, could that be a problem?

    Thank you.

    • This reply was modified 2 years, 8 months ago by  nisoran123.

    Hi Nisoran,
    Looks like your hosting company or your server got hacked? But my knowledge is insufficient to definitely say that.
    Cheers,
    Ger

    All my sites hosted in same server from globehost.com is having same problem. Even the code is injected into original themes downloaded from wordpress.org

    @kleindberg what’s interesting is that this just happened to me on a brand new install and the only plugins I have running are Wordfence (which blocked the issue), MainWP (and a couple of its extensions) and UpdraftPlus… 2017 for the theme and nothing else

    in the wp-cd.php file, there was only this

    
    <?php error_reporting(0);?>

    what do you think’s happening?

    Found this code in my twenty seventeen functions.php file

    [removed some dodgy code, please do not post that here]

    What has this code done, I’m not sure really… and if it did anything, what are the next steps?
    – Reverting it
    – What’s causing it
    – How to stop it
    also, how robust is the WordFence platform in fending this kinda crap off?

    That’s no need to touch system wp-cd.php file. The virus located at plugin or theme folder.

    For example, let’s download nulled All in One SEO Pack Pro from famous dlwordpress.com (creator of the virus).

    This file included at all-in-one-seo-pack-pro\admin\display\welcome.php:
    require_once dirname(__FILE__).'/class-tgm.php';

    You never find it manually. You need something like Folder Find Text (not sure if there an English version) or any other tool for recursive search in files and folders.

    First of all we looking for DEFINE('MAX_LEVEL', 2); or just DEFINE( in all php files.

    Next step – find where this virus file included (usually require_once dirname(__FILE__).). The name of virus file varies from plugin to plugin.

    The same steps for themes. Clever hacker never put a virus to functions.php file. So use recursive search…

    • This reply was modified 2 years, 5 months ago by  kleindberg.
    • This reply was modified 2 years, 5 months ago by  kleindberg.

    About functions.php (theme main settings file). I found this code on infected site:

    I’m not sure if it virus or just All in One SEO Pack Pro plugin settings, but this code doesn’t present at clean default themes. I see it uses wp_cd_code (distant publishing, if I not mistake) and starts from strange password request hashed at md5:

    We can see, someone or something try access to our site and database… So I just delete this code on all themes (located at functions.php file) where I meet it.

    The site still working good after such clean. If someone know this code, say why it needed.

    • This reply was modified 2 years, 5 months ago by  kleindberg.
    • This reply was modified 2 years, 3 months ago by  Jan Dembowski.

    Hi all!!! Malicious code has one of its (well known) origins:

    * //apiword.press/

    * //apiword.press/addadmin_1.txt

    The originator has (also) a chance triggering demo data import.

    Support fine developers and BUY your themes/plugins from secure and honest sources, that’s a good remedy.

    • This reply was modified 2 years, 5 months ago by  Paquin. Reason: Didn't check "notify of follow-up replies"
    • This reply was modified 2 years, 5 months ago by  Paquin.
Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘code added to functions file’ is closed to new replies.