I am running a local development installation with DesktopServer. By accident I found two strange things:
1. Code added to all themes functions.php
It looks like the code changes the head section of the rendered HTML.
2. Table wp_datalist added with columns url, title, keywords, description, content and full_content.
Has anyone seen this added code before and is there anyone who can advise me on how to handle this?
Ger van de Lindt
Same here, also some files added in wp-includes (wp-cd.php, post.php) and in functions.php as you pointed out.
Tried to clean those files but after a while it pops up again. Checked the logs and there were no POST requests. It seems there is still some md5 encoded text which apparently injects this code.
I found the problem. I downloaded a file from dlwordpress.com named wootabs.zip which should add extra producttabs to a woocommerce product. The file is the one injecting the code in the theme’s function file. It also creates two files in wp-includes: wp.class.php and wp-cd.php. Lastly it creates a table wp_datalist in the database. Steps taken to clean my development site:
1. deleted all core files
2. uploaded new core files downloaded from wordpress.org
3. deleted the plugin folder created by wootabs.zip
4. reinstalled all plugins
5. ran a scan with sucuri security plugin
Please be careful downloading what are called “nulled” plugins. They can ruin your site. Only download and use plugins/themes from trusted sources.
I’ve just found this on my client’s site. No idea how it came. Just used Wordfence to restore the original WordPress files and deleted the wp.class.php and wp-cd.php files. And also deleted the injected code in functions.php.
If anyone has a suggestion, please advise.
Thank you so much.
Looks like there is a plugin that injects the code. I used wootabs.zip from wplocker.com. I think that site has a lot of so-called nulled plugins. Never ever download those.
Hi Ger, I got exactly the same problem and thanks to your guide I deleted the injected code in the theme functions, restored WordPress core, and deleted wp.class.php and wp-cd.php in wp-includes; hope that is all I have to do.
Do you have any idea why it would happen at the same time on all of my WordPress sites (~10 sites) on the same server? (some of the sites have not had any insecure plugin installed before?).
I remember having tried to install a nulled plugin before without success, but it was a really long time ago and nothing happened for a month; could that be a problem?
- This reply was modified 7 years, 3 months ago by nisoran123.
Looks like your hosting company or your server got hacked? But my knowledge is insufficient to definitely say that.
All my sites hosted on the same server from globehost.com are having the same problem. Even the code is injected into original themes downloaded from wordpress.org
@kleindberg what’s interesting is that this just happened to me on a brand new install and the only plugins I have running are Wordfence (which blocked the issue), MainWP (and a couple of its extensions) and UpdraftPlus… 2017 for the theme and nothing else
in the wp-cd.php file, there was only this
what do you think’s happening?
Found this code in my twenty seventeen functions.php file
[removed some dodgy code, please do not post that here]
What has this code done, I’m not sure really… and if it did anything, what are the next steps?
– Reverting it
– What’s causing it
– How to stop it
also, how robust is the WordFence platform in fending this kinda crap off?
There’s no need to touch the system wp-cd.php file. The virus is located in the plugin or theme folder.
For example, let’s download the nulled All in One SEO Pack Pro from the famous dlwordpress.com (creator of the virus).
This file is included at all-in-one-seo-pack-pro\admin\display\welcome.php:
You will never find it manually. You need something like Folder Find Text (not sure if there is an English version) or any other tool for recursive search in files and folders.
First of all we look for DEFINE('MAX_LEVEL', 2); or just DEFINE( in all PHP files.
Next step – find where this virus file is included (usually require_once dirname(__FILE__).). The name of the virus file varies from plugin to plugin.
The same steps apply to themes. A clever hacker never puts a virus in the functions.php file. So use recursive search…
About functions.php (theme main settings file). I found this code on an infected site:
I’m not sure if it is a virus or just All in One SEO Pack Pro plugin settings, but this code isn’t present in clean default themes. I see it uses wp_cd_code (distant publishing, if I am not mistaken) and starts with a strange password request hashed with md5:
We can see, someone or something tries to access our site and database… So I just delete this code in all themes (located in the functions.php file) wherever I come across it.
The site still works fine after such a clean. If someone knows this code, say why it is needed.
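The recursive search described in the post above, written out as an added example (not part of the thread and not any poster's code): it reports the dropped wp-includes files, theme functions.php files mentioning wp_cd_code, PHP files containing the MAX_LEVEL define, and the require/include lines that pull those files in. The function names `scan_wp` and `make_demo_tree`, and every file in the demo tree except wp-cd.php, are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Read-only sweep of a WordPress tree for the indicators named in this thread.
# It only reports locations; nothing is modified or deleted.

# Print "TAG<TAB>location" for each indicator found under WordPress root $1.
scan_wp() {
    local root=$1 f hit base loc
    # Files the posters found dropped into wp-includes.
    for f in wp-cd.php wp.class.php; do
        if [ -e "$root/wp-includes/$f" ]; then
            printf 'DROPPED\t%s\n' "$root/wp-includes/$f"
        fi
    done
    # Theme functions.php files that mention wp_cd_code.
    find "$root/wp-content/themes" -name functions.php \
        -exec grep -lF 'wp_cd_code' {} + 2>/dev/null |
    while IFS= read -r hit; do printf 'THEME\t%s\n' "$hit"; done
    # Plugin/theme PHP files containing DEFINE('MAX_LEVEL', ...), followed by
    # the require/include lines that reference each such file by name.
    grep -rliE --include='*.php' "define[[:space:]]*\([[:space:]]*['\"]MAX_LEVEL['\"]" \
        "$root/wp-content" 2>/dev/null |
    while IFS= read -r hit; do
        printf 'PAYLOAD\t%s\n' "$hit"
        base=$(basename "$hit")
        grep -rnF --include='*.php' -- "$base" "$root/wp-content" 2>/dev/null |
        grep -Ei '^[^:]+:[0-9]+:.*(require|include)' | cut -d: -f1,2 |
        while IFS= read -r loc; do printf 'INCLUDER\t%s\n' "$loc"; done
    done
    return 0
}

# Constructed sample tree: names and contents are made up for the demo.
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/demo/admin" "$d/wp-content/themes/t1"
    echo '<?php // placeholder' > "$d/wp-includes/wp-cd.php"
    echo "<?php DEFINE('MAX_LEVEL', 2);" > "$d/wp-content/plugins/demo/admin/class.extra.php"
    echo "<?php require_once dirname(__FILE__).'/class.extra.php';" \
        > "$d/wp-content/plugins/demo/admin/welcome.php"
    echo '<?php // constructed marker: wp_cd_code' > "$d/wp-content/themes/t1/functions.php"
    echo "<?php define('WP_DEBUG', false);" > "$d/wp-content/plugins/demo/clean.php"
    printf '%s\n' "$d"
}

# Scan the directory given as the first argument, if any.
if [ -d "${1:-}" ]; then scan_wp "$1"; fi
```

The wp_datalist table mentioned earlier in the thread lives in the database and has to be checked there separately.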
Hi all!!! Malicious code has one of its (well known) origins:
The originator has (also) a chance triggering demo data import.
Support fine developers and BUY your themes/plugins from secure and honest sources, that’s a good remedy.
- The topic ‘code added to functions file’ is closed to new replies.