Unknown code in Function.php file. How do I check for any malicious activity?

  • reshampanth

    (@reshampanth)


    Hi,
    I just faced the White screen of Death. While trying to figure out how to deal with it, I saw this chunk of code in my function.php file of all themes on the host. Here’s the link to the code: [removed — please do not post malware/hacks/etc.]
    If the code is malicious, how do I safeguard my website?
    Thanks

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    reshampanth

    (@reshampanth)

    Hi Steve,
    Can you please have a look at the code I have attached?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    I took a look; it sure is fishy. If you didn’t put it there and whoever built your site didn’t put it there and it’s not part of the theme as you got it, you’ve been hacked.

    update: OH, wait, you said it’s in all themes. You’re hacked. Time to start cleaning.

    perezbox

    (@perezbox)

    Hi @reshampanth

    Would you mind sending me the pastebin to the code to tony@sucuri.net?

    Thanks

    cesarnjos

    (@cesarnjos)

    Hi there!

    I checked the code you provided and it’s possibly added by malware indeed.

    The code by itself doesn’t seem to have the capability to do more than list all the posts you have and inject some content into them.

    You can search the database for <div id="wp_cd_code"> to check if there was in fact any injection. If any record is found, then I recommend you start cleaning up the database or try to restore a good backup.

    If the code continues to be added to the functions.php file then you may have some backdoor present on the site that needs to be removed.

    As a precaution, just in case, be sure to change all credentials: FTP, wp-admin and database.

    reshampanth

    (@reshampanth)

    Thank you @sterndata @cesarnjos. The code hasn’t returned yet after I removed it from the files. I’ll search through the database for <div id="wp_cd_code">. Is there any way to search automatically through all files? Or do I manually look into each one?
    Thanks

    cesarnjos

    (@cesarnjos)

    To search for something through all the files you can simply find a PHP script that does it on Google, but if you are unsure about this or if the script will even work, you can try to check with your hosting provider, as they usually don’t mind carrying out actions like that.

    Glad to hear it hasn’t returned :), hope everything is good there now.
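
One way to search every file automatically, as asked above. This is an added example, not code from the thread: it walks a WordPress directory, reports each PHP file and line number containing the `wp_cd_code` marker quoted in the replies, and lists which themes have it in `functions.php`. The extension list and the sample tree are constructed assumptions.

```python
import os
import sys
import tempfile

MARKER = b"wp_cd_code"                  # marker string quoted in the thread
PHP_EXT = (".php", ".phtml", ".inc")    # assumption: extensions worth scanning

def scan_tree(root, marker=MARKER):
    """Return sorted [(relative_path, [line_numbers])] for files containing marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:   # read bytes: tolerate any encoding
                    lines = [n for n, text in enumerate(fh, 1) if marker in text]
            except OSError:
                continue                       # unreadable file: skip, keep scanning
            if lines:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), lines))
    return sorted(hits)

def affected_themes(hits):
    """Theme directory names whose own functions.php contains the marker."""
    themes = []
    for rel, _lines in hits:
        parts = rel.split("/")
        if len(parts) == 4 and parts[:2] == ["wp-content", "themes"] and parts[3] == "functions.php":
            themes.append(parts[2])
    return themes

def build_sample_tree(root):
    """Constructed sample: two marked themes, one clean theme, one marked plugin file."""
    files = {
        "wp-content/themes/alpha/functions.php": "<?php\n// setup\n$x = '<div id=\"wp_cd_code\">';\n",
        "wp-content/themes/beta/functions.php": "<?php\n// clean theme\n",
        "wp-content/themes/gamma/functions.php": "<?php\n$y = 'wp_cd_code';\n",
        "wp-content/plugins/demo/demo.php": "<?php\n\n\n// wp_cd_code\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample_tree(root)                # no argument: scan the constructed sample
    for rel, lines in scan_tree(root):
        print(rel, "lines", lines)
```

Run it with the site's root directory as the argument. It only matches that one marker, so a clean result does not rule out a separate backdoor elsewhere on the site.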
