• Hello,

    I am running a local development installation with DesktopServer. By accident I found two strange things:

    1. Code added to all themes' functions.php

    It looks like the code changes the head section of the rendered HTML.

    2. Table wp_datalist added with columns url, title, keywords, description, content and full_content.

    Has anyone seen this added code before, and is there anyone who can advise me on how to handle this?

    Kind regards,

    Ger van de Lindt

Viewing 13 replies - 1 through 13 (of 13 total)
  • Same here, also some files added in wp-includes (wp-cd.php, post.php) and in functions.php as you pointed out.

    Tried to clean those files but after a while it pops up again. Checked the logs and there were no POST requests. It seems there is still some md5-encoded text which apparently injects this code.

    Regards.

    Thread Starter Ger

    (@lindt01)

    Hi guys,

    I found the problem. I downloaded a file from dlwordpress.com named wootabs.zip which should add extra product tabs to a WooCommerce product. The file is the one injecting the code into the theme's functions file. It also creates two files in wp-includes: wp.class.php and wp-cd.php. Finally it creates a table wp_datalist in the database. Steps taken to clean my development site:

    1. deleted all core files
    2. uploaded new core files downloaded from www.ads-software.com
    3. deleted the plugin folder created by wootabs.zip
    4. reinstalled all plugins
    5. ran a scan with the Sucuri Security plugin

    Please be careful downloading what are called "nulled" plugins. They can ruin your site. Only download and use plugins/themes from trusted sources.

    Cheers,
    Ger

    Menn

    (@mennstudio)

    I've just found this in my client's site. No idea how it came. Just used Wordfence to restore the original WordPress files and delete the wp.class.php and wp-cd.php files. And also deleted the injected code in functions.php.

    If anyone has a suggestion, please advise.

    Thank you so much.

    Thread Starter Ger

    (@lindt01)

    Hi Menn,

    Looks like there is a plugin that injects the code. I used wootabs.zip from wplocker.com. I think that site has a lot of so-called nulled plugins. Never ever download those.

    Cheers,
    Ger

    Menn

    (@mennstudio)

    Hi Ger,

    Thank you so much.

    Hi Ger, I got exactly the same problem and thanks to your guide I deleted the injected code in the theme functions file, restored the WordPress core, and deleted wp.class.php and wp-cd.php in wp-includes; hope that is all I have to do.

    Do you have any idea why it would happen at the same time on all of my WordPress sites (~10 sites) on the same server? (Some of the sites never had any insecure plugin installed before?)

    I remember having tried to install a nulled plugin before without success, but it was a really long time ago and nothing happened for a month; could that be the problem?

    Thank you.

    • This reply was modified 8 years, 4 months ago by nisoran123.
    Thread Starter Ger

    (@lindt01)

    Hi Nisoran,
    Looks like your hosting company or your server got hacked? But my knowledge is insufficient to definitely say that.
    Cheers,
    Ger

    All my sites hosted on the same server at globehost.com are having the same problem. Even the code is injected into original themes downloaded from www.ads-software.com.

    @kleindberg what's interesting is that this just happened to me on a brand new install and the only plugins I have running are Wordfence (which blocked the issue), MainWP (and a couple of its extensions) and UpdraftPlus… Twenty Seventeen for the theme and nothing else.

    in the wp-cd.php file, there was only this

    
    <?php error_reporting(0);?>

    what do you think’s happening?

    Found this code in my Twenty Seventeen functions.php file:

    [removed some dodgy code, please do not post that here]

    What has this code done? I'm not sure really… and if it did anything, what are the next steps?
    – Reverting it
    – What's causing it
    – How to stop it
    Also, how robust is the Wordfence platform in fending this kind of crap off?

    There's no need to touch the system wp-cd.php file. The virus is located in the plugin or theme folder.

    For example, let's download the nulled All in One SEO Pack Pro from the famous dlwordpress.com (the creator of the virus).

    This file is included at all-in-one-seo-pack-pro\admin\display\welcome.php:
    require_once dirname(__FILE__).'/class-tgm.php';

    You will never find it manually. You need something like Folder Find Text (not sure if there is an English version) or any other tool for recursive search in files and folders.

    First of all we look for DEFINE('MAX_LEVEL', 2); or just DEFINE( in all PHP files.

    Next step – find where this virus file is included (usually require_once dirname(__FILE__).). The name of the virus file varies from plugin to plugin.

    The same steps apply for themes. A clever hacker never puts a virus in the functions.php file. So use recursive search…

    About functions.php (the theme's main settings file). I found this code on an infected site:

    I'm not sure if it is a virus or just All in One SEO Pack Pro plugin settings, but this code is not present in clean default themes. I see it uses wp_cd_code (distant publishing, if I'm not mistaken) and starts with a strange password request hashed with md5:

    We can see someone or something trying to access our site and database… So I just deleted this code in all themes (located in the functions.php file) where I met it.

    The site is still working fine after such a clean. If someone knows this code, say why it is needed.
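    The indicators the posters describe above (wp-cd.php and wp.class.php dropped into wp-includes, a plugin file that DEFINE('MAX_LEVEL', ...)s and is pulled in by a sibling require_once dirname(__FILE__), and the wp_cd_code / md5 password check in a theme's functions.php) can be hunted with a recursive scan instead of a manual search. The script below is an added example, not code from this thread, from WordPress or from any tool named here. The sample site tree it builds is constructed for the example, and the exact shape of the md5 password check (md5($_REQUEST[...]) compared against a hash) is an assumption, since the original snippet was removed from the thread.

```python
"""Recursive indicator scan for the nulled-plugin infection discussed in this thread.

Added example (not from the thread). Indicators are the ones the posters report;
the sample WordPress tree and the md5 gate pattern are constructed/assumed.
"""
import os
import re
import tempfile
from pathlib import Path

# Files the posters found dropped into wp-includes; not part of a clean core.
DROPPED_FILES = {"wp-cd.php", "wp.class.php"}

# Content indicators: (label, regex). The first one is the DEFINE('MAX_LEVEL', 2)
# the poster searches for; wp_cd_code is the hook seen in functions.php; the md5
# gate is an ASSUMED shape for the "password request hashed at md5".
INDICATORS = [
    ("max_level_define", re.compile(r"DEFINE\s*\(\s*['\"]MAX_LEVEL['\"]", re.IGNORECASE)),
    ("wp_cd_code", re.compile(r"\bwp_cd_code\b")),
    ("md5_request_gate", re.compile(r"md5\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE)\s*\[")),
]

# require_once dirname(__FILE__).'/something.php' is common in clean plugins too,
# so on its own it is not flagged; it is only reported when the included sibling
# file carries the MAX_LEVEL define.
SIBLING_REQUIRE = re.compile(
    r"require(?:_once)?\s*\(?\s*dirname\s*\(\s*__FILE__\s*\)\s*\.\s*['\"]/([^'\"]+)['\"]"
)


def scan_file(path: Path) -> list[str]:
    """Return indicator labels found in one PHP file (two-hop check on sibling includes)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    hits = [label for label, rx in INDICATORS if rx.search(text)]
    for m in SIBLING_REQUIRE.finditer(text):
        target = path.parent / m.group(1)
        if target.is_file() and INDICATORS[0][1].search(target.read_text(errors="replace")):
            hits.append(f"includes_max_level_file:{m.group(1)}")
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a WordPress root and map relative path -> list of indicator labels."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            hits: list[str] = []
            if rel.startswith("wp-includes/") and name in DROPPED_FILES:
                hits.append("dropped_core_file")
            if p.suffix == ".php":
                hits.extend(scan_file(p))
            if hits:
                findings[rel] = hits
    return findings


# Constructed sample tree: an infected plugin, an infected theme, the dropped
# wp-includes files, plus a clean plugin that also uses a sibling require_once.
SAMPLE_FILES = {
    "wp-includes/wp-cd.php": "<?php error_reporting(0);?>\n",
    "wp-includes/wp.class.php": "<?php /* constructed stand-in for the dropped file */ ?>\n",
    "wp-includes/post.php": "<?php /* legitimate core file, left clean here */ ?>\n",
    "wp-content/plugins/all-in-one-seo-pack-pro/admin/display/welcome.php":
        "<?php\nrequire_once dirname(__FILE__).'/class-tgm.php';\n",
    "wp-content/plugins/all-in-one-seo-pack-pro/admin/display/class-tgm.php":
        "<?php\nDEFINE('MAX_LEVEL', 2);\n",
    "wp-content/plugins/clean-plugin/clean-plugin.php":
        "<?php\nrequire_once dirname(__FILE__).'/helper.php';\n",
    "wp-content/plugins/clean-plugin/helper.php": "<?php\nfunction helper() { return 1; }\n",
    "wp-content/themes/twentyseventeen/functions.php":
        "<?php\nif (md5($_REQUEST['pass']) === 'd41d8cd98f00b204e9800998ecf8427e') { wp_cd_code(); }\n",
}


def build_sample_site(root: Path) -> None:
    for rel, body in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(Path(tmp))
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

    Run it against a real install with scan_tree(Path("/path/to/wordpress")); the clean-plugin entry in the sample shows why the sibling require_once is only reported together with the MAX_LEVEL define, otherwise nearly every plugin would be flagged. A hit is a reason to compare the file against a fresh copy from the official source, not proof by itself.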

    Paquin

    (@paquin)

    Hi all!!! Malicious code has one of its (well known) origins:

    * //apiword.press/

    * //apiword.press/addadmin_1.txt

    The originator also has a chance of triggering a demo data import.

    Support fine developers and BUY your themes/plugins from secure and honest sources, that’s a good remedy.

    • This reply was modified 8 years ago by Paquin. Reason: Didn't check "notify of follow-up replies"
  • The topic ‘code added to functions file’ is closed to new replies.