• Hi,
    I fear someone gained access to our site…
    I found the following code in two function.php files. What does it do? How could it get there?

    [Please do not post potential malware here]

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    You’ve been hacked

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Hi @jansal

    Did you by chance copy the entire functions file for the theme here or only the part that was inserted?

    Also, what theme are you using? Is it a premium or free theme?

    Thanks

    Hi there!

    I checked the code you provided and it's possibly added by malware indeed.

    The code by itself doesn’t seem to have the capability to do more than list all the posts you have and inject some content into them.

    You can search the database for <div id="wp_cd_code"> to check if there was in fact any injection. If any record is found then I recommend you start cleaning up the database or try to restore a good backup.

    If the code continues to be added to the functions.php file then you may have some backdoor present on the site that needs to be removed.

    As a precaution just in case be sure to change all credentials, FTP, wp-admin and database.
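
The checks suggested in the reply above, as an added example that is not part of the thread: the script looks for the wp_cd_code id in every functions.php and in a SQL dump regardless of quote style, and keeps a SHA-256 baseline so that a re-added snippet shows up as a changed file. The function names, the dump file and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU/busybox find, grep and
# sha256sum, a WordPress tree on disk and a plain-text SQL dump (mysqldump).

# Element id named in the thread. Searching for the bare id still matches
# id="...", id='...' and the \" escaping that appears inside SQL dumps.
MARKER='wp_cd_code'

# List every functions.php under directory $1 that contains the marker.
infected_functions_files() {
    find "$1" -type f -name 'functions.php' \
        -exec grep -l -F -- "$MARKER" {} + 2>/dev/null | sort
}

# Print how many lines of SQL dump $1 contain the marker (0 if none).
dump_marker_lines() {
    grep -c -F -- "$MARKER" "$1" || true
}

# Record a SHA-256 for every functions.php under $1 into baseline file $2.
# Pass an absolute path as $1 so the baseline can be checked from anywhere.
write_baseline() {
    find "$1" -type f -name 'functions.php' -exec sha256sum {} + | sort -k 2 > "$2"
}

# Print the files from baseline $1 that changed or disappeared.
# Returns 0 when nothing changed, 1 otherwise (the snippet may be back).
changed_since_baseline() {
    out=$(sha256sum -c "$1" 2>/dev/null | grep -v ': OK$' || true)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out" | sed 's/: FAILED.*$//'
    return 1
}

# Usage (placeholder paths): sh check.sh /var/www/html dump.sql
if [ "$#" -eq 2 ]; then
    infected_functions_files "$1"
    echo "dump lines with marker: $(dump_marker_lines "$2")"
fi
```

Write the baseline only after the files have been cleaned, and store it outside the web root so a backdoor on the site cannot rewrite it.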

    Thread Starter JanSal

    (@jansal)

    Thank you for all your answers.
    It is encouraging to get support with such an issue.
    I apologize for the code I posted, I was not aware of the forum guidelines.

    @ perezbox

    No, I just copied the part I had never seen before.
    It’s the twenty sixteen theme latest version we are using.

    @ cesarnjos

    Thank you for your analysis. I looked through the database as suggested but could not find any exact match… I wondered where the _transient_dash entries in the wp_options table might come from as they contain URLs to sites we never frequented…

    ex.:

    _transient_dash_1fe1af69fc09222ecd89eff603deacc1
    <div class="rss-widget"><ul><li><a href='https://www.ads-software.com/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/'>WordPress 4.6.1 Security and Maintenance Release</a> <span class="rss-date">07/09/2016</span><div class="rssSummary">WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in [&hellip;]</div></li></ul></div><div class="rss-widget"><ul><li><a href='https://heropress.com/essays/rebirth/'>HeroPress: Rebirth</a></li><li><a href='https://poststatus.com/art-self-employed-web-consultant-draft-podcast/'>Post Status: The art of being a self-employed web consultant — Draft podcast</a></li><li><a href='https://heropress.com/essays/growing-up-with-wordpress/'>HeroPress: Growing Up With WordPress</a></li></ul></div><div class="rss-widget"><ul><li class="dashboard-news-plugin"><span>Popular Plugin:</span> UpdraftPlus WordPress Backup Plugin&nbsp;<a href="plugin-install.php?tab=plugin-information&plugin=updraftplus&_wpnonce=1672cesf87b&TB_iframe=true&width=600&height=800">(Install)</a></li></ul></div>

    That could have come from a dirty plugin as well. Have you installed anything new lately?

    Hi @jansal

    Gotcha, if it’s newly added then it’s definitely malicious and it explains why it’s doing what it’s doing. I was asking if it was the entire function file because being unaware of the theme it’s hard to say if it’s talking to features the theme offers. Being it’s all new, and not part of the original theme, it’s safe to say it’s malicious.

    On that note, see if this guide here helps: https://sucuri.net/guides/how-to-clean-hacked-wordpress something we put together to help website owners like yourself get things situated post-hack.

    Good luck

  • The topic ‘Mysterious code in functions.php’ is closed to new replies.