0

There is a theme hack or a worm circulating online which adds this code to all functions.php files. It happened to me on my local server.

Here's the code - http://pastebin.com/AUsHUng1

How do I find the theme hack that creates it? Or the worm?

UPDATE:

I have found that this line:

$elem == substr(__FILE__,-13)){

checks for the functions.php file (as it's the only one having 13 letters and using file) and by using the fputs() functions writes itself on all functions.php files.

I have deleted all the instances of the code, and, hopefully, it will not replicate itself on another theme activation. I have a local server with about 60 themes.

I still haven't found the original theme that carried the code.

UPDATE AND SOLUTION:

Clean all the malicious code (see my PasteBin link above) from all functions.php files (best to check globally using a text editor like Notepad++) and you're done. Check all downloaded themes for the code in functions.php file. There are more themes infected with this code online.

Improve this question
4
  • Dealing with hacked sites is explicitly out of scope for WPSE. Commented Nov 29, 2012 at 18:24
  • I know Chip, I don't want to clean it. I only need to know how it propagates, and if the infected theme contains any encoded code (like base64 or eval'd). Commented Nov 29, 2012 at 18:27
  • How can I answer my own question? Is it a common practice to do so? Commented Nov 29, 2012 at 19:38
  • 1
    @CiprianPopescu It’s OK to Ask and Answer Your Own Questions - StackExchange Blog. SO meta also has several questions on it. You can accept your own answers after 48 hours. And regardless of whether the question might be off-topic or not, it is definitely better to answer your own question in an answer than in an edit to your question. Commented Nov 30, 2012 at 3:47

3 Answers 3

Reset to default
0

You could always diff your most recent working backup with the infected website. You do have a backup don't you?

Improve this answer
1
  • No, it's not this. I have backups, yes, and the code seems harmless. I also don't need to clean the site, I just want to know if there is a way to detect which theme is the infected one and how it does it. Commented Nov 29, 2012 at 18:25
0

THIS IS MY FINAL SOLUTION:

Clean all the malicious code (see my PasteBin link above) from all functions.php files (best to check globally using a text editor like Notepad++) and you're done. Check all downloaded themes for the code in functions.php file. There are more themes infected with this code online.

Also edited my original post. Thank you @Johannes.

Improve this answer
0

To quickly turn off the code, you can use under Linux. Be very careful with the below line, as it can do a lot of harm!

grep -rl "add_action(\"admin_head\", \"_verify_isactivate_widget\");" --include \*.php . | xargs sed -i 's/add_action(\"admin_head\", \"_verify_isactivate_widget\");/\/\/add_action(\"admin_head\", \"_verify_isactivate_widget\");/g'

This comments out the line add_action("admin_head", "_verify_isactivate_widgets");

See Replace a String in Multiple Files in Linux Using Grep and Sed for an explanation how this works.

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.