So I am helping the owner of the site to clean up and secure it. I have applied all updates for PHP, WordPress and the plugins, and I am trying to get all scan results down. I have uninstalled and reinstalled plugins to make sure the checksums match, added some code to fix the cURL error 28 by allowing a longer response time, and so on. On the server side I updated as much as was possible.
I have run several scans, with different results.
Cerber flags several plugins that were installed directly from WP-admin, for example:
My Custom Functions plugin — Integrity data not found — Resolve issue
Suspicious code found in /my-custom-functions/inc/php/functional.php
As shown below, I had a look at several files that are reported with the same error.
I really can't see any malicious code, in my humble opinion, but I am not sure.
<?php
/**
 * Prevent direct access: stop immediately unless the ABSPATH constant is defined.
 */
if ( ! defined( 'ABSPATH' ) ) {
    die( "Restricted access!" );
}
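/**
 * Prepare the custom code.
 *
 * Reads the snippet text stored in the plugin's "<settings>_settings" option and,
 * when the stored "enable" flag is "on", returns it with surrounding whitespace
 * and one enclosing PHP open tag / close tag removed.
 *
 * Security note: nothing in this function validates the snippet.
 * spacexchimp_p001_exec() passes the returned string to eval(), so whoever can
 * write this option row controls code that runs inside the site's PHP process.
 * When auditing a site, review the stored 'snippets' value itself, not only
 * this file.
 *
 * @return string The cleaned snippet, or '' when nothing is stored or the code is disabled.
 */
function spacexchimp_p001_prepare() {

    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();

    // Retrieve options from database and declare variables
    $options = get_option( $plugin['settings'] . '_settings' );
    $data    = ! empty( $options['snippets'] ) ? $options['snippets'] : '';
    $enable  = ! empty( $options['enable'] ) ? $options['enable'] : '';

    // No snippet stored, or the custom code is switched off
    if ( empty( $data ) || $enable != "on" ) {
        return "";
    }

    $code = trim( $data );

    /*
     * ltrim()/rtrim() take a character list, not a prefix or suffix. The previous
     * ltrim( $code, '<?php' ) therefore also removed leading "<", "?", "p" and "h"
     * characters that belong to the snippet (for example "phpinfo();" became
     * "info();"), and rtrim( $code, '?>' ) removed any trailing "?" or ">".
     * Strip only a literal opening tag and a literal closing tag instead.
     */
    $code = preg_replace( '/^<\?(?:php)?/i', '', $code );
    $code = preg_replace( '/\?>$/D', '', (string) $code );

    // Return the processed data
    return (string) $code;
}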
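/**
 * Preparation of the custom code: check the custom code for duplicate function names.
 *
 * Extracts every "function <name>(" occurrence from the snippet text and reports
 * an error when a name occurs more than once in the snippet or is already
 * declared (as a user or internal function). The result is also written to the
 * "<settings>_error" option.
 *
 * This is a redeclaration guard only. It does not inspect what the snippet does
 * and is not a security filter for the code that is later passed to eval().
 *
 * @param string $data Snippet source, as returned by spacexchimp_p001_prepare().
 * @return string '1' when a name conflict was found, '0' otherwise.
 */
function spacexchimp_p001_preparation_duplicates( $data ) {

    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();

    // Find the function names declared in the user entered snippets
    preg_match_all( '/function[\s\n]+(\S+)[\s\n]*\(/i', $data, $user_func_names );

    // PHP function names are case-insensitive and get_defined_functions() reports
    // user functions in lowercase. Compare on lowercased names, otherwise
    // "function Foo" is not recognised as a clash with an existing foo() and the
    // later eval() fails with a redeclaration error.
    $names       = array_map( 'strtolower', $user_func_names[1] );
    $has_repeats = count( $names ) != count( array_unique( $names ) );

    // Match the snippet names against everything that is already declared
    $declared       = get_defined_functions();
    $clash_user     = array_intersect( $names, array_map( 'strtolower', $declared['user'] ) );
    $clash_internal = array_intersect( $names, array_map( 'strtolower', $declared['internal'] ) );

    // Update error status ('1' = ERROR, '0' = RESET ERROR VALUE)
    $conflict     = $has_repeats || count( $clash_user ) != 0 || count( $clash_internal ) != 0;
    $error_status = $conflict ? '1' : '0';
    update_option( $plugin['settings'] . '_error', $error_status );

    // Return error status
    return $error_status;
}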
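/**
 * Process the custom code.
 *
 * Execution is skipped when a file named STOP exists under the plugin path,
 * when no enabled snippet is stored, or when the duplicate-name check reports a
 * conflict. Otherwise the snippet is run with eval() and the "<settings>_error"
 * option records whether it could be run.
 *
 * SECURITY (review note): eval() executes text read from the database with the
 * full privileges of the site's PHP process. That is this plugin's intended
 * feature, and presumably the construct a scanner reports as suspicious code, so
 * the call on its own is not evidence of tampering. What needs auditing is the
 * stored snippet: any account or flaw able to write that option gains code
 * execution, and a file integrity check of this file will not show it.
 *
 * @return void
 */
function spacexchimp_p001_exec() {

    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();

    // Kill switch: if the STOP file exists, do not run anything
    if ( file_exists( $plugin['path'] . 'STOP' ) ) {
        return; // EXIT
    }

    // Get the custom code by calling the "prepare" function
    $data = spacexchimp_p001_prepare();

    // If data is empty...
    if ( empty( $data ) OR $data == ' ' ) {
        return; // EXIT
    }

    // If duplicate function names were found...
    $duplicates = spacexchimp_p001_preparation_duplicates( $data );
    if ( $duplicates != 0 ) {
        return; // EXIT
    }

    // Parse and execute by eval().
    // On PHP 7 and later a syntax error inside eval() throws ParseError instead
    // of returning false, and "@" does not suppress exceptions, so the error
    // branch below was never reached and the whole request failed. Catch
    // ParseError and treat it like the old false return. On PHP 5 the class does
    // not exist and the catch clause simply never matches.
    try {
        $result = @eval( $data );
    } catch ( ParseError $e ) {
        $result = false;
    }

    if ( false === $result ) {
        update_option( $plugin['settings'] . '_error', '1' ); // ERROR
        return; // EXIT
    }

    update_option( $plugin['settings'] . '_error', '0' ); // RESET ERROR VALUE
}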
/**
* Inject the custom code into the website's backend and frontend
*
* The call sits at file scope, so the stored snippet is processed (and, if
* enabled, passed to eval() inside spacexchimp_p001_exec()) as soon as this
* file is loaded.
*/
spacexchimp_p001_exec();
From /advanced-custom-fields-pro/pro/updates.php:
<?php
// Exit if accessed directly (ABSPATH is not defined)
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
if ( ! class_exists( 'acf_pro_updates' ) ) :

class acf_pro_updates {

    /**
     * __construct
     *
     * Hooks the init() method onto the 'init' action with priority 20.
     *
     * @date  23/06/12
     * @since 5.0.0
     */
    public function __construct() {

        add_action( 'init', array( $this, 'init' ), 20 );
    }

    /**
     * init
     *
     * Registers this plugin for update checks and, on admin screens, hooks the
     * notice shown in the plugin list. Does nothing when the 'show_updates'
     * setting is off or when acf_is_plugin_active() reports false.
     *
     * @date  10/4/17
     * @since 5.5.10
     *
     * @return void
     */
    public function init() {

        // bail early if no show_updates
        if ( ! acf_get_setting( 'show_updates' ) ) {
            return;
        }

        // bail early if not a plugin (included in theme)
        if ( ! acf_is_plugin_active() ) {
            return;
        }

        // register update; the license key is false when none is stored for this site URL
        $registration = array(
            'id'       => 'pro',
            'key'      => acf_pro_get_license_key(),
            'slug'     => acf_get_setting( 'slug' ),
            'basename' => acf_get_setting( 'basename' ),
            'version'  => acf_get_setting( 'version' ),
        );
        acf_register_plugin_update( $registration );

        // admin only: add the license reminder to the plugin's update row
        if ( is_admin() ) {
            $hook_name = 'in_plugin_update_message-' . acf_get_setting( 'basename' );
            add_action( $hook_name, array( $this, 'modify_plugin_update_message' ), 10, 2 );
        }
    }

    /**
     * modify_plugin_update_message
     *
     * Displays an update message for plugin list screens. Prints nothing when a
     * license key is available; otherwise echoes a reminder linking to the
     * Updates settings page and to the vendor's pricing page.
     *
     * @date  14/06/2016
     * @since 5.3.8
     *
     * @param array  $plugin_data Passed by the hook; not used here.
     * @param object $response    Passed by the hook; not used here.
     * @return void
     */
    public function modify_plugin_update_message( $plugin_data, $response ) {

        // bail early if has key
        if ( acf_pro_get_license_key() ) {
            return;
        }

        // display message
        $template    = __('To enable updates, please enter your license key on the <a href="%s">Updates</a> page. If you don\'t have a licence key, please see <a href="%s">details & pricing</a>.', 'acf');
        $updates_url = admin_url('edit.php?post_type=acf-field-group&page=acf-settings-updates');

        echo '<br />' . sprintf( $template, $updates_url, 'https://www.advancedcustomfields.com/pro' );
    }
}

// initialize
new acf_pro_updates();

endif; // class_exists check
/*
*  acf_pro_get_license
*
*  Reads the stored license record from the 'acf_pro_license' option.
*
*  The option value is base64-decoded and then passed to maybe_unserialize();
*  acf_pro_update_license() writes it in the matching form. The data comes from
*  the site's own options table, not from a request.
*
*  NOTE(review): base64_decode() is presumably what a pattern-based scanner
*  reacts to in this file. The decoded bytes are treated as data only; nothing
*  in this function executes them. maybe_unserialize() does, however, accept
*  whatever the option contains, so this relies on the options table not being
*  writable by untrusted parties.
*
*  @date	20/09/2016
*  @since	5.4.0
*
*  @return	(array|false) the license array, or false when the option is empty
*  			or does not decode to an array
*/
function acf_pro_get_license() {

    // get option
    $stored = get_option( 'acf_pro_license' );

    // bail early if no value
    if ( ! $stored ) {
        return false;
    }

    // decode; anything that is not an array is treated as corrupt
    $decoded = maybe_unserialize( base64_decode( $stored ) );

    return is_array( $decoded ) ? $decoded : false;
}
/*
*  acf_pro_get_license_key
*
*  Returns the stored license key, but only when the license record was saved
*  for the current site URL (compared with the protocol stripped).
*
*  @date	20/09/2016
*  @since	5.4.0
*
*  @return	(string|false) the key, or false when there is no license, no key,
*  			or the stored URL differs from home_url()
*/
function acf_pro_get_license_key() {

    // vars
    $license  = acf_pro_get_license();
    $site_url = home_url();

    // bail early if empty
    if ( ! $license || ! $license['key'] ) {
        return false;
    }

    // the key is only valid for the URL it was stored with
    $stored_host  = acf_strip_protocol( $license['url'] );
    $current_host = acf_strip_protocol( $site_url );

    if ( $stored_host !== $current_host ) {
        return false;
    }

    return $license['key'];
}
/*
*  acf_pro_update_license
*
*  Stores the license key in the 'acf_pro_license' option and re-registers the
*  plugin update with the new key.
*
*  A non-empty key is saved together with home_url() as a serialized array,
*  base64-encoded; an empty key stores an empty string.
*
*  @date	20/09/2016
*  @since	5.4.0
*
*  @param	$key (string) license key; empty clears the stored license
*  @return	the return value of update_option()
*/
function acf_pro_update_license( $key = '' ) {

    // encode key + site URL, or store '' when no key was given
    $encoded = $key
        ? base64_encode( maybe_serialize( array(
            'key' => $key,
            'url' => home_url()
        ) ) )
        : '';

    // re-register update (key has changed)
    $registration = array(
        'id'       => 'pro',
        'key'      => $key,
        'slug'     => acf_get_setting( 'slug' ),
        'basename' => acf_get_setting( 'basename' ),
        'version'  => acf_get_setting( 'version' ),
    );
    acf_register_plugin_update( $registration );

    // update
    return update_option( 'acf_pro_license', $encoded );
}
?>