[WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites

[gho5t]

Yeah, I know this might not be the right section to post this thread in, but it's really important!

I downloaded a few themes from some "nulled" theme sites to test them out before buying them, and big mistake!

I installed a theme from dlwordpress.com and lots of shit happened a few days after that.

I noticed that Wordfence was reporting a change to my post.php file and that two new files just appeared out of nowhere. (wp.class.php and wp-cd.php) But not on just one of my sites, but all of them shared on the same host.

So, I did a little bit of digging around and found the following:

Code:

https://wordpress.org/support/topic/code-added-to-functions-file/

I found that ALL of the functions.php in the themes folders for ALL of my sites had been modified with this:

Code:

http://stackoverflow.com/questions/40350225/malware-research-what-this-code-do-in-php

I also found a new entry in one of my databases. I noticed that it only affected databases with the prefix wp_.

The worst part is that it infected ALL of my sites that were installed on the same hosting account. So, I had to clean up several sites to get rid of this shit.

Lesson learned and another warning about these f*cking "nulled" theme websites!

NB: You should be using the Wordfence plugin (FREE) on all of your WordPress installs. This plugin really does work!

Code:

https://wordpress.org/plugins/wordfence/

My Wordfence Settings: (be sure to fill in "email to send alerts to" and your domain name to the "immediately block the ip" text field right underneath "admin" and "administrator")

Code:

https://s11.postimg.org/gb0k4583n/wordfence_options.png

Be sure to check all downloaded themes against these sites: (thanks Gadzookz for suggesting these)

Code:

http://themecheck.org/#ancreSubmit/
https://www.{{{Blocked by Omni Potens, reason: reports from LEGIT GB STARTER}}}/
https://www.unphp.net/
https://www.virustotal.com/

Hope this helps!

[kriendor]

thanks buddy really good info !

[SlumdogGeordie]

Same happened to me. I downloaded and installed from a BBHF (Get) before reading the posts and when I returned to the thread to add 'deserved' reps, read the posts and found that there were 27 viruses in the program I had just installed.

I was fortunate in that I uninstalled immediately, cleaned my disk and most of the viruses did not get activated, but the one you mention above did - a total balls-ache and a BIG lesson learned.

Thank you jendaceo for the warning - +5 added.

[Gadzookz]

Don't for a second think all shares are done to help this wonderful community. Always do your own checking. virustotal cannot scan password protected shares unless you unpack the file, and repack without the password. Files from sites that share nulled scripts and themes, etc. will most likely be infected. Do your homework. Here's a link to one of the common malicious injections found in nulled shares: http://stackoverflow.com/questions/40350...do-in-php/

https://wordpress.org/support/topic/code...ions-file/

I have found this code in many shares, and even on some shares found here at BBHF. Do your own checking.

[gho5t]

(11-15-2016 02:50 AM)Gadzookz Wrote:  Don't for a second think all shares are done to help this wonderful community. Always do your own checking. virustotal cannot scan password protected shares unless you unpack the file, and repack without the password. Files from sites that share nulled scripts and themes, etc. will most likely be infected. Do your homework. Here's a link to one of the common malicious injections found in nulled shares: http://stackoverflow.com/questions/40350...do-in-php/

https://wordpress.org/support/topic/code...ions-file/

I have found this code in many shares, and even on some shares found here at BBHF. Do your own checking.

Yep, this is EXACTLY what I posted to the OP. :)

[hey011]

(11-15-2016 03:05 AM)jendaceo Wrote:  

(11-15-2016 02:50 AM)Gadzookz Wrote:  Don't for a second think all shares are done to help this wonderful community. Always do your own checking. virustotal cannot scan password protected shares unless you unpack the file, and repack without the password. Files from sites that share nulled scripts and themes, etc. will most likely be infected. Do your homework. Here's a link to one of the common malicious injections found in nulled shares: http://stackoverflow.com/questions/40350...do-in-php/

https://wordpress.org/support/topic/code...ions-file/

I have found this code in many shares, and even on some shares found here at BBHF. Do your own checking.

Yep, this is EXACTLY what I posted to the OP. :)

thank you for your warning, good to know some things,

I would like to understand if, before uploading to your website those files, you first scanned them on virustotal...

because I often download from null24(dot)net
and scan everything before uploading it to my websites,
but never had one problem known to me....

[hey011]

because you deserve it, reps added

[Gadzookz]

(11-15-2016 03:05 AM)jendaceo Wrote:  

(11-15-2016 02:50 AM)Gadzookz Wrote:  Don't for a second think all shares are done to help this wonderful community. Always do your own checking. virustotal cannot scan password protected shares unless you unpack the file, and repack without the password. Files from sites that share nulled scripts and themes, etc. will most likely be infected. Do your homework. Here's a link to one of the common malicious injections found in nulled shares: http://stackoverflow.com/questions/40350...do-in-php/

https://wordpress.org/support/topic/code...ions-file/

I have found this code in many shares, and even on some shares found here at BBHF. Do your own checking.

Yep, this is EXACTLY what I posted to the OP. :)

You are right. Forgive me. I didn't fully read your post. Repped.

[gho5t]

(11-15-2016 03:50 AM)hey011 Wrote:  

(11-15-2016 03:05 AM)jendaceo Wrote:  

(11-15-2016 02:50 AM)Gadzookz Wrote:  Don't for a second think all shares are done to help this wonderful community. Always do your own checking. virustotal cannot scan password protected shares unless you unpack the file, and repack without the password. Files from sites that share nulled scripts and themes, etc. will most likely be infected. Do your homework. Here's a link to one of the common malicious injections found in nulled shares: http://stackoverflow.com/questions/40350...do-in-php/

https://wordpress.org/support/topic/code...ions-file/

I have found this code in many shares, and even on some shares found here at BBHF. Do your own checking.

Yep, this is EXACTLY what I posted to the OP. :)

thank you for your warning, good to know some things,

I would like to understand if, before uploading to your website those files, you first scanned them on virustotal...

because I often download from null24(dot)net
and scan everything before uploading it to my websites,
but never had one problem known to me....

What do you guys use to scan for infected theme/plugin files? Do these services actually hunt for exploits found in PHP code?

[CanhCam Guy]

Thanks for warning us Brother!
I never trust in themes from nulled sites...and never install them on my business hosting.
Everyday on our forums...some "GOOD" guys spam freebies sections with so many themes they get from nulled-sites like null24,themelock...and they say they're clean...I did report again and again but never see anything happen from OUR MODs.