Beware before downloading wordpress themes and plugins [adwatch]

***Gabby*** · (This post was last modified: 03-22-2014 01:49 AM by Gabby.)

Sorry, I have downloaded many themes from here and have not had this to be true!
What is your source to prove this?

***quaramo*** · 03-20-2014, 04:35 AM

here is a source http://[Reported by Members as premium hosting that SUCK! Use MEDIAFIRE or MEGA.NZ :) !!!].net/file/ad06a004f88178d55ea0221676001c3e/codecanyon-3078294-mymail-email-newsletter-plugin-for-wordpress.zip.html
same symptoms --> adwat.ch
I have extensively searched the files, no clue

***r1ckd33zy*** · 03-20-2014, 04:41 AM

Can we all stop the BSing around?!
Can someone just provide a link to a post/thread that has a download link to one of the themes or plugin that is infected? Just a link... is that too hard?

This is the best way we can identify the poster of the malicious file, the malicious script and how to remove it. This would be better than everyone acting like Chicken Little running around saying "the sky is falling".

***pgeraldes*** · 03-20-2014, 06:44 AM

Hi again i will be honest the theme that i downloaded was the7 (3.1.1) but it wasn't from here, it was from another source but i saw this post and i would like to know if someone got a fix for this. I´m starting to get really frustrated not taking this virus from the theme. Here´s a link to the infected theme http://www50.zippyshare.com/v/66482293/file.html
Thanks

***r1ckd33zy*** · (This post was last modified: 03-20-2014 08:05 AM by r1ckd33zy.)

Yeah i looked at the files and could not find anything. I didn't install the theme because for me a 35MB WP theme is very worrying. It looks like a very complicated theme as per the files. When i have time i will try installing the theme and see if i can recreate the claims being made.

***pgeraldes*** · 03-20-2014, 08:15 AM

(03-20-2014 08:05 AM)r1ckd33zy Wrote: Yeah i looked at the files and could not find anything. I didn't install the theme because for me a 35MB WP theme is very worrying. It looks like a very complicated theme as per the files. When i have time i will try installing the theme and see if i can recreate the claims being made.

I already scan with all wordpress malware plugins, clamav, maldet and nothing found, scan database, and i couldn't find anything, the strange thing about the malware is that it´s not a cicling thing the adds appears occasionally. I tried to figure it out with firebug and the only thing that i could see is that the malware puts this script
"<script type="text/javascript">
var adwatch_id = 234224;
var adwatch_advert = "int";
var exclude_domains = ['affiliates.playboy.com', 'elperutienetalento.com', 'skeezybabes.com', 'wp-admin', 'kamapisachi.info', 'nude', 'sex', 'porn', 'naked', 'F***', 'cock', 'penis', 'tits', 'boobs', 'pussy', 'wp-login', 'hillaryClinton2016.com', 'mpmgworld.com'];
</script>
<script type="text/javascript" src="http://adwat.ch/js/easylink.js"></script><style type="text/css">PICK AN ELEMENT NOW - or type CSS selector(advanced) {
font-size: 30px !important;
color: #444 !important;"

on the page before the add appear but i tried to search all strings on all wordpress pages and i couldnt find nothing.
A little help would be very helpfull.
Thanks

***miren*** · 03-20-2014, 08:20 AM

Try to scan with Sucuri Security plugin for Wordpress

***MeisterGTV*** · 03-20-2014, 08:27 AM

Hi guys, I've been annoyed by this issue as well, it started coming out when I installed a shared version of Foobox somewhere and is still re-occurring after I deactivated and deleted the plugin.

I downloaded my theme and all plugins installed on my site to one folder and then I used Windows Grep to do a quick search for adwatch_id = 234224; check on "Quick (no regular expressions)" - and scanned the folder where I downloaded the theme and all plugins, it then returned some PNG files. - I dont know if this might be it, but it could be that the code is encrypted on certain PNG files or an exploit embeds the code on them.

***r1ckd33zy*** · 03-20-2014, 08:53 AM

(03-20-2014 08:15 AM)pgeraldes Wrote:
(03-20-2014 08:05 AM)r1ckd33zy Wrote: Yeah i looked at the files and could not find anything. I didn't install the theme because for me a 35MB WP theme is very worrying. It looks like a very complicated theme as per the files. When i have time i will try installing the theme and see if i can recreate the claims being made.
I already scan with all wordpress malware plugins, clamav, maldet and nothing found, scan database, and i couldn't find anything, the strange thing about the malware is that it´s not a cicling thing the adds appears occasionally. I tried to figure it out with firebug and the only thing that i could see is that the malware puts this script
"
PICK AN ELEMENT NOW - or type CSS selector(advanced) {
font-size: 30px !important;
color: #444 !important;"

on the page before the add appear but i tried to search all strings on all wordpress pages and i couldnt find nothing.
A little help would be very helpfull.
Thanks

Are you sure this script is not being injected from a source external to your website. For example, some free webhost are known to inject ads on sites being hosted by them or some web browser plugins/extensions can do this also.

***intrepid*** · 03-20-2014, 09:08 AM

(03-19-2014 10:45 AM)brandimage Wrote:
(03-19-2014 09:15 AM)sreekuttan.dev@gmail.com Wrote: Tried to upload virustotal but it shows nothing suspicious at all.. Any fix? share here please.
Use the following plugins to scan for malicious code. Both are free!

TAC (Theme Authenticity Checker)

Magic Button :
http://wordpress.org/plugins/tac/

Exploit Scanner

Magic Button :
http://wordpress.org/plugins/exploit-scanner/

TAC is recently updated but Exploit Scanner hasn't been updated in more than 1 year but I'm sure it still works. I use Wordfence to scan themes and plugins for malware and it is regularly updated and sends you email notifications.

Get Wordfence

Magic Button :