[WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites

***Batmans*** · 11-15-2016, 06:45 AM

Thanks for the great tip. Can never know too much about this subject/hacking.
Thanks for sharing your experience and saving others from going down that road.

BATMAN

***gho5t*** · 11-15-2016, 06:49 AM

(11-15-2016 06:10 AM)Gadzookz Wrote: Adding this to your htaccess file can defend against alot of nastiness:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(and#x22;|and#x27;|and#x3C;|and#x3E;|and#x5C;|and#x7B;|and#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

Thanks for decoding with an explanation and for the htaccess additions! :)

***Gadzookz*** · 11-15-2016, 05:11 PM

(11-15-2016 06:49 AM)jendaceo Wrote:
(11-15-2016 06:10 AM)Gadzookz Wrote: Adding this to your htaccess file can defend against alot of nastiness:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(and#x22;|and#x27;|and#x3C;|and#x3E;|and#x5C;|and#x7B;|and#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

Thanks for decoding with an explanation and for the htaccess additions! :)

no problem.

***Gambit Thief*** · 11-15-2016, 08:18 PM

reps added for the great information.

***donfunds*** · 11-15-2016, 09:36 PM

Thanks for this piece... But after scanning virus total I only get results showing some files are infected... How do I know the exact file... It doesn't say... Virus total just display malicious site

***DrunkenPanda*** · 11-16-2016, 01:09 AM

(11-15-2016 05:11 PM)Gadzookz Wrote:
(11-15-2016 06:49 AM)jendaceo Wrote:
(11-15-2016 06:10 AM)Gadzookz Wrote: Adding this to your htaccess file can defend against alot of nastiness:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(and#x22;|and#x27;|and#x3C;|and#x3E;|and#x5C;|and#x7B;|and#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

Thanks for decoding with an explanation and for the htaccess additions! :)

no problem.

Thanks for helping the community. Max Reps Added Perfect 10

***CanhCam Guy*** · 11-16-2016, 03:51 AM

(11-15-2016 09:36 PM)donfunds Wrote: Thanks for this piece... But after scanning virus total I only get results showing some files are infected... How do I know the exact file... It doesn't say... Virus total just display malicious site

Upload theme to themecheck ,it will say exactly where to fix!

***NoJob*** · 11-16-2016, 04:57 AM

This is an excellent thread and members here should always be aware of possible problems with downloads. Thanks and reps to the OP!
Cheers,
NoJob

***berlinerin*** · (This post was last modified: 11-16-2016 05:06 AM by berlinerin.)

Question please:
is an Html-Side securer than wp?

Are there any wp-plugins for real security?
So... tell me.. what can I do?

Without coding

***DrunkenPanda*** · 11-16-2016, 05:08 AM

(11-16-2016 05:03 AM)berlinerin Wrote: Question please:
is an Html-Side securer than wp?

Are there any wp-plugins for real security?
So... tell me.. what can I do?

Without coding

Yes, HTML site secure than wp

Wordfence is a good plugin to safeguard your site but my advise is don't download themes from unknown members.. There are some reputed members who run GB which absolutely cost nothing so join them