Right On Simey69
I'm 100% certain this is how my Facebook account was hacked and sent files to all my friends with a virus. When I get a theme I get it from here, nowhere else do I get themes. So it's time to ban anyone who uploads regardless of their knowledge of the poisoned files. That is what VirusTotal is for, to scan it before you upload it to a mirror, and it doesn't take that long unless you're still on dial-up lol.
(03-29-2014 08:27 AM) patelnirpendra aka PPDGOD wrote: but what if they made a new account and started the same
I guess that admin can block by IP
Heya. On my way to work, but I will try to find a bookmark I had to an online service of sorts that scans WP themes and plugs for a host of nasties, from malicious code to external reference calls etc., picks up a lot. In some cases it can scan files against the Git or repos, not that that helps for commercial stuff, but still something to look into.
it was one of these, or sublink within, decent read too:-
* wptavern(dot)com/how-to-find-hacked-wordpress-files
* wpbeginner(dot)com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it
Another annoying one was the random Bieber YouTube redirect >.< on some of the plugs.
Thanks bro, very useful and very good... +rep
just want to offer my finding
the change from social.png to other name abc.png
abc can be anything
so
download OP file, unzip all files
in Windows 7 use folder view > pick > Large icons or Extra large icons view
if you cannot see the png show any image among the files
you should suspect something is wrong, open it with Notepad++
use an online decoder to decode it
then you can clearly see the virus or infection
"pls give REP if this helps you to delete the infection"
running VirusTotal sometimes may not detect this infection
hope this helps my dear sincere members
Another very useful feature of Notepad++ is "Find in Files". Set the directory to your plugin/theme to test, or your whole WP dir, and search for "INCLUDE" and ".PNG". This will search in the actual files' markup.
But they can encode or hide certain things we'd probably never know about.
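The two manual checks from the posts above (a .png that shows no thumbnail, and Find in Files for "INCLUDE" and ".PNG"), as an added Python example that is not part of the original thread. The sample theme, every file name other than abc.png, and the marker list are constructed assumptions for illustration.

```python
import os
import re
import tempfile
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # first 8 bytes of every real PNG
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
# include/require statement whose argument names an image file
INCLUDE_IMG = re.compile(
    rb"\b(?:include|require)(?:_once)?\b[^;]*\.(?:png|jpe?g|gif)\b", re.I)
# assumed marker list: strings that have no business inside image data
CODE_MARKERS = (b"<?php", b"eval(", b"base64_decode(")

def scan_theme(root):
    """Return sorted (relative_path, reason) findings for a theme/plugin dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            lower, body = name.lower(), data.lower()
            if lower.endswith(".png") and not data.startswith(PNG_MAGIC):
                findings.append((rel, "png without PNG signature"))
            if lower.endswith(IMAGE_EXT) and any(m in body for m in CODE_MARKERS):
                findings.append((rel, "code marker inside image file"))
            if lower.endswith(".php"):
                for line_no, line in enumerate(data.splitlines(), 1):
                    if INCLUDE_IMG.search(line):
                        findings.append((rel, f"line {line_no}: include of image file"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample theme: one real PNG header, one fake PNG."""
    samples = {
        "images/logo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
        "images/abc.png": b"<?php /* inert placeholder */ ?>",
        "functions.php": b"<?php\ninclude get_template_directory() . '/images/abc.png';\n",
        "index.php": b"<?php\necho '<img src=\"images/logo.png\">';\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(f"{p}: {why}" for p, why in scan_theme(tmp)))
```

As the post above says, loaders can be encoded or hidden in ways a string search will not catch, so an empty result does not prove a theme is clean.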
I agree with you - thanks for this advice!
Most if not all of non-purchased themeforest themes have this in them, and the ones that are not are instantly uploaded to 'wplocker' type sites with the infection added. The infections are usually hard to find, as mentioned in this thread.
I've uploaded a few themes purchased directly from themeforest only to have them instantly (within the day) sent to those theme sites, with new infection included and instant PMs begging for the updates the day they are out.
Thank you Simey69, greatly appreciate your intervention by letting us know.