BEWARE of fake social.png's that come with PIRATED plugins!

Genesis

Administrator
Staff member
Just came across an incident of a malicious executable social.png that was loaded with a plugin and created a lethal infection of a WordPress website. The lesson learned from it is to NEVER use pirated plugins. It is not worth it. Also, it may have ramifications for servers.

The person who went through this experience is above average WordPress literate, is careful with plugins (claims she only uses plugins from reputable sites), and has Wordfence loaded on her WordPress. Wordfence found the social.png, but by the time she learned about it her website had already been infected. The data center picked up on it though and the account was suspended. It looks as though it is so lethal Wordfence could not stop it. The social.png replicates itself and is very difficult to root out.

Here is a description of what it is about:
http://stackoverflow.com/questions/...nge-false-social-png-in-many-wordpress-themes

And the threat to servers:
http://blog.fox-it.com/2014/11/18/c...at-inside-popular-content-management-systems/

This WordPress plugin claims to be able to catch it:
https://wordpress.org/support/topic...njecting-malicious-code-in-theme-options-file
 

GigaGreg

Moderator
Staff member
Wow, that is some nasty thing. Hope she gets her hosting back. I don't get why people do this to other people. It doesn't make sense.
 

GigaGreg

Moderator
Staff member
I have never thought about downloading pirated plugins, but I have downloaded many pirated themes and styles. This CryptoPHP is a big issue for our websites.
 

Genesis

Administrator
Staff member
She's now worked out how it happened. A lesson to all of us:

The article helped me to see what happened. The include command was in the functions.php file of the Modern Blogger Pro theme, which is one of a few themes I loved and purchased thinking that I would see which one fit best for my general blog, then use another on my photo blog, and another on my music blog. This particular theme was the ONLY one not bought from StudioPress, but a 3rd party as a "trial" for much less. Lesson learned!

If you check the PDF file above, however, there's a list of the websites that flog these kinds of scripts and that one should beware of.

We found the following list of 20 websites being used to distribute the CryptoPHP backdoor:

The following websites host the actual plug-in and theme files used for direct download:
bulkyfiles.com
linkzquickz.com
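The infection pattern described in this thread (an include in functions.php pointing at a "social.png" that is really PHP) can be checked for with a simple file scan. The following is an added example, not code from the thread or from any of the plugins mentioned; it builds a constructed sample theme in a temporary directory and flags PHP files that include image-named files, plus image-named files that contain PHP or lack a valid PNG header.

```python
"""Scan a theme/plugin directory for the CryptoPHP-style pattern:
a PHP include/require of an "image" file, and image-named files
that actually hold PHP code."""
import os
import re
import tempfile

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# include/require(_once) whose argument ends in an image extension
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:png|jpe?g|gif))['\"]",
    re.IGNORECASE)

def scan_dir(root):
    """Return a sorted list of (relative_path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            low = name.lower()
            if low.endswith(".php"):
                for m in INCLUDE_RE.finditer(data.decode("utf-8", "replace")):
                    findings.append((rel, "includes image file " + m.group(1)))
            elif low.endswith(IMAGE_EXTS):
                if b"<?php" in data or b"<?=" in data:
                    findings.append((rel, "PHP code inside image-named file"))
                elif low.endswith(".png") and not data.startswith(PNG_MAGIC):
                    findings.append((rel, "missing PNG header"))
    return sorted(findings)

def demo():
    """Constructed sample theme: a trojanised functions.php, a fake PNG, a real PNG."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "functions.php"), "w") as fh:
        fh.write("<?php\n// constructed stand-in for the injected loader line\n"
                 "include('images/social.png');\n")
    with open(os.path.join(root, "images", "social.png"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in for the backdoor body */ ?>")
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00" * 16)  # genuine-looking image, not flagged
    return scan_dir(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "-", reason)
```

Run it against a real theme directory with `scan_dir("/path/to/wp-content/themes/<theme>")`; anything it reports deserves a manual look before the theme is deployed.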
 

GigaGreg

Moderator
Staff member
I have sent the pdf file to one well known Wordpress blog. Maybe they will write something about it.
 

jaran

New member
Always test your plugins or themes at localhost before uploading to your web server. Don't be fooled into trusting any script or seller 100% before you have tried it yourself.
 

GigaGreg

Moderator
Staff member
DJB, we should, because we have no idea from what sources they are downloading plugins or if they are using nulled or pirated plugins.
 

Genesis

Administrator
Staff member
matosma said:
how can I remove this malware? Any idea!
That's just the thing, matosma. It's almost impossible to remove it. ELI from the WordPress plugin site reckons he has it covered, BUT there is a good chance that when one works on removing the infected files the website can break. Refer to his plugin and the support discussion below, particularly his two most recent posts at the bottom of the discussion:

https://wordpress.org/support/topic...njecting-malicious-code-in-theme-options-file

In the example I mentioned, the admin of that server, who is a very reasonable guy, didn't want to take the risk of unsuspending the website so as to allow the owner to download backups, or to get rid of the infected files. The recommendation is that the person needs to start the script from scratch with unpirated plugins.
 

Genesis

Administrator
Staff member
DJB said:
Is this something we should be warning our users about? Possibly a blog post?
OK I'll work on it Chris. I may even ask this lady who got caught this way if she'd care to write a blog post for us about her experience.
 

admin

Administrator
Staff member
Genesis said:
DJB said:
Is this something we should be warning our users about? Possibly a blog post?
OK I'll work on it Chris. I may even ask this lady who got caught this way if she'd care to write a blog post for us about her experience.
Excellent Idea.
 

ogah

New member
Maybe some .js files are also malicious.
Many times I have found in my server access log some people accessing .js files and some trying to post forms that are not found on my server; I guess those people are looking for holes in my website.
This is an example of what they are looking for:
/components/com_sexycontactform/assets/js/sexy-mousewheel.js

//components/com_jdownloads/jdownloads.js

//components/com_creativecontactform/assets/js/creative-mousewheel.js


And this is maybe them trying to upload a malicious image:
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
 

Genesis

Administrator
Staff member
DJB said:
Genesis said:
DJB said:
Is this something we should be warning our users about? Possibly a blog post?
OK I'll work on it Chris. I may even ask this lady who got caught this way if she'd care to write a blog post for us about her experience.
Excellent Idea.
Didn't get to ask her; thought it may be too much given that she has just started to put her website together from scratch again. So I created the blog post myself from the contents of this thread.
 

seliol

New member
Thanks for the warning!
I haven't downloaded any pirated plugins, but I do use a couple of free plugins made by users, so now I will be extra careful.
 

Ruhul

Banned
What I learnt here is to never use WPA plugins from any third-party sites. Instead, get your favorite plugin from WordPress.com/plugins, and whenever you download a theme, always look at its files before uploading it to your main site. However, it's always good to test themes/plugins on your own computer's localhost before uploading onto your main site.