
Is this code suspicious

Discussion in 'BlackHat Lounge' started by tompots, May 13, 2013.

  1. tompots

    tompots Elite Member Premium Member

    Joined:
    Dec 11, 2011
    Messages:
    4,352
    Likes Received:
    3,955
    Gender:
    Male
    Occupation:
    Full Time Bot Developer
    Location:
    Professional Botters
    Not sure where to post this. I got an AV alert on one of my sites today and was wondering if anyone who knows PHP could tell me if there is anything funny going on here.

    Code:
    <?php
        /* Template name: Blank Template */
    ?>
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title><?php the_title(); ?></title>
    <?php
        // Print the tracking snippet the site owner stored in wp_options, unmodified.
        if (get_option('sq_user_tracking_code') !== false) {
            echo get_option('sq_user_tracking_code');
        }
    ?>
    </head>
    <body>
    <?php while ( have_posts() ) : the_post(); ?>
        <?php the_content(); ?>
    <?php endwhile; // end of the loop. ?>
    <div style="margin: 5px auto; text-align: center;"><a href="http://wpleadplus.com/?src=urspg">Powered by WP Lead Plus</a></div>
    <?php
        // Social bar: prints the stored scripts, then a base64-encoded HTML/JS blob
        // from wp_options. The decoded data is echoed into the page, not executed.
        if (get_option('sq_social_bar_status') == 'enable') {
            echo get_option('sq_social_scripts');
            echo base64_decode(get_option('sq_social_code'));
        }
    ?>
    </body></html>
    
     
  2. cgimaster

    cgimaster Power Member

    Joined:
    Jun 30, 2012
    Messages:
    525
    Likes Received:
    311
    Gender:
    Male
    The code is not all there, hence we cannot tell if the other parts are malicious, but this part is not.

    We would need to know what the echoes are printing to the client.
     
    Thanks x 1
  3. ShadeDream

    ShadeDream Elite Member

    Joined:
    Nov 27, 2008
    Messages:
    2,209
    Likes Received:
    5,230
    Location:
    He who laughs last, laughs longest.
    Which AV are you using? Scanning code with an AV is somewhat laughable to me. Most of the time you will probably get false positives due to certain keywords within the code.
     
    Thanks x 1
  4. tompots

    I got the plugin from WordPress; I thought it was funny that it gave a positive.

    This AV plugin
    Code:
    http://wpantivirus.com/
    
    And this is the plugin that the AV alerted on

    Code:
    http://wordpress.org/extend/plugins/wp-lead-plus-free-squeeze-pages-creator/
    
     
  5. ShadeDream

    The "antivirus" scans the code for the following:

    Code:
    	private static function _php_match_pattern()
    	{
    		return '/(assert|file_get_contents|curl_exec|popen|proc_open|unserialize|eval|base64_encode|base64_decode|create_function|exec|shell_exec|system|passthru|ob_get_contents|file|curl_init|readfile|fopen|fsockopen|pfsockopen|fclose|fread|file_put_contents)\s*?\(/';
    	}
    I can assume that "base64_decode" is what triggered it. I'm not sure how or what it's used for, as I don't know how the plugin works. I'd look into it, but as I'm still learning it would take me some time, and I'm a bit busy at this time. I think it's nothing to worry about though. Of course, I may be wrong.
     
    Thanks x 1
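To show what that signature actually catches, here is an added triage scanner (not code from the thread or from either plugin) that applies the quoted pattern to a constructed sample of the template and, for each hit, checks whether a decoder is wrapped by a code-execution sink on the same line; the sink list and samples are my assumptions.

```python
import re

# The WP AntiVirus pattern quoted above. Note it has no word boundary, so a
# name such as my_exec( also matches: keyword hits are leads, not verdicts.
PHP_MATCH_PATTERN = re.compile(
    r'(assert|file_get_contents|curl_exec|popen|proc_open|unserialize|eval|'
    r'base64_encode|base64_decode|create_function|exec|shell_exec|system|'
    r'passthru|ob_get_contents|file|curl_init|readfile|fopen|fsockopen|'
    r'pfsockopen|fclose|fread|file_put_contents)\s*?\('
)

# Assumed sinks that turn data into code: a decoder feeding one of these on the
# same line is what deserves attention, a decoder feeding echo usually does not.
CODE_SINKS = ('eval', 'create_function', 'assert')

# Constructed sample: the lines of the posted template that the signature flags.
TEMPLATE_SAMPLE = """<?php
    echo get_option('sq_social_scripts');
    echo base64_decode(get_option('sq_social_code'));
?>"""

# Constructed sample of the shape that would warrant real concern.
SUSPECT_SAMPLE = "<?php eval(base64_decode(get_option('x'))); ?>"


def scan(source):
    """Return one dict per signature hit: line number, matched function name,
    and whether a code sink precedes the hit on that line (i.e. wraps it)."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in PHP_MATCH_PATTERN.finditer(line):
            prefix = line[:m.start()]
            wrapped = any(re.search(r'\b%s\s*\(' % s, prefix) for s in CODE_SINKS)
            hits.append({'line': lineno, 'func': m.group(1), 'executed': wrapped})
    return hits


def report(source):
    """Human-readable triage lines, one per hit."""
    return ['line %d: %s( %s' % (h['line'], h['func'],
                                 'FED TO CODE SINK' if h['executed'] else 'data only')
            for h in scan(source)]


if __name__ == '__main__':
    print('\n'.join(report(TEMPLATE_SAMPLE)))
    print('\n'.join(report(SUSPECT_SAMPLE)))
```

On the template sample the only hit is base64_decode( whose result goes to echo, which is why the alert here is a keyword false positive; the same decoder inside eval( is what the report marks for manual review.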
  6. tompots

    Yes, you are correct, "base64_decode" did trigger it. Thanks for the help. I removed the plugin for now just to be safe, because it is one of my money sites. Here is some +rep to both of you for your help.
     
    Thanks x 1
  7. cbnoob

    cbnoob Senior Member

    Joined:
    Sep 27, 2010
    Messages:
    967
    Likes Received:
    455
    lol, it's my plugin :D. The base64_decode is used to decode a long string. Don't worry.
     
    Thanks x 1