Not sure if plugin is clean, any help would be highly appreciated

bekti (Newbie, joined May 4, 2015)
Hello everyone, I found a Gravity Forms plugin here on blackhatworld. VirusTotal returned that it was clean, and I also scanned it with my antivirus, which found nothing. I embedded a form on my personal website, where I test nulled themes, plugins, etc., and ran various online scanners on the site, and they returned that the website is clean. I also ran Exploit Scanner on the plugin, and it found this code:

Scanner results (file:line, scanner note, matched code):

wp-content/plugins/gravityforms/common.php:5271 (Often used to execute malicious code)
    = preg_match( '/^[0-9 -\/*\(\)]+$/', $formula ) ? eval( "return {$formula};" ) : false;

wp-content/plugins/gravityforms/common.php:5869 (Used by malicious scripts to decode previously obscured data/programs)
    trim( mcrypt_decrypt( MCRYPT_RIJNDAEL_256, $key, base64_decode( $text ), MCRYPT_MODE_ECB, mcrypt_create_iv( $i

wp-content/plugins/gravityforms/form_detail.php:108 (Often used to execute malicious code)
    var r = eval(expr);

wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:383 (Used by malicious scripts to decode previously obscured data/programs)
    $state_array = json_decode(base64_decode($state), true);

wp-content/plugins/gravityforms/js/jquery.json-1.3.js:144 (Often used to execute malicious code)
    return eval("(" + src + ")");

wp-content/plugins/gravityforms/js/jquery.json-1.3.js:156 (Often used to execute malicious code)
    return eval("(" + src + ")");

wp-content/plugins/gravityforms/js/gravityforms.js:807 (Often used to execute malicious code)
    result = eval(expr);

wp-content/plugins/gravityforms/form_display.php:1586 (Used by malicious scripts to decode previously obscured data/programs)
    $state = json_decode(base64_decode($_POST["state_{$form_id}"]), true);

Since I don't know much about coding (only CSS, HTML and some C++), could anyone tell me if any of this code looks suspicious?

Sincerely, Bekti :)
 
I would look for base64-encoded code located somewhere in that plugin; it could be malicious. Try to locate and decode it using free online decryption tools.
It could very well be malicious; you need to trace the base64-encoded strings and decode them in order to see what's being executed by the eval function.
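Both replies say the same thing: find what feeds each eval() and decode the base64 before judging it. The script below is an added example (my own Python, not Gravity Forms code and not from anyone in this thread) that does that triage over a hit list like the one posted: it classifies each eval() by whether a decoder chain (base64_decode, gzinflate, str_rot13 ...) feeds it or a string the surrounding code constrains, peels nested base64/gzinflate layers off any long literal it finds, and hash-compares the suspect plugin tree against the official release so that files identical to the vendor's drop out of review. All sample inputs are constructed: the common.php line is the one the scanner quoted, with an assumed `$result =` left-hand side (the page shows it from `= preg_match` onward); the `includes/nulled-loader.php` file and its two-layer payload are made up for the demonstration and are not claimed to exist in the plugin.

```python
"""Triage an exploit-scanner hit list for a nulled WordPress plugin.
Added example; not Gravity Forms code. All sample inputs are constructed."""
import base64
import hashlib
import re
import zlib
from pathlib import Path

DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "gzdecode", "str_rot13", "strrev")
EVAL_ANY = re.compile(r"\beval\s*\(")
EVAL_OF_DECODER = re.compile(r"\beval\s*\(\s*(?:%s)\s*\(" % "|".join(DECODERS), re.I)
# A quoted run of 60+ base64 characters: long enough to skip hashes and short tokens.
LONG_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{60,}={0,2})['\"]")


def _as_text(raw: bytes):
    """Return raw as text if it is printable UTF-8, else None (binary or compressed)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def decode_layers(blob: str, max_layers: int = 5):
    """Peel base64 (and raw-deflate, i.e. PHP gzinflate) layers off a literal.
    Returns one decoded text per layer; stops when a layer is not decodable or
    holds no further long base64 literal. This is the 'decode the base64 to see
    what eval runs' step, automated for nested payloads."""
    layers, current = [], blob
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(current, validate=True)
        except ValueError:            # binascii.Error is a ValueError
            break
        text = _as_text(raw)
        if text is None:              # not text: try it as gzinflate() input
            try:
                text = _as_text(zlib.decompress(raw, -15))
            except zlib.error:
                text = None
        if text is None:
            break
        layers.append(text)
        inner = LONG_B64_LITERAL.search(text)
        if inner is None:
            break
        current = inner.group(1)
    return layers


def triage_source(path: str, src: str):
    """Classify every eval() and every long base64 literal in one source text."""
    findings = []
    for m in EVAL_ANY.finditer(src):
        kind = "eval-of-decoder" if EVAL_OF_DECODER.match(src, m.start()) else "eval-of-expression"
        findings.append({"file": path, "line": src.count("\n", 0, m.start()) + 1, "kind": kind,
                         "snippet": src[m.start():m.start() + 70].splitlines()[0]})
    for m in LONG_B64_LITERAL.finditer(src):
        findings.append({"file": path, "line": src.count("\n", 0, m.start()) + 1,
                         "kind": "base64-literal", "layers": decode_layers(m.group(1))})
    return findings


def diff_trees(reference, suspect):
    """Hash-compare two {relative_path: bytes} trees -> (modified, added, missing).
    A file identical to the vendor's copy needs no review, whatever a scanner flags in it."""
    def digest(b):
        return hashlib.sha256(b).hexdigest()
    modified = sorted(p for p in reference if p in suspect and digest(reference[p]) != digest(suspect[p]))
    added = sorted(p for p in suspect if p not in reference)
    missing = sorted(p for p in reference if p not in suspect)
    return modified, added, missing


def load_tree(root):
    """Read a plugin directory into the {relative_path: bytes} form diff_trees expects."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*") if p.is_file()}


# --- constructed samples -------------------------------------------------------
# The guarded eval the scanner quoted from common.php; '$result =' is an assumption.
BENIGN_COMMON_PHP = r"""<?php
$result = preg_match( '/^[0-9 -\/*\(\)]+$/', $formula ) ? eval( "return {$formula};" ) : false;
"""

def _raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)      # raw deflate, what PHP gzinflate() consumes
    return c.compress(data) + c.flush()

# Constructed two-layer decoder chain of the shape nulled plugins ship with; the
# innermost payload is a harmless echo standing in for what a real one would run.
_INNER = b"/* constructed sample: a real payload would go here */ echo 'constructed final layer';"
_LAYER1 = b'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(_raw_deflate(_INNER))
SUSPECT_LOADER_PHP = '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(_LAYER1).decode()

# Constructed trees: the vendor copy, and the nulled copy with one extra (made-up) file.
REFERENCE_TREE = {"common.php": BENIGN_COMMON_PHP.encode()}
SUSPECT_TREE = {"common.php": BENIGN_COMMON_PHP.encode(),
                "includes/nulled-loader.php": SUSPECT_LOADER_PHP.encode()}

if __name__ == "__main__":
    modified, added, missing = diff_trees(REFERENCE_TREE, SUSPECT_TREE)
    print("modified:", modified, "added:", added, "missing:", missing)
    for path in modified + added:        # only files the vendor did not ship need eyes
        for f in triage_source(path, SUSPECT_TREE[path].decode()):
            print(f["file"], f["line"], f["kind"], f.get("snippet", ""))
            for i, layer in enumerate(f.get("layers", []), 1):
                print("   layer", i, "->", layer[:80])
    for f in triage_source("common.php", BENIGN_COMMON_PHP):
        print("vendor file, for comparison:", f["kind"], f["snippet"])
```

To use it on a real copy, point load_tree at the nulled plugin directory and at an unpacked official archive of the same version, run diff_trees, and triage only the modified and added files. The distinction the script draws is the one the scanner cannot: an eval whose argument is a long literal wrapped in decoders is code hidden from review and must be decoded, while an eval of a variable is judged by whatever constrains that variable in the surrounding code.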
 
I will check back when I have decoded that stuff; I thought it seemed kind of fishy. If the plugin turns out to be malicious, I will report the thread and the user who shared this stuff. Thank you guys! :)
 