
Not sure if plugin is clean, any help would be highly appreciated

Discussion in 'BlackHat Lounge' started by bekti, Dec 27, 2015.

  1. bekti

    bekti Newbie

    Joined:
    May 4, 2015
    Messages:
    38
    Likes Received:
    7
    Hello everyone, I found a Gravity Forms plugin here on BlackHatWorld. VirusTotal returned that it was clean, and I also scanned it with my antivirus, which found nothing. I embedded a form on my personal website where I test nulled themes, plugins, etc., and ran various online scanners on the site, and they returned that the website is clean. I also ran Exploit Scanner on the plugin and it found this code:

    wp-content/plugins/gravityforms/common.php:5271 Often used to execute malicious code = preg_match( '/^[0-9 -\/*\(\)]+$/', $formula ) ? eval( "return {$formula};" ) : false;
    wp-content/plugins/gravityforms/common.php:5869 Used by malicious scripts to decode previously obscured data/programs trim( mcrypt_decrypt( MCRYPT_RIJNDAEL_256, $key, base64_decode( $text ), MCRYPT_MODE_ECB, mcrypt_create_iv( $i
    wp-content/plugins/gravityforms/form_detail.php:108 Often used to execute malicious code var r = eval(expr);
    wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:383 Used by malicious scripts to decode previously obscured data/programs $state_array = json_decode(base64_decode($state), true);
    wp-content/plugins/gravityforms/js/jquery.json-1.3.js:144 Often used to execute malicious code return eval("(" + src + ")");
    wp-content/plugins/gravityforms/js/jquery.json-1.3.js:156 Often used to execute malicious code return eval("(" + src + ")");
    wp-content/plugins/gravityforms/js/gravityforms.js:807 Often used to execute malicious code result = eval(expr);
    wp-content/plugins/gravityforms/form_display.php:1586 Used by malicious scripts to decode previously obscured data/programs $state = json_decode(base64_decode($_POST["state_{$form_id}"]), true);
    Since I don't know much coding (only CSS, HTML and some C++), could anyone tell me if any of the code looks suspicious?

    Sincerely, Bekti:)
     
  2. webwhizz

    webwhizz BANNED

    Joined:
    Apr 3, 2011
    Messages:
    724
    Likes Received:
    659
    I would look for base64 code located somewhere in that plugin; it could be malicious. Try to locate and decode it using free online decryption tools.
     
    Last edited: Dec 27, 2015
  3. Dvarmin

    Dvarmin Regular Member

    Joined:
    Dec 21, 2012
    Messages:
    346
    Likes Received:
    234
    It could very well be malicious; you need to trace the base64 encoded strings and decode them in order to see what's being executed by the eval function.
     
  4. bekti

    bekti Newbie

    Joined:
    May 4, 2015
    Messages:
    38
    Likes Received:
    7
    I will check back when I decode that stuff; I thought it seemed kind of fishy. If the plugin turns out to be malicious, I will report the thread and the user who shared this stuff. Thank you guys! :)
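The advice in the replies above (find the base64 strings, decode them, and see what ends up inside eval) can be done offline without pasting plugin code into an online tool. The following is an added triage script, not code from the thread or from Gravity Forms; it is written in Python rather than PHP so it can run anywhere, and the sample source it scans is constructed for this illustration. It separates two kinds of hits: a line that merely calls eval() or base64_decode() on a variable (the kind of "review" hit the scanner in the first post reported, which a form-calculation or state-restore feature can legitimately produce) and a line carrying a base64 literal that decodes to PHP or JavaScript code, which is the pattern worth treating as suspicious until the surrounding code is read.

```python
import base64
import binascii
import re

# A run of base64 characters long enough to be a payload rather than an identifier.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Calls the thread's scanner flagged; a hit is a lead to read, not a verdict.
RISKY_CALLS = re.compile(r"\b(eval|base64_decode|mcrypt_decrypt|gzinflate|str_rot13)\s*\(")
# If a decoded literal contains any of these, it is code, not data (a JSON state blob would not).
CODE_MARKERS = ("<?php", "eval(", "system(", "shell_exec(", "base64_decode(", "$_POST", "$_GET", "$_REQUEST")


def decode_candidate(token):
    """Strictly decode one base64 token; return text or None if it is not valid UTF-8 base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify_line(line):
    """Return (label, detail): 'suspicious' with the decoded text, 'review' with the risky calls, or 'clean'."""
    calls = RISKY_CALLS.findall(line)
    for token in B64_TOKEN.findall(line):
        decoded = decode_candidate(token)
        if decoded and any(marker in decoded for marker in CODE_MARKERS):
            return "suspicious", decoded
    if calls:
        return "review", ",".join(sorted(set(calls)))
    return "clean", ""


def scan(source):
    """Return (line_number, label, detail) for every line that is not clean."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        label, detail = classify_line(line)
        if label != "clean":
            findings.append((number, label, detail))
    return findings


# Constructed sample: two benign-looking calls on variables, one embedded literal that
# decodes to PHP, one eval of that literal, and one ordinary line. The hidden string is
# built here so the sample stays readable; it is not taken from any real plugin.
HIDDEN = base64.b64encode(b"<?php echo 'constructed hidden code'; ?>").decode()
SAMPLE = (
    "$state_array = json_decode(base64_decode($state), true);\n"
    "var r = eval(expr);\n"
    '$x = "' + HIDDEN + '";\n'
    "eval(base64_decode($x));\n"
    "$label = 'Welcome to the form';\n"
)

if __name__ == "__main__":
    for number, label, detail in scan(SAMPLE):
        print(f"line {number}: {label:<10} {detail}")
```

Run against a real plugin directory by reading each .php and .js file and passing its contents to scan(). A "review" hit on its own only tells you where to look; the decisive check is whether the flagged file differs from the same version downloaded from the vendor, since a nulled copy that was altered will show the added lines in a plain diff.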