Warning for downloading themes and plugins

Discussion in 'Feedback & Suggestions' started by aallaabbaammaa, Sep 24, 2012.

  1. aallaabbaammaa

    aallaabbaammaa Well-Known Member

    I recently downloaded a theme to test for a client project. I always do that before I buy a theme.

    2 problems appeared:

    The first was that I had to remove all mentions of the site I downloaded the theme from (wpdb.org) inside the theme's styles.css file. This was easy because all mentions were at the top of the file (just replaced all links with fake ones).

    The second problem was that these assholes had injected a redirect code that when triggered (at random intervals) opened a new window of a site called freedownloadmusic.com, or something like that. The solution was to open the theme folder, then the includes folder, and delete everything inside the functions-init.php file.

    Although this was just a test install for me, I would like to warn all people here not to download and/or install WP themes or plugins from that site, to avoid this kind of problem. More importantly, just don't share them here, because you don't have to fuck-up someone else's site.

    Oh, and if you feel like it, pay a visit to their fb page, and show your appreciation for spreading malicious code through their shares.

    Thanks for reading....
     
    Last edited: Sep 24, 2012
    #1
  2. maxidl

    maxidl Well-Known Member

    Downloading themes or plugins for FREE, especially the paid ones, is always a very risky business.
     
    #2
  3. Gallus

    Gallus Well-Known Member

    True aallaabbaammaa, always a risk when we are getting stuff for "free".
    There is a plugin on the forum created by a member I believe.
    Code:
    wp-plugin-infected-check.zip
    I haven't tried it yet as I have been using W0rdfence which has spotted a few naughty plugins.
     
    #3
  4. nenz

    nenz Member

    Gallus, do you have a link to this plugin? I did a search but can't find it. Thanks! :)
     
    #4
  5. worldzaki

    worldzaki Banned

    #5
    nenz likes this.
  6. brian1

    brian1 Active Member

  7. aallaabbaammaa

    aallaabbaammaa Well-Known Member

    The problem in this case is that the infection is not in a plugin, but hardcoded on the theme. Also, I installed Theme Authenticity Checker (TAC) a very popular plugin to check the theme, and it passed with flying colors!! My point is that some coders hide their code behind innocent declarations such as "jquery", so even if you see the redirect url on your index.php (right-click, view source on your homepage) it is very difficult to find the code.

    So, my advice is to just stay away from sites that spread crap with their downloads. And of course, first run your themes and plugins locally (xampp etc.)
     
    #7
    soyo likes this.
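Added example, not part of any post above and not code from TAC or any plugin named in the thread: a heuristic pre-install check for the case described in post #7, where a theme's redirect hides behind an innocent-looking "jquery" name. It reports obfuscation calls and every external host a theme references, including hosts that only appear after decoding base64 string literals; the sample theme, host names and pattern lists are constructed for illustration.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# Pattern lists are assumptions chosen for this example, not a complete rule set.
SUFFIXES = {".php", ".js", ".css"}
OBFUSCATION_CALL = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
HOST_IN_URL = re.compile(r"https?://([a-z0-9.-]+)", re.I)
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")

def decoded_literals(line):
    """Yield the plaintext of each long base64 string literal on the line."""
    for blob in B64_LITERAL.findall(line):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # quoted string was not valid base64; ignore it

def scan_theme(theme_dir, allowed_hosts):
    """Return (file, line, kind, detail) tuples for every indicator found."""
    root, findings = Path(theme_dir), []
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in SUFFIXES)
    for path in files:
        rel = path.relative_to(root).as_posix()
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for m in OBFUSCATION_CALL.finditer(line):
                findings.append((rel, n, "obfuscation", m.group(1).lower()))
            layers = [("host", line)] + [("hidden-host", d) for d in decoded_literals(line)]
            for kind, text in layers:
                for host in HOST_IN_URL.findall(text):
                    if host.lower() not in allowed_hosts:
                        findings.append((rel, n, kind, host.lower()))
    return findings

def demo():
    """Scan a constructed two-file theme; every name and host in it is made up."""
    hidden = base64.b64encode(b"// inert sample http://redirect.example.invalid/").decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "styles.css").write_text(
            "/*\nTheme Name: Sample\nAuthor URI: http://downloads.example.net/\n*/\n")
        (root / "includes" / "functions-init.php").write_text(
            "<?php\n// jquery compatibility loader\n"
            f"$jquery = base64_decode('{hidden}');\neval($jquery);\n")
        return scan_theme(root, allowed_hosts={"wordpress.org"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A "hidden-host" finding is the case a plain-text search of the theme for the redirect URL would miss.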
  8. boyishefast

    boyishefast Active Member

    I should have stated this earlier. There was this one time when a reputable member added some kind of a plugin which would show an embedded youtube video in a very cool shape. However what I wanted to say is that it was some kinda trojan and when I tried to visit my site, I was asked to fill surveys etc.
     
    #8
  9. bigspanner

    bigspanner Well-Known Member

    Just come forward and name the member. It serves no purpose for the community when the member is in anonymity.
     
    #9
  10. Spammerluv

    Spammerluv Well-Known Member

    I've learnt my lessons the hard way. Now I only download Information products from BHT. For plugins and themes I use BHT as great review site. If I find something worthwhile here I purchase it. Costs something, but saves the headache later on!
     
    #10
  11. bigspanner

    bigspanner Well-Known Member

    All info products, especially pdfs, should be scanned too. Adobe allows javascripts to be embedded in their pdfs, and malicious codes can be embedded in the process. Even Microsoft .doc is known to be vulnerable to injection of viruses in them.

    For password-protected zip or rar files, no scanner can scan the contents but it will still return "no viruses found" after the scan. Always unzip all password-protected zip or rar files (or any type of archives) before scanning the folder. Or zip it up again without the password and send to virustotal for a scan.
     
    #11
    Spammerluv likes this.
  12. drax

    drax Super Moderator

    It's not enough to scan the zipped file. It should be unzipped and at least any executables should be separately scanned.
     
    #12
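Added example, not part of any post above: a pre-scan triage for the advice in posts #11 and #12. It flags ZIP members whose encrypted bit is set (a scanner cannot read them, so a clean result says nothing about them) and lists the executable files to scan one by one after extraction. The sample archive, its file names and the extension list are constructed, and the encrypted flag is set by patching the archive bytes rather than by real encryption.

```python
import io, zipfile
from pathlib import PurePosixPath

# Which extensions count as "executable" is an assumption made for this example.
EXECUTABLE_SUFFIXES = {".php", ".js", ".exe", ".dll", ".sh", ".bat", ".jar"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general purpose bit flag
SAMPLE_MEMBERS = ["theme/styles.css", "theme/includes/functions-init.php", "bonus/setup.exe"]

def triage_zip(data):
    """Split members into encrypted (opaque to a scanner) and executables to scan."""
    report = {"encrypted": [], "scan_individually": [], "verdict": "scan extracted files"}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & ENCRYPTED_FLAG:
                report["encrypted"].append(info.filename)
            elif PurePosixPath(info.filename).suffix.lower() in EXECUTABLE_SUFFIXES:
                report["scan_individually"].append(info.filename)
    if report["encrypted"]:
        report["verdict"] = "not scannable until decrypted"
    return report

def build_sample_zip(encrypted_names=()):
    """Constructed sample archive; named members get the encrypted flag set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in SAMPLE_MEMBERS:
            info = zipfile.ZipInfo(name, (2012, 9, 24, 0, 0, 0))
            archive.writestr(info, b"constructed sample content")
    raw, pos = bytearray(buf.getvalue()), 0
    for name in SAMPLE_MEMBERS:  # central directory records follow member order
        pos = raw.index(b"PK\x01\x02", pos)
        if name in encrypted_names:
            raw[pos + 8] |= ENCRYPTED_FLAG  # flag field sits 8 bytes into the record
        pos += 4
    return bytes(raw)

def demo():
    """Triage the sample archive with every member marked as password-protected."""
    return triage_zip(build_sample_zip(encrypted_names=set(SAMPLE_MEMBERS)))

if __name__ == "__main__":
    print(demo())
```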
  13. Aries2k

    Aries2k Member


    I've only ever downloaded free themes from here and I'm suffering from the "download free music bullshit" redirect. So it's merely a case of deleting the functions code.....? I'm guessing not :(
     
    Last edited: Sep 25, 2012
    #13
  14. Aries2k

    Aries2k Member

    #14
  15. bigspanner

    bigspanner Well-Known Member

    That's Anton79. OMGosh! This is surreal.
     
    #15
  16. sjc999

    sjc999 V.I.P. Lifetime

    I think it would be a good idea to have a Suspect/Infected Downloads section. If a plugin is found to be a problem it could then be moved there rather than deleted. That way we can all see what we might have downloaded in that past that has been found to have a problem. People could also then post exploit analysis and 'cure' information.
     
    #16
    s90125 likes this.
  17. bigspanner

    bigspanner Well-Known Member

    It's a good idea but highly dependent on contributions from both users and plugin doctors.
     
    #17
  18. Rsocks

    Rsocks New Member

    Free cheese only in a mousetrap.
    Hacked premium themes - all contain malicious code.
     
    #18
