gtrans
Don't use!!! hidden rogue/packed JavaScript, phones home, and hidden backlinks (4 posts)

1 star
  1. wpg
    Member
    Posted 1 year ago #

    ROGUE JAVASCRIPT: Hidden by a packer located in gtrans.php

    line 118:

    eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\b'+e(c)+'\\\b','g'),k[c]);return p}('6 7(a,b){n{4(2.9){3 c=2.9("o");c.p(b,f,f);a.q(c)}g{3 c=2.r();a.s(\'t\'+b,c)}}u(e){}}6 h(a){4(a.8)a=a.8;4(a==\'\')v;3 b=a.w(\'|\')[1];3 c;3 d=2.x(\'y\');z(3 i=0;i<d.5;i++)4(d[i].A==\'B-C-D\')c=d[i];4(2.j(\'k\')==E||2.j(\'k\').l.5==0||c.5==0||c.l.5==0){F(6(){h(a)},G)}g{c.8=b;7(c,\'m\');7(c,\'m\')}}',43,43,'||document|var|if|length|function|GTranslateFireEvent|value|createEvent||||||true|else|doGTranslate||getElementById|google_translate_element2|innerHTML|change|try|HTMLEvents|initEvent|dispatchEvent|createEventObject|fireEvent|on|catch|return|split|getElementsByTagName|select|for|className|goog|te|combo|null|setTimeout|500'.split('|'),0,{}));

    ###########################################

    HIDDEN BACKLINK: Checks useragent against google
    in gtrans.php

    line 125 and 126

    if(stripos($_SERVER["HTTP_USER_AGENT"], 'google') !== false)
    $script = $script . '<p>Powered by GTranslate - multilingual website solutions.</p>';

    ###########################################

    PHONING HOME: Posts obfuscated data to http://tdn.gtranslate.net/tdn-bin/save after loading remote javascript from http://tdn.gtranslate.net/tdn-bin/queue.js

    line 122:

    <script src="http://tdn.gtranslate.net/tdn-bin/queue.js" type="text/javascript"></script>

    ###########################################

    The unpacked JavaScript looks like it fools the WordPress repository by increasing the downloads. It makes an ajax head call to the download url to automatically increase downloads. This guarantees that it becomes a "popular" plugin in the repo.

    Shame shame shame..
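The three indicators the post lists (a p,a,c,k,e,r eval blob, a remote script include, and a user-agent check that only shows the backlink to a crawler) are easy to triage statically. The following is an added example for plugin reviewers, not code from the thread or from the gtrans plugin: it scans source lines for those patterns and decodes the packer payload by reproducing its symbol table instead of executing it. The PHP sample, the host tdn.example.invalid and the packed strings are constructed for this example.

```python
import re

# Constructed sample of a plugin file showing the three patterns the post describes
# (packed eval on line 2, remote script on line 3, crawler-only backlink on lines 4-5).
SAMPLE_PHP = r'''<?php
$script = "<script>eval(function(p,a,c,k,e,r){...}('0 1(){2(3)}',4,4,'function|hello|alert|hi'.split('|'),0,{}))</script>";
$script .= '<script src="http://tdn.example.invalid/tdn-bin/queue.js" type="text/javascript"></script>';
if(stripos($_SERVER["HTTP_USER_AGENT"], 'google') !== false)
    $script = $script . '<p>Powered by Example - multilingual website solutions.</p>';
echo $script;
'''

# Constructed blob with radix 43, like the one in the post, so that word indexes
# above 35 are encoded as the capital letters 'A'..'G'.
HIGH_RADIX_BLOB = ("eval(function(p,a,c,k,e,r){}('A(B)',43,43,'"
                   + '|'.join([''] * 36 + ['alert', 'document'] + [''] * 5)
                   + "'.split('|'),0,{}))")

# Per-line indicators; each is a (name, regex) pair.
INDICATORS = [
    ("packed-eval", re.compile(r"eval\(function\(p,a,c,k,e,[rd]\)")),
    ("remote-script", re.compile(r"<script[^>]+src=[\"']https?://", re.I)),
    ("ua-cloaking", re.compile(r"HTTP_USER_AGENT.{0,80}['\"](?:google|bing|yandex)['\"]", re.I)),
]

# Pulls the four arguments the packer wrapper is called with: payload, radix, count, word list.
PACKER_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,[rd]\)\{.*?\}\('(?P<p>(?:[^'\\]|\\.)*)',"
    r"(?P<a>\d+),(?P<c>\d+),'(?P<k>(?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)

BASE36 = '0123456789abcdefghijklmnopqrstuvwxyz'


def scan(source):
    """Return [(line_number, indicator_name)] for every indicator hit in the source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in INDICATORS:
            if rx.search(line):
                findings.append((lineno, name))
    return findings


def _symbol(n, radix):
    """Reproduce the packer's e() function: the token that stands for word index n."""
    head = _symbol(n // radix, radix) if n >= radix else ''
    n %= radix
    return head + (chr(n + 29) if n > 35 else BASE36[n])


def unpack_packer(blob):
    """Decode the first p,a,c,k,e,r blob in `blob` without running it; None if absent."""
    m = PACKER_RE.search(blob)
    if not m:
        return None
    payload = m.group('p').replace("\\'", "'")  # only the escaped quote is undone here
    radix, count = int(m.group('a')), int(m.group('c'))
    words = m.group('k').split('|')
    # Empty entries in the word list mean "leave the token as it is".
    table = {}
    for i in range(count):
        sym = _symbol(i, radix)
        table[sym] = words[i] if i < len(words) and words[i] else sym
    return re.sub(r'\b\w+\b', lambda t: table.get(t.group(0), t.group(0)), payload)


if __name__ == '__main__':
    for lineno, name in scan(SAMPLE_PHP):
        print(f"line {lineno}: {name}")
    print("decoded:", unpack_packer(SAMPLE_PHP))
    print("decoded:", unpack_packer(HIGH_RADIX_BLOB))
```

Decoding reproduces the packer's own symbol table (base 36 digits, then characters 29 above the index for radix values above 36), so a reviewer can read what the blob does before deciding whether the "UI update" story holds up.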

  2. wpg
    Member
    Posted 1 year ago #

    Just to be clear, it looks like ALL of the rogue code was added in changeset 535369 and marked as a "UI update". Might I also mention that all the updates since have been simple bumps with no code changes.

    Also looks like more packed JavaScript and backlinks between lines 66 and 84. Sigh..

    Reference:
    http://plugins.trac.wordpress.org/changeset/535369

  3. shakedehead
    Member
    Posted 1 year ago #

    I can't believe it's been in here for this long. You would think moderators would be all over this. Makes you wonder if there's someone on the inside who is allowing it to remain.

  4. No, it's just no one actually told us correctly :)

    http://codex.wordpress.org/Security_FAQ#Where_do_I_report_security_issues.3F

    Email plugins AT wordpress DOT org any time you see plugins doing this. Closed now.

Topic Closed

This topic has been closed to new replies.
