
[resolved] Lightbox plugin malicious? (10 posts)

  1. adam.hal
    Member
    Posted 1 year ago #

    I have recently installed this Lightbox plugin and my website got infected (malicious code in the .htaccess file, some php code added to php files, and a malicious wp-conf.php file). I am not sure if this is exactly the source of the infection, but take a look at their source code in lightbox.php (lines 44-46), the forextrading7.com website and its reference to the attached swf file. It looks suspicious to me. If it's malware it should be removed from the directory.

  2. esmi
    Forum Moderator
    Posted 1 year ago #

  3. adam.hal
    Member
    Posted 1 year ago #

    Thank you for the links. I have already worked my way through the majority of them and cleaned the website. I will take a look at the rest. The problem with the plugin is that the website got infected after installing it. It might be a coincidence though, I don't know.

    What about 'function headpluslightbox()' and its relation to header and the attached flash file? Isn't that suspicious? I'm not into flash that much.

  4. adam.hal
    Member
    Posted 1 year ago #

    This code is probably nothing. It looks like standard lightbox code.

    function headpluslightbox() {
        // Hard-coded outbound link target: nothing to do with a lightbox.
        $getuser = "http://forextrading7.com/";
        $gethost = get_option('siteurl'); // this blog's own URL (wpaddress)

        // Choose the anchor text from the characters present in the site URL.
        // Later tests overwrite earlier ones, so the last matching test wins;
        // the effect is simply a spam keyword that varies from site to site.
        if (strstr($gethost, ".")) {
            $connectflash = "forex trading 7";
        }
        if (strstr($gethost, "a")) {
            $connectflash = "forextrading7";
        }
        if (strstr($gethost, "b")) {
            $connectflash = "forex trading online";
        }
        if (strstr($gethost, ".com")) {
            $connectflash = "http://forextrading7.com/";
        }
        if (strstr($gethost, ".org")) {
            $connectflash = "http://forextrading7.com";
        }
        if (strstr($gethost, "c")) {
            $connectflash = "forextrading7.com";
        }
        if (strstr($gethost, "d")) {
            $connectflash = "trading7";
        }
        if (strstr($gethost, "e")) {
            $connectflash = "forex";
        }
        if (strstr($gethost, "f")) {
            $connectflash = "fap turbo";
        }
        if (strstr($gethost, "g")) {
            $connectflash = "trading";
        }
        if (strstr($gethost, "h")) {
            $connectflash = "forex megadroid";
        }
        if (strstr($gethost, "i")) {
            $connectflash = "forex signals";
        }
        if (strstr($gethost, "j")) {
            $connectflash = "trading forex";
        }
        if (strstr($gethost, "k")) {
            $connectflash = "forextrading7.com";
        }
        if (strstr($gethost, "l")) {
            $connectflash = "forextrading7";
        }
        if (strstr($gethost, "m")) {
            $connectflash = "forex automoney";
        }
        if (strstr($gethost, "n")) {
            $connectflash = "forex robot";
        }
        if (strstr($gethost, "o")) {
            $connectflash = "forex 7";
        }
        if (strstr($gethost, "p")) {
            $connectflash = "online trading";
        }
        if (strstr($gethost, "q")) {
            $connectflash = "fap turbo forex";
        }
        if (strstr($gethost, "r")) {
            $connectflash = "forextrading7";
        }
        if (strstr($gethost, "s")) {
            $connectflash = "forex market";
        }
        if (strstr($gethost, "v")) {
            $connectflash = "fapturbo";
        }
        if (strstr($gethost, "x")) {
            $connectflash = "forex platform";
        }
        if (strstr($gethost, "y")) {
            $connectflash = "forex software";
        }

        // Emit a 1x1, transparent Flash object (invisible to a visitor) with
        // allowscriptaccess="always"; note the inconsistent "lighbox" path, kept
        // as in the original. The <a> that follows sits inside the <object> as
        // fallback content: a browser that renders the Flash movie does not
        // display it, but the keyword link to the forex site is still in the
        // page source for search engines to index.
        echo '<object type="application/x-shockwave-flash" data="../wp-content/plugins/lightbox/apluslightbox.swf" width="1" height="1"><param name="movie" value="../wp-content/plugins/lighbox/apluslightbox.swf"></param><param name="allowscriptaccess" value="always"></param><param name="menu" value="false"></param><param name="wmode" value="transparent"></param><param name="flashvars" value="username="></param>';
        echo '<a href="';
        echo $getuser;
        echo '">';
        echo $connectflash;
        echo '</a>';
        echo '<embed src="../wp-content/plugins/lighbox/apluslightbox.swf" type="application/x-shockwave-flash" allowscriptaccess="always" width="1" height="1" menu="false" wmode="transparent" flashvars="username="></embed></object>';
    }
  5. Forex trading? That's dodgy alright.

    For plugin issues please send an email to plugins AT wordpress.org and include these details, which I'm doing right now. ;)

  6. Phil
    Member
    Posted 1 year ago #

    "fap turbo forex"; LOL

  7. esmi
    Forum Moderator
    Posted 1 year ago #

    @Jan: I checked right through the plugin (it only has 1 php file) and the code posted above was not in the downloaded copy.

  8. esmi
    Forum Moderator
    Posted 1 year ago #

    Bzzt! Jan is right and I was totally & utterly wrong. In my defence, I checked the relevant file in a text editor without word-wrap turned on. Somehow I even managed to do this - not just once - but twice! Not much of an excuse, I know, but the only one I have to hand atm.

    I am sorry if I muddied the waters earlier on. :-(
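    The traits of the code quoted in post 4 (a hard-coded outbound URL, a 1x1 transparent Flash object with allowscriptaccess set to always, a run of one-character strstr() tests that pick a keyword, and echo lines several hundred characters long, which is how the code was missed in post 8 when the file was read with word-wrap off) can be checked for mechanically. The following scanner is an added example written for this page, not code from the thread, the plugin or WordPress; the thresholds, the host allow-list and both sample PHP inputs (one condensed from the quoted code, one a constructed benign plugin stub) are assumptions made for the example.

```python
"""Heuristic scan of a WordPress plugin PHP file for hidden SEO-spam injection.

Added example, not code from the thread or the plugin. Flags the traits visible in
the headpluslightbox() code quoted in post 4 and reports a file as suspect only when
several different indicators co-occur, since any single one also appears in
legitimate plugins.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Tuning values are assumptions for this example, not figures from the thread.
LONG_LINE = 200          # an echo line longer than this is easy to miss without word-wrap
MIN_STRSTR_HITS = 4      # this many one-char strstr() tests on one variable looks like a keyword picker
ALLOWED_HOSTS = {"wordpress.org", "api.wordpress.org"}  # outbound URLs a plugin may legitimately carry


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number; 0 for whole-file findings
    rule: str
    detail: str


# Per-line indicators: (rule id, regex). Flash attributes may appear inline or as <param> tags.
LINE_RULES = [
    ("external-url", re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)),
    ("hidden-object", re.compile(
        r"<(?:object|embed)\b[^>]*\bwidth=[\"']?1[\"']?(?=[\s/>])[^>]*\bheight=[\"']?1[\"']?(?=[\s/>])", re.I)),
    ("script-access", re.compile(r"allowscriptaccess.{0,15}?always", re.I)),
    ("transparent-wmode", re.compile(r"wmode.{0,15}?transparent", re.I)),
]
STRSTR_RE = re.compile(r"strstr\(\s*(\$\w+)\s*,\s*[\"'](.)[\"']\s*\)")


def scan_php(source: str) -> list[Finding]:
    """Return every indicator found in the PHP source, in file order."""
    findings: list[Finding] = []
    strstr_hits: dict[str, int] = {}
    for no, line in enumerate(source.splitlines(), start=1):
        for rule, rx in LINE_RULES:
            m = rx.search(line)
            if m is None:
                continue
            if rule == "external-url" and m.group(1).lower() in ALLOWED_HOSTS:
                continue
            findings.append(Finding(no, rule, m.group(0)[:60]))
        # Markup echoed from one very long line hides well in an editor without word-wrap.
        if "echo" in line and "<" in line and len(line) > LONG_LINE:
            findings.append(Finding(no, "long-echo-line", f"{len(line)} chars"))
        for var, _ in STRSTR_RE.findall(line):
            strstr_hits[var] = strstr_hits.get(var, 0) + 1
    for var, n in strstr_hits.items():
        if n >= MIN_STRSTR_HITS:
            findings.append(Finding(0, "anchor-text-picker", f"{n} one-char strstr() tests on {var}"))
    return findings


def looks_injected(findings: list[Finding], min_rules: int = 3) -> bool:
    """Treat the file as suspect when several *different* indicators co-occur."""
    return len({f.rule for f in findings}) >= min_rules


# Constructed sample input: a shortened excerpt modelled on the code quoted in post 4,
# with the long echo lines kept intact as they were in the plugin file.
SUSPICIOUS_PHP = r'''<?php
function headpluslightbox() {
    $getuser = "http://forextrading7.com/";
    $gethost = get_option('siteurl');
    if (strstr($gethost, "a")) { $connectflash = "forextrading7"; }
    if (strstr($gethost, "b")) { $connectflash = "forex trading online"; }
    if (strstr($gethost, "c")) { $connectflash = "forextrading7.com"; }
    if (strstr($gethost, "d")) { $connectflash = "trading7"; }
    if (strstr($gethost, "e")) { $connectflash = "forex"; }
    echo '<object type="application/x-shockwave-flash" data="../wp-content/plugins/lightbox/apluslightbox.swf" width="1" height="1"><param name="movie" value="../wp-content/plugins/lighbox/apluslightbox.swf"></param><param name="allowscriptaccess" value="always"></param><param name="menu" value="false"></param><param name="wmode" value="transparent"></param><param name="flashvars" value="username="></param>';
    echo '<a href="' . $getuser . '">' . $connectflash . '</a>';
    echo '<embed src="../wp-content/plugins/lighbox/apluslightbox.swf" type="application/x-shockwave-flash" allowscriptaccess="always" width="1" height="1" menu="false" wmode="transparent" flashvars="username="></embed></object>';
}
'''

# Constructed benign sample: a hypothetical plugin that only enqueues its own assets.
BENIGN_PHP = r'''<?php
/*
Plugin Name: Example Lightbox
Plugin URI: http://wordpress.org/extend/plugins/example-lightbox/
*/
function example_lightbox_scripts() {
    wp_enqueue_script('example-lightbox', plugins_url('js/lightbox.js', __FILE__), array('jquery'));
    wp_enqueue_style('example-lightbox', plugins_url('css/lightbox.css', __FILE__));
}
add_action('wp_enqueue_scripts', 'example_lightbox_scripts');
'''

if __name__ == "__main__":
    for sample, name in ((SUSPICIOUS_PHP, "suspicious"), (BENIGN_PHP, "benign")):
        found = scan_php(sample)
        print(f"{name}: injected={looks_injected(found)}")
        for f in found:
            print(f"  line {f.line:>3}  {f.rule:<20} {f.detail}")
```

    Point scan_php() at every .php file under wp-content/plugins; a file that trips several different rules is the one to read by hand. A lone indicator (an author URL in the plugin header, a transparent wmode on a real video embed) is not evidence on its own, which is why looks_injected() counts distinct rules rather than raw hits.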

  9. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    Yes, that plugin is malicious and has been removed from the repository.

    In the future, please email plugins@wordpress.org directly. Faster response that way.

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    After examining the code, I can find nothing in the SWF file (I decompiled it) that is malicious in nature. It appears to be trying to do what it says on the label, basically.

    The only bad thing in the plugin is the insertion of the "forex" link. I have removed that, bumped the version to 1.1, and re-opened the plugin so as to allow those who downloaded it to receive the update.

Topic Closed
