
Tungstenation Theme Trojan? (7 posts)

  1. xionyx
    Member
    Posted 2 years ago #

    Hello,

    I got an e-mail from my SpaceHostingProvider that the WP theme "Tungstenation" is infected with a PHP.Trojan.Small virus.

    Here is the file:
    wp-content/themes/tungstenation/includes/prelude.php: PHP.Trojan.Small FOUND

    Is it true? Because my AntiVir didn't find anything and I couldn't find anything on Google either.

    I have a link with the content of the file on pastebin.
    http://pastebin.com/UJYGKsyQ

    Any clues?

    Thank you very much in advance

  2. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 2 years ago #

    You have base64 encoded junk in there, so it certainly looks like it could be dodgy

    The first thing to look at would be to scan your site at http://sitecheck.sucuri.net/scanner/

  3. xionyx
    Member
    Posted 2 years ago #

    I can't scan the site right now because my provider took it down.
    I found out that the 64 bit code is

    plupload.silverlight.dll

    but this didn't help me.

  4. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 2 years ago #

    mmm - Sounds extremely dodgy. I'm not a Windows person, but I can't think of any legitimate reason for any WordPress theme to have references to a dll. Add to that that the code was encoded.

    I've just found that theme and had a look at it - it seems to have base64 junk in it as downloaded. Read this for an explanation of why googling for free themes is a bad idea: Stop Downloading WordPress Themes from Shady Sites

    Select a free theme from: http://wordpress.org/extend/themes/

    or purchase a commercial GPL theme from one of the reputable companies listed at: http://wordpress.org/extend/themes/commercial/

  5. Mii
    Member
    Posted 2 years ago #

    Here's the decryption:
    http://pastebin.com/B0MBF3Bc

    You could take the unsafe parts out of it, or to be really sure you could just not use the theme at all. I can't find any unsafe stuff in there, but I just took a quick look so who knows.

  6. xionyx
    Member
    Posted 2 years ago #

    I don't use the theme atm, I've installed it just to give it a look with my content.
    At the moment my account from the provider is suspended. I have to wait until I get in touch with the provider, then I'll delete the whole theme if it isn't already done.

    So Mii, are you saying it's suspicious but not a direct threat?

    Maybe the AntiVir of my provider was wrong or too careful.

  7. Mii
    Member
    Posted 2 years ago #

    It probably was careful. Using styles with encrypted code in it is often dangerous, but also in many cases it's just to protect the copyright link in the footer and such. It certainly wasn't too careful. It probably was just careful, which all anti-viruses should be. Anti-viruses can't read encrypted codes so most of them always mark it as a possible threat since they don't know what's in it.

    I suggest taking a clear look at it, or having someone with more WordPress experience than me or you look into it.

Topic Closed

This topic has been closed to new replies.
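
The check discussed in this thread (finding base64-encoded strings in a theme file and reading what they decode to) can be done statically, without running the PHP. The following is an added example, not part of the original thread or of the theme; the sample file content, the example.invalid link and the function names are constructed for illustration, and it only unwraps a single layer of base64.

```python
import base64
import binascii
import re

# Quoted string literals holding 40 or more base64 characters.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")
# PHP functions that commonly wrap or execute an encoded payload.
SINKS = re.compile(
    r"\b(eval|assert|create_function|base64_decode|gzinflate|str_rot13)\s*\(",
    re.I,
)


def decode_literals(php_source):
    """Return (line_number, decoded_text) per base64 literal. Nothing is executed."""
    findings = []
    for match in B64_LITERAL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue  # long string that is not valid base64
        line_no = php_source.count("\n", 0, match.start()) + 1
        findings.append((line_no, raw.decode("utf-8", errors="replace")))
    return findings


def triage(php_source):
    """Summarise which risky calls appear and what the encoded strings contain."""
    sinks = sorted({name.lower() for name in SINKS.findall(php_source)})
    return {"sinks": sinks, "decoded": decode_literals(php_source)}


# Constructed sample: an encoded footer link, the benign case mentioned above.
_PAYLOAD = 'echo "<a href=\\"https://example.invalid/\\">Theme by Example</a>";'
SAMPLE = (
    "<?php\n"
    "// constructed sample file\n"
    "eval(base64_decode('%s'));\n" % base64.b64encode(_PAYLOAD.encode()).decode()
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("risky calls:", ", ".join(report["sinks"]) or "none")
    for line_no, text in report["decoded"]:
        print("line %d decodes to: %s" % (line_no, text))
```

Decoded text that itself contains another `eval`, a further encoded string, or a remote URL needs the same review repeated on it before the file is judged harmless.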
