Tungstenation Theme Trojan?

  • xionyx

    (@xionyx)


    14 years, 1 month ago

    Hello,

    got an E-Mail from my SpaceHostingProvider that the WP – Theme “Tungestenation” iss infected with ja PHP.Trojan.Small Virus.

    Here is the File:
    wp-content/themes/tungstenation/includes/prelude.php: PHP.Trojan.Small FOUND

    Is it true? because my AntiVir didnt find anything and i couldnt find anything on google as well.

    I have a link with the content of the File on pastebin.
    http://pastebin.com/UJYGKsyQ

    Any Clues?

    Thank you very much in advance

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator cubecolour

    (@numeeja)

    14 years, 1 month ago

    You have base64 encoded junk in there, so it certainly looks like it could be dodgy

    The first thing to look at would be to scan your site at http://sitecheck.sucuri.net/scanner/

    Thread Starter xionyx

    (@xionyx)

    14 years, 1 month ago

    I cant scan the Site right now because my Provider took it down
    If found out that the 64 bit code is

    plupload.silverlight.dll

    but this doenst helped me.

    Moderator cubecolour

    (@numeeja)

    14 years, 1 month ago

    mmm – Sounds extremely dodgy. I’m not a Windows person, but I can’t think if any legitimate reason for any WordPress theme have references to a dll. Add to that that the code was encoded.

    I’ve just found that theme and had a look at it – it seems to have base64 junk in it as downloaded. Read this for an explanation of why googling for free themes is a bad idea: Stop Downloading WordPress Themes from Shady Sites

    Select a free theme from: http://ww.wp.xz.cn/extend/themes/

    or purchase a commercial GPL theme from one of the reputable companies listed at: http://ww.wp.xz.cn/extend/themes/commercial/

    Mii

    (@mii)

    14 years, 1 month ago

    Here’s the decryption:
    http://pastebin.com/B0MBF3Bc

    You could take the unsafe parts out of it, or to be really sure you could just don’t use the theme at all. I can’t find any unsafe stuff in there, but I just took a quick look so who knows.

    Thread Starter xionyx

    (@xionyx)

    14 years, 1 month ago

    I dont use the Theme atm, i’ve installed it just to give it a look with my content.
    At the Moment my Account from the Provider iss suspended i have to wait until i get in tuch with the Provider then i deleted the whole theme if it isnt allready done.

    So MII are you saying its suspicious but not a direct thread?

    Maybe the AntiVir of my Provider was wrong or to carefully

    Mii

    (@mii)

    14 years, 1 month ago

    It probably was carefully. Using styles with encrypted code in it is often dangerous, but also in many cases it’s just to protect the copyright link in the footer and such. It certainly wasn’t too carefully. It probably was just carefully, which all anti-viruses should be. Anti-viruses can’t read encrypted codes so most of them always mark it as a possible thread since they don’t know what’s in it.

    I suggest to take a clear look in it, or make someone with more WordPress experience then me or you look into it.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Tungstenation Theme Trojan?’ is closed to new replies.