Thoughts On Nulled Code Canyon & Themeforest Scripts & Themes

If you are like most people, free [something] beats paid [something]. I get not wanting to drop $56 on a WordPress theme, seeing as how WordPress isn't that great to start with, but be careful when looking to obtain these premium themes via some alternate method.

CodeCanyon and ThemeForest are part of the Envato marketplace, where developers sell code they have written for Shopify, WordPress, Drupal, Magento, and other platforms that allow customized themes or plugins to enhance the user experience. The problem buyers face is that the code quality and overall flexibility of these themes can't be determined until you actually give them a try. There are demos, but there is only so much information you can extract from a demo version of something you want to customize to your needs.

This forces the hand of some people, who go looking for alternative ways to get their premium theme of choice. However, as my friend Richard Ward at GeekDime points out, some of the premium themes offered for 'free' actually contain malicious code that acts as a backdoor for hackers who want to use your server for a variety of reasons.

Read this article for more information on the reasons for these backdoors, how they can affect your server and the safety of your site, and what methods people use to hide this code inside your 'free' theme or script.

If you have obtained one of these scripts or themes and are wary of its integrity, copy the contents of the following script and paste them into a text file. Name this file 'phpcheck.sh' and make sure your editor does not append an extra file extension such as '.txt'. Make sure that you know the full path to the PHP code in question, such as:

/home/me/Desktop/dirtytheme

#! /bin/bash
#  ____ ____ ____ _________ ____ ____ ____ ____ ____ ____
# ||P |||H |||P |||       |||N |||U |||L |||L |||E |||D ||
# ||__|||__|||__|||_______|||__|||__|||__|||__|||__|||__||
# |/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\|/__\|/__\|
#
# PHP Nulled Script Scanner v2.1 by @m3th4mp (http://www.geekdime.com)
#
# This script attempts to detect backdoors and hidden code in PHP scripts downloaded from suspicious sources.
# Checks for some common and uncommon strings found in unsafe scripts that may lead to ads, backdoors, etc.
# It uses recursive grep searching to output the suspected filename and line.
#
# This script is not foolproof and all output should be examined by someone with at least an intermediate
# knowledge of their system. If something doesn't look right, back up the suspected file to an offline
# storage device and delete the original file from your web server. A lot of times, these shady files can
# be reverse engineered to provide a unique insight into the vulnerability.
#
# Append everything written to stdout to scanner.txt in the current directory.
exec >> scanner.txt
echo "PHP Nulled Script Scanner v2.1"
echo "By @m3th4mp http://www.geekdime.com"
echo ""
# The prompt is written to stderr, so it still appears on the terminal.
read -r -p "Enter The Path To Your PHP Files (The Root Directory): " phplocation
# Stop early on an empty or mistyped path instead of running every grep against it.
if [ ! -d "$phplocation" ]; then
    echo "Not a directory: $phplocation" >&2
    exit 1
fi
# Each check is a recursive substring search; the path is quoted so spaces in it are safe.
echo "Checking for shell execution strings..."
grep -Rn -- "shell_exec" "$phplocation"
echo "Done."
echo ""
echo "Checking for base64 strings..."
grep -Rn -- "base64_decode" "$phplocation"
echo "Done."
echo ""
# "base64_decode" spelled backwards, as used with strrev() to hide the call.
echo "Checking for base64 reverse strings..."
grep -Rn -- "edoced_46esab" "$phplocation"
echo "Done."
echo ""
echo "Checking for fopen strings..."
grep -Rn -- "fopen" "$phplocation"
echo "Done."
echo ""
echo "Checking for fclose strings..."
grep -Rn -- "fclose" "$phplocation"
echo "Done."
echo ""
echo "Checking for phpinfo strings..."
grep -Rn -- "phpinfo" "$phplocation"
echo "Done."
echo ""
echo "Checking for system strings..."
grep -Rn -- "system" "$phplocation"
echo "Done."
echo ""
echo "Checking for uname strings..."
grep -Rn -- "php_uname" "$phplocation"
echo "Done."
echo ""
echo "Checking for chmod strings..."
grep -Rn -- "chmod" "$phplocation"
echo "Done."
echo ""
echo "Checking for readfile strings..."
grep -Rn -- "readfile" "$phplocation"
echo "Done."
echo ""
echo "Checking for eval strings..."
grep -Rn -- "eval" "$phplocation"
echo "Done."
echo ""
echo "Checking for passthru strings..."
grep -Rn -- "passthru" "$phplocation"
echo "Done."
echo ""
echo "Scan completed."
echo ""
exec 2>&1

After you save this file you will need to make it executable on your system. In a terminal window, change to the directory that contains phpcheck.sh and run:

cd /path/to/directory/containing/phpcheck && chmod +x phpcheck.sh

Then run ./phpcheck.sh to evaluate the script or theme in question. The script appends its findings to a text file named scanner.txt in the directory you run it from. If you don't know what the output means or are confused, paste its contents in the comments below and I will offer you a more detailed description of what it has found.
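Because phpcheck.sh matches bare substrings, its "system" and "eval" checks also hit ordinary words such as "filesystem" or "evaluated". The following triage helper is an added example, not part of phpcheck.sh or GeekDime's code: it counts the same names only when they appear as function calls and ranks files by how many distinct indicators they contain. The names CALLS, scan_tree and make_sample, and the three sample files, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of phpcheck.sh): rank PHP files by distinct suspicious calls.
# Function names are the ones phpcheck.sh greps for, matched here only as calls "name(".
CALLS='shell_exec base64_decode fopen fclose phpinfo system php_uname chmod readfile eval passthru'

# scan_tree DIR: print "COUNT<TAB>FILE" for every PHP file with a hit, highest count first.
# Assumes file names contain no newlines.
scan_tree() (
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) | while IFS= read -r file; do
        count=0
        for name in $CALLS; do
            # Require a non-identifier character before the name and "(" after it,
            # so "filesystem" or "evaluated" in ordinary text is not counted.
            if grep -Eq "(^|[^A-Za-z0-9_])${name}[[:space:]]*\(" "$file"; then
                count=$((count + 1))
            fi
        done
        # The reversed literal hides base64_decode from a forward search.
        if grep -q 'edoced_46esab' "$file"; then
            count=$((count + 1))
        fi
        if [ "$count" -gt 0 ]; then
            printf '%d\t%s\n' "$count" "$file"
        fi
    done | sort -rn
)

# make_sample: build a constructed three-file theme in a temp dir and print its path.
make_sample() {
    dir=$(mktemp -d)
    # Only prose: the words contain "system" and "eval" but there is no call.
    printf '%s\n' '<?php echo "The filesystem is evaluated nightly"; ?>' > "$dir/clean.php"
    # One ordinary call.
    printf '%s\n' '<?php chmod("cache", 0755); ?>' > "$dir/cache.php"
    # Obfuscated loader; the payload decodes to the harmless string "echo 1;".
    printf '%s\n' '<?php $f = strrev("edoced_46esab"); eval($f("ZWNobyAxOw==")); ?>' > "$dir/functions.php"
    printf '%s\n' "$dir"
}

# Scan the directory given as the first argument, or the constructed sample if none.
scan_tree "${1:-$(make_sample)}"
```

A file that scores on both eval and the reversed string deserves a manual read first; a single chmod or fopen hit is usually ordinary theme code.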