• Resolved adam.hal

    (@adamhal)


    I have recently installed this Lightbox plugin and my website got infected (malicious code in the .htaccess file, some PHP code added to PHP files, and a malicious wp-conf.php file). I am not sure if this is exactly the source of infection but take a look at their source code in lightbox.php (lines 44-46), the forextrading7.com website and its reference to the attached swf file. It looks suspicious to me. If it’s malware it should be removed from the directory.

  • Thread Starter adam.hal

    (@adamhal)

    Thank you for the links. I have already worked my way through the majority of them and cleaned the website. I will take a look at the rest. The problem with the plugin is that the website got infected after installing it. It might be a coincidence though, I don’t know.

    What about ‘function headpluslightbox()’ and its relation to header and the attached flash file? Isn’t that suspicious? I’m not into flash that much.

    Thread Starter adam.hal

    (@adamhal)

    This code is probably nothing. It looks like standard lightbox code.

    $getuser = "https://forextrading7.com/";
    	$gethost = get_option('siteurl'); //wpaddress
    
      if (strstr($gethost, ".")) {
            $connectflash = "forex trading 7";
        }
        if (strstr($gethost, "a")) {
            $connectflash = "forextrading7";
        }
        if (strstr($gethost, "b")) {
            $connectflash = "forex trading online";
        }
        if (strstr($gethost, ".com")) {
            $connectflash = "https://forextrading7.com/";
        }
        if (strstr($gethost, ".org")) {
            $connectflash = "https://forextrading7.com";
        }
        if (strstr($gethost, "c")) {
            $connectflash = "forextrading7.com";
        }
        if (strstr($gethost, "d")) {
            $connectflash = "trading7";
        }
        if (strstr($gethost, "e")) {
            $connectflash = "forex";
        }
        if (strstr($gethost, "f")) {
            $connectflash = "fap turbo";
        }
        if (strstr($gethost, "g")) {
            $connectflash = "trading";
        }
        if (strstr($gethost, "h")) {
            $connectflash = "forex megadroid";
        }
        if (strstr($gethost, "i")) {
            $connectflash = "forex signals";
        }
        if (strstr($gethost, "j")) {
            $connectflash = "trading forex";
        }
        if (strstr($gethost, "k")) {
            $connectflash = "forextrading7.com";
        }
        if (strstr($gethost, "l")) {
            $connectflash = "forextrading7";
        }
        if (strstr($gethost, "m")) {
            $connectflash = "forex automoney";
        }
        if (strstr($gethost, "n")) {
            $connectflash = "forex robot";
        }
        if (strstr($gethost, "o")) {
            $connectflash = "forex 7";
        }
        if (strstr($gethost, "p")) {
            $connectflash = "online trading";
        }
        if (strstr($gethost, "q")) {
            $connectflash = "fap turbo forex";
        }
        if (strstr($gethost, "r")) {
            $connectflash = "forextrading7";
        }
        if (strstr($gethost, "s")) {
            $connectflash = "forex market";
        }
        if (strstr($gethost, "v")) {
            $connectflash = "fapturbo";
        }
        if (strstr($gethost, "x")) {
            $connectflash = "forex platform";
        }
        if (strstr($gethost, "y")) {
            $connectflash = "forex software";
        }
        echo '<object type="application/x-shockwave-flash" data="../wp-content/plugins/lightbox/apluslightbox.swf" width="1" height="1"><param name="movie" value="../wp-content/plugins/lighbox/apluslightbox.swf"></param><param name="allowscriptaccess" value="always"></param><param name="menu" value="false"></param><param name="wmode" value="transparent"></param><param name="flashvars" value="username="></param>';
        echo '<a href="';
        echo $getuser;
        echo '">';
        echo $connectflash;
        echo '</a>';
        echo '<embed src="../wp-content/plugins/lighbox/apluslightbox.swf" type="application/x-shockwave-flash" allowscriptaccess="always" width="1" height="1" menu="false" wmode="transparent" flashvars="username="></embed></object>';
    
    }
    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Forex trading? That’s dodgy alright.

    For plugin issues please send an email to plugins AT www.ads-software.com and include these details, which I’m doing right now.

    Phil

    (@owendevelopment)

    "fap turbo forex"; LOL

    @jan: I checked right through the plugin (it only has 1 php file) and the code posted above was not in the downloaded copy.

    Bzzt! Jan is right and I was totally & utterly wrong. In my defence, I checked the relevant file in a text editor without word-wrap turned on. Somehow I even managed to do this – not just once – but twice! Not much of an excuse, I know, but the only one I have to hand atm.

    I am sorry if I muddied the waters earlier on.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Yes, that plugin is malicious and has been removed from the repository.

    In the future, please email [email protected] directly. Faster response that way.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    After examining the code, I can find nothing in the SWF file (I decompiled it) that is malicious in nature. It appears to be trying to do what it says on the label, basically.

    The only bad thing in the plugin is the insertion of the “forex” link. I have removed that, bumped the version to 1.1, and re-opened the plugin so as to allow those who downloaded it to receive the update.
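
Added example, not part of the thread or the plugin: a small Python heuristic for reviewing a plugin's PHP before installing it, flagging the traits discussed above (code sitting off-screen on a long or padded line, a 1x1 Flash object with allowscriptaccess set to always, and hard-coded links to hosts outside an allow-list). The function name, thresholds, rule names and the sample source (with the placeholder host spam.example) are constructed for illustration.

```python
import re

# Thresholds and rule names are assumptions chosen for this example.
LONG_LINE = 200                                  # wider than most editor windows
PADDING = re.compile(r"[ \t]{40,}\S")            # code pushed right by whitespace
TINY_EMBED = re.compile(
    r"<(?:object|embed|iframe)\b[^>]*?\b(?:width|height)\s*=\s*[\"']?[01](?!\d)",
    re.I)
SCRIPT_ACCESS = re.compile(
    r"allowscriptaccess[\"']?\s*(?:value\s*)?=\s*[\"']?always", re.I)
URL = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def audit_php(source, allowed_hosts=()):
    """Return sorted (line_number, rule) findings for one PHP source string."""
    findings = set()
    for no, line in enumerate(source.splitlines(), 1):
        # Code that a reviewer without word-wrap would never see.
        if len(line) > LONG_LINE or PADDING.search(line):
            findings.add((no, "offscreen-code"))
        # Invisible embedded object (0 or 1 pixel wide/high).
        if TINY_EMBED.search(line):
            findings.add((no, "hidden-embed"))
        if SCRIPT_ACCESS.search(line):
            findings.add((no, "script-access-always"))
        # Hard-coded URLs pointing outside the hosts the plugin should use.
        for host in URL.findall(line):
            host = host.lower().rstrip(".")
            if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
                findings.add((no, "external-url"))
    return sorted(findings)


# Constructed sample imitating the pattern in the thread; PAD becomes 120 spaces.
SAMPLE = '''<?php
function show_lightbox() {PAD$link = "https://spam.example/";
    echo '<object data="x.swf" width="1" height="1"><param name="allowscriptaccess" value="always"></param></object>';
    echo '<a href="' . $link . '">forex</a>';
    echo '<a href="https://wordpress.org/plugins/">Plugins</a>';
}
'''.replace("PAD", " " * 120)

if __name__ == "__main__":
    for line_no, rule in audit_php(SAMPLE, allowed_hosts=("wordpress.org",)):
        print(f"line {line_no}: {rule}")
```

A finding is a prompt to read that line in full, not a verdict; legitimate plugins also embed third-party URLs.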

  • The topic ‘Lightbox plugin malicious?’ is closed to new replies.