15 Comments

Back in November, we looked at WordPress themes being distributed by third parties who’d embedded hidden code to allow the insertion of arbitrary content. Now a rash of sites are reporting that their blogs have been subverted.

Among them is Deep Jive:

“I was getting listed in Google for all manner of sneaky (and NSFW terms), so that people could click on those links with the hacker getting the affiliate cash — but *actually*, said hackers also inserted fake templates into my WordPress theme.”

There are lots of reasons a hacker may want to inject code into a page:

  • To infect visitors by exploiting a browser vulnerability
  • To place ads they can then get revenue from
  • To embed links to blogs they own, improving their page rank
  • To entice people to click on links that lead them elsewhere

The clever thing about the WordPress hack was that it would check for code to insert into a page each time it was loaded, but if none was available, it would just sit there quietly. That meant the creator of the theme could count how many sites their theme had “infected” from the hits to the embedded URL, and once enough sites were running the themes, start supplying code to the blogs.

In this case, it appears that most of the sites are being used to send traffic to a few sites, which in turn have been morphed into stores.
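As an added example (not code from the original post or from WordPress), here is a small Python scanner for the kind of hidden theme code described above: an eval over decoded data, an include that fetches from a remote URL, and long opaque strings of the sort a commenter below suggests looking for in the footer file. The sample footer.php content, the pattern labels and the scan functions are all constructed for this example.

```python
import base64
import re
from pathlib import Path

# Constructed sample of an infected footer.php for this example; the opaque
# string is built from harmless placeholder text, not a real payload.
_BLOB = base64.b64encode(b"constructed placeholder, not a payload " * 3).decode()
SAMPLE_FOOTER = (
    "<div id=\"footer\">\n"
    "<?php wp_footer(); ?>\n"
    "<?php eval(base64_decode('" + _BLOB + "')); ?>\n"
    "</div>\n"
)

# Red flags a defender would look for in theme PHP (labels are constructed).
SUSPICIOUS = {
    # code executed after being unpacked from an encoded blob
    "eval-of-decoded-data": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
    # content pulled from a remote URL on each page load
    "remote-include": re.compile(r"(file_get_contents|include|require|fopen|curl_init)\s*\(\s*['\"]https?://", re.I),
    # a long quoted run of base64-style characters that is not HTML, PHP or JS
    "opaque-string": re.compile(r"['\"][A-Za-z0-9+/=]{60,}['\"]"),
}

def scan_source(source, name="<string>"):
    """Return (name, line_no, label) findings for one file's text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for label, pat in SUSPICIOUS.items():
            if pat.search(line):
                findings.append((name, line_no, label))
    return findings

def scan_theme(theme_dir):
    """Scan every .php file under a theme directory, footer.php first."""
    files = sorted(Path(theme_dir).rglob("*.php"),
                   key=lambda p: (p.name != "footer.php", str(p)))
    findings = []
    for path in files:
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_FOOTER, "footer.php"):
        print("%s:%d %s" % finding)
```

Run scan_theme() against a wp-content/themes/<name> directory to check a real theme; any hit deserves a manual read of the surrounding lines before the theme is kept.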

  1. What are the themes most commonly affected?

  2. Wow … that is clever!! Could WordPress certify themes?

  3. Um. Don’t execute untrustworthy code? Did people suddenly go mad and start downloading themes from all over the place, or are the affected themes from semi-trustable sources?

  4. @Grant yea, I think a lot of people are downloading themes from untrustworthy sources. One of the major problems is that themes.wordpress.net hasn’t allowed theme developers to upload new themes or updates to old themes for nearly 8 months, that means if you want fresh new themes you have to look for them elsewhere.

  5. FWICT, the XML-RPC vulnerability that wp 2.3.3 fixed seems to be having greater impact than the nefarious theme download hack — old installations being compromised hundreds of times a day. Technorati’s crawler is no longer updating vulnerable blogs bearing symptoms of being compromised. I posted a heads up yesterday and more details last night.
    -Ian
    Technorati

  6. [...] on various high profile blogs and websites. What was even more interesting was the fact that some of these hacks and exploitations might have come from covert and encrypted code hidden in various themes available for free over the [...]

  7. [...] to the recent wave of attacks on blogs running old versions of WordPress, which in many cases try to add spam links and other bits and pieces. The ZDnet blogs appear to have been one of the victims. If you are still using a version [...]

  8. [...] on various high profile blogs and websites. What was even more interesting was the fact that some of these hacks and exploitations might have come from covert and encrypted code hidden in various themes available for free over the [...]

  9. Ha, the dark side of AJAX! Check your WordPress themes — look in the footer file first — for a long string of characters that doesn’t look like HTML, PHP or JavaScript. It’s an encrypted string, and anyone can insert it into any theme, and then upload that theme anywhere they like.

    I started noticing this a year or so ago after downloading themes from the ‘free themes’ site. Stick with WordPress.org’s theme view, or learn enough code to sniff out bad stuff.

  10. [...] Blog Hacks Coming Back to Roost? [via Zemanta] [...]


Comments have been disabled for this post