WordPress hacking

So, I wanted to set up a blog for my Streamdales campaign — nathreee will be doing session write-ups and I’ll be posting background information and stuff like maps. Of course I wanted to use WordPress.
(As an aside, that’s how I found out that my current webhoster was running a PHP version from 2007 on the server that has one of my sites. I sent them a mail asking after it, and they failed to answer within a week — they fail. So I did some research and found a hoster who even advertises their phpinfo()-page. Last Thursday morning I registered a new domain with them, paid through e-banking and was up and running in five minutes!)

I spent quite a bit of time looking for a WordPress theme that suited the style I envisioned. It’s a fantasy campaign after all, so a hyper-modern theme just wouldn’t fit. After a lot of searching I found a theme that was sort-of what I was looking for, so I downloaded it and installed it on my local machine. (Running Ubuntu on your desktop means never having to search for a LAMP stack, ever.)
And then I customised the crap out of it. New header image, removing one side-bar, making the content area wider and creating new background images for those, using the Google Font APIs to create an attractive entry header, etcetera. If you see the themes together, you can see the similarity, but they’re quite distinct.

And then I saw why the theme was free. It included links in the footer of the page, which linked to various Facebook pages for slimming products and shady financial firms. With a euphemism, this is called a ‘sponsored theme’. Basically, it’s SEO gaming at its worst: you use unsuspecting bloggers to promote your clients’ pages.
It’s not only spammy, it’s also a security risk. There was a chunk of obfuscated code in the functions.php file that was executed — and you just don’t know what your site is doing. For all you know, it’ll become part of a spam-bot network. And removing the function call that produces the links resulted in a red bar at the bottom of the page informing the viewer that this site had violated the terms of use.

I don’t mind people getting paid for their work. In fact, I try to pay for what I use — the only reason I have food and a roof over my head is because other people pay me for the work I do.
But if you get paid by introducing a security risk in my site and link-spamming, you’re at the bare-rock bottom of the ecosystem and you will not get any sympathy from me. And if you try to be ‘clever’ by obfuscating your code? Of course, that means war!

The fun thing about PHP obfuscation is that you get a giant string that’s Base64-encoded, gzipped, rot13’d — and then it’s ‘eval’ed. The solution is simple: change the ‘eval’ into ‘echo’ and you get the code that would be executed. That’s what I did, and I got another eval-statement. By iteration 9, I built a tool to do this automatically. It took some time, but it was a fun puzzle. I was actually a bit disappointed that it stopped at iteration 23.
All the variables had been obfuscated too: instead of ‘$text’, you’d get something like ‘$am____p’. And some of these variables had values that were only one character long, and they’d get concatenated elsewhere to form function names.
By then, I was unstoppable. I analysed the code, found the functions that did productive things (like producing the actual footer or providing the ‘read more…’-code for entries), and stripped the rest.
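
The eval-to-echo loop described above, as an added example in Python (it is not the author’s tool and not the theme’s code): it statically peels nested `eval(decoder(...('literal')))` wrappers for the common PHP decoders base64_decode, gzinflate, gzuncompress, str_rot13 and strrev, and counts the layers it removed. The obfuscated sample it runs on is constructed here for illustration; the payload text, the function names and the three-layer nesting are assumptions, not anything taken from the real theme.

```python
import base64
import re
import zlib
from typing import Optional, Sequence

# Wrapper shape from the post: eval(f1(f2(f3('literal'))));
# Group 1 is the chain of decoder names, group 3 the quoted literal.
EVAL_RE = re.compile(
    rb"""eval\s*\(\s*((?:[A-Za-z_][A-Za-z0-9_]*\s*\(\s*)+)(['"])([^'"]*)\2\s*\)+\s*;?"""
)


def rot13(data: bytes) -> bytes:
    """PHP str_rot13() on raw bytes: only ASCII letters are rotated."""
    out = bytearray()
    for c in data:
        if 65 <= c <= 90:
            out.append((c - 65 + 13) % 26 + 65)
        elif 97 <= c <= 122:
            out.append((c - 97 + 13) % 26 + 97)
        else:
            out.append(c)
    return bytes(out)


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): raw DEFLATE without zlib/gzip framing (wbits=-15)."""
    return zlib.decompress(data, -15)


def gzdeflate(data: bytes) -> bytes:
    """Inverse of gzinflate(), used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


# Decoders applied while unwrapping, and their inverses for building the sample.
DECODERS = {
    b"base64_decode": base64.b64decode,
    b"gzinflate": gzinflate,
    b"gzuncompress": zlib.decompress,
    b"str_rot13": rot13,
    b"strrev": lambda d: d[::-1],
}
ENCODERS = {
    b"base64_decode": base64.b64encode,
    b"gzinflate": gzdeflate,
    b"gzuncompress": zlib.compress,
    b"str_rot13": rot13,
    b"strrev": lambda d: d[::-1],
}


def unwrap_once(code: bytes) -> Optional[bytes]:
    """Strip one eval layer: the static equivalent of turning eval into echo."""
    m = EVAL_RE.search(code)
    if not m:
        return None
    chain = re.findall(rb"[A-Za-z_][A-Za-z0-9_]*", m.group(1))
    data = m.group(3)
    # The innermost call runs first in PHP, so walk the chain from the inside out.
    for fn in reversed(chain):
        if fn not in DECODERS:
            raise ValueError(f"unknown decoder {fn!r}; stop and inspect by hand")
        data = DECODERS[fn](data)
    return data


def deobfuscate(code: bytes, max_layers: int = 100):
    """Peel eval layers until none matches; returns (plain_code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_once(code)
        if inner is None:
            break
        code = inner
        layers += 1
    return code, layers


def wrap(code: bytes, chain: Sequence[bytes], quote: bytes = b"'") -> bytes:
    """Build one obfuscation layer (inverse of unwrap_once), for the sample only."""
    data = code
    for fn in chain:  # encode in the order the decoders are written, outer to inner
        data = ENCODERS[fn](data)
    opening = b"".join(fn + b"(" for fn in chain)
    return b"eval(" + opening + quote + data + quote + b")" * len(chain) + b");"


# Constructed sample, not the theme's real code: a payload under three eval
# layers with different decoder chains, wrapped in PHP tags like functions.php.
PAYLOAD = b"function sponsored_footer() { return 'links fetched from a remote host'; }"
SAMPLE = (
    b"<?php\n"
    + wrap(
        wrap(
            wrap(PAYLOAD, [b"gzuncompress", b"base64_decode"], quote=b'"'),
            [b"base64_decode", b"strrev"],
        ),
        [b"gzinflate", b"base64_decode", b"str_rot13"],
    )
    + b"\n?>"
)

if __name__ == "__main__":
    plain, layers = deobfuscate(SAMPLE)
    print(f"peeled {layers} layers:")
    print(plain.decode())
```

Unlike running the code with `eval` swapped for `echo`, this never executes anything from the theme, which matters when you don’t yet know what the payload does. It stops as soon as no recognised wrapper matches, so the trick the post mentions next, function names assembled at runtime from one-character variables, is exactly where a static tool like this hands back to a human.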

The rest of the code was very interesting too, to say the least. I found code that actually opened a socket to a website with a nonsensical name (a twelve-character random string, it seemed) to do some sort of AJAX-like call to retrieve the links that should be spammed. It also contained identifying information for the WordPress installation itself. The site would return the links and those would be spammed in the footer.
So: not only does every page hit on your site also result in a request to another site (slowing things down and costing you bandwidth), you also allow someone you don’t know to have control over (part of) the content of the pages you serve.
As I stated before: I want people to get paid for their work, but I gleefully deleted this code. Then I packaged it all up as a new theme, and that’s what I installed.

I’m pretty pleased with the result — though I might change the headings and other text around, depending on whether we’ll be blogging in English or Dutch.