Free Wordpress Themes AAAAA+++++ GOOD BUYER

12 Aug 2011

related: wordpress , spam , PHP

Searching for free shit on the internet sucks.

Searching for free Wordpress themes sucks harder.

paddsolutions.com is an example of a not-so-trustworthy source of free themes. If you were to download one of their themes, say tungstenation, extract it, and grep for “base64”, you might find this interesting tidbit in the PHP:

1
2
3
4
5
6
$ find . -print0 |xargs -0 grep base64
./includes/prelude.php:<?php $_F=__FILE__;$_X=‘Pz48P3BocA0KDQokcDFkZF9nMzRkID0gJyc7DQoNCmYzbmN0NDJuIHAxZGRfdGg1bTVfY3I1ZDR0cygp
…
WdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==’));?>
…
k7’;eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==’));?>

Maybe you convert that base64 data back to ASCII with a deconverter. Maybe the result looks like this:

1
2
3
4
5
6
7
8
9
?><?php

$p1dd_g34d = “;

f3nct42n p1dd_th5m5_cr5d4ts() {
    gl2b1l $p1dd_g34d;
    $cr5d4ts = 'D5s4gn5d by <1 t1rg5t=”_bl1nk" t4tl5=“B5st SUV” hr5f=“http://s3v.r5v45w4t2nl4n5.n5t/”>B5st SUV</1> 4n c22p5r1t42n w4th <1 t1rg5t=“_bl1nk” t4tl5=“A3d4 SUV” hr5f=“http://s3v.r5v45w4t2nl4n5.n5t/13d4-s3v/”>A3d4 SUV</1>, <1 t1rg5t=“_bl1nk” t4tl5=“Inf4n4t4 SUV” hr5f=“http://s3v.r5v45w4t2nl4n5.n5t/4nf4n4t4-s3v/”>Inf4n4t4 SUV</1>, 1nd <1 t1rg5t=“_bl1nk” t4tl5=“L5x3s SUV” hr5f=“http://s3v.r5v45w4t2nl4n5.n5t/l5x3s-s3v/”>L5x3s SUV</1>’;
…
$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie’,'aouie123456’);$_R=ereg_replace(’__FILE__’,“’”.$_F.“’”,$_X);eval($_R);$_R=0;$_X=0;

Oh, look at that. It has spam links. In l33t speak. And then some code to un-l33t-speakify itself. And then executes itself. Lovely.