javascript loader in footer.php of free wordpress theme? - GoFuckYourself.com

Angry Jew Cat - Banned for Life · 05-19-2008, 09:51 AM

my antivirus randomly spiut up a warning on a free wordpress theme i download a while back stating that it contained some type of JS downloader agent. This is the theme here...

http://www.wpthemesfree.com/view.php?theme_id=1787

Anyone able to look at that and tell what it is trying to do?

warning to the peoples

Code:

<?php $_F=__FILE__;$_X='Pz48ZDR2IDRkPSJmMjJ0NXIiPg0KPHA+IDxici8+DQogICAgPGI+PD9waHAgYmwyZzRuZjIoJ24xbTUnKTsgPz48L2I+DQogICAgZDVzNGduNWQgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy5uNXQtdDVjLTJubDRuNS5jMm0iPk5FVC1URUM8LzE+IDJmIDwxIGhyNWY9Imh0dHA6Ly93d3cuMXJ0NGs1bHY1cno1NGNobjRzLm41dC10NWMuYjR6Ij5BcnQ0azVsdjVyejU0Y2huNHM8LzE+Lg0KTTFkNSBmcjU1IGJ5OiANCjwxIGhyNWY9Imh0dHA6Ly93d3cuMWwyNXY1cjEtcHIyZDNrdDUuMXQiPjxzdHIybmc+QWwyNSBWNXIxPC9zdHIybmc+PC8xPiAxbmQgPDEgaHI1Zj0iaHR0cDovL3d3dy5rcjVkNHQuYjR6Ij48c3RyMm5nPlIxdDVua3I1ZDR0PC9zdHIybmc+PC8xPi4NCiA8L3A+DQo8L2Q0dj4NCjwvZDR2Pg0KDQo8P3BocCBkMl8xY3Q0Mm4oJ3dwX2YyMnQ1cicpOyA/Pg0KDQo8L2IyZHk+DQo8L2h0bWw+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

Angry Jew Cat - Banned for Life · 05-19-2008, 11:15 AM

bumping...

the cat is curious

DateDoc · 05-19-2008, 11:21 AM

A lot of free WP themes contain bad stuff these days. You don't need to hack servers to get a hold of WP blogs any more. Even the WP Themes page on wordpress.net contains a warning as more people have infected sites.

Quote:

There will also be moderation and review so that we can scan themes for XSS problems, malicious code, spam links, and other ways that people have been distributing malware themes.

Jace · 05-19-2008, 11:38 AM

looks like a typical encoded footer code

Jace · 05-19-2008, 11:39 AM

let me guess, you are seeing it in JUST the view code area, and not actually when you view the source of the page on the web?

if so, that is a footer that has been encoded so you don't remove the sponsored links

nothing malicious

Jace · 05-19-2008, 11:41 AM

Quote:

Originally Posted by DateDoc

A lot of free WP themes contain bad stuff these days. You don't need to hack servers to get a hold of WP blogs any more. Even the WP Themes page on wordpress.net contains a warning as more people have infected sites.

I have been installing 5-10 blogs a day, using all free themes, and not one single wordpress theme has ever had anything malicious in it

can you show me examples?

the great thing about getting them wordpress.net is that thousands of people a day grab them from there too, and if ANYONE tried anything evil, it would be removed and the user banned in minutes

DateDoc · 05-19-2008, 12:14 PM

Quote:

Originally Posted by Jace

I have been installing 5-10 blogs a day, using all free themes, and not one single wordpress theme has ever had anything malicious in it

can you show me examples?

the great thing about getting them wordpress.net is that thousands of people a day grab them from there too, and if ANYONE tried anything evil, it would be removed and the user banned in minutes

http://5thirtyone.com/archives/870
http://digg.com/security/WARNING_Wor...licious_ code

05-19-2008, 11:15 AM	#2
Angry Jew Cat - Banned for Life (felis madjewicus) Industry Role: Join Date: Jul 2006 Location: In Mom & Dad's Basement Posts: 20,368	bumping... the cat is curious

05-19-2008, 11:38 AM	#4
Jace FBOP Class Of 2013 Industry Role: Join Date: Jan 2004 Location: bumfuck, ky Posts: 35,562	looks like a typical encoded footer code

05-19-2008, 11:39 AM	#5
Jace FBOP Class Of 2013 Industry Role: Join Date: Jan 2004 Location: bumfuck, ky Posts: 35,562	let me guess, you are seeing it in JUST the view code area, and not actually when you view the source of the page on the web? if so, that is a footer that has been encoded so you don't remove the sponsored links nothing malicious