[wp-hackers] Porn links in google cache

Jackson Whelan jw at jacksonwhelan.com
Fri Jul 15 17:39:50 UTC 2011 

The copy of Kaboodle you mention does indeed include spam links in 
/kaboodle/functions/admin-functions.php buried at line 5772

I wouldn't trust any free themes that are not downloaded from the WP.org 
repository

Good luck with your clean up efforts.

> Date: Fri, 15 Jul 2011 12:56:10 -0400
> From: Justin W Hall<justin at justinwhall.com>
> Subject: Re: [wp-hackers] Porn links in google cache
> To:wp-hackers at lists.automattic.com
> Message-ID:<04306F6C-AEE7-4057-A556-D03D88406C9B at justinwhall.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> New information has come to light. At first, All things pointed to the
> Pharma Attack. I scanned the site, found many of the "base64"
> functions, eval and common strings associated with the problem. As I
> started cleaning things up, I realized that many of the potentially
> new malicious files and potentially compromised files had not been
> modified since I had installed WP and the theme it self... Hmmmmmmm,
> something doesn't add up here. I started sniffing around for other
> potential problems.
>
> As it turns out my client had downloaded his theme from the following
> source for FREE.
>
> http://themecrunch.blogspot.com/2011/05/kaboodle.html
>
> This theme is a Woo network theme and once I was made aware that it
> was downloaded for free I became very suspect. I went over to woo
> themes and as I suspected it is NOT free.
>
> http://www.woothemes.com/2011/04/kaboodle/
>
> I do plan on purchasing the legitimate theme from Woo Themes and
> comparing.
> In the mean time my question... Are rogue / spammy themes common?
>
>
> On Jul 15, 2011, at 12:12 PM, Justin W Hall wrote:
>
>> >  What's interesting, is when switching to User agent within Firefox,
>> >  I don't see the injected links?!?
>> >
>> >  On Jul 15, 2011, at 3:07 AM, Chris Taylor - stillbreathing.co.uk
>> >  wrote:
>> >
>>> >>  Hi Justin,
>>> >>
>>> >>  I got hacked with this last year. It's a nasty one, but (touch wood)
>>> >>  my site seems OK at the moment). I wrote a short article about it
>>> >>  with
>>> >>  some useful links:
>>> >>  http://www.stillbreathing.co.uk/2010/11/21/wordpress-pharma-hack/
>>> >>
>>> >>  Hope you get it sorted.
>>> >>
>>> >>  Chris
>>> >>
>>> >>
>>> >>  On Thu, Jul 14, 2011 at 4:20 PM, Justin W Hall<justin at justinwhall.com
>>>> >>  >  wrote:
>>>> >>>  Hey folks-
>>>> >>>
>>>> >>>  It's been brought to my attention that when a site a recently
>>>> >>>  worked in is viewed via google cache, there is a whole list of
>>>> >>>  mostly porn related links that have been added to the bottom of
>>>> >>>  the pages that obviously do not exist on the page. My questions:
>>>> >>>
>>>> >>>  1) how does this happen? Host related malware?
>>>> >>>
>>>> >>>  2) what us the best way to go about fixing this.?
>>>> >>>
>>>> >>>
>> >
>> >  _______________________________________________
>> >  wp-hackers mailing list
>> >  wp-hackers at lists.automattic.com
>> >  http://lists.automattic.com/mailman/listinfo/wp-hackers
> -- Justin W. Hall justin at justinwhall.com Skype: justinwhall 
> www.justinWhall.com cell: 803-318-4804

More information about the wp-hackers mailing list