[wp-hackers] Porn links in google cache
Jackson Whelan
jw at jacksonwhelan.com
Fri Jul 15 17:39:50 UTC 2011
The copy of Kaboodle you mention does indeed include spam links in
/kaboodle/functions/admin-functions.php buried at line 5772
I wouldn't trust any free themes that are not downloaded from the WP.org
repository
Good luck with your clean up efforts.
> Date: Fri, 15 Jul 2011 12:56:10 -0400
> From: Justin W Hall<justin at justinwhall.com>
> Subject: Re: [wp-hackers] Porn links in google cache
> To:wp-hackers at lists.automattic.com
> Message-ID:<04306F6C-AEE7-4057-A556-D03D88406C9B at justinwhall.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> New information has come to light. At first, All things pointed to the
> Pharma Attack. I scanned the site, found many of the "base64"
> functions, eval and common strings associated with the problem. As I
> started cleaning things up, I realized that many of the potentially
> new malicious files and potentially compromised files had not been
> modified since I had installed WP and the theme it self... Hmmmmmmm,
> something doesn't add up here. I started sniffing around for other
> potential problems.
>
> As it turns out my client had downloaded his theme from the following
> source for FREE.
>
> http://themecrunch.blogspot.com/2011/05/kaboodle.html
>
> This theme is a Woo network theme and once I was made aware that it
> was downloaded for free I became very suspect. I went over to woo
> themes and as I suspected it is NOT free.
>
> http://www.woothemes.com/2011/04/kaboodle/
>
> I do plan on purchasing the legitimate theme from Woo Themes and
> comparing.
> In the mean time my question... Are rogue / spammy themes common?
>
>
> On Jul 15, 2011, at 12:12 PM, Justin W Hall wrote:
>
>> > What's interesting, is when switching to User agent within Firefox,
>> > I don't see the injected links?!?
>> >
>> > On Jul 15, 2011, at 3:07 AM, Chris Taylor - stillbreathing.co.uk
>> > wrote:
>> >
>>> >> Hi Justin,
>>> >>
>>> >> I got hacked with this last year. It's a nasty one, but (touch wood)
>>> >> my site seems OK at the moment). I wrote a short article about it
>>> >> with
>>> >> some useful links:
>>> >> http://www.stillbreathing.co.uk/2010/11/21/wordpress-pharma-hack/
>>> >>
>>> >> Hope you get it sorted.
>>> >>
>>> >> Chris
>>> >>
>>> >>
>>> >> On Thu, Jul 14, 2011 at 4:20 PM, Justin W Hall<justin at justinwhall.com
>>>> >> > wrote:
>>>> >>> Hey folks-
>>>> >>>
>>>> >>> It's been brought to my attention that when a site a recently
>>>> >>> worked in is viewed via google cache, there is a whole list of
>>>> >>> mostly porn related links that have been added to the bottom of
>>>> >>> the pages that obviously do not exist on the page. My questions:
>>>> >>>
>>>> >>> 1) how does this happen? Host related malware?
>>>> >>>
>>>> >>> 2) what us the best way to go about fixing this.?
>>>> >>>
>>>> >>>
>> >
>> > _______________________________________________
>> > wp-hackers mailing list
>> > wp-hackers at lists.automattic.com
>> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> -- Justin W. Hall justin at justinwhall.com Skype: justinwhall
> www.justinWhall.com cell: 803-318-4804
More information about the wp-hackers
mailing list