leetsee.com

“I Feel Like I’m Diagonally Parked In A Parallel Universe”


Archive for the ‘Good intentions?’ Category

Posted on Oct - 25 - 2010

Watch out what WordPress theme you use

There are a bunch of great, fantastic WordPress themes out there. But watch out, because not all of them are innocent pieces of code. Recently my antivirus and spyware detector started to scream upon accessing some WordPress-based sites. Now the problem is that I had at least 20 tabs open, and I have no idea which site caused the issue.

The report was the following:

http://premiumthemeclub.com/wp-content/themes/UX/library/js/jquery.anythingslider.js JS/TrojanDownloader.HackLoad.AE trojan connection terminated – quarantined

http://premiumthemeclub.com/wp-content/themes/UX/library/js/jquery.easing.1.2.js JS/TrojanDownloader.HackLoad.AE trojan connection terminated – quarantined

http://premiumthemeclub.com/wp-content/themes/UX/library/js/jquery-1.3.2.min.js JS/TrojanDownloader.HackLoad.AE trojan connection terminated – quarantined

Unfortunately I can’t detect from the info I have what actually caused this. It can be a theme installed on a site, or some piece of code in my history, I have no idea. It was caused by “firefox.exe” and “opera.exe”, so obviously that is no real help in tracing it down.

But if you stick to templates from WordPress I am pretty sure this can’t happen. Sometimes it’s better to choose a simple design over a very elegant one that comes with malicious code. What you can do to protect yourself a little bit is to check the PHP code of the theme. There are some themes with an encoded footer. It looks like a block of code, you will recognise it:

“WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited.
*/$Q4B4A2639A3042AC58A17D9256DBA8280=”DQovKg0KRW5jb2RlciA
6IE5FVC1URUMgUEhQLUVOQ09ERVIgViAxLjANCldFQiA6IGh0dHA6Ly93
d3cubmV0LXRlYy5iaXovDQpXQVJOSU5HOiBUaGlzIGZpbGUgaXMgcHJvdG
VjdGVkIGJ5IGNvcHlyaWdodCBsYXcuIFRvIHJldmVyc2UgZW5naW5lZXIgb
3IgZGVjb2RlIHR….. ”

In the good case this should be only the copyright info of those who made the template. BUT… unfortunately these days, you cannot trust anybody, and with code encoded like this anything can be passed through.

So what can you DO about it?

The only solution for this is to stop using templates that have this kind of encoded block in the footer, or anywhere else in the code.

But wait.. the game is not over yet… there are other ways to get something bad onto your site and not even notice it: for example WordPress plugins. They can also be harmful, so take good care where you download your “woow fantastic, great, the best” plugins from.
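One way to do the check described above across a whole theme folder, as an added example that is not from the original post: it flags long encoded string literals and the PHP calls typically used to unpack them, and prints a decoded preview so you can see what the block hides. The 80-character threshold, the function list and the sample footer are assumptions constructed for illustration, and ordinary long text in quotes can produce false positives.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# Quoted literal of 80+ base64 characters; may wrap over lines (threshold is an assumption).
BLOB = re.compile(r"""["']([A-Za-z0-9+/\s]{80,}={0,2})["']""")
# PHP functions commonly used to unpack and run hidden code (assumed, non-exhaustive list).
DECODERS = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def scan_php(source):
    """Return (kind, line, detail) findings for one PHP source string."""
    findings = []
    for m in DECODERS.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append(("decoder-call", line, m.group(1).lower()))
    for m in BLOB.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        raw = re.sub(r"\s+", "", m.group(1))
        raw = raw[: len(raw) - len(raw) % 4]  # keep whole 4-char groups only
        try:
            preview = base64.b64decode(raw)[:60].decode("latin-1")
        except binascii.Error:
            preview = "<not valid base64>"
        findings.append(("encoded-blob", line, preview))
    return findings

def scan_theme(theme_dir):
    """Scan every .php file under a theme directory; return {path: findings}."""
    report = {}
    for path in Path(theme_dir).rglob("*.php"):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample footer (not taken from any real theme).
_payload = base64.b64encode(
    b"/* constructed sample */ echo '<a href=\"http://example.invalid/\">link</a>';"
).decode()
SAMPLE_FOOTER = '<?php\n$Q = "' + _payload + '";\neval(base64_decode($Q));\n?>'

if __name__ == "__main__":
    target = scan_theme(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_php(SAMPLE_FOOTER)}
    for name, hits in target.items():
        for kind, line, detail in hits:
            print(f"{name}:{line}: {kind}: {detail!r}")
```

Run it with the path of an unpacked theme as the only argument before installing the theme; with no argument it scans the constructed sample.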

If you noticed something wrong with your site, clean it up as soon as possible.

Categories: Good intentions?, Highly suspicious
Posted on Oct - 23 - 2009

Mystery solved

For a while there was a 4×4 Nissan I saw from time to time in the city, and strangely the driver usually waved his hands at me. It was a strange thing because I didn’t know anybody with that kind of car. I was puzzled for weeks. Somehow it was obvious that I knew this person, but I couldn’t imagine who he was … I was thinking maybe it’s some sort of dog person who knows me and my doberman, PrezLee, because usually it happened when I walked the dog. For a long time I didn’t manage to see the person’s face. But actually a www address on the back of the car made me realize that indeed I know this person :D And yes, after I saw the URL, I saw the person’s face too :) It was just funny… Indeed I know the guy. And it’s NOT a dog person :)))

Categories: Good intentions?, Highly suspicious