Comments on: Decoding a Russian Hacker’s Code

By: De gevaren van Free Premium Templates | WPdevil – Devilish Development

Sat, 03 Dec 2011 13:21:50 +0000

[...] http://ottopress.com/2011/decoding-a-russian-hackers-code/#comments This entry was posted in Development, HowTo by mark. Bookmark the permalink. [...]

By: Otto

Otto — Sat, 08 Oct 2011 19:57:41 +0000

We go through plugin code at the WP plugins directory all the time, and kill/ban/burn/salt-the-earth anybody who tries to upload intentionally malicious code.

Accidental security issues are more common and harder to find, but we try to work with plugin authors to fix issues that we find, as well as issues that get reported on the common security mailing lists. When a plugin is found to have an issue, we immediately disable it to prevent further downloads, then try to work with the author to get a fix and upgrade out for existing users.

For the rare case where a highly popular plugin has a bug, we’ve sometimes gone in pro-actively and fixed it, then forced a new release. This is quite rare though, and we only do it when it’s an obviously critical issue that is in the wild and affecting a large number of sites. Usually plugin authors are happy to put in their own fixes, but sometimes time is more important.

By: GoDaddy Hosting = Epic Failure. Looking for a new hosting service. » Otto on WordPress

Sat, 08 Oct 2011 19:51:41 +0000

[...] recently discovered that a couple of old posts of mine about decoding code used by hackers were no longer loading up. Everything else worked, but not those posts. I couldn’t even pull [...]

By: Jonny

Jonny — Mon, 16 May 2011 17:14:37 +0000

Hey Otto I have a list of theme sites to avoid over at http://wpthemedepot.com/2011/03/dodgy-wp-theme-sites/ I keep it updated whenever I come across sites distributing bad code.

If anyone knows of sites I haven’t listed, feel free to contact me on the site or via twitter, @Furciferrising

Jonny

By: De gevaren van Free Templates | Nieuw en Beter

De gevaren van Free Templates | Nieuw en Beter — Fri, 13 May 2011 00:51:59 +0000

[...] http://ottopress.com/2011/decoding-a-russian-hackers-code/#comments Dit bericht is geplaatst in security, templates, wordpress. Bookmark de permalink. ← testingtest [...]

By: ⓁⓄⓧ

ⓁⓄⓧ — Tue, 10 May 2011 00:48:41 +0000

Quite scaring, what if some developers include that in some wordpress plugins over at wp.org? We are all exposed to such backdoors…

By: Jose Rojas

Jose Rojas — Fri, 29 Apr 2011 15:19:27 +0000

Yeah eval is the dead giveaway… but regardless to that… those random strings look very suspect. Good investigative work.

By: Brian Layman

Brian Layman — Mon, 25 Apr 2011 21:57:26 +0000

Strike that. I forgot to check functions.php on the second clean one. It was full of obfuscated code. So 1 of 5 was clean.

By: Brian Layman

Brian Layman — Mon, 25 Apr 2011 21:52:28 +0000

Feel free to edit “That said only but only one ” to be “That said, only one” and delete this comment. I should never go back and edit what I type. I never do it right, but see what I’m expecting it to say until after I hit publish.

By: Brian Layman

Brian Layman — Mon, 25 Apr 2011 21:48:43 +0000

Oh really! That’s great news.

I did a quick test and it looks like there are a lot more valid results now. I downloaded 5 themes from different sites I found using that search. Two only had valid attributions back to the download site. The other three had links to cell phone purchases and travel sites. That said only but only one of those was obfuscated (eval(gzinflate(str_rot13(base 64_decode(‘FZhSEoRLFlK30rOuCga4UlgF…).

That actually IS much better especially since the clean ones were on the ones from first page of Google. We’re not there yet, but it’s better.