[wp-hackers] Porn links in google cache

Justin W Hall justin at justinwhall.com
Fri Jul 15 16:56:10 UTC 2011


New information has come to light. At first, all things pointed to the
Pharma Attack. I scanned the site, found many of the "base64"
functions, eval and common strings associated with the problem. As I
started cleaning things up, I realized that many of the potentially
new malicious files and potentially compromised files had not been
modified since I had installed WP and the theme itself... Hmmmmmmm,
something doesn't add up here. I started sniffing around for other
potential problems.

As it turns out my client had downloaded his theme from the following  
source for FREE.

http://themecrunch.blogspot.com/2011/05/kaboodle.html

This theme is a Woo network theme and once I was made aware that it
was downloaded for free I became very suspicious. I went over to Woo
Themes and, as I suspected, it is NOT free.

http://www.woothemes.com/2011/04/kaboodle/

I do plan on purchasing the legitimate theme from Woo Themes and
comparing.
In the meantime, my question... Are rogue / spammy themes common?


On Jul 15, 2011, at 12:12 PM, Justin W Hall wrote:

> What's interesting, is when switching to User agent within Firefox,  
> I don't see the injected links?!?
>
> On Jul 15, 2011, at 3:07 AM, Chris Taylor - stillbreathing.co.uk wrote:
>
>> Hi Justin,
>>
>> I got hacked with this last year. It's a nasty one, but (touch wood)
>> my site seems OK at the moment. I wrote a short article about it with
>> some useful links:
>> http://www.stillbreathing.co.uk/2010/11/21/wordpress-pharma-hack/
>>
>> Hope you get it sorted.
>>
>> Chris
>>
>>
>> On Thu, Jul 14, 2011 at 4:20 PM, Justin W Hall <justin at justinwhall.com> wrote:
>>> Hey folks-
>>>
>>> It's been brought to my attention that when a site I recently
>>> worked in is viewed via google cache, there is a whole list of
>>> mostly porn related links that have been added to the bottom of
>>> the pages that obviously do not exist on the page. My questions:
>>>
>>> 1) how does this happen? Host related malware?
>>>
>>> 2) what is the best way to go about fixing this?
>>>
>>>


-- 
Justin W. Hall
justin at justinwhall.com
Skype: justinwhall
www.justinWhall.com
cell: 803-318-4804
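
The comparison planned in the message above (the downloaded theme against a purchased copy) can be scripted. The following is an added example, not part of the original thread: it reports PHP files that are added or modified relative to a reference copy and lists eval/base64-style calls in each. The directory layout and sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Obfuscation primitives often seen in injected PHP; a hit is a lead, not proof.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")


def audit_theme(suspect_dir, reference_dir):
    """Map each notable PHP file to (status, suspicious calls found in it).

    status is 'added', 'modified' or 'identical' relative to reference_dir;
    identical files with no suspicious calls are left out of the report.
    """
    report = {}
    for path in sorted(Path(suspect_dir).rglob("*.php")):
        rel = path.relative_to(suspect_dir)
        ref = Path(reference_dir) / rel
        data = path.read_bytes()
        if not ref.is_file():
            status = "added"
        else:
            status = "identical" if ref.read_bytes() == data else "modified"
        hits = sorted({m.decode() for m in SUSPICIOUS.findall(data)})
        if status != "identical" or hits:
            report[rel.as_posix()] = (status, hits)
    return report


def build_constructed_sample(root):
    """Write two tiny theme trees (constructed data, not the real theme)."""
    files = {
        "reference/functions.php": b"<?php add_theme_support('menus');\n",
        "reference/footer.php": b"<?php wp_footer(); ?>\n",
        "suspect/functions.php": b"<?php add_theme_support('menus');\n",
        "suspect/footer.php": b"<?php wp_footer(); eval(base64_decode($x)); ?>\n",
        "suspect/lib/cache.php": b"<?php echo gzinflate($blob);\n",
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return Path(root) / "suspect", Path(root) / "reference"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (status, hits) in audit_theme(*build_constructed_sample(tmp)).items():
            print(f"{status:9} {rel}  {', '.join(hits) or '-'}")
```

Comparing content against a reference copy does not depend on modification times, which, as the message notes, were unchanged since install.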