<?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
This is just a tiny portion of the PHP shell someone tried to get into the WordPress GitHub repository via a pull request. Funny thing is this code isn’t GPL compatible so it’d never get in.
As for the warning itself, no date of copyright was established, and the owner is not identified. And, since the code’s purpose is malicious, the owner would likely run into other issues should he attempt to assert his copyright.
While investigating the whole WP/HQ Sand Box spamming thing, I came across something interesting. Our ‘buddy’, user robinruet several months ago, along with a recent post that was deleted spamming for takabd.com (don’t visit it, and do not +1 it). More recently, another user, WPgooglerankingBooster, was spamming for the same site. The current product they are peddling is something that will get you blacklisted from Google.
It is sad that the first post for 2012 is exposing a spammer and security flaw, but it must be done. Today’s lesson in poor Internet etiquette and poor security awareness is WordPress.org user robinruet, promoter of Invenesys’ WP Sand Box plugin. Around the turn of the new year, robinruet went through the WordPress.org forums and replied to several support topics with the same post promoting the WP Sand Box plugin. These posts were all off topic, and on several occasions robinruet somehow managed to set the issue as resolved. The good news is his posts were deleted, along with his two plugins.
But, this post isn’t about the robinruet, who is an interesting character, and possibly a hacked account (it started spamming a Google +1 click jacking plugin). This is about WP Sand Box and why you should not use it.
A year ago, I published my discovery of a backdoor within the BlogPress SEO plugin. The only reason I looked at the plugin was author tried to get me to review it. Little did he know I’d actually look at the code before installing it.
Since that time, the plugin received a ton of bad publicity, the author lashed out against Joost de Valk, and now, a year later, it appears the saga ends. The domain name blogpressseo.com expired back in October, and no one has renewed it yet. My only hope is the people behind BlogPress SEO didn’t move on to using a different name for the same plugin.
If you have not heard about the unauthorized SVN commits to the WordPress.org plugin repository for the plugins AddThis, WPTouch, and W3 Total Cache, you may want to read the post on the WordPress.org blog first. This event has prompted a WordPress.org password reset for all registered users. While these are three high profile examples that happened in the last 48 hours, a similar incident happened back in February. Continue reading