Part 1: Analysis of a WordPress Malware

I had some time at lunch to kill, so I decided to see how Malware techniques were improving in the land of WordPress and free premium theme download sites.

Enter the Darknet.

A simple Google search got me a theme ZIP file pretty quickly.  Now, it was time to see what malicious happenings this thing would cause.

Unpacked, here’s the structure of the ZIP file.

├── functions.php
├── home.php
├── images
│   ├── arrow.png
│   ├── bg-pattern.png
│   ├── bg.png
│   ├── blockquote.png
│   ├── blue
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── favicon.ico
│   ├── footer-twitter.png
│   ├── footer-widgets.png
│   ├── gradient.png
│   ├── green
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── icon-dot.png
│   ├── list-after-post.png
│   ├── list.png
│   ├── logo.png
│   ├── logo-texture.png
│   ├── logo-vert-left.png
│   ├── logo-vert-right.png
│   ├── red
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── rss.png
│   ├── social-icons.png
│   └── twitter-nav.png
├── page_landing.php
├── page_landing2.php
├── README.txt
├── screenshot.png
└── style.css

Right off the bat, page_landing2.php sticks out to me. Let’s take a look.

Oh. Would you look at that fun. Time to see what this is doing.

First, I don’t like trying to read the garbled code, so I “prettify” it.

Ok, so let’s decode the above to make it readable.

There are a few interesting pieces here.

These interest me because they are making a call to a website to get additional payload/scripts. Let’s see what they are. =)

The first one, pastebin link, shows me this garbled shit. What I really care about is the compressed base64 at the end.

So, now I look to deobfuscating the compressed/base64 garbage… Here’s part of the file, my screencapture died when my computer automatically locked; [FIXME]

NOTE: Click on the image for a higher resolution. It’s like 62k pixels tall, lol.


What I’m interested in is the top of this file.

So again, uncompressing the base64 encoding of that gives me the following file.

Going back for a minute the the previous garbled shit $plsym variable which contains the compressed/base64 is decompressed and unencoded and saved as a perl file.

At this point, I have everything I need to begin to follow this even deeper into the dark underworld. There are a few domains (which I didn’t highlight in this article, but you can find them in the screenshots) and some passwords.

Stay tuned… in the next update, I show you what happens when I infiltrate their command servers. Much fun!

Disqus WordPress Plugin Vulnerability

A vulnerability has been discovered in the Disqus plugin for WordPress allowing for Remote Code Execution. The Disqus plugin is used on nearly 2 million WordPress blogs.

Who is Vulnerable?

A remote attacker could successfully execute remote code provided the following version of software are true:

  • PHP <= 5.1.6
  • WordPress <= 3.1.4
  • Disqus Plugin <= 2.75

How it Works

A specially crafted comment on a WordPress post, such as {${phpinfo()}}, followed by opening the comment synchronization URL, is all that is needed to execute remote code.

How do I Fix It?

Log into your WordPress administration panel and update the Disqus plugin.

Make sure PHP is up-to-date with the latest version.

Feeling Blue

I’m not really feeling blue.  Blue just happens to be my favorite color.  When someone asks me Rich, what is your favorite color?, I respond with #336699.

You’ll notice I have been working on the website color.  This is a child theme I’m creating based on the WordPress Twenty Twelve theme.  So far, I’m liking it.  I have not decided which colors to use for link hover — it is red for now.

Add a Login/Logout Menu Item to WordPress Navigation Menu

This will add a Login or Logout (depending on state) to your WordPress navigation menu. I have one on mine now; makes it easy to quickly log in/out to test things.

Put the following in your child theme’s custom functions PHP file.

add_filter( 'wp_nav_menu_items', 'add_loginout_link', 10, 2 );
function add_loginout_link( $items, $args ) {
     if (is_user_logged_in()) {
$items .= '<li><a href="'. wp_logout_url() .'">Log Out</a></li>';
elseif (!is_user_logged_in()) {
$items .= '<li><a href="'. site_url('wp-login.php') .'">Log In</a></li>';
return $items;

Portable WordPress

Here is an all-in-one solution for a portable WordPress.  The creator packs MySQL, PHP, Apache and WordPress together and allows you to drop this folder onto a thumbdrive or network share, etc.  It’s nice and small (<30MB) and works well.

WordPress Portable:

It also gives you a system tray icon with a right click context menu.










New Linux Server Build

I finished up a new linux server build tonight. Migrated WordPress, DNS, mail, FTP and a handful of other services to this new server as well as installing LXDE GUI front-end.



ttyrec Playback using jsttyplay and WordPress

So I spent a little bit of time tonight tinkering on Linux. I got interested in tty recording/playback after seeing some nethack things. I figured if I could find something that works well for playback of tty recordings it would be helpful on my blog. Enter: jsttyplay

This is a nice little tool using Perl and JavaScript to handle playback of terminal sessions recorded using ttyrec.

Here’s a demo of how to get things setup, including making a video and editing the HTML to play it.

I plan to start work on making a WordPress plugin for this so I can embed these a bit easier.

All the demos are at


If you don’t have ttyrec, install it with your system’s package manager; in my case, I have Debian so I will use apt-get.

apt-get install ttyrec


Select TTY recording to play.


WordPress Top 10 Plugin: Place Counter in Byline

I was annoyed by how the Top 10 plugin didn’t give me a better control of placement of the Visits/Visited string, so I got to work figuring out where to move things around.

First, I found that the data is printed via a PHP function called echo_tptn_post_count()

I edited my child-theme’s content.php file and modified the following (bold):

<?php if ( is_singular() ) { ?>
<?php if(function_exists('echo_tptn_post_count')) { $foo=echo_tptn_post_count(); } ?>
		<?php echo apply_atomic_shortcode( 'entry_title', '[entry-title]' ); ?>
		<?php echo apply_atomic_shortcode( 'byline', '<div class="byline">' . __( 'Published by [entry-author] on [entry-published]  [entry-comments-link before=" | "] '.$foo.' [entry-edit-link before=" | "]', 'live-wire' ) . '</div>'); ?>

When I viewed the post, I saw it was screwing up and echo’ing the $tptn variable above my entry title!

I went and had a look at the echo_tp_tn_post_count() function in top-10.php in the wp-content/plugins/top-10 directory and changed the following (bold):

function echo_tptn_post_count() {
global $post,$tptn_url,$tptn_path;
$id = intval($post->ID);

$output = '<script type=text/javascript src='.$tptn_url.'/top-10-counter.js.php?top_ten_id='.$id.'></script>';
#echo $output; return $output;

Now, it prints right in the byline after the comments (and it only does this on posts…).


This probably wasn’t the RIGHT way to do it, but I figured it out.

Social Cross Posting WordPress Plugins

This is just a little tiny test.


If you are here, it is because you followed a link from either Google+, Facebook, or Twitter. For some reason, the posting to Google+ doesn’t allow me to control the circle nor does it allow me to control any text input. The title of the post is the google plus post’s content plus a link. Hrm.