
Unpleasant surprises in Russified WordPress themes. Read it yourself, warn others.

Looking through the samples of spam sent by bloggers, I came across these sites:
The domain names seemed to me suspiciously similar to the abbreviation of WordPress. I followed the links, and indeed, they look like “white” sites on this topic.

But not everything is so simple. The sites offer Russified themes for WordPress for download. I downloaded several of these themes and dug into the code. In the file footer.php, which is responsible for generating the “footer” of the pages, I found this encrypted fragment:

<? echo(base64_decode("0JvQvtC60LDQu9C40LfQsNGG0LjRjyA8YSBocm
VmPSJodHRwOi8vd3B3b3JsZC5ydSIgdGl0bGU9ItCc0LjRgCBXb3JkcHJlc3MiIHRhcmdld
D0iX2JsYW5rIj7QnNC40YAgV29yZHByZXNzPC9hPi4g0KLQtdC80LAg0L/QtdGA0LXQst
C10LTQtdC90LAg0L3QsCDRgdCw0LnRgtC1IDxhIGhyZWY9Imh0dHA6Ly93cHRoZW1lc
y5ydSIgdGl0bGU9ItCi0LXQvNGLINC00LvRjyBXb3JkcHJlc3MiIHRhcmdldD0iX2JsYW5rIj
7QotC10LzRiyDQtNC70Y8gV29yZHByZXNzPC9hPi4="));?>


But that's not all. I went on to study these infected WordPress themes further. I opened the index.php file, which is responsible for generating the main page (in other themes there were “implants” in other files as well). Good heavens, what do I see!
<?php $str = 'PGEgaHJlZj0iaHR0cDovL3d3dy53cHRoZW1lLnVzIiB0aXRsZT0i0KLQtdC80Ysg0L
TQu9GPIFdvcmRwcmVzcyI+OjwvYT4='; echo base64_decode($str);?>


Guess what I found when I decrypted it? (The link to the answer has been removed to comply with the rules of the site, so look for the link to the Parasite Eliminator blog, to the post where the answer is :)
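
As an added example (not code from the original post), here is a Python check a site owner could run over theme files before installing them. It finds string literals passed to base64_decode, either directly as in the footer.php fragment or through a variable as in the index.php fragment, decodes them, and lists the links inside. The sample theme files and the example.* domains are constructed for illustration.

```python
import base64
import re

# base64_decode("...") or base64_decode('...') with a literal argument;
# the literal may be wrapped across lines, as in the footer.php fragment.
LITERAL_CALL = re.compile(r"""base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)""")
# $var = '...'; followed somewhere by base64_decode($var), as in index.php.
ASSIGNMENT = re.compile(r"""\$(\w+)\s*=\s*(["'])([A-Za-z0-9+/=\s]+)\2\s*;""")
VARIABLE_CALL = re.compile(r"base64_decode\s*\(\s*\$(\w+)\s*\)")
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def _decode(blob):
    """Decode like PHP's non-strict base64_decode: whitespace is ignored."""
    compact = re.sub(r"\s+", "", blob)
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None  # not valid base64, so not a hidden payload

def hidden_payloads(php_source):
    """Return decoded text of every base64 literal passed to base64_decode."""
    blobs = [m.group(2) for m in LITERAL_CALL.finditer(php_source)]
    assigned = {m.group(1): m.group(3) for m in ASSIGNMENT.finditer(php_source)}
    for m in VARIABLE_CALL.finditer(php_source):
        if m.group(1) in assigned:
            blobs.append(assigned[m.group(1)])
    return [text for text in map(_decode, blobs) if text is not None]

def hidden_links(php_source):
    """Return the href targets found inside the decoded payloads."""
    return [url for text in hidden_payloads(php_source) for url in HREF.findall(text)]

def _wrapped(html, width=40):
    """Constructed helper: base64-encode html and wrap it across lines."""
    b64 = base64.b64encode(html.encode("utf-8")).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))

# Constructed theme files (example.* domains are placeholders, not from the post).
SAMPLE_FOOTER = '<? echo(base64_decode("%s"));?>' % _wrapped(
    'Localization <a href="http://spam.example.com" target="_blank">WP</a>')
SAMPLE_INDEX = "<?php $str = '%s'; echo base64_decode($str);?>" % _wrapped(
    '<a href="http://links.example.net" title="themes">:</a>')
SAMPLE_CLEAN = "<?php $title = 'Hello'; echo get_footer(); ?>"

if __name__ == "__main__":
    for name, src in [("footer.php", SAMPLE_FOOTER), ("index.php", SAMPLE_INDEX)]:
        print(name, hidden_links(src))
```

The check only covers literals that reach base64_decode directly or through one plain assignment; concatenated strings or nested encodings need a closer manual read of the file.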

Source: https://habr.com/ru/post/45344/

