Suppose your friend wanted to install a video camera on your car. The video camera would only be able to see the treads of your tires, as part of a study. He could only tell from this feed the depth of the treads of your tires. Nothing more, nothing less. Would you be particularly offended by this? Odds are probably not; this information is pretty benign. But what if it was a complete stranger who wanted to put the camera on your car? You’d probably be very wary of it, and inspect the camera to make sure it did exactly what he said it does. Fair enough, as the information is still pretty benign and he was pretty honest about it to begin with.

Now consider you walked outside, and one day found a video camera watching your tires just sitting there. You’ve had the car for years, you don’t know where the information is going, and you have no idea how the camera got there. And to boot, it looks like someone attempted to hide the camera — poorly. Perhaps by covering it with some clear tape or something. You’d be pretty pissed that someone did this, right?

I’ve been having issues from time to time with this blog. Randomly, the sidebars on the right load very slowly compared to the rest of the document. I got really curious as to why the other day when it was happening again, so I decided to figure it out. I had a suspicion that it was the MySQL database, but I wanted to make sure. So I started an strace on the HTTP daemon and refreshed the page. I really was quite pissed at what I saw next. There was an outgoing HTTP connection I’d never seen, to a website I’d never heard of before. The connection was made moments after a gigantic glob of data was read from a PHP file on the filesystem. It started with eval(gzinflate(str_rot13(base64_decode(…)))) and at this point I knew I was in trouble. It was hidden code I wasn’t supposed to see, running on my website.

See, when I first got this blog, I started by finding a nice theme. I did eventually come across the one you see now, and I liked it. A tad bit land-of-the-rising-sunny for me, but whatever, it did look nice. So I installed it. There were some plugs down at the bottom of the page; one my friend even asked me about. He said, “dude, what’s with the plug for Burt’s Bees?”. I said, “I dunno, but the author of the document put it there, and he did ask that I not remove it, so I left it.” I swear I did the honest thing!

But then I see the camera pointing at my tires that I’d never authorized. The outgoing HTTP connection, that is. I quickly edited /etc/hosts and pointed the hostname it was looking for at 127.0.0.1. I refreshed the page. What happened? The footer and all the plugs (Burt’s Bees included) disappeared. The outgoing connection was actually quite legit. I wrote a quick PHP script myself to parse the output of the several layers of evaluations of random blocks of data. SEVENTY-ONE EVALUATIONS LATER, I attained the source code. It is a large user-agent tracking system. I’ve left the source code [right here].
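The unwrapping step above can be done without ever running the theme’s code: each eval(gzinflate(str_rot13(base64_decode('…')))) layer is just three reversible transforms, so a script can apply the inverses repeatedly and stop when no wrapper is left. The following is an added example, written here in Python rather than being the author’s PHP script; it mirrors PHP’s gzinflate (raw DEFLATE), str_rot13 and base64_decode semantics, and the layered sample it works on is constructed inside the block (a harmless echo wrapped 71 times, the count the post reports) so it runs offline. The function and constant names are this example’s own, not from the theme or the post.

```python
import base64
import re
import zlib
from typing import Optional, Tuple

# Constructed stand-in for the innermost code the wrappers hide. In the post
# that was a user-agent tracker plus the rented footer; here it is a harmless
# echo so the example never contacts anything.
INNER_CODE = "echo '<div id=\"footer\">theme footer</div>';"

# PHP's str_rot13 shifts ASCII letters only; every other byte passes through,
# which is why it can be applied to binary DEFLATE output and still be undone.
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def str_rot13(data: bytes) -> bytes:
    """Byte-level equivalent of PHP str_rot13 (self-inverse)."""
    return data.translate(_ROT13)


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() decodes a raw DEFLATE stream (no zlib/gzip header)."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE, used only to build the constructed sample."""
    compressor = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return compressor.compress(data) + compressor.flush()


def wrap_layer(php_source: str) -> str:
    """Forward transform: what an obfuscator does to add one more layer."""
    blob = base64.b64encode(str_rot13(gzdeflate(php_source.encode("latin-1")))).decode()
    return f"eval(gzinflate(str_rot13(base64_decode('{blob}'))));"


def build_sample(layers: int) -> str:
    """Constructed test input: INNER_CODE wrapped `layers` times."""
    src = INNER_CODE
    for _ in range(layers):
        src = wrap_layer(src)
    return src


# One wrapper as it appears in source. Real samples sometimes split the base64
# literal with whitespace or concatenation; this pattern assumes one literal.
LAYER_RE = re.compile(
    r"eval\(gzinflate\(str_rot13\(base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\)\)\)"
)


def unwrap_layer(php_source: str) -> Optional[str]:
    """Statically undo one layer; None when the source carries no wrapper."""
    match = LAYER_RE.search(php_source)
    if match is None:
        return None
    raw = base64.b64decode(match.group(1))
    # Inverse order of the PHP call chain: base64 -> rot13 -> inflate.
    return gzinflate(str_rot13(raw)).decode("latin-1")


def unwrap_all(php_source: str, max_layers: int = 500) -> Tuple[str, int]:
    """Peel wrappers until plain code remains; returns (code, layer count).

    Nothing is ever evaluated: each layer is decoded with the inverse
    transforms only, so the hidden code is read, not run.
    """
    current, layers = php_source, 0
    while True:
        inner = unwrap_layer(current)
        if inner is None:
            return current, layers
        current, layers = inner, layers + 1
        if layers > max_layers:
            raise ValueError("too many layers; refusing to continue")


if __name__ == "__main__":
    sample = build_sample(71)
    code, count = unwrap_all(sample)
    print(f"peeled {count} layers, {len(sample)} bytes of wrapper -> {code}")
```

Because the decoder never calls eval, it is safe to run against a suspicious theme file on an analyst machine; if the recovered code still contains function calls you do not recognize, or a different wrapper chain (gzuncompress, str_replace tricks), the regex needs extending rather than the file needing execution.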

So, I hate to inform you, but if you’ve visited this site in the past month or so, you have had some of your more public information read by some stranger on the internet. No worries, the information was completely benign, simple stuff like your browser version and operating system type, hence the reference to tire tread. It’s stuff that I really wouldn’t have cared too much about the author collecting… if only he had just ASKED! So now I found out that the entire footer of the page was actually coming from his server, which could mean simply one thing – Burt’s Bees is PAYING for this kind of shady advertising. That’s a horrible business practice!

In response, I’ve removed the offending code and published it at the link above. I’ve also blackhole-routed any traffic from the offending website. The name of the theme, by the way, is SoulVision, and I actually did get it from a reputable repository of quality WordPress themes. As someone in the security field, I recognize that this could have been much worse than it was, and I realize just how lucky I am that it wasn’t. I guess my moral for the day is to always verify code that’s going into production on a locked down server. Oh, that, and I’ll probably never buy Burt’s Bees. Ever. End o’ discussion on ethics.