YOP Poll WordPress Plugin And Base64

Today while running a speed test at tools.pingdom.com  for one of the sites that I have been working on, something strange happened. There were many strange image files that were getting loaded. (Picture below)

base64 files

base64 files found

So what is the problem?

Not only that, the name associated with the files was my biggest concern – “base64”, which is a well know malware that have been known on many WordPress sites.

Now, base64 by itself means something else, but any base64 that have been associated with WordPress that I have came across are nothing but trouble.

 

Now what to do?

So the first thing I did was heading to mySQL and search for “base64” and found bunch of posts that as expected were hacked. Within these posts, there were links created and linking to pictures that had nothing to do with the site. For example, take a look at the picture below.

base64 image found on the site

base64 image found on the site

After cleaning most of the data fields that contained base64, I came across to a file that belong to a plugin that was installed on February 13th, 2014, which happened to be little before those infected posts were created. “That seemed strange and what a co-incidence……” I thought….

yop-poll base64 infection

yop-poll base64 infection

So, what to do next?

Well, since there is a support forum for the plugin, I thought why not ask the guy who made it, then the following answer came back.

Hi digitalreadymarketing,

The file encodes in base64 some of the messages sent to the server.

Best wishes,

YOP Team

base64 answer

base64 answer

 

Not a satisfactory answer. Even if that is what the Java Script suppose to do, there are still so many elements that makes this very fishy. For example, the plugin Author has only created one plugin and despite the popularity, the author’s website has no content at all what so ever! In fact, there are just fake content to fill up the site.

yop poll wordpress page

yop poll wordpress page

 

top poll author

top poll author

 

www.yop-poll.com

www.yop-poll.com

 

As you might know, Expedia got in to a trouble by hiring a marketing firm that created a free WordPress theme that had a link back to Expedia’s site. (There was a very well written case study about this in case you are interested)

So, maybe someone is doing the same tactic with this plugin and generating all kinds of links?

What do you think? Is this what I think it is?

Watch This Video - Easy To Rank Keyword Database


Easy To Rank Keywords for Niche Sites

DRM robot Learn More >>

Comment 1

  1. YOP Team April 1, 2014

Leave a Reply