Today while running a speed test at tools.pingdom.com for one of the sites that I have been working on, something strange happened. There were many strange image files that were getting loaded. (Picture below)
So what is the problem?
Not only that, the name associated with the files was my biggest concern – “base64”, which is a well-known malware that has been seen on many WordPress sites.
Now, base64 by itself means something else, but any base64 associated with WordPress that I have come across has been nothing but trouble.
Now what to do?
So the first thing I did was head to MySQL and search for “base64”, and I found a bunch of posts that, as expected, were hacked. Within these posts, links had been created that pointed to pictures that had nothing to do with the site. For example, take a look at the picture below.
After cleaning most of the data fields that contained base64, I came across a file that belonged to a plugin that was installed on February 13th, 2014, which happened to be a little before those infected posts were created. “That seemed strange, and what a coincidence…” I thought.
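The database search described above can be scripted so every post is checked the same way. This is an added example, not part of the original post: it assumes rows exported from the standard WordPress `wp_posts` table as (`ID`, `post_content`) pairs, and the site host and sample rows are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed site host; replace with the real domain of the site being audited.
SITE_HOST = "example.com"

# Constructed sample rows shaped like (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, '<p>Welcome!</p><img src="https://example.com/wp-content/uploads/logo.png">'),
    (102, '<p>News</p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg==">'),
    (103, '<p>Deals</p><a href="http://unrelated.invalid/p"><img src="http://unrelated.invalid/a.jpg"></a>'),
    (104, '<p>See <a href="/about/">about us</a>.</p>'),
]

BASE64_RE = re.compile(r"base64", re.IGNORECASE)
URL_ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def offsite_hosts(content, site_host):
    """Return the sorted hosts of href/src URLs that are not the site or a subdomain."""
    hosts = set()
    for url in URL_ATTR_RE.findall(content):
        host = urlparse(url).hostname  # None for relative URLs and data: URIs
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return sorted(hosts)


def audit_posts(rows, site_host):
    """Flag posts that mention base64 or link to other hosts; results are leads for manual review."""
    findings = []
    for post_id, content in rows:
        reasons = []
        if BASE64_RE.search(content):
            reasons.append("base64 reference")
        hosts = offsite_hosts(content, site_host)
        if hosts:
            reasons.append("off-site links: " + ", ".join(hosts))
        if reasons:
            findings.append((post_id, reasons))
    return findings


if __name__ == "__main__":
    for post_id, reasons in audit_posts(SAMPLE_POSTS, SITE_HOST):
        print(post_id, "; ".join(reasons))
```

Legitimate posts can also link to other sites, so each flagged ID still needs a human look before anything is deleted.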
So, what to do next?
Well, since there is a support forum for the plugin, I thought, why not ask the guy who made it? The following answer came back.
The file encodes in base64 some of the messages sent to the server.
Not a satisfactory answer. Even if that is what the JavaScript is supposed to do, there are still so many elements that make this very fishy. For example, the plugin author has only created one plugin and, despite the popularity, the author’s website has no content at all whatsoever! In fact, there is just fake content to fill up the site.
As you might know, Expedia got into trouble by hiring a marketing firm that created a free WordPress theme that had a link back to Expedia’s site. (There was a very well written case study about this in case you are interested)
So, maybe someone is using the same tactic with this plugin and generating all kinds of links?
What do you think? Is this what I think it is?