Lately I’ve been doing a lot more training than ever before, and I think (Jen, tell me if I’m wrong) I’m decent at it. I certainly know I have issues with planning exactly what I’m going to teach, though in the case of WordPress troubleshooting, I’m not teaching people what the right answer is, but actually how to look at the error in order to find the right answer. It’s like a code philosophy class, and the more I give it, the more I think I should go back to school to actually ‘learn’ this stuff.
One thing we’ve been learning about all this stuff, though, is that the hands-on lessons go way better than the lectures (to which every one of you is going ‘Duh, Mika!’ I’m sure), and in the interests of that, I’ve been writing intentionally bad and evil plugins. Actually, Kailey Lampert wrote most of the bad/broken plugins, and I’ve been writing the evil ones. I have a hard time writing broken, as it turns out.
On the other hand, when it comes to writing intentionally nefarious code, it’s pretty easy. Either that or I’m actually really good at it and don’t think I’m not pondering what that means about me.
The following are some of the ones I’ve written, along with explanations of what they do, why, and how.
- I Love DC: When installed and activated, you will be redirected elsewhere. Forever.
- I Love San Diego: Changes your password to something you have no idea what it is, and also changes your email so you can’t easily reset.
- Hello D0LLY: Redirects non-logged in users to a different site.
These plugins are intentionally simple. They don’t take long to fix your site, and they don’t take long to decrypt and understand. Every page where you can download them even tells you how to fix them. The point of them is not to make super complex hacks that can never be detected (no such thing), but to explain the process of how one looks through your own site to figure out what happened, and then through the plugin file itself to see why it happened at all.
You see, I’m not aiming for these to make someone the world’s best coder. The goal is to help people understand what’s going on and, in general, how to undo it. Personally, I’ve found that these are great ways for me to understand better how naughty people do things, but the unraveling has also proven delightful for people wanting to learn more about code and cleaning up sites. The only worry left with that is hackers might see this and get great ideas of what to do to people. I finally decided that since I’m showing you all how to fix this, you’d know what was wrong when you saw it.
If you want to download these hacks, check out Break/Fix over on my ElfTest network, and download away. Every example comes with a walkthrough on how to solve it, so if you need a hand held, it’s there for you.
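The "look through the plugin file to see why it happened" step from the post, turned into a small triage scanner. This is an added example, not code from the post or from the Break/Fix plugins: the rule names and patterns are this example's own assumptions, and the PHP fixtures are constructed here, modelled on the plugin descriptions above and on the decode-the-blob style mentioned in the comments.

```python
import re
from pathlib import Path
from typing import Dict, List

# Triage rules over plugin PHP source. Each one corresponds to a behaviour the post
# describes (redirects, credential changes, obfuscated payloads). The names and
# regexes are this example's own heuristics, not a WordPress API.
RULES: Dict[str, "re.Pattern[str]"] = {
    "redirect_on_load": re.compile(r"add_action\s*\(\s*['\"](init|template_redirect|wp_loaded)['\"]", re.I),
    "external_redirect": re.compile(r"(wp_redirect\s*\(\s*['\"]|header\s*\(\s*['\"]Location:\s*)(https?:)?//", re.I),
    "password_change": re.compile(r"wp_set_password\s*\(", re.I),
    "email_change": re.compile(r"wp_update_user\s*\([^;]*user_email", re.I),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

def scan_source(source: str) -> List[str]:
    """Return the names of every rule that matches one plugin's source text."""
    return [name for name, pattern in RULES.items() if pattern.search(source)]

def scan_plugin_dir(root: Path) -> Dict[str, List[str]]:
    """Scan every .php file under a plugins directory; only files with hits are reported."""
    hits: Dict[str, List[str]] = {}
    for php in sorted(root.rglob("*.php")):
        found = scan_source(php.read_text(errors="replace"))
        if found:
            hits[str(php.relative_to(root))] = found
    return hits

# Constructed fixtures (not the real Break/Fix plugins): three misbehaving files
# modelled on the post's descriptions plus one clean control.
SAMPLES: Dict[str, str] = {
    "i-love-dc.php": "<?php\nadd_action('init', function () { wp_redirect('http://example.invalid/'); exit; });\n",
    "i-love-san-diego.php": "<?php\nwp_set_password('s3cret', 1);\n"
                            "wp_update_user(array('ID' => 1, 'user_email' => 'x@example.invalid'));\n",
    "decoded-blob.php": "<?php\neval(base64_decode('Li4u'));\n",  # 'Li4u' is just '...'
    "clean-widget.php": "<?php\nfunction clean_widget() { echo 'Hello'; }\nadd_action('widgets_init', 'clean_widget');\n",
}

def scan_samples() -> Dict[str, List[str]]:
    """Run the rules over the constructed fixtures; clean files are omitted."""
    return {name: scan_source(src) for name, src in SAMPLES.items() if scan_source(src)}

if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name}: {', '.join(found)}")
```

A hit is a reason to open the file and read it, which is exactly the walkthrough exercise; a clean scan proves nothing on its own, since the rules only cover the tricks named on this page.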
Comments
5 responses to “Writing Evil Code”
That sounds troubling.
Does this mean that WP doesn’t have enough built-in ‘self-defense’ measures? Looks like it.
Also, is there any screening and code checking done for plugins uploaded to wp.org?
@Eitan Caspi: What do you mean by ‘enough’? WordPress is PHP code. If you install evil code, it enacts the code because you (the trusted human) said it was okay. None of the code I wrote is ‘wrong’ code, that is, code that won’t work. It’s just BAD. It’s like shooting your foot. It’s not the GUN’S fault.
To a degree, yes. We vet all plugins that are submitted, but we don’t validate every single changeset. If you see a plugin doing evil things and it’s hosted on .org, we urge you to email plugins AT wordpress.org with a link to the plugin page, and as many details as you can.
I loved the “Zend Framework” hack. It is astonishing to see a lot of decoded output from just a few lines.
When I opened the unphp link, my Avast free edition antivirus blocked it, saying “Infection: PHP:Agent-PU [Trj]”. I had to disable it to view the decoded output.
“Either that or Iโm actually really good at it and donโt think Iโm not pondering what that means about me.”
Without philosophizing too much, I think that the most ethical (or truthful, just, benevolent, etc.) people are those who can “see” the dark side. “You have to be a cheat to spot one” doesn’t mean you actually have to cheat! Revel in your moral compass…it shows through in all of your writings.
@akTed: FWIW, the true ethos of the original hackers is not too far from my own. To quote Stallman:
And really that’s what’s fun for me. Figuring out how things are done, unraveling, and showing everyone what I did. That old school, classic hacker. Not the cracker stuff. Yeah, I’ve done my time as a white-hat, with viruses and all, but it’s more fun to create and build up.