Do you read through the source code of themes and templates you install on your CMS? Do you feel that you can read and understand the php code in a template? Did you even know that themes and templates have php code that has complete access to your server as the Apache user?

What if you found out that your template was doing a few of these things?

1> Cloak your pages so that it looks normal to everyone except the search engine bots. They get shown a page of spammy links.

2> Implement an Ajax based function that sends any form data entered (for example, login and passwords from the comments) to an external web site.

3> Cloak your pages so that they look fine to you, but it someone enters the page on a search engine they get a different page with the evil template developer's adsense

4> Watch the IP addresses that view the pages (phone home) and make a good guess as to which addresses are probably the owner. Cloak the pages so that the site owner sees their own content, but everyone else see's the template developer's content.

I put together a list of 10 of these scenarios on my blog (Promote-my-site.com) and would be interested to see some discussion of whether people think this is a serious threat.

Interesting. I just happened to check my stats and saw an ip address from Latvia accessing my site consistently. I am using a free template from Joomlart, which I had considered safe. Do you think it could be phoning home?

Interesting. I just happened to check my stats and saw an ip address from Latvia accessing my site consistently. I am using a free template from Joomlart, which I had considered safe. Do you think it could be phoning home?
That could be, although it's more likely a scraper grabbing content to then randomize and put on a splog somewhere. But one thing a theme could do is install a backdoor so that when a certain IP accesses the site they get different information, such as a list of the email addresses in jos_users.

Or maybe you've just got a fan in Latvia.

If you're really freaked out, PM me and we'll arrange for me to take a quick look at your template. I'd be interested to find one of these evil templates in the wild.

What I did was blocked that ip, I dont really think I have fans in Latvia. Are you familiar with joomlart, they are "recommended" by joomla I guess. Do you think they would risk their business by inserting a backdoor to a site?

I'm not necessarily freaked out, but curious about this sudden amount of traffic from latvia, so I am hoping joomlart can be trusted.

Thanks for the advice, if i feel there is something suspicious going on from now I'll PM you.

thanks

What I did was blocked that ip, I dont really think I have fans in Latvia. Are you familiar with joomlart, they are "recommended" by joomla I guess. Do you think they would risk their business by inserting a backdoor to a site?

No, but the possibility exists that they were hacked and somebody put a backdoor into their template. Or more likely the two have nothing to do with each other and you were just a victim of a probe.