Numerous sites advertise free templates, but you have to watch out. Going by the Joomla forums, the most common places to get a free template are file-sharing sites or a friend.
Nowadays more and more unsavoury distributors of templates have come on the scene, trying to cash in on Joomla's success and catch unwary users.

Several companies in the past have been known to just put hard-coded links into their files. One example is Themza, whose method was to call an encoded GIF file (menu_col.gif) to place a spam link in the menu and also in the footer. A sample of the code
A big discussion on Themza is at http://forum.joomla.org/viewtopic.php?p=1827027. They also do not state that they are GPL, as they place restrictions on you altering their code.

A newer trick is

sucuri

Spam Alert

Have you found a lot of hidden spammy links on your Joomla site and don't understand how they got there? Here is a possible explanation.

Recently a case of spamming involving rogue Joomla extensions came to light. The extensions involved were several popular free modules and plugins listed in the Joomla Extensions Directory, mostly slideshows, Twitter widgets and similar extensions. Some examples were:

There have been recent questions over why developers should inform the VEL team about exploits they have fixed before the VEL team gets to know about them. This includes when a developer updates their listing on the JED and neglects to mention that the update is due to a coding weakness.


Developers have several responsibilities when it comes to insecure code:-

While checking my site logs, as should be standard practice for everyone, I discovered an unintentional honeytrap.

Q. What is the point of trying to hack an RSS feed, and is it possible?

Moving configuration.php out of the root of your Joomla installation makes no sense at all if your website or server is insufficiently protected.