people trying to import files – malware
Getting lots of reports from Wordfence showing outside users inappropriately trying to access the import link. Some were successful. Please harden security.
If you look at the changelog for our plugin, you’ll see that quite a while ago, in version 1.8.25, we made a couple of corrections to account for what was causing Wordfence to throw that warning. So please make sure you are using at least version 1.8.25 or above. If you are, and are still seeing similar warnings, then my guess is the warning is still referencing version 1.8.24 or below. If that’s the case, then it’s probably just your security plugin letting you know there was a potential issue in version 1.8.24. I can guarantee you that was closed in version 1.8.25, so there’s no chance of the issue they mention if you’re using >= 1.8.25.
We are currently running version 1.8.31 of the ultimate-faqs plugin, and have observed PHP malware being uploaded to a site under development from a questionable source IP. Two files were uploaded to wp-content/plugins/ultimate-faqs/faq-sheets. I’m including the sanitized Apache log entries below. We don’t currently have Wordfence running on the site – the malware files were flagged by the ISPProtect malware scanner.
<IP Redacted> - - [26/Apr/2020:03:34:22 -0500] "GET /wp-admin/admin-ajax.php?action=ufaq_search HTTP/1.1" 200 38741 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
<IP Redacted> - - [26/Apr/2020:10:46:19 -0500] "POST /wp-admin/admin.php?page=EWD-UFAQ-Options&DisplayPage=ImportPosts&Action=EWD_UFAQ_ImportFaqsFromSpreadsheet HTTP/1.1" 302 471 "https://<host redacted>/wp-admin/admin.php?page=EWD-UFAQ-Options&DisplayPage=ImportPosts" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
<IP Redacted> - - [26/Apr/2020:10:46:21 -0500] "GET /wp-content/plugins/ultimate-faqs/faq-sheets/xo01w5.php.zz4xlsx HTTP/1.1" 200 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
<IP Redacted> - - [26/Apr/2020:10:46:21 -0500] "POST /wp-content/plugins/ultimate-faqs/faq-sheets/xo01w5.php.zz4xlsx HTTP/1.1" 200 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
<IP Redacted> - - [26/Apr/2020:13:03:43 -0500] "POST /wp-admin/admin.php?page=EWD-UFAQ-Options&DisplayPage=ImportPosts&Action=EWD_UFAQ_ImportFaqsFromSpreadsheet HTTP/1.1" 302 471 "https://<host redacted>/wp-admin/admin.php?page=EWD-UFAQ-Options&DisplayPage=ImportPosts" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"
<IP Redacted> - - [26/Apr/2020:13:03:45 -0500] "GET /wp-content/plugins/ultimate-faqs/faq-sheets/wyot40.php.exkexlsx HTTP/1.1" 200 386 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"
<IP Redacted> - - [26/Apr/2020:13:03:46 -0500] "POST /wp-content/plugins/ultimate-faqs/faq-sheets/wyot40.php.exkexlsx HTTP/1.1" 200 386 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"
- This reply was modified 4 years, 7 months ago by bjackson1.
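The log excerpt above shows the pattern a site owner can hunt for: a POST to the spreadsheet import action, followed seconds later from the same IP by requests for a file under faq-sheets/ whose name contains ".php" before a bogus spreadsheet extension. The following detection script is an added example (not code from the plugin or from anyone in this thread); it runs over constructed log lines modelled on the ones posted, with the IP and host values made up.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Apache entries in the thread (IP/host are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2020:10:46:19 -0500] "POST /wp-admin/admin.php?page=EWD-UFAQ-Options&DisplayPage=ImportPosts&Action=EWD_UFAQ_ImportFaqsFromSpreadsheet HTTP/1.1" 302 471 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [26/Apr/2020:10:46:21 -0500] "GET /wp-content/plugins/ultimate-faqs/faq-sheets/xo01w5.php.zz4xlsx HTTP/1.1" 200 375 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Apr/2020:10:46:21 -0500] "POST /wp-content/plugins/ultimate-faqs/faq-sheets/xo01w5.php.zz4xlsx HTTP/1.1" 200 375 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Apr/2020:11:00:00 -0500] "GET /wp-content/plugins/ultimate-faqs/faq-sheets/faqs.xlsx HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
IMPORT_ACTION = "Action=EWD_UFAQ_ImportFaqsFromSpreadsheet"
SHEETS_DIR = "/wp-content/plugins/ultimate-faqs/faq-sheets/"
# ".php" (or .php5 etc.) anywhere in the name, e.g. "x.php.zz4xlsx", is the tell-tale.
PHP_IN_NAME = re.compile(r"\.php\d?(\.|$)", re.IGNORECASE)


def parse(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def find_suspicious(log_text):
    """Flag fetches of PHP-looking files under faq-sheets/, noting whether the same
    client IP also hit the import action (the upload-then-execute sequence above)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        imported = any(r["method"] == "POST" and IMPORT_ACTION in r["path"] for r in recs)
        for r in recs:
            path = r["path"].split("?", 1)[0]          # drop any query string
            if path.startswith(SHEETS_DIR) and PHP_IN_NAME.search(path[len(SHEETS_DIR):]):
                findings.append({"ip": ip, "ts": r["ts"], "method": r["method"],
                                 "file": path[len(SHEETS_DIR):], "status": r["status"],
                                 "after_import": imported})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

A 200 status on the GET of such a file means the web server executed or served it; the legitimate .xlsx fetch from the second IP is not flagged.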
Hi b,
Thank you for this. We’ve done testing and have added extra security to the import feature, which should now avoid any issue relating to the log you posted. Please make sure to update to the new version we just released.
No problem, glad to help! I’ve updated to the new version.
Thanks,
-Brian
We had the same problem. Our hosting provider pulled our site offline and informed us that we had malware on our website.
The FAQ was the problem. We used 1.8.30. Do you have any more information regarding this? I’m an IT guy myself, so to understand it better, can you give some more information?
Just to confirm and double check, am I safe again with 1.9.2?
Hi joris,
Definitely safe with 1.9.2. Wordfence might just be scanning the back tagged versions that are available here and noting that issue. All of that was closed and corrected and does not exist in 1.9.2.
I can confirm multiple sites infected on a server I run, and so far 3 of 3 (still counting…) /wp-content/plugins/ultimate-faqs/faq-sheets/ is where the infected files have landed.
So… might want to consider why your plugin, out of all the others on multiple sites, is coming up like this, rather than saying everything’s just fine.
I’ve got 300 sites, I have firewalls on all, as well as a server firewall and Cloudflare…in two years this is my first time having a hacked site…and I have several…but they all have ultimate faqs plugin in common.
I do admit that it was 1.8.x version, so anyone older than the newest.
- This reply was modified 4 years, 5 months ago by matthew40.
Hi matthew,
So you’re saying your sites that are having issues are or were still on versions of the plugin from before our update to close this? Or, have you cleaned up the site, updated the plugin to the most recent versions, and then had new issues after that?
If the former, you need to make sure to update. We’ve already said/admitted there was a possible issue and that you needed to update. If you didn’t update and then had issues, there isn’t much to say or do, as you/we would already know why it happened (because you didn’t update).
If it’s the latter, then please provide any info you can to help us recreate this. If this at all involves any sensitive information or possible holes, either for your site or the plugin, please email us at [email protected] and don’t post sensitive info here.
Thank you