• Resolved boblebad

    (@boblebad)


    Hi

    I woke up this morning finding out that a few hours earlier my site got a new “plugin” installed. If it wasn’t for Sucuri repoting the action i wouldn’t have discovered it, because i didn’t show on the list of plugins.

    I have the file and i need someone to tell me what it does.

    The problem is that i have a very clean site with only WP, Divi and Sucuri. I had the Customizer Reset plugin from wpzoom. I deleted that just for safety. I didn’t need anymore anyway.

    Everything was updated to newest version. There hasn’t been installed other plugins on it. Just a clean site with Divi.

    ### This is not about that i have been hacked ###

    I just need to find out what this “plugin” does, so i can find out how it came onto my site. There has/had to be a crack in the security. Where it came from so the hole can be closed.

    So there’s three ways that it can have entered. WordPress 5.9, Divi, (+ the other auto-installed WP themes) and the Cuztomizer Reset plugin.

    Of course Sucuri as well. I am in contact with them, and also Elegant Themes.

    So what about WordPress, who deals with hacks and security and can take a look at the file and maybe see how it got onto the site, what it exploited – and of course to close the hole if it’s in WordPress itself ?

    All the best
    Carsten

    • This topic was modified 2 years, 9 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
Viewing 15 replies - 1 through 15 (of 34 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    WE really do not want you to post, or post a link to, malicious (or potentially malicious) code here. I suggest you contact Sucuri through their own web site, though if you’re not a paid customer, they probably will not check and explain the code.

    Also, another possible vector is your hosting, either internally, through incomplete separation of sites on a shared host, or via ftp/sftp or other login option.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to Fixing WordPress, this is not an Everything else WordPress topic.

    I just need to find out what this “plugin” does

    That part doesn’t really matter. It’s doing bad things and that’s academic at this point.

    so i can find out how it came onto my site.

    That’s the part that matter. How’d it get onto your site?

    As Steve wrote, you may want to contact Sucuri or other sites/services like that. We don’t permit that conversation in these forums because it’s not safe and ultimately isn’t the problem that needs looking at.

    The site was hacked and those doors need to be closed.

    https://www.ads-software.com/support/article/faq-my-site-was-hacked/

    When you have successfully deloused your site then consider giving this a read too.

    https://www.ads-software.com/support/article/hardening-wordpress/

    Thread Starter boblebad

    (@boblebad)

    If you let me missread as you missread me ??

    I translate what you’re saying; You don’t care if this is the cause of WordPress itself.

    I have a super clean site, so i know what has been going on there. That’s why i’m here.

    There’s 3 ways as i wrote. WordPress is one, and it needs to be checked if it came through a crack in the security. That’s why i want soneone from WordPress to have a look at it.

    And just to be clear; I wouldn’t even send it to anyone other than one at WP.

    Why do i want to know what it does ?

    To find out how it came onto my site. As written; There are 3 ways. What it does tells something about how it came on board.

    And forgive for asking; How do you want me to close my site of from it when i don’t know where it came from, remembering how little that site has installed where it could enter from ?

    I know the two links. I have read a lot more on security through .htaccess and have a good deal sealed that way. And again Sucuri gossiped about the installation of the so called plugin.

    And thank you for your replies ??

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Assuming that it’s a “crack in security”, how would looking at a file added to your system tell us how it got there?

    “I translate what you’re saying; You don’t care if this is the cause of WordPress itself.” That’s an assumption, and you know what they say about “assume”. ?? That’s not at all what Jan or I meant. If you want to gin something up, OK, but that’s not what we said, what we implied, or what you should infer.

    For the record, to report a vuln in WP core, https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/, or a plugin, https://developer.www.ads-software.com/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/

    They are not discussed publicly in these forums.

    Thread Starter boblebad

    (@boblebad)

    Hello @sterndata

    You’re missing the point here. This is a very clean site with only 3(4) parties involved.

    Either WordPress has a problem, Elegant Themes with Divi or wpzoom with thier Customizer Reset plugin. Sucuri of course can be the problem(4), but that would be really bad.

    So it’s a pretty clear-cut case to what needs to be investigated.

    And for you not to acknowledge that there’s a problem here, is like suddenly i stood in your house, you knew that every door and window was closed and locked, and the police telling you; Just sit back and relax, you let me out the door again.

    Wouldn’t you want to know how in the name i got in, so you could stop it from happening again ?

    Regarding what it would help me to know what i does to figuring out how it got in.

    Knowing what it does, will give me a much higher chance finding out what the name of this thing is from the lists with the names from all sorts of hacks/viruses.

    That will then make it a lot easier to find out how it got in, because of other lists which tells how many of these hacks/viruses are related to a specific point of entry.

    And regarding you links, they point point to the wrong site:”For security issues with the self-hosted version of WordPress, submit a report at the WordPress HackerOne page.”

    I have already written them and they have nothing to do with this.

    And last, i don’t want to discuss what this thing does here, i want someone at WordPress to have a look at it and see if it could have found a crack in WP and got in – You know; it has happened before.

    I want that hole locked, to stop people/sites getting hacked this way.

    Moderator James Huff

    (@macmanx)

    No one is dismissing you here.

    The right way to go about this is to follow the steps at https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/

    Please read the page carefully, as it sounds like you had chosen the wrong option.

    Thread Starter boblebad

    (@boblebad)

    Hello @macmanx

    I have taken a screenshot of the section describing reporting security issues: https://ibb.co/QYr0tF7

    Inserting the text here does not show what is links in the text, but here we can read what it says and where to go. I have WordPress at a hosting company here in Denmark.

    —-

    If you are here to report any sort of security issue with a site hosted on <strong>WordPress.com</strong>, then please submit a report at the Automattic HackerOne page. If the issue you’re trying to report is on WordPress.com and is not a security issue, then please use their support forums instead.
    
    If you’re having an issue with your own self-hosted www.ads-software.com site that is <strong>not </strong>a security issue, then please use the www.ads-software.com support forums.
    
    For security issues with WordPress <strong>plugins</strong>, follow the information on Reporting Plugin Security Issues.
    
    For security issues with the <strong>self-hosted</strong> version of WordPress, submit a report at the WordPress HackerOne page. Include as much detail as you can. Please always use HackerOne instead of Core Trac, even if the vulnerability is only in trunk, or a beta/RC release, because there are some sites that run those in production.

    ——

    I hope you see the same thing as i, and that the choices i have here is pointing to HackerOne, as the other three relates to other scenarios.

    Thread Starter boblebad

    (@boblebad)

    Ohh, and under the “I have been hacked” section, you point to a plugin which has not been tested with the last three major releases:

    “This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”

    Moderator James Huff

    (@macmanx)

    Under https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues choose the 4th option:

    For security issues with the self-hosted version of WordPress, submit a report at the WordPress HackerOne page. Include as much detail as you can. Please always use HackerOne instead of Core Trac, even if the vulnerability is only in trunk, or a beta/RC release, because there are some sites that run those in production.

    which links to https://hackerone.com/wordpress?type=team

    Moderator James Huff

    (@macmanx)

    Thanks for the feedback on the “I’ve been hacked.” section, I’ll pass that along.

    Everything else under that section is still valid.

    Thread Starter boblebad

    (@boblebad)

    Hello @macmanx

    Two things.

    1: I’m not a Hacker and i’m not a company who wnats to do something https://ibb.co/xDh8qwN

    2: Here’s the response i got back when i contacted them about my problem through contact form.
    ——

    Hi Carsten,

    I’m sorry to hear that you have been having trouble and need some assistance. Unfortunately, you were misrouted to HackerOne Support and we will not be able to assist with this experience.

    HackerOne is a vulnerability disclosure company that established a bug bounty platform that connects businesses with security researchers. Companies hire? hackers through the platform as a reward for identifying vulnerabilities in their systems and products. The platform enables secure intelligence report sharing, payment, and a reputation system for ?ethical ?hackers.? ?

    Kindest Regards,
    Matt
    ——

    So i don’t know what’s up or down, but something is clearly not the way it’s layed out.

    Moderator James Huff

    (@macmanx)

    It sounds like you contacted HackerOne’s support, not WordPress’s security team via their bug bounty program.

    At https://hackerone.com/wordpress?type=team click the red “Submit report” button.

    Thread Starter boblebad

    (@boblebad)

    Hello again @macmanx

    Yes, and the image showed what i can chose between. I’m not a hacker, and i’m not a company who’s going to support them either. So i can’t really see how this fits with i want to submit an incident ?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    @boblebad

    What you’re reporting here is that somehow, bad code ended up on your site. This is understandably frustrating, however WordPress doesn’t run your site. You are correct that you could have been hacked through a bad plugin, or others may be correct that it was put there by some other method.

    Looking at the bad plugin will give you no concrete information. You would need to look at the assorted server logs for that, and to do that, you need to contact your hosting service itself.

    HackerOne is indeed not the correct place to report this, and we have no team here on www.ads-software.com that can examine your site for you. We make free software, we don’t control or otherwise have any power over your site.

    If you do find a problem in WordPress itself, then the HackerOne is the place to report it, if you have found an actual bug to report.

    If instead you find that the problem is through a plugin or theme, then [email protected] would like to hear from you about that issue.

    However, if your site was indeed “pristine” then it’s unlikely that one of these are the attack vectors used. It’s more likely that you were hacked through your hosting service. Maybe the FTP door is open and a guessable password was used. Perhaps there is a flaw at the server level, or it’s on a shared hosting service that doesn’t have good intra-user security. There are many possibilities. Without asking your host itself and having them look at the server logs to find how it happened, you’ll probably be unable to find the source.

    Sorry if that isn’t the answer you wanted to hear.

    Moderator James Huff

    (@macmanx)

    Thanks for clarifying, Otto!

    In this case then, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

Viewing 15 replies - 1 through 15 (of 34 total)
  • The topic ‘Need fake plugin hack file checked’ is closed to new replies.