• Unwanted files were placed in the home directory of this plugin.
    I have several protection plugins installed, and everything is up-to-date, yet I find a.php, b.php, etc. in this plugin’s folder, making me suspect that a weakness exists in this plugin.

    The hacker’s access (From Ukraine):
    (our IP and domain names changed)

    error log:
    proxy_error_log:2017/06/12 09:51:29 [error] 3248#0: *335 connect() failed (111: Connection refused) while connecting to upstream, client: 91.200.14.147, server: XXX.com.tr, request: "POST /wp-content/plugins/easyrotator-for-wordpress/b.php HTTP/1.1", upstream: "https://xxx.x.xxx.xxx:7080/wp-content/plugins/easyrotator-for-wordpress/b.php", host: "XXX.com.tr"

    access log:
    access_log.processed.1:91.200.14.147 - - [11/Jun/2017:09:06:15 +0300] "POST /wp-content/plugins/easyrotator-for-wordpress/b.php HTTP/1.0" 200 296 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
    access_log.processed.1:91.200.14.147 - - [11/Jun/2017:09:06:15 +0300] "POST /wp-content/plugins/easyrotator-for-wordpress/b.php HTTP/1.0" 200 259 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"

    • This topic was modified 7 years, 5 months ago by tkalfaoglu.
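The access-log lines in the opening post are the kind of evidence a site owner can hunt for across all their installs: a POST sent straight to a PHP file sitting directly inside a plugin directory (bypassing WordPress entirely) and answered with 200. The following is an added example, not code from the thread or from the EasyRotator project; it parses combined-format access-log lines (constructed here, with documentation IP addresses, modelled on the ones posted above) and reports such requests, including 404 probes like the up.php lookups mentioned later in the thread.

```python
import re

# Apache/nginx combined log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# A .php file requested directly under wp-content/plugins/<plugin>/ ;
# legitimate plugin traffic normally goes through admin-ajax.php or the REST API.
PLUGIN_PHP_RE = re.compile(
    r'^/wp-content/plugins/(?P<plugin>[^/]+)/(?P<file>[^/?]+\.php)(\?.*)?$'
)

# Constructed sample lines (not the poster's real log); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jun/2017:09:06:15 +0300] "POST /wp-content/plugins/easyrotator-for-wordpress/b.php HTTP/1.0" 200 296 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jun/2017:09:06:16 +0300] "POST /wp-content/plugins/easyrotator-for-wordpress/a.php HTTP/1.0" 200 259 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Jun/2017:09:07:01 +0300] "GET /wp-content/plugins/easyrotator-for-wordpress/assets/rotator.js HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Jun/2017:09:07:05 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jun/2017:09:08:00 +0300] "POST /wp-content/plugins/easyrotator-for-wordpress/up.php HTTP/1.1" 404 210 "-" "curl/7.50"',
]


def parse_line(line):
    """Return the parsed fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_direct_plugin_posts(lines, allowed=frozenset()):
    """List POSTs aimed directly at a PHP file inside a plugin directory.

    `allowed` holds "plugin/file.php" entries known to be legitimate endpoints.
    Each hit records whether the server actually served the file (2xx) or the
    request was only a probe for a file that is not there.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        pm = PLUGIN_PHP_RE.match(rec["path"])
        if pm is None or f'{pm["plugin"]}/{pm["file"]}' in allowed:
            continue
        hits.append({"ip": rec["ip"], "plugin": pm["plugin"], "file": pm["file"],
                     "status": int(rec["status"]), "served": rec["status"].startswith("2")})
    return hits


if __name__ == "__main__":
    for h in find_direct_plugin_posts(SAMPLE_LOG):
        print(("SERVED " if h["served"] else "probe  ") + f'{h["ip"]} -> {h["plugin"]}/{h["file"]} ({h["status"]})')
```

A "served" hit means a PHP file that the plugin does not ship was executed from its directory, which is the file-integrity check (comparing the directory against the released plugin code) that the author's reply asks for.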
  • Plugin Author DWUser

    (@dwusercom)

    Hi @tkalfaoglu,

    Thanks for using EasyRotator for WordPress, and I appreciate you writing. Obviously we take any potential security concerns very seriously.

    Do you have any details about how the files were placed on your server or their contents, or any other information about what led you to suspect that EasyRotator itself is the source of the issue you’ve described? Once there’s more information about how the files arrived and their content, it will be easier to attempt to research what’s going on and provide additional guidance on your situation.

    You can browse the latest plugin code at https://plugins.trac.www.ads-software.com/browser/easyrotator-for-wordpress/tags/1.0.14 . (There are no a.php or b.php files included with the plugin, and all code has been carefully written to use best practices and vetted against common security issues.)

    Looking forward to hearing more details about your situation, and hopefully being able to shed some more light on the problem you’ve run into.

    Sincerely,
    Drew O’Neill

    Thread Starter tkalfaoglu

    (@tkalfaoglu)

    Hello there. There were several files uploaded, like a.php, b.php, etc.
    They contained mainly code for mass mailings or remote-shell-like utilities. They were only present in your plugin’s directory, and I witnessed the same thing in 4 different WordPress installations on our server. Hope this helps, -tk

    Plugin Author DWUser

    (@dwusercom)

    I think it would be best if you could send the relevant files in a support ticket on our website ( https://www.dwuser.com/ ). We can then review the files.

    Sincerely,
    Drew O’Neill

    I don’t have this plugin on my site, but found it odd that it was searched out 6 times on my site from a Latvian IP address. It was looking for up.php.

  • The topic ‘Virus’ is closed to new replies.