• Resolved mvandemar

    (@mvandemar)


    I am rebuilding a client’s site that was hacked, and this is one of the plugins they were using. I went to grab a fresh copy and it looks like it was yanked from the repositories some time in the past week. Does anyone happen to know why? I can still access the most recent version via downloads.www.ads-software.com, but I don’t want to use it if it was pulled due to security concerns.

    Thanks.

    -Michael

    https://www.ads-software.com/extend/plugins/social-media-widget/

Viewing 14 replies - 16 through 29 (of 29 total)
  • @mindctrl, wow, that’s not what I understood from his message. Where do you see that?

    This malicious code has embedded itself throughout my site, in core components, other plugin folders, theme files etc. If we update to the latest version, is it gonna clean up that mess or am I completely screwed? I was using this plugin on about 25 sites!! This is a nightmare.

    Thread Starter mvandemar

    (@mvandemar)

    @mindctrl – they can’t actually update your WordPress for you, you can read more about that here if you like: WordPress and infected plugins.

    @karenalenore – while this plugin was bad, I did not see an actual back door in it when I looked, and I haven’t heard of anyone else getting hit like that. The code does embed itself on every page, that is true, but it should go away once you remove the plugin. Did you remove it yet? I would be happy to take a look and see if you have anything else going on if you are still having symptoms. Just let me know.

    @karenalenore yeah I’m with @mvandemar, not seeing any evidence of this being used for what you’re saying. Are you sure that is the source and you don’t have other issues in your site? You might want to open a ticket in the hacked or malware tracks for help.

    Thanks

    Thanks all. I bet I have both problems going on simultaneously. It’s hard to sort one problem from the other… Some sites have corrupted server files and folders with the injected code and some other sites have front end injected code. No two sites are alike. I was dying to figure out the common thread as they are on different servers, different accounts, use different plugins, etc.

    Thanks for the resources. I’m going to go through this one site at a time and see if I can get them clean. (There goes a whole day of productivity. blah.)

    Thread Starter mvandemar

    (@mvandemar)

    I was dying to figure out the common thread as they are on different servers, different accounts, use different plugins, etc

    First thing I would point out is that you are a common thread there. There are certain pc viruses that will steal passwords from your ftp client config, assuming they are stored there, and infect your sites that way. I would highly recommend that any non-Mac, non-Linux users (i.e. all Windows users) who have ftp access to your sites run thorough anti-virus scans on their machines.

    Also, if an account has more than one site on it (i.e. multiple sites accessible from the same ftp login) then it usually only takes a back door on one of them to infect the rest on that particular account. So, I would look for common traits between accounts as well, not just sites, if you happen to have that kind of setup going on with any of them.

    All,

    First, we are sorry that this is the first communication from us since this all started. Shortly after the spam injection commenced, our www.ads-software.com account was locked and we were unable to log in or post. We have only now regained access to the plugin and our account after discussions with Otto.

    We are greatly sorry for allowing this spam injection to occur. We trusted the wrong people with our plugin code and take full responsibility. We are a marketing company at heart and are not actually developers, so in order to provide major updates and improvements, we had to seek outside help. Some of these people deceived us and abused our trust and naivety. We had no idea that the malicious code was in fact malicious or could do something like this. We only went by what was told to us by those we trusted with the plugin code. We will not make this mistake again.

    We hope you can come back to SMW now that this has been cleaned up, but we understand we have a long way to go to build trust back up with the WordPress community. As of version 4.0.1, SMW is safe and spam-free, and will remain that way.

    If you need to get in touch with us, you may email us at [email protected]

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    @perezbox

    Hi Tony!

    Naturally we do take a very hard line on spam, and obviously an author putting malicious code into a plugin is enough grounds for us to bring down the ban hammer.

    But there are natural circumstances where an author may not be at fault. For example, if his password had been used by malicious persons without his knowledge, then we wouldn’t hold the plugin author responsible for that, but would work with them to clean up the plugin, secure their account, and advise them on how not to let it happen again.

    In this case, the original author of the plugin and the current maintainer of the plugin have made it clear what has occurred here. Basically, the current maintainer is not a professional programmer, and put his trust in the wrong freelancers to do the coding work for him. Though he did check in the malicious code, it’s clear from our communications that he was unaware of its nature. Both me and Scott have examined the current plugin code and determined that it has no malicious intent (after we removed the problem code), and it would be unfair to the users of the plugin as well as the current maintainer to have an absolute “zero-tolerance” policy for all cases.

    People make mistakes. In this case, the current owner of the plugin put his trust in the wrong place. I’m confident that he won’t do that again, and regardless we’ll be watching the plugin for changes. Anybody else is free to do so as well, it is easy to subscribe to the plugin changes via email, and get notified of every commit to a plugin’s code.

    So the plugin is back up for now, and as long as it stays clean, it’s fine.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    @mindctrl: I think you misunderstood my original post. We have no ability to “force” code onto other people’s sites. However, we do control the plugin directory, and have the ability to change plugins and bump their version numbers. In this case, we removed the problem code from the plugin, and bumped the version number from 4.0 to 4.0.1. When we did that, sites running the plugin would have received an upgrade notice. However, those sites would still have to click the update button to get the new code.
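Added example (not part of any post in this thread, and not code from the plugin or the directory admins): because the 4.0.1 release only reaches a site when someone clicks update, this sketch inventories every copy of the plugin under a hosting account and reports which ones still predate 4.0.1. The slug comes from the plugin URL above; reading the `Version:` header from top-level .php files is an assumption about the plugin's layout, and "update" only means "older than the cleaned release", not that the copy is known to be malicious.

```python
import os
import re
import tempfile

PLUGIN_SLUG = "social-media-widget"  # slug taken from the plugin URL in this thread
CLEAN_VERSION = (4, 0, 1)            # release the thread says had the problem code removed
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".") if p) if m else None

def installed_version(plugin_dir):
    """Read the first Version header found in a top-level .php file."""
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".php"):
            with open(os.path.join(plugin_dir, name), errors="replace") as fh:
                version = parse_version(fh.read(8192))
            if version:
                return version
    return None

def audit(root):
    """Map each copy of the plugin under root to (version, status)."""
    report = {}
    for dirpath, dirnames, _ in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath))
        if os.path.basename(dirpath) == PLUGIN_SLUG and parent == "plugins":
            dirnames[:] = []  # no need to descend into the plugin itself
            v = installed_version(dirpath)
            padded = (v or ()) + (0,) * (3 - len(v or ()))
            status = "unknown" if v is None else ("ok" if padded >= CLEAN_VERSION else "update")
            report[dirpath] = (v, status)
    return report

def build_sample(root):
    """Constructed sample: two sites on one account, one copy per release."""
    for site, ver in (("site-a", "4.0"), ("site-b", "4.0.1")):
        d = os.path.join(root, site, "wp-content", "plugins", PLUGIN_SLUG)
        os.makedirs(d)
        with open(os.path.join(d, "widget.php"), "w") as fh:
            fh.write("<?php\n/*\nPlugin Name: Sample\nVersion: %s\n*/\n" % ver)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, (ver, status) in sorted(audit(tmp).items()):
            print(status, ver, path)
```

Point `audit()` at the directory that holds all sites reachable from one FTP login to cover the shared-account case raised earlier in the thread.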

    @mvandemar I recognize that I am that thread. I’ve scanned my machines, changed passwords and all but don’t see how that happened from my end.

    On my Rackspace accounts, each site that used this widget showed malware and once I removed it, they seem to be scanning clean for the moment.

    On my Hostgator accounts, we have both problems. I’m still dealing with tech support to get those clean.

    One thought, I use managewp.com to manage my sites and run updates. I’ve been in contact with them and they assure me there is no way these problems could have originated with them. Anyone else have thoughts on that one? Should I look towards the hosts as the problem beyond this plugin’s ill doings?

    I appreciate the active discussion here to commiserate my suffering, even if I have to do the work in the end.

    Thread Starter mvandemar

    (@mvandemar)

    @karenalenore – I love Hostgator, and one of the reasons is their security. I have cleaned a ton of sites for clients and never have I found an issue with them, so I would definitely not worry about it being them.

    If they are having trouble getting you cleaned, if you want I can scan one of your accounts for you, send you a list of all back doors I find. It might not tell you how the site got hit initially, but it could help them discover what they are missing on the other accounts. My site is in my profile, and there is a contact form there.

    Hi Otto

    That makes sense, every circumstance is different.

    Thanks

    Tony

    @karenalenore – One thing you should check is if you’re using any kind of caching plugins. If you’re doing disk or opcache caching of pages/posts and didn’t clear the cache after removing the plugin, the whole thing or remnants of the widget will remain in place until they expire or you delete them.

  • The topic ‘Anyone know why Social Media Widget was removed?’ is closed to new replies.