Appears UM got hacked on my site

  • Earlier today the site I manage went down with an Error 500. I was given a Fatal Error in line 2 of the includes/core/class-cron.php file. When I went to inspect it against a clean version of your plugin, I found several extra lines of code before your code started.

    I’m not saying your plugin is at fault. Maybe a hacker got in another way. I do have the infected plugin zipped on my Dropbox if you want it.

    I figure it isn’t wise to make it public. Would you like to see the plugin to check for security flaws?

    Just offering and as I said, I am not blaming the plugin, but this is where I found the bad code

    Let me know what you want to do with it.

    Bryan

Viewing 15 replies - 1 through 15 (of 17 total)

  • All my sites with ultimate member are being hacked as well. To be exact, remote files are being uploaded like “uploads/.ini.php” along with other ‘image files’ not to mention they must have full directory control since they were able to CHMOD the wp-config.php file to 777 from 444 and add data to it. Error logs show: wp-content/plugins/ultimate-member/assets/dynamic_css/dynamic_profile.php on line 5 and line 6. Suggest everyone lock down or keep a watchful eye out until the developers discover what is going on and have a chance to resolve it.

    Thread Starter Bryan Cady

    (@bobcatou)

    On further inspection, I found corrupted code in the index.php file in the root directory and unknown php file in the /includes/images/smiles directory in the core code.

    Is Ultimate member looking into this?

    Look for all recently modified files and remedy accordingly. The longer the infection goes undetected the worse the infection it appears. Four UltimateMember sites hacked thus far, lucky I have monitoring software installed. No idea if they are aware of the situation but I trust they will look into it as soon as possible. I can provide server logs.

    Thread Starter Bryan Cady

    (@bobcatou)

    I actually pulled a backup and restored. I didn’t want to take any chances. Luckily it isn’t used for conversation. More for just letting groups from a choir see schedules, notes and song files.

    What monitor did you use? I had WordFence and it didn’t catch it.

    Bryan

    Plugin Support Ultimate Member Support

    (@ultimatemembersupport)

    Hi @bobcatou and @endurox,

    We’ve overhauled our files upload and increased security, the update will be live very soon.
    Please make sure to update to the latest version when it will be available.

    Regards.

    Thank you! Excellent work.

    Not really. How long has this issue been around now? Since 2015?!

    https://www.cvedetails.com/cve/CVE-2018-0587/

    Now that everybody is getting hacked, you are “overhauling” security. Great! How about an immediate fix everyone can implement, like deleting that dreaded um-image-upload.php?

    You do not realize how serious this is, do you?

    Thread Starter Bryan Cady

    (@bobcatou)

    For people who have been hacked through their upload flaw. https://pluginvulnerabilities.com has given me a temporary fixed until the authors update their code. This will disable the upload capability of UM though.

    Below is what they told me.
    ______________

    One quick temporary fullproof solution to prevent that functionality from being abused, if you can live with not being able to upload images through that functionality, is to add the lines

    $ret[‘error’] = __(‘Functionality disabled’);
    exit(json_encode($ret));

    right after the line

    function ajax_image_upload() {

    in the file /includes/core/class-files.php. That will cause the function to exit before going through the upload process.

    Thank you for taking the time to post a potential solution Bryan. Very thoughtful and considerate not to mention much appreciated.

    Man, looked into my upload folder and found random string php files in there. it’s a good thing i had php disabled in those directories.

    I also found a random string php file inside my html folder… time to restore to a backup.

    Sorry but this plug-in is a gaping security hole.

    • This reply was modified 6 years, 3 months ago by johaan89.
    • This reply was modified 6 years, 3 months ago by johaan89.
    Thread Starter Bryan Cady

    (@bobcatou)

    I use WordFence on all my sites now. There is a setting in there that will disallow any php script from running in the uploads folder.

    You can also accomplish this in the .htaccess file.

    We installed the plugin upgrade on Friday only to continue to have problems with corrupt files

    Thread Starter Bryan Cady

    (@bobcatou)

    With the last hack, did you clean it up or pull from a from a known good backup?

    My hack had lots of areas with bad files so I had to do a complete restore.

    I’d start a new thread too so this issue gets moved back to the top.

    Hello experts,

    My sites are automatically redirecting to tuniaf.con and tityx.com . I have deleted and replaced all files from public_html folder and replaced with new wordpress files. I previously used “Ultimate Member” plug-in in one of my sites but now I have deleted “Ultimate Member” plug-in files. But still facing the same problems. It’s very disappointing ?? . Can someone suggest something??

    Best Regards

    Thread Starter Bryan Cady

    (@bobcatou)

    Show hidden files and look in your .htaccess file.

    Run wordfence scan too

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Appears UM got hacked on my site’ is closed to new replies.

Tags