Beat diabetes) beatdiabetes.us footer link, hack activity

Thank you guys.
So we have a list of “infected” plugins.
If you didn’t already installed those plugins you have to make action A
if you already installed those plugins you have to make action B.
So:
Infected/offending Plugin List
WP RANDOM POST WIDGET
twitter-fb-like-google-1-and-fb-share
wp-fanbox-widget-easy
wp-delete-duplicate-posts
https://www.ads-software.com/support/topic/the-plugin-wp-delete-duplicate-posts-puts-beatdiabetesus-link-in-the-footer?replies=2

Please report all the new plugins infected at [email protected] as suggested by esmi user

action A (thanks to Sergio)
edited the php of the plugin and at the end i deleted this few lines:
`add_action(‘wp_footer’, ‘cre’);

function cre(){

echo ‘<style type=”text/css”>.hello </style>’;

echo ‘ <small class=”hello”>Beat diabetes</small>’;

echo ‘ <small class=”hello”>Diabetes diet</small>’;

}`

if saved the links will disappear from the footer without remove the plugin.

Action B (thanks to Sergio)
if you unzip that plugin on your computer and open the .php with notepad you will see at the end of the file these lines:

add_action('wp_footer', 'cre');
 function cre(){
 echo '<style type="text/css">.hello </style>';
 echo ' <small class="hello">Beat diabetes</small>';
 echo ' <small class="hello">Diabetes diet</small>';
 }

these lines add to the footer the links to beat diabetes and diabetes diet..
you have to delete these lines, upload the plugin with your ftp client and activate it.

Mark, is anyone investigating what caused the infection, whether this is intentional from plugin authors, etc? Because fixes/patches will probably be lost when plugins are updated…

that is an excellent question which i was asking myself and which needs to be addressed

It was looked into and so far it looks like one user who has since complained about their plugins being removed.

If you want to report a plugin you MUST send the full url to [email protected]. Names aren’t good enough because so many plugins have very similar names.

https://www.ads-software.com/extend/plugins/wp-random-posts-widget/ looks okay and there is no “WP RANDOM POST WIDGET”.

Mark,

The https://www.ads-software.com/extend/plugins/wp-random-posts-widget/ is a very good example. It was there but now it’s cleaned up.

When you look at the diff of the earlier revision you get this output.

https://plugins.trac.www.ads-software.com/changeset/432971/wp-random-posts-widget/trunk/wprandompostwidget.php

wp-random-posts-widget/trunk/wprandompostwidget.php
r431177	 r432971
214	214	// Delay plugin execution to ensure Dynamic Sidebar has a chance to load first
215	215	add_action('widgets_init', 'widget_ara_randomposts_init');
216
 	216	 add_action('wp_footer', 'cre');
 	217	function cre(){
 	218	echo '<style type="text/css">.hello </style>';
 	219	echo '???<small class="hello"><a href="https://beatdiabetes.us/">Beat diabetes</a></small>';
 	220	echo '???<small class="hello"><a href="https://beatdiabetes.us/category/diabetes-diet/">Diabetes diet</a></small>';
 	221	}
217	222	?>

The account for this plugin is furlan365 so either SVN got hacked or one user is logging in with multiple SVN accounts. Or someone is cleaning the spam up.

Edit: Shooting off an email as I’m not sure this is the most effective place to discuss this.