• Hi,

    This morning I opened my Webmaster Tools and found a lot of entries that have nothing to do with my website. I have been investigating it, and it turns out that somehow a bot under a Google IP (hack) registered some entries in your plugin database to apply some redirections to nonsense content, and Google has indexed all that content.

    Somehow a robot managed to write to the .htaccess file through your plugin.

    https://www.ads-software.com/plugins/redirection/

Viewing 15 replies - 1 through 15 (of 26 total)
  • Thread Starter andresmolina

    (@andresmolina)

    So I got no answer on this, right?

    Ok.. if you prefer to ignore the support and wait till my message disappears in the long list of support, it is up to you.

    Just an update regarding this: as soon as I deleted the plugin, and cleaned my DB and .htaccess file, I had no more intrusions in my DB THROUGH your plugin. It must have some kind of vulnerability that someone has spotted and used against the people that have this plugin installed.

    Thanks
    Kind regards

    Can you advise how they managed to do this?

    Just interested, as I have the Redirection plugin on many sites and would be very interested in how this has happened.

    Often hacks will change htaccess files but if you think the redirection plugin is to blame please advise how you found this to be the case.

    Thread Starter andresmolina

    (@andresmolina)

    Well, pretty easy to spot and confirm it was this plugin.

    First: the exact same URLs created and indexed by Google (now I’m having to deal with over 5000 pages indexed), all of them created out of nowhere in the Redirection plugin, trying to redirect to a website selling T-shirts.

    If you delete them manually from the plugin, you just have to wait 20 minutes and they come back up again in the module.

    Second: to confirm it, as soon as I deleted the plugin and all its DB, and corrected the .htaccess file, it stopped redirecting and creating new ones. And now I’ve got over 5000 404 error pages indexed and showing as meta titles some sort of selling sport T-shirts, which has nothing to do with my business.

    As I said at the beginning of this thread, I was so happy with this plugin until this happened, which is a high vulnerability (somewhere in the code. Sorry not to be able to be more specific on where the vulnerability occurs). But moreover, now that the author of the plugin is ignoring me, I’ve got it more clear… I will never ever install this plugin again, and I would not recommend anyone to install it.

    You can believe me or not on all this I’m telling you, but I seriously hope you don’t get f**** just like it happened to me, because now it is a serious manual job to resolve this.

    Thanks
    Kind regards

    Is it possible there was some other vulnerability, or another “way in” which just allowed the hackers/bot to get access to the redirection plugin?

    Heck, I don’t know…

    Either way, maybe try reporting this to someplace like Wordfence:

    https://www.wordfence.com/contact/

    Even if you don’t use their product, you can give them the details. They will likely test it themselves and if nothing else they send out alerts to a pretty wide email list. Something like that might likely get the developer’s attention.

    Thanks for reporting this though!

    Thread Starter andresmolina

    (@andresmolina)

    I would love to do so, the problem is that right now, I sorted out my site, so there is no way I can provide them with much information.

    As you mentioned, it could be some other vulnerability that, combined with the Redirection plugin, makes WordPress so vulnerable against this type of attack, but as you might notice, the author of the plugin is not even trying to help the users of his plugin or defend his plugin’s integrity.

    Once more I just hope none of you get ***** and hopefully someone (the plugin author, WordPress or god) will fix this so no one else gets affected by it. Right now I reduced the 404 error pages indexed by Google to 4000, which is 1000 less than a few days ago.. Hope I can finish with this by the end of the next week.

    Thanks
    Kind regards

    If you know of a vulnerability in a plugin the proper way to report it is by sending an email to plugins [at] www.ads-software.com.

    If this plugin was being exploited there should be evidence of that in the log files or if something else was the cause there also should be evidence of that in the log files as well. So you would want to review those and then if it is this plugin, provide details of what exactly was being accessed in the plugin, directly to the developer and/or to that email address, so that the vulnerability can be confirmed and fixed.
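The log review suggested in the reply above, as an added example that is not part of the thread: it pulls out of a web server access log the requests that touch the plugin's directory or post to WordPress's login and admin endpoints, and counts them per client IP. The log format (Apache/Nginx "combined"), the standard plugin path and the sample lines are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumptions: the plugin sits in the standard WordPress plugin directory, and
# logins and state-changing requests arrive through the endpoints listed below.
PLUGIN_DIR = "/wp-content/plugins/redirection/"
WATCH_PREFIXES = ("/wp-admin/", "/wp-json/", "/xmlrpc.php", "/wp-login.php")

def triage(lines):
    """Return (hits, per_ip): entries worth reading, and a hit count per client IP."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of guessing
        e = m.groupdict()
        touches_plugin = PLUGIN_DIR in e["path"]
        is_write = (
            e["method"] in ("POST", "PUT", "DELETE")
            and e["path"].startswith(WATCH_PREFIXES)
        )
        if touches_plugin or is_write:
            hits.append((e["ts"], e["ip"], e["method"], e["path"], e["status"]))
            per_ip[e["ip"]] += 1
    return hits, per_ip

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2016:06:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2016:06:02:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48 "-" "curl/7.47"',
    '203.0.113.9 - - [12/Mar/2016:06:02:45 +0000] "GET /wp-content/plugins/redirection/readme.txt HTTP/1.1" 200 900 "-" "curl/7.47"',
    '198.51.100.7 - - [12/Mar/2016:06:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for h in hits:
        print(*h)
    print(per_ip.most_common())
```

Hits on the login endpoint shortly before the first unwanted redirect appears point to the "other way in" raised earlier in the thread rather than to the plugin itself.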

    Thread Starter andresmolina

    (@andresmolina)

    Hi White,

    Don’t get me wrong.. But I had no time to play around grabbing information to send, I was so into fixing my web. I will try to find logfiles etc, but to be fair I think my hosting provider cleaned up everything, and I’m not really sure where to look.

    The only clue I can give you is that the hack came from this IP address (now blocked on my .htaccess) 104.31.64.169 and the hosting guys fixed it and they categorically said “Yes it is definitely it came through this plugin, and some sort of vulnerability”. The proof is that since they deleted the plugin altogether (db and files) and cleaned it up, it never happened again.

    PS: Is it just me who thinks the attitude of the plugin author with regard to this issue is unacceptable?

    Thanks
    Kind regards

    Do you happen to have a copy of that original .htaccess file from before you deleted it?
    Did it have other text in addition to the usual:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    This is the only suggestion of a vulnerability that I was able to find in 10 pages of the Redirection support threads. It is quite likely that access was gained through some other plug-in, or a vulnerability elsewhere, and the hacking agent simply utilized this plug-in once inside. You should change or delete your review, unless you can provide the documentation to back up your claim that it was a vulnerability in this plug-in.
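The comparison asked for above, whether the .htaccess held anything beyond the usual WordPress block, as an added example that is not part of the thread: it reports every directive outside the WordPress markers and every line inside them that is not in the stock block quoted in the post. It assumes a single site installed at the web root, as in that block; the sample file is constructed.

```python
# Stock block WordPress writes between its markers, as quoted in the thread.
# Assumption: single site at the web root (RewriteBase /).
STOCK_BLOCK = [
    "<IfModule mod_rewrite.c>",
    "RewriteEngine On",
    "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
    "</IfModule>",
]
BEGIN, END = "# BEGIN WordPress", "# END WordPress"

def audit_htaccess(text):
    """Return (outside, unexpected): directives outside the WordPress markers,
    and lines inside the markers that are not part of the stock block."""
    outside, inside, in_block = [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == BEGIN:
            in_block = True
        elif line == END:
            in_block = False
        elif line.startswith("#"):
            continue  # comments cannot redirect anything
        elif in_block:
            inside.append((n, line))
        else:
            outside.append((n, line))
    unexpected = [(n, l) for n, l in inside if l not in STOCK_BLOCK]
    return outside, unexpected

# Constructed sample: one added rule above the markers, one inside them.
SAMPLE = "\n".join(
    ["RewriteEngine On", r"RewriteRule ^tshirt-(.*)$ http://shop.example/$1 [R=301,L]", "", BEGIN]
    + STOCK_BLOCK[:4] + ["Redirect 301 /news http://shop.example/"] + STOCK_BLOCK[4:] + [END]
)

if __name__ == "__main__":
    outside, unexpected = audit_htaccess(SAMPLE)
    print("outside markers:", outside)
    print("inside markers, not stock:", unexpected)
```

Lines reported outside the markers are not automatically hostile, since other plugins and the hosting panel also write there; each one needs an owner.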

    Thread Starter andresmolina

    (@andresmolina)

    Hi Jjanthony,

    With all due respect, you can be sure I’m not going to delete or amend this post. I still have faith it will help some others, preventing them from getting hacked. Being the first affected by it does not mean it is not true.

    How can you “tell” what the hacking agent did, having no clue and information about this whatsoever? Clearly, throwing out this comment tells me you are an angry plugin owner or a friend of his. If that is the case you had better tell him to pay attention to his support tickets and not simply ignore them.

    If by any chance you have nothing to do with the plugin, I really do not understand why you want to hide/bury this serious problem, instead of supporting the matter. This is a community and all that I wrote here was to help the plugin owner and users to make it better.

    FYI it has now been a few weeks and I finally managed to delete all the URLs indexed in Google thanks to the vulnerability of this plugin. Yes, I still insist on this as, previously mentioned, the hosting provider told me with no doubt about it, THIS PLUGIN HAS A VULNERABILITY THAT SOME BOT IS EXPLOITING.

    And once and last, if the plugin owner is interested in sorting this out he should be here providing support and fixing his plugin or at least defending its “innocence”.

    Kind regards,
    Have a good day

    [ No bumping please. ]

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    FYI it has now been a few weeks and I finally managed to delete all the URLs indexed in Google thanks to the vulnerability of this plugin. Yes, I still insist on this as, previously mentioned, the hosting provider told me with no doubt about it, THIS PLUGIN HAS A VULNERABILITY THAT SOME BOT IS EXPLOITING.

    Really?

    *Looks at topic and plugin*

    It’s been explained to you already what you should do if that’s the case but you seem to have an axe to grind with this plugin.

    The only thing that you’ve repeatedly demonstrated is that your site was compromised.

    And once and last, if the plugin owner is interested in sorting this out he should be here providing support and fixing his plugin or at least defending its “innocence”.

    No.

    Look, you’re not owed any support for a free plugin. If you never hear from the author then that’s fine. He doesn’t owe you a reply.

    You’re making accusations without doing the work needed to back that up. Someone attempted to explain that to you, and you accused another forum member of a cover up. That’s not going to convince anyone.

    If you’re willing to help and provide information besides “it must be this plugin” then great. Maybe there is a problem here with this plugin. But open attack vectors aren’t kept secret by “the bad guys” and I don’t see a flood of “I’m hacked topics” in this support forum despite 500,000+ active installations.

    Unless you can provide real data, it’s likely not the plugin. Your site was compromised and I hope you’ve successfully deloused your installation.

    Thread Starter andresmolina

    (@andresmolina)

    You can be sure, I have no axe to grind with this plugin, what I do have is a direct problem with plugin owners not answering support.

    Despite that you think that because it is free he needs to give no support, even if that is the case in this community, I still insist it is not ethical, it is not proactive, and it is definitely not good for the community.

    What I’m not owed for a free plugin is to claim collateral damage, which I’m not doing regardless of all the trouble it caused, but support is the minimum we all, the whole community, deserve for a plugin, even if it is free. I’m not asking him to solve my issues, I’m just demanding some help from the plugin owner.

    Are you seriously asking me if I’m willing to help?? It is funny that you now put in doubt my willingness in this matter… Why don’t you do that to whom you really need to? Don’t worry about the flood, it will come. I’m not Nostradamus, it is just common sense.

    By the way, even if you guys were right and the hack did not directly come through this plugin (which, from the info I got, it does), having a plugin that can be exploited through someone else’s hacked system (and yes, you can be sure the exploit comes from THIS PLUGIN), I don’t think that ignoring the fact that it can be exploited makes a good plugin out of Redirection. Moreover, thinking once more about the lack of support and will to improve his own plugin.

    Thanks for your last phrase, and I’m getting there in terms of fixing the whole problem.

    Kind regards

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Are you seriously asking me if I’m willing to help??

    No. I’m seriously asking you to provide useful data and make your case. You’ve not done that and this topic really isn’t being productive.

    having a plugin that can be exploited through someone else’s hacked system

    No. Once you’re hacked then the exploit can be anywhere. When someone can run arbitrary code on your site, blaming the target because you’ve been hacked really doesn’t matter. The root cause is that you were hacked and I’d make the case that all of your problems were in your now deleted .htaccess file. That’s where that sort of thing lives.

    Thread Starter andresmolina

    (@andresmolina)

    Look Jan, take this as you want… I’m not arbitrarily blaming him for no reason..

    I do have backups of the .htaccess file, I do have backups of when the web was hacked, backups of database and files… so please stop this… All the problems weren’t in the .htaccess file, that was ANOTHER consequence of the hacking. If you weren’t solving the issue here with me and my hosting company don’t make assumptions, as you will probably be wrong.

    I will be more than happy to provide files and database once the plugin owner wants to take action on this, simple as that. And I wish he does it and proves that I’m wrong, in which case I will apologize, amend the thread etc., but I’m quite convinced I’m right.

    PS: I did take steps proposed in this thread like the Wordfence thing etc. So it is not a problem of proactivity.

    Thanks
    Kind regards

    Someone’s a little defensive lol. I think probably the only one angry is the guy who got his site hacked, which is frustrating, but there is still a lack of evidence as to what exactly caused it, so no need to slander the plug in or the author. You brought the possibility to his attention, but it’s all a big “maybe” so I stand by my request (which I think is in the interest of all honesty and integrity) that you amend your review.

  • The topic ‘Hacked through your plugin’ is closed to new replies.