• Resolved c

    (@igneous)


    I’ve been getting this JS injected into my site for the past couple of weeks, and have had an incredibly hard time tracking it down. I have been editing my theme, removing ads, turning off plugins, running malware scans on my server, etc. Finally today I turned off Jetpack and it seems to have completely gone away. It’s been very hard to target, because the ad wouldn’t load each time you open the site. Sometimes it would take hours and multiple types of browsers before I could see it happen again. I would love to look through my Jetpack code to see what they hacked, but this plugin has so much stuff in it, I don’t know where to start. I also don’t want to waste hours doing this. Is this a somewhat common hack? Any tips for looking through the Jetpack code?

    https://www.ads-software.com/plugins/jetpack/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor csonnek

    (@csonnek)

    Happiness Rocketeer

    Without more specifics into the problem, I really can’t speak to whether or not it’s common. Jetpack is a widely used plugin, but any hacks specific to the plugin are rare. I’ve been doing support for Jetpack over three years and I’ve not seen an incident of hacking that was solely due to Jetpack; most times it’s a MySQL injection or other vulnerability in WordPress, whether in the software itself or by poor user security practices.

    What version of Jetpack are you using? What version of WordPress? Have you deleted and reinstalled a fresh copy of Jetpack downloaded directly from our plugin page on www.ads-software.com? Have you turned on a default WordPress theme to rule out a theme vulnerability? Are all your other plugins up to date and have you tried turning them all off? Have you changed your database, hosting, and user passwords after the first incident?

    Since you mention it’s been hard to target, have you tried a paid service like Sucuri or WordFence to pinpoint and remove bad code? I’d recommend that direction, then with that data on the vulnerability, you’ll be able to reach out to the developer of the theme or plugin that was indeed open to that type of attack.

    Let me know if you have any questions.

    Thread Starter c

    (@igneous)

    Everything, including WordPress, is on its latest version; WordPress was upgraded after this started happening.

    I’ve been fighting this for weeks now, and I’m 99% sure that it’s Jetpack now. I’ve had Jetpack disabled for a day now and this has yet to happen again. I’ve run every malware scan and plugin possible and none of them picked up on it. Is there anyone at WordPress/Jetpack I can send my Jetpack plugin files to for a look? I’ve been looking through some of the files, but there are so many of them. Plus I don’t entirely know what to look for. I want to download Jetpack and get it installed again because I love this plugin, but I would like to know where the issue came from inside Jetpack.
    Thanks

    Plugin Contributor csonnek

    (@csonnek)

    Happiness Rocketeer

    Please try deleting Jetpack specifically from the Plugins section of your blog’s Dashboard. If your Jetpack files were infected, this will replace them with clean copies.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    lakelounge

    (@lakelounge)

    Sorry to post to this “old” thread, but I have some similar problems, I guess. My mail queue has hundreds of mails, trying to send to domains like @qq.om or @pp.cm. I did malware scans, research for infections, and ran iThemes Security and Wordfence tests. After a long time of fiddling around I had a look into the access.log of the web server (I hadn’t done this earlier because I thought it was a mail problem) and found nearly 300 log entries in 2 minutes of this:

    103.214.169.108 - - [04/Nov/2016:23:59:58 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 200 31895 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.214.169.108 - - [04/Nov/2016:23:59:58 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 200 31895 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.193.247.85 - - [04/Nov/2016:23:59:58 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 200 31895 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.193.247.85 - - [04/Nov/2016:23:59:58 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 200 31895 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.193.180.73 - - [04/Nov/2016:23:59:58 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 200 31895 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.193.180.73 - - [04/Nov/2016:23:59:58 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 200 31895 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    
    

    which gave me the idea to disable the Jetpack plugin, and from that minute the log entries and the spam-sending from my server stopped.

    Sounds similar?

    I have to try to reactivate the plugin these days and see if spam-sending starts again …
    Anyone have an idea?
    Thanks for any help or questions …

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    @lakelounge Thanks for the report. We had added a honey pot to catch spammers and avoid those issues, but it looks like some spammers found a way through. We’ll work on getting this fixed.

    Until this is fixed, you can either remove the Email sharing button from your site, or implement ReCaptcha as I recommended in the other thread where you commented:
    https://www.ads-software.com/support/topic/jetpack-sharing-email-can-be-abused-for-spam/#post-8160632

    lakelounge

    (@lakelounge)

    Thanks a lot, I have already done this … works perfectly. The requests still hit my server but no more spam mails in the queue … unfortunately I can’t do a tcpdump because I do not have the permission on my server … otherwise I could look into the network traffic to see what the guys are posting.
    Actually there are mostly 4 hits per IP address:

    103.214.168.28 - - [05/Nov/2016:13:35:10 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.214.168.28 - - [05/Nov/2016:13:35:10 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.214.168.28 - - [05/Nov/2016:13:35:10 +0100] "GET /informationen/karte/?shared=email&msg=fail HTTP/1.1" 200 34209 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.214.168.28 - - [05/Nov/2016:13:35:10 +0100] "GET /informationen/karte/?shared=email&msg=fail HTTP/1.1" 200 34209 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.214.171.165 - - [05/Nov/2016:13:35:14 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.214.171.165 - - [05/Nov/2016:13:35:14 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.213.251.246 - - [05/Nov/2016:13:35:15 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.213.251.246 - - [05/Nov/2016:13:35:15 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.184.13.47 - - [05/Nov/2016:13:35:15 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.184.13.47 - - [05/Nov/2016:13:35:15 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.214.171.165 - - [05/Nov/2016:13:35:14 +0100] "GET /informationen/karte/?shared=email&msg=fail HTTP/1.1" 200 34209 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.214.171.165 - - [05/Nov/2016:13:35:14 +0100] "GET /informationen/karte/?shared=email&msg=fail HTTP/1.1" 200 34209 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.228.131.135 - - [05/Nov/2016:13:35:15 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.228.131.135 - - [05/Nov/2016:13:35:15 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.184.13.47 - - [05/Nov/2016:13:35:15 +0100] "GET /informationen/karte/?shared=email&msg=fail HTTP/1.1" 200 34209 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.184.13.47 - - [05/Nov/2016:13:35:15 +0100] "GET /informationen/karte/?shared=email&msg=fail HTTP/1.1" 200 34209 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.213.251.246 - - [05/Nov/2016:13:35:15 +0100] "GET /informationen/karte/?shared=email&msg=fail HTTP/1.1" 200 34209 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    103.213.251.246 - - [05/Nov/2016:13:35:15 +0100] "GET /informationen/karte/?shared=email&msg=fail HTTP/1.1" 200 34209 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.193.247.85 - - [05/Nov/2016:13:35:16 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    118.193.247.85 - - [05/Nov/2016:13:35:16 +0100] "POST /informationen/karte/?share=email&nb=1 HTTP/1.1" 302 336 "https://www.fuenfseenland.de/informationen/karte/?share=email&nb=1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    
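The pattern in the log excerpts above (repeated POSTs to the page with `share=email&nb=1`, each followed by a GET of `?shared=email&msg=fail`, a handful of hits per source address within the same second) is easy to pick out of an access log automatically. The following is an added example, not code from this thread, from Jetpack or from WordPress: it parses combined-format access log lines like the ones posted, counts email-share form submits per IP in a sliding time window, and reports addresses that exceed a threshold. Such a list is what you would feed into a firewall or CDN block rule rather than reading the log by eye. The sample lines it runs on are constructed (documentation-range IPs, placeholder referer) to match the posted format; the window and threshold values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format, the shape of the lines posted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_email_share_post(rec):
    """True for a POST whose query string carries share=email (the sharing form submit).
    The follow-up GET carries shared=email and is deliberately not counted."""
    if rec["method"] != "POST":
        return False
    query = parse_qs(urlsplit(rec["path"]).query)
    return query.get("share") == ["email"]


def find_share_abusers(lines, window_seconds=60, threshold=3):
    """Return {ip: n} for every IP that submits the email share form at least
    `threshold` times inside some `window_seconds`-long span (sliding window per IP)."""
    window = timedelta(seconds=window_seconds)
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_email_share_post(rec):
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    abusers = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        left, best = 0, 0
        for right in range(len(stamps)):
            # advance the left edge until the span fits inside the window
            while stamps[right] - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            abusers[ip] = best
    return abusers


def _line(ip, ts, request, status, size):
    # Constructed log line in combined format; referer and user agent are placeholders.
    return (f'{ip} - - [{ts} +0100] "{request} HTTP/1.1" {status} {size} '
            f'"https://example.com/informationen/karte/?share=email&nb=1" '
            f'"Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"')


SHARE = "POST /informationen/karte/?share=email&nb=1"
FAIL = "GET /informationen/karte/?shared=email&msg=fail"

# Constructed sample log (documentation-range IPs), modelled on the posted lines.
SAMPLE_LOG = [
    # a bot burst: four form submits from one address within three seconds
    _line("198.51.100.7", "05/Nov/2016:13:35:10", SHARE, 302, 336),
    _line("198.51.100.7", "05/Nov/2016:13:35:10", SHARE, 302, 336),
    _line("198.51.100.7", "05/Nov/2016:13:35:10", FAIL, 200, 34209),
    _line("198.51.100.7", "05/Nov/2016:13:35:11", SHARE, 302, 336),
    _line("198.51.100.7", "05/Nov/2016:13:35:13", SHARE, 302, 336),
    # a single human share: one submit, then the result page
    _line("203.0.113.5", "05/Nov/2016:13:40:02", SHARE, 302, 336),
    _line("203.0.113.5", "05/Nov/2016:13:40:03",
          "GET /informationen/karte/?shared=email&msg=sent", 200, 34209),
    # three submits spread over ten minutes: below the one-minute threshold
    _line("203.0.113.9", "05/Nov/2016:13:50:00", SHARE, 302, 336),
    _line("203.0.113.9", "05/Nov/2016:13:55:00", SHARE, 302, 336),
    _line("203.0.113.9", "05/Nov/2016:14:00:00", SHARE, 302, 336),
    # an ordinary page view, not a share at all
    _line("203.0.113.9", "05/Nov/2016:14:00:01", "GET /informationen/karte/", 200, 34209),
    "this line is not a log line and is skipped",
]


if __name__ == "__main__":
    for ip, n in sorted(find_share_abusers(SAMPLE_LOG).items()):
        print(f"{ip}: {n} email-share POSTs within 60s")
```

On the constructed sample only the bursting address is reported; the slow repeater is caught by widening the window (for example to 15 minutes), which is the knob to turn if the bots space their requests out. Matching on the parsed `share` query parameter rather than a substring keeps the `shared=email&msg=fail` result-page GETs, which every submit produces, out of the count.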
    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    @lakelounge If you still get hits from bots, it might be best to just block those IP addresses altogether, or use a service like CloudFlare that will notice the patterns and block these types of requests. For example, if you use CloudFlare, you could create a Page Rule to redirect the bots to a YouTube video before the request hits your server:

    https://i.wpne.ws/i2D4

  • The topic ‘Jetpack hacked’ is closed to new replies.