• Hello,

    I just got a message from my client. They were contacted by another company who had their site hacked. They had used Sucuri to identify that loads of HTML files had been loaded into a scripts folder within the limit-login-attempts plugin folder. The infection got in through an inserted line in limit-login-attempts.php.

    The HTML files in the new scripts folder were all retail things for Christian Louboutin shoes and similar things. There were about 50 files.

    I went to check the site and the login page had been blocked due to too many attempts – I hadn’t attempted any login on that site for a few weeks.

    Is there a security flaw on this plugin now? I have deleted it and all the files in the meantime.

    Has anyone else come across this?

    https://www.ads-software.com/plugins/limit-login-attempts/

Viewing 8 replies - 31 through 38 (of 38 total)
  • I use Akismet and it works perfectly. Not sure why everyone doesn’t use it…

    Moderator James Huff

    (@macmanx)

    Akismet is an anti-spam plugin. It has absolutely nothing to do with Limit Login Attempts, which protects WordPress from brute-force login attacks.

    Alright, ladies and gents – I’ve scoured through the code, and I’ve had a couple of others scour through the code, and the code looks good. Nothing makes it seem viable as a point of entry or a cause/source of a hack (so it’s possible it was a security issue on the server, or in WordPress itself).

    I’ve reinstalled the plugin, and am back to blacklisting the people that attempt to brute force logins against my sites.

    I’m working on a couple upgrades to it as well, as time allows.

    I’ve had a steady flow of login attempts reported while this plugin has been installed on two different servers with WordPress installations. Similar invalid usernames and number of attempts for semi-valid usernames. This has gone on for almost a year.

    What does not make sense to me is that one site is a non-published site that only 3 people in the world know about. The only common factor is that this plugin is installed on both sites. Are these attacks real? If so, how come the attacks so closely resemble each other?

    Anyway, tonight I loaded Wordfence on both server installations and ran full scans. Nothing out of place. All good results. And now the Limit Login Attempts plugin is uninstalled and deleted from both to see if the constant level of illegal logins continues.

    I think the original poster was mistaken in thinking that this plugin was the vector for the hack they experienced.

    It seems far more likely that there was some other entry point to their site and that the code for this plugin was modified as a result of that hack. Not that this plugin was the cause of that hack.

    It’s a bit like waking up to find that both your house and your neighbor’s house have both been painted pink in the middle of the night. Then immediately running next door to blame your neighbor for painting your house pink.

    So far no one has found a security vulnerability in this plugin.

    DavidFB

    (@davidfb)

    thereigo
    If a computer of any kind is online, it will get noticed by both search bots and hacker bots. If you use fancy techniques in Google, for example, it will display people’s personal file stashes on servers that are unlinked on the web.

    Just because you have an unlinked server, it still has an IP and is still accessible so will be found.

    I used to have an old server I used solely for monitoring the status of other servers. It got attacked regularly.

    The fact that the plugin logs attempts does not make the plugin the problem.

    DavidFB

    (@davidfb)

    I’d agree with Jon Brown.

    Just because the hack placed the files inside the plugins folder and the scan ID’d that as the “source” does not mean it was a flaw in the plugin. If you have system access, you can place stuff anywhere.

    Lots of hacks mask their activity by hiding in other places. This one apparently uses LLA as the hiding place because it’s a popular plugin.

    Uninstalling LLA will remove that repository location but odds are good it won’t block or solve the hack. Hacks are typically sophisticated enough to use multiple possible deposit locations.

    Thus, uninstalling LLA probably would not block the hack.

    If it’s depositing sales pages, it’s using the site to serve the pages. How is it making them visible on the web? Who is it reporting to?

    As mentioned by others, secure sites like WPEngine install LLA by default. As they also block security problems, plugins that thrash the database or related posts plugins that bog servers, it’s a pretty strong endorsement. I use this plugin happily.

    https://wpengine.com/support/disallowed-plugins/
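The point made above, that a hack with filesystem access can drop files into any plugin folder and that a modified plugin file is a symptom rather than the cause, suggests the check a site owner actually wants: compare the live plugin directory against a hash manifest taken from a clean copy. The following is an added example, not code from the thread or from the Limit Login Attempts plugin; the plugin files and the "compromise" it builds are constructed in a temporary directory purely for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(plugin_dir: Path) -> dict:
    """Hash every file of a known-clean plugin copy (relative posix path -> sha256)."""
    return {p.relative_to(plugin_dir).as_posix(): sha256_of(p)
            for p in plugin_dir.rglob("*") if p.is_file()}


def audit_plugin(plugin_dir: Path, manifest: dict) -> dict:
    """Report files absent from the manifest (dropped HTML pages), files whose
    hash changed (an inserted line in a .php file) and files that vanished,
    whichever subdirectory they sit in."""
    unexpected, modified = [], []
    for p in plugin_dir.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(plugin_dir).as_posix()
        if rel not in manifest:
            unexpected.append(rel)
        elif sha256_of(p) != manifest[rel]:
            modified.append(rel)
    missing = [rel for rel in manifest if not (plugin_dir / rel).is_file()]
    return {"unexpected": sorted(unexpected), "modified": sorted(modified),
            "missing": sorted(missing)}


def demo() -> dict:
    """Constructed scenario mirroring the thread: snapshot a clean copy, then
    simulate the compromise (one appended line, spam HTML in a new scripts/)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "limit-login-attempts"
        plugin.mkdir()
        (plugin / "limit-login-attempts.php").write_text("<?php\n// plugin code\n")
        (plugin / "readme.txt").write_text("=== Limit Login Attempts ===\n")
        manifest = build_manifest(plugin)
        with (plugin / "limit-login-attempts.php").open("a") as f:
            f.write("// line inserted by the attacker (constructed, inert)\n")
        (plugin / "scripts").mkdir()
        (plugin / "scripts" / "sale.html").write_text("<html>constructed spam</html>")
        return audit_plugin(plugin, manifest)
```

Run against a real install, the manifest comes from a fresh download of the same plugin version, and the same audit applied to every plugin and theme directory shows whether LLA was the only hiding place or just the one the scanner noticed first.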

    WPDogger

    (@wpdogger)

    Jim Brown is correct. Limit Login Attempts prevents hackers from cracking the admin login password. That has nothing to do with HTML files being loaded onto the server. It looks like the servers have been hacked, not this plugin.

    I’ve installed it on over 50 sites and use a secure setup when installing the sites. I’ve never had a site hacked, nor has anyone broken into the admin areas for any of the sites.

  • The topic ‘Plugin hacked’ is closed to new replies.