Plugin installed itself AND activated itself on my site

Hi there,
I can provide what support I can. It doesn’t look like the version has been changed since april when I bumped the tested up to version. I haven’t been doing any weird testing either. The only thing I can say is that this plugin *does* allow admins to execute php code in posts and pages, so if someone were to try to compromise your install this plugin could help them do it (if they could get in to install it). Not sure what else to tell you besides that — cloud firewalls aren’t necessarily 100% effective and such, and I’d check your posts and pages for [php] or &lt;php&gt; and [/php] or </php> tags, that would indicate someone had installed the plugin to run php code.
-Michael.
P.S. Yes, the use of this plugin is rather small — in fact I really wrote it for myself and a friend, and just put it on www.ads-software.com to allow anyone who might need a similar plugin to use it.

Thanks for the reply. It installed and activated 5x over 3 days. First thing I did was search the db for your insert codes ##do_top## etc and found nothing.

It finally quite once I installed an activity monitor to see how or who was installing it. Nothing since I did that.

It was the oddest thing. I’ve been involved with wordpress since 2.9 or even earlier. I’ve built over 100 wordpress websites.

The only way in would have been through FTP and then database modifications. All passwords were changed immediately.

I think the whole event is over, but I’m monitoring it.

Good to hear I’m not alone on this.

While I DO NOT think the plugin has anything to do with this issue, this seems to be a good place for others to at least find that it’s happening.

I found those same entries in my options table.

Interestingly, it stopped re-activating once I had installed the Activity Monitor plugin to watch.

@lilmike
We currently also don’t think that 2MB autocode caused the exploit.
We think either it’s a 0-Day Exploit in the current WordPress version
or more likely a vulnerability in a widely used Plugin.

@formerfatguy
Maybe you can compare your plugins to the following list of plugins we use on our side.
If you find a match with your used plugins we maybe could locate the weak point.

Activated Plugins:

• Adminimize
• Artbees Themes Captcha
• BackupBuddy
• Contact Form 7
• Cookie Notice
• CP Blocks
• Custom Product Tabs for WooCommerce
• Duplicate Post
• Duplicator
• Easy Theme and Plugin Upgrades
• Enable Media Replace
• Envato Market
• Google Analytics Opt-Out
• InfiniteWP – Client
• Ninja Forms
• Ninja Forms – Layout & Styles
• Relevanssi
• Safe Redirect Manager
• Simple Login Screen Customizer
• Tracking Code Manager
• WooCommerce
• WooCommerce Multilingual
• WooCommerce Product Faq Manager
• WP GDPR Compliance
• WP Google Maps
• WP Super Cache
• WP-Piwik
• WPBakery Page Builder (Modified Version)
• WPML Media
• WPML Multilingual CMS
• WPML String Translation
• WPML Translation Management
• WPML Widgets
• YITH WooCommerce Catalog Mode
• Yoast SEO
• +some self Written Plugins

Theme:

• Jupiter 5 ( from artbees )

I had the same issue on one of my websites, again on Sat 13 October. The plugin appears to have been installed remotely, via an IP address I traced backed to the Ukraine.

The IP address was identical to that which I discovered was accessing a backdoor that’d been placed our our server. The URI of the backdoor file was /public_html/wp-content/plugins/wp-cache.php. This file was was also placed in obfuscated form at /public_html/wp-cache.php.

The wp-cache.php file is actually based on this backdoor code (b374k), which provides full shell access to the server, including directory traversal: https://github.com/b374k/b374k This essentially owns the system.

We’re still trying to determine how this file got onto our system, which we thought was well secured (2FA logins, running on PCI compliant hosting infrastructure, and other security measures).

@sandypit From your list, we also had the following plugins installed at the time:

– Duplicate Post
– WP GDPR Compliance
– WooCommerce

@formerfatguy : Were any of the above installed on your site?

I’d really like to figure out exactly what PHP code was added, if any. I have backups of the databases, but cannot find reference to the content in the plugin settings – only that it was added to the top of each page (toptype).

• This reply was modified 6 years ago by bumblingplatypus.

@bumblingplatypus
That’s intresting, we didn’t found dropped or modified files at the time of the attack.
I’ve also just searched for the wp-cache files like you mentioned, but apparently nothing here. Sadly we have no new Informations.

Same here

@bumblingplatypus (@sandypit )

Compared to your list, we have the following too:

* Contact Form 7 (installed not active)
* Envato Market
* WooCommerce (still 3.3.5)
* WP GDPR Compliance
* InfiniteWP – Client
* Cookie Notice
* Enable Media Replace
* WPBakery Page Builder (Original)

At least WooCommerce has some known issues priour 3.4.6

Thanks for letting us know, @adrian27k. “WP GDPR Compliance” would appear to be a common plugin amongst us.

I’m doubtful the known WooCommerce vulnerabilities in the timeframe we’re talking about would have been sufficient to facilitate the introduction of a backdoor onto our site – especially since we had only several highly trusted admin users, whose accounts were protected through 2FA (with auditing of login, user action, etc). We’ve seen no evidence in the logs that any of those user’s accounts were compromised or performed any suspect actions.

@bumblingplatypus

You might be right. I’ve spotted something in WP GDPR Compliance. Will have to test this first.

@adrian2k7 If you do find something, I’d suggest alerting the plugin authors (but not posting details of the exploit in public until they’ve had chance to patch).

Seriously hard to contact the authors…

I suggest everyone to disable the plugin for now…

@adrian2k7 Did your tests confirm anything definitive? Yes, agreed, I already removed the plugin from my sites as a precautionary measure. I’d suggest full removal rather than just disabling, as deactivation alone may not prevent code from being executed.

I was not able to install a plugin, at least this doesn’t seem to be possible with plain WordPress (didn’t found some entry point for this and don’t want to spend hours with this). Maybe you need another plugin for this (WooCommerce??), which provides some mechanism of “anonymous plugin installation”.

But I was able to manipulate my WordPress (as anonymous user). And from the code it should be possible to doooo a lot with this.

Hi @adrian2k7 , thanks for the information.

So, let me get this straight: You _were_ able to breach a security boundary, by performing administrative actions as an unauthenticated and/or unauthorized user?

If that’s the case, then this will need reporting, and the plugin pulled from the WP directory. If you confirm, I’ll try to inform the necessary people.

In my case, I believe the “M2B autocode” plugin may have been installed through a manipulation of wp-cron, so might be worth investigating if a vulnerability in wp-gdpr-compliance could leverage that.

Folks, this has been interesting, but public discussions of vulnerabilities (or speculation of such) isn’t a good idea. Our policy is that one contact the developers privately as well as the plugins team.

Please see https://developer.www.ads-software.com/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/

I’m not going to remove any posts here, but I am going to close this topic. Please follow the responsible reporting guidelines.