• Hello and sorry for my English.
    My site was hacked, it seems through a flaw in the plugin.
    For safety I completely deleted my site before reinstalling.
    I also destroyed the database.

    My web host blocked the site from the attack, here’s what they told me. (I’m not an expert …)
    Executing deleted program
    Apparent command: ././crond
    Executable used:/homez.182/biennalelw/www/wp-content/plugins/contact-form-7-to-database-extension/DataTables/.nfs00000000080cd3da00007d78
    Timestamp: 2015-04-10 1:35:04 p.m.

    In the hours that followed, after an attempt to restore the site was started, thirty WordPress files were corrupted.

    Does it concern you?
    (This is a Google translation, I hope it is understandable, I’m French.)

    Dom

    https://www.ads-software.com/plugins/contact-form-7-to-database-extension/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Michael Simpson

    (@msimpson)

    That looks like an executable file was created, placed in one of the plugin’s directories, then accessed. It is not clear that there is a vulnerability in CFDB that allows the creation of that file (I doubt it). I’ll look into whether I can put in something to lock down that directory.

    If you have any more information, please provide.

    Thread Starter Dom Martigne

    (@dom-martigne)

    Hello Michael,
    I have no other information.
    I can send you what happened next. When I relaunched the website I launched a scan.
    I tested several plugins; all the forms were then affected, and the themes and various files.
    If you want the log of the scan I can send a e-mail address

    Dominique

    Thread Starter Dom Martigne

    (@dom-martigne)

    Google translate !!!!!

    If you want the log of the scan I can send it to an e-mail address.
    (Is it more readable?…)
    You can contact me through my old website : https://martigne.fr/2014/contact.php

    Dominique

    Plugin Author Michael Simpson

    (@msimpson)

    Thank you. Please email to [email protected]

    Plugin Author Michael Simpson

    (@msimpson)

    What I see in the scan is that many files have been changed by the attack on your site. This is not limited to CFDB, but impacts various plugins and themes. CFDB files were corrupted but I don’t think CFDB was the cause (only the victim).

    You should immediately delete all these plugins and themes and re-install them.

    Plugin Author Michael Simpson

    (@msimpson)

    For your information:
    https://serverfault.com/questions/201294/nfsxxxx-files-appearing-what-are-those

    The above link explains the existence of the .nfs00000000080cd3da00007d78 file. Some file was being deleted but it was still in use. Presumably it was being read by some program. So the file is renamed until it can be safely deleted by the operating system.

    Why this happened is not entirely clear. Perhaps the attack was deleting valid plugin files but in one case that file was simultaneously being accessed by the web server.
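
Added example, not part of the original thread or of CFDB: a Python check for the condition behind the host's "Executing deleted program" alert, flagging processes whose executable has been unlinked or is an NFS `.nfsXXXX` leftover like the one discussed above. The function names, reason labels and the `/wp-content/` marker are assumptions; the sample input is constructed from the path and command name in the host's report.

```python
import os
import re

# NFS "silly rename": a file removed while still open is renamed to .nfs<hex digits>.
NFS_SILLY = re.compile(r"^\.nfs[0-9a-fA-F]{8,}$")
DELETED_SUFFIX = " (deleted)"  # Linux appends this to /proc/<pid>/exe once the file is unlinked

def classify(exe_target, argv0, web_markers=("/wp-content/",)):
    """Return the reasons a process resembles the host's alert (empty list = nothing found)."""
    reasons = []
    path = exe_target
    if path.endswith(DELETED_SUFFIX):
        reasons.append("exe-unlinked")
        path = path[: -len(DELETED_SUFFIX)]
    exe_name = os.path.basename(path)
    if NFS_SILLY.match(exe_name):
        reasons.append("exe-nfs-silly-rename")
    if any(marker in path for marker in web_markers):
        reasons.append("exe-in-web-content")
    # argv[0] often differs legitimately, so report it only alongside another indicator.
    if reasons and argv0 and os.path.basename(argv0) != exe_name:
        reasons.append("argv0-mismatch")
    return reasons

def scan_proc(proc="/proc"):
    """Classify every process visible under a Linux /proc; returns a list of findings."""
    findings = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, entry, "exe"))
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # kernel thread, exited process, or insufficient permission
        reasons = classify(exe, argv0)
        if reasons:
            findings.append((int(entry), exe, argv0, reasons))
    return findings

# Constructed sample: the executable path and command name from the host's report.
REPORTED = ("/homez.182/biennalelw/www/wp-content/plugins/contact-form-7-to-database-extension"
            "/DataTables/.nfs00000000080cd3da00007d78", "././crond")

if __name__ == "__main__":
    print("reported case:", classify(*REPORTED))
    for finding in (scan_proc() if os.path.isdir("/proc") else []):
        print(*finding)
```

A silly-renamed file is still present on disk under its `.nfs` name, so its `/proc/<pid>/exe` link does not carry the ` (deleted)` suffix; that is why the name pattern is checked separately.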

    Thread Starter Dom Martigne

    (@dom-martigne)

    I deleted the whole website and DB after the second day …
    On the first day just CFDB was corrupt.
    But indeed it could have come from elsewhere; that is beyond my skills.
    I hope there will be more problems, good day to you.

    Thread Starter Dom Martigne

    (@dom-martigne)

    For your information, I don’t know if it is important.

    A person, or a machine, tried to use this address:
    https://mywebsite.xxx/wp-content/plugins/contact-form-7-to-database-extension/CFDBExport.php

  • The topic ‘Security vulnerability Contact Form DB ?’ is closed to new replies.