• Resolved STP_MTL

    (@stp_mtl)


    Hi
    My hosting company (inmotionhosting) ran a malware scan and confirmed that:

    {
    “malware”: {
    “/home/********/public_html/wp-content/plugins/shortcodes-ultimate/assets/js/ace/mode-php.js”: “function(e,t,n){ …….to much to be copied here……. }
    },
    “tstamps”: []
    }
    I compared with the original code of the plugin, it did get changed.

    Anybody else experienced the same problem? How did you fix it? Should I remove the plugin completely?
    BTW, I’ve installed the latest version of the plugin 5.0.8.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter STP_MTL

    (@stp_mtl)

    In addition, I did a clean install (delete & re-install), then the same problem happens…

    Plugin Author Vova

    (@gn_themes)

    Hi @stp_mtl,

    I compared with the original code of the plugin, it did get changed.

    Could you post here a link to the changed code?

    There was an issue with the inmotion hosting. It was a false positive last time.

    Thread Starter STP_MTL

    (@stp_mtl)

    Hi
    Thanks for your fast reply.
    I’ve shared a file to your gmail address.
    It is a long file, but the start is already different than the original plugin file. Basically, the function starts with:

    Plugin Author Vova

    (@gn_themes)

    The file you shared with me actually differs from the original one. But, I’m unable to find any vulnerabilities in it. Most probably, the file was modified by a third-party plugin or even by your hosting.

    Please contact your hosting provider and make sure their anti-virus hasn’t changed the file.

    Thread Starter STP_MTL

    (@stp_mtl)

    Hi
    Thanks for checking it out.
    I will check with inmotionhosting.
    On the other hand, would changing the file’s owner permission from read&write to read only help?

    Thanks

    Plugin Author Vova

    (@gn_themes)

    would changing the file’s owner permission from read&write to read only help?

    It depends. The file may be changed on behalf of another user with read/write permissions.

    Plugin Author Vova

    (@gn_themes)

    Hi @stp_mtl,

    Have you contacted the hosting? Can I mark this topic as resolved?

    Vladimir Anokhin, The same problem turned up in a scan of my website last night. I have Shortcodes Ultimate 5.2.0 installed on two different WordPress sites, and both have the malicious code present in the file shortcodes-ultimate/assets/js/ace/mode-php.js.

    Contrary to your claim that our files have been modified from their original form, the file is identical to the file downloaded as part of a fresh copy of your plugin from https://www.ads-software.com/plugins/shortcodes-ultimate/

    Note that when I rename the whole “ace” folder, the plugin’s functionality doesn’t appear to be affected. What is Ace for, exactly?

    • This reply was modified 6 years, 3 months ago by henebry.
  • The topic ‘Shortcodes Ultimate is Hacked’ is closed to new replies.
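
The check this thread turns on (comparing the installed plugin files with a fresh copy) and the question of whether owner read-only permissions help, as an added example that is not part of the original thread or the plugin's code. The function names and the sample trees built in `demo()` are constructed for illustration; in practice `compare_plugin` would be pointed at the live plugin directory and an unpacked fresh download.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def walk_files(root):
    """Yield (relative path, full path) for every file under root."""
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def file_map(root):
    """Map each relative path to a SHA-256 digest; symlinks are recorded, not followed."""
    hashes = {}
    for rel, full in walk_files(root):
        if os.path.islink(full):
            hashes[rel] = "symlink:" + os.readlink(full)
        else:
            hashes[rel] = hashlib.sha256(Path(full).read_bytes()).hexdigest()
    return hashes


def compare_plugin(installed_root, pristine_root):
    """Files that differ from, are extra to, or are missing from the pristine copy."""
    installed, pristine = file_map(installed_root), file_map(pristine_root)
    shared = installed.keys() & pristine.keys()
    return {"modified": sorted(p for p in shared if installed[p] != pristine[p]),
            "added": sorted(installed.keys() - pristine.keys()),
            "missing": sorted(pristine.keys() - installed.keys())}


def writable_by_others(root):
    """Regular files with the group or other write bit set (owner read-only does not cover these)."""
    bits = stat.S_IWGRP | stat.S_IWOTH
    return sorted(rel for rel, full in walk_files(root)
                  if stat.S_ISREG(os.lstat(full).st_mode) and os.lstat(full).st_mode & bits)


def demo():
    """Constructed sample trees: the installed copy has one altered, group-writable file."""
    base, rel = Path(tempfile.mkdtemp()), "assets/js/ace/mode-php.js"
    for tree, body in (("pristine", b"ace.define();"), ("installed", b"ace.define();/*changed*/")):
        (base / tree / rel).parent.mkdir(parents=True)
        (base / tree / rel).write_bytes(body)
    (base / "installed" / rel).chmod(0o664)
    return compare_plugin(base / "installed", base / "pristine"), writable_by_others(base / "installed")
```

An empty `modified` list with a scanner hit still present means the flagged content ships in the distributed file itself, which is the situation the last reply describes.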