• Hi all, I don’t want to be alarmist, but perhaps you can offer some advice.

    A couple of months back I enabled WPSC on a client site, and within 48hrs or so it was ‘hacked’ within embedded scripts in dozens of posts, that hijacked links on the site to redirect visitors off to ‘cutwin.com’, which I believe is an affiliate scheme of some sort.

    Today, I’ve just finished clearing up another instance of this on another site, where links were doing the same thing – embedded scripts in posts linking off to cutwin.com. I had literally 2 hours ago enabled WPSC on it.

    Neither site had had problems in the past, and in fact the latter is running through Sucuri firewall. On the second site in particular, WP and plugins were bang up-to-date – in fact I’d just been upgrading everything today, with only 4 weeks since the last round of upgrades.

    Both sites are running in a reseller account (UK based, reputable), where each website is siloed, so if one is affected, others aren’t.

    I don’t doubt the plugin – I know it’s used by hundreds of thousands of sites. I also have complete confidence in the authors and Automattic. It just seems too much of a coincidence that the two sites (out of dozens we manage) where I’ve seen ‘cutwin.com’ in embedded scripts had recently had WPSC enabled on them. In both cases, the plugin was installed straight from the repository via ‘Plugins > Add New’.

    Have you seen anything like this before, or heard of cutwin.com embedded scripts? Could the directory that is created to hold the cached files be set up with weak permissions on our host? I didn’t get a chance to check the permissions on the folder – I was too busy cleaning up the hack and it got overwritten. Any advice welcome…

    • This topic was modified 6 years, 12 months ago by crdunst.
Viewing 6 replies - 1 through 6 (of 6 total)
  • I have just had the same issue on a site and after a scan it linked it clearly to WPSupercache files. How did you go about removing the cutwin.com links that had been inserted? They seem to remain after deleting WPSupercache; however, they don’t show when logged into WordPress and viewing the site.

    Cheers

    Thread Starter crdunst

    (@crdunst)

    On the instances that I cleaned up, the links themselves weren’t changed, instead <script> tags were inserted in posts. When the page was rendered, those scripts were changing links in the page – in the main nav, sidebar etc.

    Fortunately we had database backups to roll back to remove the scripts themselves. Then we re-uploaded a full fresh copy of WordPress (as backdoors had been dropped in the installation).

    If you don’t have a database backup, you can always as a temporary measure do a find/replace in the DB on the start of the <script tag to something innocuous such as a <br. Then re-upload a fresh copy of WordPress, delete post revisions, and work through those posts to manually remove the now-changed script snippets.

    Disappointed I didn’t get even a token response from Automattic, but we’re no longer using WPSC on any client sites.

    I feel your pain, good luck.

    • This reply was modified 6 years, 10 months ago by crdunst.
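    The clean-up described above (find the injected `<script` tags in post content, neutralise them with a `<br` find/replace as a stop-gap, then work through the affected posts by hand) as an added example; this is not code from the thread or from WP Super Cache. It operates on constructed sample rows standing in for the `post_content` column of `wp_posts` (the `wp_` prefix is assumed), flags posts whose scripts reference the cutwin.com domain named in the thread, and returns the neutralised content so the changed snippets remain visible for manual removal.

```python
import re

# Constructed sample rows in the shape (ID, post_content); not real data from the thread.
SAMPLE_POSTS = [
    (1, "<p>Hello world</p>"),
    (2, '<p>Our services</p><script src="//cutwin.com/x.js"></script>'),
    (3, '<p>Post</p><script type="text/javascript">location.href="https://cutwin.com/?r=1";</script>'),
    (4, "<p>Legit</p><script>console.log('inline');</script>"),
]

# Match a whole <script ...>...</script> block, case-insensitively, across newlines.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def find_injected_scripts(post_content, indicator="cutwin.com"):
    """Return every <script> block in a post that references the indicator domain."""
    return [m.group(0) for m in SCRIPT_TAG.finditer(post_content)
            if indicator in m.group(0).lower()]


def neutralise_scripts(post_content):
    """Stop-gap from the thread: turn each '<script' opener into '<br' so the
    snippet renders as inert markup instead of executing. The closing tag is
    deliberately left in place so the remnant stays easy to spot by hand.
    Equivalent MySQL for the whole table (assumed 'wp_' prefix):
      UPDATE wp_posts SET post_content = REPLACE(post_content, '<script', '<br');
    """
    return re.sub(r"<script\b", "<br", post_content, flags=re.IGNORECASE)


def triage_posts(rows, indicator="cutwin.com"):
    """For each affected post return (ID, number of injected scripts, neutralised content).
    Posts with only scripts that do not reference the indicator are left untouched,
    so a site's own inline scripts are not clobbered by the blanket replace."""
    report = []
    for post_id, content in rows:
        hits = find_injected_scripts(content, indicator)
        if hits:
            report.append((post_id, len(hits), neutralise_scripts(content)))
    return report


if __name__ == "__main__":
    for post_id, count, cleaned in triage_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {count} injected script(s) -> {cleaned}")
```

Run the same triage over `post_type = 'revision'` rows too, since revisions keep a copy of the injected content until they are deleted.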

    Thanks, that seems to be the same on my site – every page, post, and image. I’m just rolling back to try and see whether I have a database backup that is a clean starting point. Cheers for coming back to me.

    It’s not WP Super Cache. I’ve had it installed on my sites since 2007. There’s something else on your site that allowed the hackers to get in, and Supercache just cached the files.

    Thread Starter crdunst

    (@crdunst)

    Hi Donncha, thanks for coming back to me. If it was one site, I’d probably agree with you. In fact the first time it happened I didn’t suspect WPSC – I know it’s in safe hands. When it happened the second time, both cases immediately after installing WPSC, both related to ‘cutwin’, the odds of that happening are extremely small. Also one of the sites was running through a third-party firewall specialist (Sucuri), so it’s even less likely to have been hacked another way.

    Both sites were mature and stable i.e. not migrated from another host, or new to their hosting account where permissions could be set up incorrectly. Both sites were kept up-to-date in terms of updates.

    Not seeing the issue before doesn’t mean it’s not an issue! There’s also another poster above seeing the same thing.

    Perhaps there’s a flaw when WPSC is first enabled, or when the cache is empty – I don’t know, just throwing it out there. If you think about the odds of that happening on two sites directly after enabling the plugin, it’d be a heck of a coincidence.

    Regrettably I’ve lost confidence in the plugin, but take this information and do with it as you wish – I’m just trying to give you some feedback.

    Regards.

    Thanks @crdunst for the extra detail. You’re not the only ones having problems with cutwin.com links, and judging by some of the other threads I came across it can be hard to get rid of them sometimes.

    https://www.ads-software.com/support/topic/sql-injection-cutwin-com/
    https://www.ads-software.com/support/topic/removing-cutwin-traffictrade-scripts/
    https://www.ads-software.com/support/topic/cutwin-javascript-infection-not-detected-by-wordfence/
    https://www.ads-software.com/support/topic/javascript-inserted-at-end-of-a-page-hack/

    Supercache is only caching what the blog serves so it’s not surprising that a scanner found the malware in those files.

    I do believe it was a coincidence that your sites got hacked just after installing WP Super Cache but I will do an audit of the code.

    Meanwhile you should probably continue to run some sort of scanner on your site if no other plugin has been changed since then as the malware might get back in.

  • The topic ‘Two instances of hacked sites after enabling’ is closed to new replies.