Version 3.0.6 still hacked?

  • Resolved David

    (@integralvision)


    9 years, 3 months ago

    My site was affected by the vulnerability in earlier versions of Fancybox in that iPhone and iPads were being redirected to random porn sites. I deleted the plugin and all returned to normal. I noticed that there was a fixed version available and installed Version 3.0.6. Immediately the iPhone porn redirects appeared again.

    Is this the same vulnerability or is my site caching the hack somehow. I checked the database and could find no reference to Fancybox that seemed relevant and do not have a caching plugin.

    Thanks for any pointers. I will remove the plugin for now.

    https://www.ads-software.com/plugins/fancybox-for-wordpress/

Viewing 2 replies - 1 through 2 (of 2 total)

  • Hi,

    The info you provided suggests you removed the plugin but not its settings, meaning the malware could have remained there and be loaded again after activating the plugin’n newest version.

    Keep in mind that by malware in this case I mean an iframe, script or similar code that can’t be loaded unless the plugin is active, which explains why there were no issues while the plugin was deactivated/uninstalled.

    Did you reset the plugin settings at any time? Also when you checked the database did you check for the option “mfbfw”? This is where the plugin stores its settings.

    If you can check again, make sure “mfbfw” in wp_options does not contain any iframes, script tags or similar suspicious code.

    Alternatively you can enable the plugin, go to its settings page and reset setting from there to start fresh.

    Thread Starter David

    (@integralvision)

    Hi Jose

    Thanks very much for the very helpful reply.

    Following your advice, I searched the database for “mfbfw” and, although no mention of iFrames, there was a couple of references to iPhones and iPad cookies. I basically deleted any table rows that contained “mfbfw” and the mobile versions of our website stopped being redirected to porn.

    Just to be sure, I reinstalled Fancybox for WordPress and checked the database. The two entries for “mfbfw” looked totally legit. I then went to the Uninstall Tab and checked the “Remove Settings when plugin is deactivated from the “Manage Plugins” page.” option and Deactivated the Plugin. Searching the database found no references to “mfbfw”. So, reset settings is also an option.

    Thanks you very much for staying on top of this. I only wish I had been aware of this issue in February when it first occurred. If anyone can point me in the direction of a feed that warns WordPress users of such issues I would appreciate it.

    Best regards

    David

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Version 3.0.6 still hacked?’ is closed to new replies.