lucasmorgan
Forum Replies Created
Yeah this vulnerability is real but it’s not the explicit fault of UM, there’s a vulnerability (they need to fix or have already fixed) in the file upload of user accounts I believe:
https://www.ads-software.com/support/topic/malware-files-being-uploaded/
This is probably going to be fixed by the time most people read this, but be super careful and make sure you have everything updated!
Yeah this vulnerability is real but it’s not the explicit fault of UM, there’s a vulnerability in the file upload of user accounts I believe:
https://www.ads-software.com/support/topic/malware-files-being-uploaded/
This is probably going to be fixed by the time most people read this, but be super careful and make sure you have everything updated!
Just realized I’ve had this same exploit happening to me through UM for the last several days, maybe 5-10 days at most, that I’ve noticed.
The first signs were myself being redirected to other spammy websites when visiting my homepage. These spammy websites were trying to convince me to turn on Chrome notifications for these sites, and I of course closed these tabs without interacting with them.
Then today someone else I know emailed me letting me know they got the same results.
I also get these redirect attempts when I visit the wp-admin portal to login to my dashboard.
I’ve run the WordFence scan at high sensitivity, and it found a plethora of mainstream WP files infected. 10-15 or so. Here are some examples of infected files:
location: wp-content/plugins/um-recaptcha/uninstall.php
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: ${"\x47\x4c\x4fB\x41\x4c\x53"}. The infection type is: A backdoor known as qd5f27f0.
location: wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: ${"\x47\x4c\x4fB\x41\x4c\x53"}. The infection type is: A backdoor known as qd5f27f0.
location: wp-super_cache.php
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "cr"."eat"."e_fun"."cti"."on". The infection type is: Pattern commonly seen in PHP malware.
And the kicker, which brought me to this thread actually:
Filename: wp-content/uploads/ultimatemember/temp/ZdCQEGllparORuQ7TMjwLlWw7pVcbzJmVXtCUiT7/stream_photo_9c8d90bc587c22ae9aef83fcdb2a02d0_5b69a8f8885c8.php
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: <?php eval($_POST[. The infection type is: A backdoor known as EP.
The stream_photo_….php file opens as an image, spoofed of course. It has code inside. The image was of an 8-bit cat. I did a reverse Google image search and this did not turn up anywhere else on the internet. Image uploaded here if you want to check it out:
https://ibb.co/kWi2GU
The only readable code in the spoofed image PHP file was this bit. Screenshot below:
https://ibb.co/etW6bU
It uses the PHP function file_put_contents() to write base64 encoded text to a new file, called n.php. This file was actually in a couple of the temp folders as well, next to the error log.
This is a screenshot of what n.php looked like:
https://ibb.co/dEpjwU
There was also an error log in 2 of the temp folders, I presume from the hacker making mistakes or certain parts of the code not executing as expected? It looked like this:
https://ibb.co/hSqk39
Hope this helps – would love to know more about this and also get this fixed ASAP.
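Added example, not code from the thread, from Ultimate Member or from WordFence: a small Python triage script that applies the indicators quoted in the post above (a .php file under wp-content/uploads, an image header followed by `<?php`, and the hex-escaped `${"GLOBALS"}`, `"cr"."eat"…` and `eval($_POST[` patterns) to file contents, after first undoing the two obfuscations so the plain form is what gets matched. The file paths, pattern names and sample contents are constructed for the demonstration.

```python
import re
from pathlib import Path

# Image magic bytes; a file that starts with one of these and still contains
# "<?php" is the spoofed-image backdoor the post above describes.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")

def normalize(src: str) -> str:
    """Undo the two cheap obfuscations behind the quoted WordFence matches:
    hex escapes in strings (\\x47\\x4c -> GL) and fragment joins ("cr"."eat")."""
    src = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), src)
    return re.sub(r'"\s*\.\s*"', "", src)

# Matched against the normalized source, so the obfuscated forms are caught too.
SUSPICIOUS = {
    "GLOBALS via variable-variable": re.compile(r'\$\{\s*"GLOBALS"\s*\}'),
    "create_function": re.compile(r"\bcreate_function\b"),
    "eval on request input": re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "file_put_contents of base64 data": re.compile(r"file_put_contents\s*\([^;]*base64_decode"),
}

def scan_bytes(data: bytes, relpath: str) -> list[str]:
    """Findings for one file; relpath is relative to the WordPress root."""
    findings = []
    text = data.decode("latin-1")  # lossless, and every pattern above is ASCII
    has_php = "<?php" in text or "<?=" in text
    if relpath.endswith(".php") and "uploads" in Path(relpath).parts:
        findings.append("PHP file under wp-content/uploads")
    if has_php and data.startswith(IMAGE_MAGIC):
        findings.append("image/PHP polyglot")
    if has_php:
        norm = normalize(text)
        findings += [name for name, pat in SUSPICIOUS.items() if pat.search(norm)]
    return findings

# Constructed samples mirroring the findings quoted in the post (fragments only;
# the eval sample is cut off exactly where the WordFence report cuts it off).
SAMPLES = {
    "wp-content/uploads/ultimatemember/temp/abc/stream_photo_1.php": b"GIF89a\x01<?php eval($_POST[",
    "wp-content/plugins/um-recaptcha/uninstall.php": rb'<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}["a"]=1;',
    "wp-super_cache.php": b'<?php $f="cr"."eat"."e_fun"."cti"."on";',
    "wp-content/themes/x/index.php": b"<?php echo 'ok';",
}

def scan_samples() -> dict[str, list[str]]:
    """Run scan_bytes over SAMPLES; the clean theme file must not appear."""
    return {p: h for p, d in SAMPLES.items() if (h := scan_bytes(d, p))}
```

To run it over a real install, feed `scan_bytes` each file's bytes together with its path relative to the WordPress root (for example from `Path(root).rglob("*")`), and review every flagged path by hand before deleting anything.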