• Resolved simonbbs

    (@simonbbs)


    Hey Guys,

    We ran into an issue that we believe is related to calls in TinyMCE.

    The site ended up 522ing for about 20 minutes, and after it was back up we saw hanging calls to these URLs. However, these files do not exist in the site’s files:

    1 /wp-includes/rest-api/endpoints/blackside.php
    1 /wp-includes/random_compat/blackside.php
    1 /wp-includes/js/tinymce/skins/lightgray/img/blackside.php
    1 /wp-includes/js/tinymce/plugins/wpautoresize/wp-side.php
    1 /wp-includes/js/tinymce/plugins/paste/blackside.php
    1 /wp-includes/js/tinymce/plugins/media/blackside.php
    1 /wp-includes/js/tinymce/plugins/lists/blackside.php
    1 /wp-includes/js/tinymce/plugins/image/blackside.php
    1 /wp-includes/js/tinymce/plugins/hr/wp-side.php
    1 /wp-includes/js/tinymce/plugins/compat3x/css/blackside.php

    1: Is this actually related to this plugin? It’s not in the typical plugin file but appears to be one of the inclusions.
    2: Should those files exist on the site? Or should they be external calls?
    3: What does this file aim to do?

    Apologies if those files are not a part of this plugin. Thanks!

    -Simon


Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Andrew Ozz

    (@azaozz)

    That looks like “somebody” is trying to find a backdoor script that may have been dropped in WP. To answer your questions:

    1. This is not related to this plugin. The directory path this plugin loads the js files from is wp-content/plugins/tinymce-advanced/.... They were looking in wp-includes/js/tinymce/... which is where the TinyMCE editor scripts are located in WP.

    2. The blackside.php and wp-side.php should not exist. They are probably names of commonly used “backdoor” scripts that may have been hidden in the above directories. That may happen when one account on a shared hosting is compromised and the attacker gains access to all “neighbor” accounts. Then they usually try to hide some sort of a backdoor so they can exploit all the rest of the accounts.

    3. My guess is it gives “full access” to the server/hosting account when visiting it with a browser.
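
An added example, not part of the thread or of the plugin: a Python sketch for confirming the probing described in the reply above, first from the access log and then on disk. It assumes a common/combined-format access log; the sample log lines and IP addresses are constructed, the two file names come from the thread, and the function names are hypothetical.

```python
import os
import re
from collections import defaultdict

# File names taken from the thread; extend with names seen in your own logs.
PROBE_NAMES = {"blackside.php", "wp-side.php"}
# Assumed common/combined log format: ip - - [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def find_probe_requests(lines):
    """Return {client_ip: [(path, status), ...]} for requests to the probe names."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        path = target.split("?", 1)[0]  # ignore any query string
        if path.rsplit("/", 1)[-1].lower() in PROBE_NAMES:
            hits[ip].append((path, status))
    return dict(hits)

def needs_disk_check(hits):
    """Probed paths that got something other than 404: verify these on disk first."""
    return sorted({p for reqs in hits.values() for p, s in reqs if s != 404})

def files_on_disk(wp_root):
    """Relative paths under wp_root of files that carry one of the probe names."""
    found = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if name.lower() in PROBE_NAMES:
                found.append(os.path.relpath(os.path.join(dirpath, name), wp_root))
    return sorted(found)

# Constructed sample log lines (documentation IP ranges), not from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-includes/js/tinymce/plugins/paste/blackside.php HTTP/1.1" 404 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-includes/js/tinymce/plugins/hr/wp-side.php HTTP/1.1" 404 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-includes/js/tinymce/tinymce.min.js HTTP/1.1" 200 9000',
    '203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-includes/random_compat/blackside.php?x=1 HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    hits = find_probe_requests(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, len(reqs), "probe requests")
    print("check on disk:", needs_disk_check(hits))
```

An empty result from `files_on_disk` together with only 404 responses is consistent with a scan that found nothing; any file it does return should be treated as a possible backdoor and investigated.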

    Thread Starter simonbbs

    (@simonbbs)

    Hey Andrew,

    Very much appreciate the information, even if it wasn’t plugin related.

    Initially the server team said there wasn’t anything malicious and was likely something in the plugin file, which is why I reached out here.

    I’ll go back to them to try and get more information.

    Thanks so much!

  • The topic ‘Blackside.php Calls’ is closed to new replies.