Bye bye Hacker

  • Resolved user7381

    (@user7381)


    6 years, 8 months ago

    We got a lot of Trouble updating to Version 1.7.4 this morning.
    Every Page was Redirecting to the Startpage and there was a message with “bye bye Hacker”. We couldn’t log in to the Admin-Area.

    I think our Hoster 1und1 loads index.html before index.php.
    This plugin should check if this is the case. (Set an entry to .htaccess an make the hole Option optional.) Otherwise the site is broken !

Viewing 11 replies - 1 through 11 (of 11 total)

  • I have the same issue – after updating to 1.7.4 just a white page that says “bye bye Hacker”. Glad I was updating on a staging server and not my clients live site.

    Us too. Multiple sites autoupdated to this. redirect-editor.php has this code:

    		function bye_hacker()
		{
$index_block_directory_scanz = fopen("index.html", "w");

     $text = "bye bye hacker";
     fwrite($index_block_directory_scanz, $text);
     fclose($index_block_directory_scanz);
		}
		if(site_url() . "wp-content/plugins/" )
	    echo bye_hacker();
	 	 
if(site_url . "wp-content/themes/")	 
	echo bye_hacker();

    this adds an index.html file to the root. Reverting to the previous version should fix.

    This happened on four sites of mine.

    Rolling back to version 1.7.3 didn’t fix it.

    I didn’t notice at first that this hacked code creates an index.html in the site’s root directory and also in wp-admin directory.

    Rolling back to 1.7.3 and removing the two index.html files fixed it, and turned off automatic updates

    These guys are “security experts” – someone is having a laugh with them…

    Plugin Author zuda

    (@zuda)

    We are so sorry that our new feature that was tested on live sites on different hosts, malfunctioned for you. We would love to find out what was the cause of the malfunction, but in the meantime, have sent out a patch removing the index.html.

    On all the sites we tested this blocked directory traversal, we look forward to learning how this went wrong and would be happy to give all of you ten minutes free of our time doing security for you.

    Again, we are so sorry about this issue and look forward to identifying where it went wrong.

    Thread Starter user7381

    (@user7381)

    Maybe it’s because of DirectoryIndex in .htaccess
    Default behaviour of Apache could be overwritten.

    Problem: DirectoryIndex index.htm index.html index.php
    Ok: DirectoryIndex index.php index.htm index.html

    @centicon Delete the index.html in / and /wp-admin/

    @user7381 – yes thanks I already did that.

    Only caused me 2 hours of being stressed out trying to figure out if this was some kind of malicious attack on 35 sites I manage.

    I alerted @zuda last night via Twitter – it shocked them I think but they acted fast and have fixed it. https://twitter.com/Zen_Moments/status/1019316656911405056

    Fortunately it turned out to be just a cock up.

    • This reply was modified 6 years, 8 months ago by centicon.
    • This reply was modified 6 years, 8 months ago by centicon.
    • This reply was modified 6 years, 8 months ago by centicon.
    Plugin Author zuda

    (@zuda)

    We were absolutely shocked as root under no circumstances should have been affected. We will be adding more coders into this free open source project to ensure stability, functionality, and new features go smoothly. We only know of a dozen sites that were affected out of over 3000 that use our software, but that is still too many for our liking.

    How root was affected is a mystery no one has been able to solve yet. Again, we apologize for this error, but have no idea how it affected you. We will be examining your sites to see if there was a configuration difference we hadn’t planned for, or something that could’ve caused this. We still wish we could see this happen live, as we’ve yet to see it malfunction. We learn a lot that way.

    • This reply was modified 6 years, 8 months ago by zuda.
    • This reply was modified 6 years, 8 months ago by zuda.

    Thanks for the hints, this saved time and nerves for me and the customer …

    Plugin Author zuda

    (@zuda)

    There have been no problems with the latest release.

    I have been in touch with @zuda and gave them access to one of the affected sites so that they could better understand what happened.

    I hope they will explain it here.

    They responded very well once they knew about it, bit it’s important for us to tell the developer. They don’t necessarily check these boards, and within a very short time of my alerting them on Twitter they had fixed it.

    Plugin Author zuda

    (@zuda)

    It is explained to the best of our knowledge on our site, however every expert WP coder and programmer can not explain nor understand how this could’ve happened, however based on the data we have this is the current conclusion. Thanks centicon.
    https://planetzuda.com/incident-response-to-software-issues-how-to-plan-for-incident-response/2018/07/19/

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘Bye bye Hacker’ is closed to new replies.