[Plugin: OptionTree] This plug-in is getting hacked

btw, when I replace the plug-in with a clean version, the site is fine again, of course.

Investigating right now.

Please contact me through [email protected] with as much detail about the links as possible. Thanks.

The plugin is withdrawn for now.

Just sent it.

What are you talking about? How is the plugin being hacked? Contact me [email protected], I need more info more info than it’s being hacked. Thanks.

Are you sure it’s OT and not timbthumb, if you have it on your site it could have gotten hacked that way?

As a heavy user of this plugin since its inception, I haven’t heard of anything like this either.

Mark – Any chance it could be put back up while under review? It causes a bit of a headache when users can’t find a well known plugin.

The plugin was replaced a few hours ago – sorry for not noting it here.
I can’t see anything wrong so if anything it is being targeted. Not there there is a lot you can do about that.

Timthumb is currently being targeted heavily all over the web, do you have that in use with your theme?

Derek – That’s all I was thinking was that it might be being targeted, if there’s some loose code somewhere. I’m not at home right now, but I’ll email you when I get back with more. What happens is that the index.php of this and only this plug-in gets over-written or corrupted with a bunch of other stuff, which, of course, causes WP to disable it. I -think- that might open up other parts of the theme that relay on OT for functionality.

The only fix I’ve done so far is to look for other corrupted files, and replace OT with a fresh copy. Everything works fine until they replace the index.php file again.

As far as I know timthumb isn’t on the site at all, and isn’t in the current theme (no pages use the usual “TimThumb” custom field. I’ll look closer when I get home.

The client may have added a theme – not in use – that uses it, also. Would that be a vulnerability, or only the theme in use? I’ll look and see if there are any inactive themes they added and I haven’t deleted yet.

Thanks for all the action on this, by the way. I’m sorry for the initial confusion that caused a momentary unavailability.

If timthumb is anywhere on the server it’s a possible way to hack the site. I’ll look at the plugin more later today, but I’m at a loss for why it was hacked and how. Please do send me anymore info you get via my email so I can look into it further.