• Tim

    (@timwakeling-1)


    Today I started getting notifications from several of my sites where a new user has been added with the username wpuser_awnmwnfwwel where the string after the underscore is random.

    The common denominator between these sites is that they all had PublishPress Capabilities installed and all were on version 2.3 rather than 2.3.1.

    Is the mysterious “security issue” fixed in 2.3.1 something that could be behind this, or was it unrelated?

    Thanks

    Tim

Viewing 12 replies - 1 through 12 (of 12 total)
    Thread Starter Tim

    (@timwakeling-1)

    Thank you very much for the info! That’s incredibly helpful.

    Do you have any idea how the users got added? I’m urgently trying to establish this.

    Plugin Author Steve Burge

    (@stevejburge)

    Hi @timwakeling-1

    Thanks for reporting this.

    Can this be linked to Capabilities 2.3.0? That’s unclear, but I definitely would recommend updating to version 2.3.1. The previous version did have a security issue.

    It’s also possible there’s something else at work here. For example, we haven’t seen any way that version 2.3.0 could be used to upload plugins as reports. That doesn’t appear to be related to the issue we fixed.

    If you see something like this, it’s worth going through normal security checks on your site.

    Also if you see something, we have details on how to report security issues here:
    https://publishpress.com/knowledge-base/security-issues/

    • This reply was modified 2 years, 11 months ago by Jan Dembowski.
    Thread Starter Tim

    (@timwakeling-1)

    Thank you Steve for your quick response.

    I have just gone through and ensured all my 30 or so sites have version 2.3.1 if they have PP Capabilities installed. I can also confirm that the compromised sites were also only those with PublishPress Capabilities on them. I do realise this might be coincidence but I’ve not seen a counterexample yet.

    I have checked the security plugins and procedures as well as scanning for malware using my server tools, and found nothing yet. In all cases I have reset all users’ passwords and notified them.

    It appears to me as if the user is being added, and then that user’s privileges are being used to upload the wp-striplple plugin. I am looking at the code of that plugin now. I am intrigued that seems to have experienced it the other way round, but this way makes sense that it could potentially be a flaw in the Capabilities plugin. (I am not out to apportion blame at all here, by the way – just to diagnose so I can stop it!)

    I believe the malicious activity is happening manually rather than fully automatically. This is because on the couple of sites where I acted within a minute to delete the user once added, and before the user had reset their password, those sites did not have the wp-striplple plugin installed. So it appears I stopped the user before they had time to do it.

    I shall file a report shortly on the link you mention once I’ve finished firefighting.

    Thanks again both!

    Tim

    Plugin Author Steve Burge

    (@stevejburge)

    Thanks @timwakeling-1

    This is an ongoing investigation and we’ll know more soon. The first reports like this have just started to arrive in the last couple of hours.

    The one thing we know for sure is that 2.3.1 fixes this issue and we recommend updating.

    Thread Starter Tim

    (@timwakeling-1)

    That is brilliant to know Steve. So I can assure my clients if they are on 2.3.1 they are now safe from this attack.

    My antimalware has confirmed the source and I am getting very close now to an understanding of what’s been done.

    Thanks again

    Plugin Author Steve Burge

    (@stevejburge)

    Thanks @timwakeling-1. We’d appreciate hearing anything you find.

    Plugin Author Kevin Behrens

    (@kevinb)

    @timwakeling-1 Yes, the version 2.3.1 security release is a fix for this vulnerability. I have already notified WordPress plugin security and even submitted a WP core patch to them.

    I don’t have any knowledge of what wp-striplpe or any other exploits have done to sites. Anyone who was still running version 2.0 through 2.3 on 12/7 (when this vulnerability was irresponsibly disclosed) should run a thorough malware scan with a security plugin.

    Thread Starter Tim

    (@timwakeling-1)

    I have received an email from Kevin directly and replied with all the details I have about this exploit.

    It seems to have been a proof of concept, i.e. the JS being referred to on the remote server was blank. Just the attacker seeing what he could do. But I’ll of course be grateful to hear if there was more to it than that.

    Tim

    Plugin Author Steve Burge

    (@stevejburge)

    Thanks for your reports everyone. We do apologize for this and appreciate you sharing this information.

    We also appreciate the WordPress plugin team who are rolling out auto-updates for this security fix, so all PublishPress Capabilities users should be covered ASAP.

    Plugin Author Steve Burge

    (@stevejburge)

    Thanks everyone. We are only about 12 hours into the reports for this issue and your help has been invaluable.

    We apologize again for the issue.

    We’ve been able to work with the www.remarpro.com plugins team to provide the security fix by auto-update.

    If you were on version 2.3.0 or earlier, please ensure your version of Capabilities is up-to-date, and run a security check on your site. The fake users seem to be the indicator of a problem.

    The PublishPress team is here to help if you have questions.

    Plugin Author Kevin Behrens

    (@kevinb)

    Following up on my previous comment, if doing a manual check for malicious plugins, use your hosting control panel file manager to check the wp-content/plugins and mu-plugins folders. A malicious plugin may hide itself from the Plugins screen. Likewise for manual user review: check the users table with a database browser like phpMyAdmin, not the wp-admin Users screen.
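
A small offline check for the two manual reviews described in the post above, written as an added example (it is not code from PublishPress, the thread, or WordPress). It builds a constructed wp-content tree and a constructed wp_users export, then lists plugin directories that exist on disk but that the Plugins screen did not report, and flags user logins that match the `wpuser_<random>` pattern from the first post or that were registered recently. The slug `wp-striplple` is the plugin name quoted in the thread; the dates, the `jane` account, the `loader.php` mu-plugin and the admin-screen list are assumptions for the demo. On a real site the rows would come from a phpMyAdmin export or `wp user list --format=csv`, and the admin list from what the Plugins screen (including its Must-Use tab) actually shows.

```python
import os
import re
import shutil
import tempfile
from datetime import datetime, timedelta

# Login pattern reported in this thread: "wpuser_" followed by a run of random lowercase letters.
FAKE_LOGIN_RE = re.compile(r"^wpuser_[a-z]{6,}$")


def plugins_on_disk(wp_content):
    """Enumerate what a file-manager view of wp-content shows: every directory under
    plugins/, and every directory or .php file under mu-plugins/ (mu-plugins load
    without activation, so they are a common place for unwanted code to sit)."""
    found = {}
    plugins_dir = os.path.join(wp_content, "plugins")
    mu_dir = os.path.join(wp_content, "mu-plugins")
    if os.path.isdir(plugins_dir):
        for name in sorted(os.listdir(plugins_dir)):
            if os.path.isdir(os.path.join(plugins_dir, name)):
                found[name] = "plugins"
    if os.path.isdir(mu_dir):
        for name in sorted(os.listdir(mu_dir)):
            path = os.path.join(mu_dir, name)
            if os.path.isdir(path) or name.endswith(".php"):
                found[name] = "mu-plugins"
    return found


def hidden_plugins(on_disk, shown_in_admin):
    """Anything present on disk that the Plugins screen does not list is suspect:
    a plugin can filter itself out of that screen, but not out of the file system."""
    return sorted(slug for slug in on_disk if slug not in shown_in_admin)


def suspicious_users(rows, now, window_days=7):
    """rows: dicts with the wp_users columns user_login and user_registered.
    Returns {login: [reasons]} for accounts that deserve a manual look."""
    flagged = {}
    for row in rows:
        reasons = []
        if FAKE_LOGIN_RE.match(row["user_login"]):
            reasons.append("login matches wpuser_<random> pattern")
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if now - registered <= timedelta(days=window_days):
            reasons.append("registered in the last %d days" % window_days)
        if reasons:
            flagged[row["user_login"]] = reasons
    return flagged


def build_fixture():
    """Constructed wp-content tree for the demo (not a real site). The rogue slug
    'wp-striplple' is the plugin name quoted in the thread."""
    root = tempfile.mkdtemp(prefix="wp-content-demo-")
    for slug in ("akismet", "capabilities", "wp-striplple"):
        os.makedirs(os.path.join(root, "plugins", slug))
    os.makedirs(os.path.join(root, "mu-plugins"))
    with open(os.path.join(root, "mu-plugins", "loader.php"), "w") as fh:
        fh.write("<?php // constructed placeholder for the demo\n")
    return root


def run_demo():
    root = build_fixture()
    try:
        # Constructed: what the wp-admin Plugins screen (with its Must-Use tab) reported.
        shown_in_admin = {"akismet", "capabilities", "loader.php"}
        hidden = hidden_plugins(plugins_on_disk(root), shown_in_admin)
    finally:
        shutil.rmtree(root)

    # Constructed wp_users export and a constructed "now" for the registration window.
    now = datetime(2024, 6, 10, 12, 0, 0)
    rows = [
        {"user_login": "siteadmin", "user_registered": "2019-03-01 09:00:00"},
        {"user_login": "jane", "user_registered": "2024-06-09 08:30:00"},
        {"user_login": "wpuser_awnmwnfwwel", "user_registered": "2024-06-10 03:14:07"},
    ]
    flagged = suspicious_users(rows, now)
    return {"hidden_plugins": hidden, "flagged_users": flagged}


if __name__ == "__main__":
    result = run_demo()
    print("On disk but not in the Plugins screen:", result["hidden_plugins"])
    for login, reasons in result["flagged_users"].items():
        print("Review user %r: %s" % (login, "; ".join(reasons)))
```

The registration-window check deliberately flags legitimate recent sign-ups too (`jane` here): the point is to produce a short list to review by hand, not to auto-delete accounts, since a real editor created in the same week would otherwise be lost in the noise.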

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Folks– if your site was hacked,

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Adding on to this topic is not really helping anyone, thus it is now closed.

  • The topic ‘Recent security issue’ is closed to new replies.