Security flaw suspected

  • Resolved peterlaz

    (@peterlaz)


    7 years, 2 months ago

    I am using this plugin on my website. My hosting company has detected that my account has been comprised and the hackers are using it to relay their filthy emails. My hosting company has reported that the hackers have used a back door entry on this plugin to gain access. Please investigate. Here is the message from the hosting company.

    Time: Fri Sep 29 09:49:24 2017 -0400
    Path: ‘/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages’
    Count: 101 emails sent

    Sample of the first 10 emails:

    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]
    2017-09-29 13:43:58 cwd=/home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages 4 args: /usr/sbin/sendmail -t -i [email protected]

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter peterlaz

    (@peterlaz)

    The offending file has been identified as
    /home/plan2040/public_html/wp-content/plugins/genesis-featured-page-advanced/languages/xmxweoko.php

    Adam

    (@adamlachut)

    Most likely malware is installed in random or well-know directories and the installation folder doesn’t indicate how it got in. It doesn’t tell you anything about how the break-in occurred at the first time.
    I would recommend scanning the whole hosting account for malware.

    Thread Starter peterlaz

    (@peterlaz)

    This is what I am suspecting now as the file xmxweoko.php is not native to the plugin.

    Plugin Author Nick Diego

    (@ndiego)

    Good morning peterlaz,

    Thanks for reaching out and I am truly sorry that you have been hacked. You are correct that the file xmxweoko.php is absolutely not native to the plugin. It is very common for hackers to hide malicious files throughout your site once they have access. I completely agree with Adam’s comments above, make sure to scan the whole hosting account for malware. I might suggest using the plugin Wordfence. It is very good for detecting vulnerabilities.

    As far as the plugin itself. I am not aware of any security vulnerabilities in the core plugin code. I have also run it through numerous checks including Wordfence. I take these situations very seriously so if you or your host needs any additional information, please let me know!

    Thanks,
    Nick

    Thread Starter peterlaz

    (@peterlaz)

    Thanks Nick for reaching out promptly.

    My early suspicion of a flaw in the code is proven to be baseless. After working extensively with my hosting company I have positively identified issue.

    The issue is documented in https://wpvulndb.com/vulnerabilities/8807

    The hacker somehow gained access to my website and planted the file xmxweoko.php in the plugin folder wp-content/plugins/genesis-featured-page-advanced/languages/

    This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction.

    Admittedly the site in question was only a test site without much security setup. I have deleted the entire site and will start again fresh as it is only for testing purposes.

    Luckily, my live sites are adequately protected with premium security plugin. A scan with Sucuri’s site scanner shows they are all safe.

    Once again thank you very much for this lovely plugin.

    Plugin Author Nick Diego

    (@ndiego)

    Great, I am glad you got it sorted. Being hacked is terrible, I have been in your boat a few times. And thanks for the kind words regarding the plugin!

    Best,
    Nick

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Security flaw suspected’ is closed to new replies.