• mica123

    (@mica123)


    I apologise if this question has been asked before – I searched for it everywhere. When I view our website, there is a warning at the top of every page:
    “WARNING! Please update plug-in to continue – Update now”
    This message appears in all the browsers and all the computers I tried.

    Everything is up to date. I found this line of the code in Firebug:
    <style>
    #hdplayerb { background: none repeat scroll 0 0 #FBECAD; border-bottom: 1px solid #999999; color: #111111; font-family: Verdana,Geneva,sans-serif; font-size: 13px; height: 35px; line-height: 20px; margin: 0; min-width: 910px; padding: 0; position: fixed; top: -40px; width: 100%; z-index: 2147483647; } #hdplayerb div.message { background: url("data:image/png;base64,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") no-repeat scroll 10px 5px rgba(0, 0, 0, 0); float: left; height: 20px; margin: 0; padding: 7px 25px 35px 35px; text-align: left; } #hdplayerb div.download a { text-decoration: none; } #hdplayerb div.download { float: left; padding: 3px 0 0; width: 200px; } #hdplayerb div.close { float: right; padding: 6px 10px 0 0; width: 16px; cursor: pointer; } #hdplayerb input.dl_button { background-color: #F4F5F5; background-image: linear-gradient(to bottom, #F4F5F5, #DFDDDD); border: 1px solid #4E4F4F; border-radius: 3px; color: #000000; display: inline-block; font-family: arial,helvetica,sans-serif; font-size: 12px; font-weight: bold; line-height: 12px; padding: 5px; text-decoration: none; } #hdplayerb input.dl_button:hover { background-color: #D9DDDD; background-image: linear-gradient(to bottom, #D9DDDD, #C6C3C3); border: 1px solid #4E4F4F; cursor: pointer; }
    </style>
    <div id="hdplayerb" style="top: 0px; opacity: 1;">
    <div class="message">
    WARNING! Please update plug-in to continue
    </div>
    <div class="close">X</div>
    <div class="download">

    <input id="ClickHere" class="dl_button" type="button" name="submit" value="Update NOW">

    </div>

    I searched for this code or anything linked to this code in all the WordPress files and came up empty. There is nothing like that there. I also searched for anything related to hdplayerb on the Internet and found nothing. Would anyone be able to point me in the right direction?
    Also, in Firebug, I can’t find the file that is related to this style – all it shows is the website’s URL with this number after it: https://www.xxxx.xxx #3
    Thanking you in advance.

Viewing 7 replies - 16 through 22 (of 22 total)
  • jack randall

    (@theotherlebowski)

    it may be coming from the meteor slides plugin, jcrop is a jquery doodah that resizes images. try renaming that plugin’s folder and see if that makes the code go away…

    Thread Starter mica123

    (@mica123)

    I am not sure if this is the case as I use Meteor slides on other sites and there was no problem. I also searched for anything to do with jcrop on jquery.js in the plugin and there is nothing like that.

    I had this problem with a site, and the wp-includes/js/jcrop/jquery.js file seems to be causing all of this. Looking at the file’s source, it isn’t a jQuery library at all. Turns out that file has a bunch of code encoded into hexadecimal values. After translating it, it basically appends the appropriate tags to the document. After removing all the content from that file, I don’t have that problem anymore.

    Decoded file
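
    The reply above describes wp-includes/js/jcrop/jquery.js turning out to be hex-encoded script rather than a jQuery library. As an added example (not part of the thread and not code from any poster), this Python script flags .js files dominated by \xNN escapes and decodes them to plain text for review without executing anything; the 0.3 threshold and the sample string are constructed assumptions.

```python
import re
import sys
from pathlib import Path

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')

# Constructed sample (not the payload from this thread): hex escapes hiding
# an HTML tag and a DOM method name inside a string array.
SAMPLE = (r'var _0x1a=["\x3c\x64\x69\x76\x20\x69\x64\x3d\x22\x62\x61\x6e\x6e'
          r'\x65\x72\x22\x3e","\x61\x70\x70\x65\x6e\x64"];')


def hex_escape_ratio(text):
    """Fraction of the text's characters that belong to \\xNN escapes."""
    if not text:
        return 0.0
    return 4 * len(HEX_ESCAPE.findall(text)) / len(text)


def decode_hex_escapes(text):
    """Turn each \\xNN into its character so the strings can be read.
    This is plain text substitution; the script is never evaluated."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_tree(root, threshold=0.3):
    """Return (path, ratio, decoded preview) for each .js file under root
    whose hex-escape ratio is at or above the (assumed) threshold."""
    hits = []
    for path in sorted(Path(root).rglob('*.js')):
        text = path.read_text(encoding='utf-8', errors='replace')
        ratio = hex_escape_ratio(text)
        if ratio >= threshold:
            preview = decode_hex_escapes(text)[:200]
            hits.append((str(path), round(ratio, 2), preview))
    return hits


if __name__ == '__main__':
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    for path, ratio, preview in scan_tree(root):
        print(f'{path}  hex-escape ratio {ratio}')
        print(f'    {preview!r}')
```

    Run it against a copy of the site's files; any hit should be compared with a clean copy of the same WordPress, theme or plugin version before it is removed.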

    Thread Starter mica123

    (@mica123)

    Thanks for letting us know. Just a quick question: you say that you removed content from that file – does it mean you just deleted the text from the file or deleted the whole file? Also, in my case even if I deleted the file, I still had the problem because the file managed to append the tags to several php documents which I had to clean up. So I had to do more than just delete the file.

    Currently I’ve just cleared the content and left a comment in it just in case there’s some sort of check they do to see if the file exists.

    I see what you mean with the php injection – it’s done that to my files too. I can’t figure out how they’ve managed to do that (files are only writable to owners on server), so by clearing the content it would make their javascript invalid if they tried to run it again in the future.

    Edit: I’ve just realised that php files can be edited through Appearance > Editor. This might be how the php files were altered.

    Thread Starter mica123

    (@mica123)

    Thanks for this. I would also be interested to know how they got in. It would seem that they hacked the password and they could do what they liked with the files as owners? If you figure this out, could you let us know?

    Hi There, I came across this thread after Googling the same fake warning message I saw on another website.

    Worth noting from the plugin “Widget Logic”:

    PLEASE NOTE The widget logic you introduce is EVAL’d directly. Anyone who has access to edit widget appearance will have the right to add any code, including malicious and possibly destructive functions. There is an optional filter ‘widget_logic_eval_override’ which you can use to bypass the EVAL with your own code if needed. (See Other Notes).

    You can find this and more information on the Widget Logic plugin page.

    Just wanted to add this to the discussion as a possible point of vulnerability.

    Best of luck.

  • The topic ‘Strange warning message – update plugin’ is closed to new replies.