Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
  • Tried both disabling the option and rolling back woo to 8.4.0, still looping calling css files, and then the php-fpm child is never closed, so they build up until max children are reached. Here are all the plugins installed:

    49 installed plugins:
    A activecampaign-subscription-forms 8.1.14
    A activecampaign-for-woocommerce 2.5.5
    A add-from-server 3.4.5
    A advanced-coupons-for-woocommerce-free 4.5.9.2
    A advanced-coupons-for-woocommerce 3.5.8.1
    A ahrefs-seo 0.10.2
    A all-in-one-favicon 4.8
    A fusion-builder 3.11.3
    A fusion-core 5.11.3
    A powerpress 11.4.5
    A broken-link-checker 2.2.4
    A classic-widgets 0.3
    A duplicate-menu 0.2.2
    A duplicate-page 4.5.3
    A easyconnect_auth 2.0
    A duracelltomi-google-tag-manager 1.19.1
    A intercom 2.6.5
    A jetpack 13.0
    I nitropack 1.11.0
    I pinterest-for-woocommerce 1.3.20
    A pixelyoursite-pinterest 5.3.2
    A pixelyoursite-pro 9.12.0.1
    A redirection 5.4.2
    A rename-wp-login 2.6.0
    A scripts-n-styles 3.5.8
    A simple-user-avatar 4.3
    A social-warfare 4.4.5.1
    A social-warfare-pro 4.3.0
    A sucuri-scanner 1.8.41
    UA team-showcase 2.2.4
    I updraftplus 1.23.16
    UA woocommerce 8.4.0
    I woo-gutenberg-products-block 11.7.0
    A woothemes-updater 1.7.2
    I woocommerce-legacy-rest-api 1.0.1
    A woocommerce-paypal-payments 2.5.1
    A woocommerce-services 2.4.2
    A woocommerce-gateway-stripe 7.9.1
    A woocommerce-zapier 2.10.0
    A woocommerce-subscriptions 5.9.1
    A wp-add-mime-types 3.1.1
    A wp-recipe-maker 9.1.2
    A wp-recipe-maker-premium 9.1.0
    A wp-rocket 3.15.8.1
    A wp-rocket-compat-wc-cart-fragments
    A wp-rollback 2.0.6
    A wordpress-seo 21.9.1
    A zapier 1.0.4
    D advanced-cache.php
    Legend: A = Active, I = Inactive, D = Drop-In, U = Update Available

    If we disable Woo it stops entirely. Once enabled, it just loops like this:

    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/assets/css/photoswipe/default-skin/default-skin.min.css HTTP/1.0" 403 199 "-" "-"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-sku.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://XXXX"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-stock-indicator.css HTTP/1.0" 403 199 "-" "-"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-categories.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://XXXX"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-image.css HTTP/1.0" 403 199 "-" "-"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-search.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://XXXX"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-sku.css HTTP/1.0" 403 199 "-" "-"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-template.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://XXXX"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-query.css HTTP/1.0" 403 199 "-" "-"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-search.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://XXXX"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-sku.css HTTP/1.0" 403 199 "-" "-"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/packages-style.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://XXXX"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/wc-blocks.css HTTP/1.0" 403 199 "-" "-"
    216.38.11.131 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/reviews-by-product.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://XXXX"
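A small triage helper for the log pattern in the post above, added here as an example; it is not code from the thread or from WooCommerce. The User-Agent `WordPress/6.4.2; https://…` on every other line is the default User-Agent of WordPress's own HTTP API, so those lines are the site fetching its own stylesheets. The script parses combined-format access log lines, keeps only requests whose agent is WordPress pointing at the site's own home URL (assumed to be https://example.com), and reports per second how many such self-requests hit each plugin path and how many came back 403, which is the number that should stay near zero on a healthy site. The five log lines are constructed to match the shape of the ones in the post; IPs, host and timestamps are placeholders. Requires PHP 8.

```php
<?php
// Added example, not from the forum thread. Flags WordPress loopback
// requests (self-requests) in a combined-format access log and counts
// them per second and per plugin path, together with how many were 403.

const HOME_URL = 'https://example.com'; // assumed: the site's home URL

// Constructed sample lines in the same shape as the ones in the post.
$log = <<<'LOG'
203.0.113.10 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-sku.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://example.com"
203.0.113.10 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-search.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://example.com"
203.0.113.10 - - [30/Jan/2024:14:41:29 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/product-sku.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://example.com"
203.0.113.10 - - [30/Jan/2024:14:41:30 -0500] "GET /wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/wc-blocks.css HTTP/1.1" 403 199 "-" "WordPress/6.4.2; https://example.com"
198.51.100.7 - - [30/Jan/2024:14:41:30 -0500] "GET /shop/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
LOG;

// Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';

function parse_line(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null; // not a combined-format line, skip it
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'agent'  => $m[6],
    ];
}

// A self-request: the WordPress HTTP API user agent naming our own home URL.
function is_self_request(array $r): bool
{
    return str_starts_with($r['agent'], 'WordPress/')
        && str_contains($r['agent'], HOME_URL);
}

// Groups self-requests by second and by the first three path segments
// (e.g. /wp-content/plugins/woocommerce), counting totals, 403s and
// how many distinct files were requested.
function summarise(string $log): array
{
    $out = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || !is_self_request($r)) {
            continue;
        }
        $prefix = implode('/', array_slice(explode('/', $r['path']), 0, 4));
        $key = $r['time'] . ' ' . $prefix;
        $out[$key] ??= ['count' => 0, 'forbidden' => 0, 'paths' => []];
        $out[$key]['count']++;
        if ($r['status'] === 403) {
            $out[$key]['forbidden']++;
        }
        $out[$key]['paths'][$r['path']] = ($out[$key]['paths'][$r['path']] ?? 0) + 1;
    }
    return $out;
}

foreach (summarise($log) as $key => $s) {
    printf("%s  self-requests=%d  403=%d  distinct files=%d\n",
        $key, $s['count'], $s['forbidden'], count($s['paths']));
}
```

Run it against a real log with `php triage.php < access.log` after replacing the embedded sample with `stream_get_contents(STDIN)`. A burst of self-requests for the same handful of CSS files inside one second, all answered 403, is the signature the post describes; the 403s matter because a loopback fetch that is refused is usually retried rather than cached, which is what keeps the php-fpm children busy.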

    @shameemreza – That does not apply here, as the css files get called over and over, not 403, and no WAF in place.

    We’re seeing the same issue on a woo site. All plugins updated, no malware, etc… Disabling woo stops it. Plugins:

    +---------------------------------------+----------+--------+----------+
    | name                                  | status   | update | version  |
    +---------------------------------------+----------+--------+----------+
    | activecampaign-subscription-forms     | active   | none   | 8.1.14   |
    | activecampaign-for-woocommerce        | active   | none   | 2.5.5    |
    | add-from-server                       | active   | none   | 3.4.5    |
    | advanced-coupons-for-woocommerce-free | active   | none   | 4.5.9.2  |
    | advanced-coupons-for-woocommerce      | active   | none   | 3.5.8.1  |
    | ahrefs-seo                            | active   | none   | 0.10.2   |
    | all-in-one-favicon                    | active   | none   | 4.8      |
    | fusion-builder                        | active   | none   | 3.11.3   |
    | fusion-core                           | active   | none   | 5.11.3   |
    | powerpress                            | active   | none   | 11.4.5   |
    | broken-link-checker                   | active   | none   | 2.2.4    |
    | classic-widgets                       | active   | none   | 0.3      |
    | duplicate-menu                        | active   | none   | 0.2.2    |
    | duplicate-page                        | active   | none   | 4.5.3    |
    | easyconnect_auth                      | active   | none   | 2.0      |
    | duracelltomi-google-tag-manager       | active   | none   | 1.19.1   |
    | intercom                              | active   | none   | 2.6.5    |
    | jetpack                               | active   | none   | 13.0     |
    | nitropack                             | inactive | none   | 1.11.0   |
    | pinterest-for-woocommerce             | inactive | none   | 1.3.20   |
    | pixelyoursite-pinterest               | active   | none   | 5.3.2    |
    | pixelyoursite-pro                     | inactive | none   | 9.12.0.1 |
    | redirection                           | active   | none   | 5.4.1    |
    | rename-wp-login                       | inactive | none   | 2.6.0    |
    | scripts-n-styles                      | active   | none   | 3.5.8    |
    | simple-user-avatar                    | active   | none   | 4.3      |
    | social-warfare                        | active   | none   | 4.4.5.1  |
    | social-warfare-pro                    | active   | none   | 4.3.0    |
    | sucuri-scanner                        | active   | none   | 1.8.41   |
    | team-showcase                         | inactive | none   | 2.2      |
    | updraftplus                           | inactive | none   | 1.23.16  |
    | woocommerce                           | active   | none   | 8.5.1    |
    | woo-gutenberg-products-block          | inactive | none   | 11.7.0   |
    | woothemes-updater                     | active   | none   | 1.7.2    |
    | woocommerce-legacy-rest-api           | inactive | none   | 1.0.1    |
    | woocommerce-paypal-payments           | active   | none   | 2.5.1    |
    | woocommerce-services                  | active   | none   | 2.4.2    |
    | woocommerce-gateway-stripe            | active   | none   | 7.9.1    |
    | woocommerce-zapier                    | active   | none   | 2.10.0   |
    | woocommerce-subscriptions             | active   | none   | 5.9.1    |
    | wp-add-mime-types                     | active   | none   | 3.1.1    |
    | wp-recipe-maker                       | active   | none   | 9.1.2    |
    | wp-recipe-maker-premium               | active   | none   | 9.1.0    |
    | wp-rocket                             | active   | none   | 3.15.8   |
    | wp-rocket-compat-wc-cart-fragments    | active   | none   |          |
    | wordpress-seo                         | active   | none   | 21.9     |
    | zapier                                | active   | none   | 1.0.4    |
    | advanced-cache.php                    | dropin   | none   |          |
    +---------------------------------------+----------+--------+----------+

    This type of FTP hack is quite common these days. In almost every case it is an infected PC (with malware) that collects FTP u/p information from FTP programs on the PC. This data is transmitted to the hacker network, that then runs bots to insert iframe malicious code in index* pages, .htaccess, main* pages, etc… all automatically.

    Run a full a/v scan, and then download and run malwarebytes.org software once it’s updated on any PC that might have your FTP u/p stored in an FTP program (including designers, developers, SEO, outsource companies, etc…)

    Thread Starter rmang

    (@rmang)

    More details:

    The URL for the dashboard link is:
    https://xyz.com/wp-admin/admin.php?page=index.php

    instead of the expected:
    https://xyz.com/wp-admin/index.php

    after the upgrade. Hope this helps to shed some light on this issue. Thanks.

    Thread Starter rmang

    (@rmang)

    1.5.1.1 has the code:

    function get_the_category_by_ID($cat_ID) {
        $cat_ID = (int) $cat_ID;
        $category = &get_category($cat_ID);
        return $category->cat_name;
    }

    1.5 has the code:

    function get_the_category_by_ID($cat_ID) {
        global $cache_categories, $wpdb;
        if ( !$cache_categories[$cat_ID] ) {
            $cat_name = $wpdb->get_var("SELECT cat_name FROM $wpdb->categories WHERE cat_ID = '$cat_ID'");
            $cache_categories[$cat_ID]->cat_name = $cat_name;
        } else {
            $cat_name = $cache_categories[$cat_ID]->cat_name;
        }
        return($cat_name);
    }

    Is putting the line “$cat_ID = (int) $cat_ID;” at the top of the function for 1.5 viable, or is this security issue only affecting 1.5.1?

    Rob
