
ATTENTION: IGIT Related Posts With Thumb Image After Posts phpRemoteView Attack (27 posts)

  1. debajyoti
    Member
    Posted 3 years ago #

    ATTENTION: IGIT Related Posts With Thumb Image After Posts version 3.9.7 with WordPress 3.2.1 is vulnerable to the phpRemoteView attack. 2 of our clients' sites were compromised recently. We checked it thoroughly and found the IGIT plugin is the source of the injection. Here's the hack [malicious code]
    [removed code] injected into index.php. Also in wp-admin, there were 2 suspicious files, 'common.php' and 'udp.php'.

    We have cleaned the index.php, deleted those suspicious files and removed the whole IGIT plugin, and things came back to normal.

    I am posting it here in case it is of any help to anyone in future.

  2. debajyoti - Please email plugins[AT]wordpress.org with that information as well as what file in the plugin has the hack.

  3. petirico
    Member
    Posted 3 years ago #

    Thx Debajyoti!
    I've followed your instructions & it works again!

    Are u sure it's from the IGIT Related Posts plugin?

    Thx for your follow up & investigations ;)

  4. debajyoti
    Member
    Posted 3 years ago #

    @Ipstenu: I have mailed the details.
    @petirico: Thanks mate. I am glad it was of help to you. Yes, I'm sure. That plugin also places hidden spam links if you don't give them credit. The ethics of the plugin developer is now questionable. I would no longer recommend that plugin to anyone :) Bad experience...

  5. girlgonegeekblog
    Member
    Posted 3 years ago #

    Thanks debajyoti! I got it working: I deleted that plugin and took out that code. I also fixed a few other code issues and it works now!!! Thanks so much!

    http://www.girlgonegeekblog.com/

    feed://feeds.feedburner.com/girlgonegeekblog

  6. bigal42
    Member
    Posted 3 years ago #

    Would the plugin called TAC have caught this? Just wondering.

  7. Daniel Cid
    Member
    Posted 3 years ago #

    Did you save any of those files (or the malicious code)? If you did, can you email them to me for analysis (my email = username)?

    thanks,

  8. 1337man
    Member
    Posted 3 years ago #

    I do not think it is just that plugin that is to blame. I believe it is the timthumb.php file that the plugin is using. Try replacing yours with this one: http://timthumb.googlecode.com/svn/trunk/timthumb.php

  9. 1337man
    Member
    Posted 3 years ago #

    I also just discovered another file, aside from the ones that I have been reading about, that the hack will put on your server. Look under wp-content for something that looks like a cache file. If you open it you will find all the info relating to superuperdomain.com.

    http://imageshack.us/photo/my-images/713/screenhunter07aug081202.jpg/

    http://imageshack.us/photo/my-images/845/screenhunter06aug081202.jpg/

  10. OceansDB
    Member
    Posted 3 years ago #

    Y'all have to read my post here:

    WordPress › Support » RSS Feed Crash http://bit.ly/ojQ4sC

    I gave all the details on this bug in that topic.

  11. cbmc
    Member
    Posted 3 years ago #

    I've been hit with this as well. I had already removed the plugin because it was not working very well, but it left those nasty little surprises. I've been banging my head against the system trying to find the source of the problem for about 36 hours.

    I want to note that I could not have found this thread without this other thread: http://wordpress.org/support/topic/feedburner-rss-feed-link-broken ... which was posted after my initial search and contained the code/URL placed by the malware:

    script language="javascript" SRC="http://superpuperdomain2.com/count.php?re

    Hopefully having that in this thread will make it easier for others to find. I'm glad I came back and ran the search for the url again.

    Thanks for posting the fix!

  12. veggera
    Member
    Posted 3 years ago #

    @debajyoti Thank you very much, you saved my site!!

  13. heredia21
    Member
    Posted 3 years ago #

    Thanks debajyoti

  14. eclarian
    Member
    Posted 3 years ago #

    CHECK YOUR PHP.INI FILE AS WELL!!!! It enables remote debugging! Make sure to clear out your php.ini file.

    Also make sure you change ALL your passwords. It has an MD5 cracking script that cracks your current passwords.

    This script embeds an iframe within your site from another site "http://global-traff.com" and this could possibly hijack any other current sessions that your browser has open (such as to Facebook, Twitter, etc.)

    Clear your cookies and change the passwords for everything you have and especially those things that were currently open at the time that this occurred.

    ALSO NOTE: This may be a vulnerability within WordPress itself because we did not have the plugin mentioned above.

  15. cbmc
    Member
    Posted 3 years ago #

    eclarian: What were the earmarks of what hit you that match what is being described in this thread related to the related posts plugin?

  16. debajyoti
    Member
    Posted 3 years ago #

    It's a timthumb.php exploit. That plugin was using an old timthumb.php. Any other theme or plugin using an old timthumb.php might also be vulnerable to this phpRemoteView attack. I have mailed the detailed files to WordPress. They have informed the plugin developer and, for the time being, the plugin has been removed until the plugin developer fixes the loopholes and further tightens security. As far as I have investigated, it's not a vulnerability within WordPress core; it's the timthumb.php file causing this problem. Ipstenu posted a good link in another thread:
    "For those following along, this seems to be the TimThumb issue: http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html You can run an instant free security check for your site there."

  17. cbmc
    Member
    Posted 3 years ago #

    I actually ran the Sucuri scanner before I found this thread and it did not detect the active exploit. That was what prompted me to search for that URL again, because I had a wild guess that the exploit was too new for them to have it listed in their system yet as something to look for.

  18. OceansDB
    Member
    Posted 3 years ago #

    Don't forget to delete the phony files in your WordPress installation!

    There are 6 now:

    /wp-admin/js/config.php
    /wp-admin/common.php
    /wp-admin/udp.php
    /wp-content/udp.php
    /wp-content/uploads/feed-file.php
    /wp-content/uploads/feed-files.php

    A new domain popped up, so you have to change your .htaccess (not inside public_html) and replace the lines with these:

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain.com
    deny from superpuperdomain2.com
    allow from all

    If you don't have an .htaccess file there, make one :)

  19. cbmc
    Member
    Posted 3 years ago #

    What do you mean by "not inside public_html"? Do you mean under /wp-admin, /wp-content etc.?

  20. eclarian
    Member
    Posted 3 years ago #

    The php.ini file is in the root of your account folder ABOVE public_html.

    So the folder structure would be like this:

    ../php.ini
    ../public_html/index.php
    ../public_html/wp-admin/js/config.php
    ../public_html/wp-admin/common.php
    ../public_html/wp-admin/udp.php
    ../public_html/wp-content/udp.php
    ../public_html/wp-content/uploads/feed-file.php
    ../public_html/wp-content/uploads/feed-files.php

    REMEMBER TO FIX YOUR INDEX FILE. It loads an external script which writes an iframe inside your site.
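
    As an added example (not code posted by anyone in this thread), a small Python scan that walks a WordPress root for the rogue file paths listed in the two posts above and for files whose contents reference the superpuperdomain / global-traff hosts quoted in the thread. The sample install it builds is constructed for demonstration only; the file list and indicator strings are the ones the posts name.

```python
import os
import re
import tempfile

# Rogue files named in the thread, relative to the WordPress root.
ROGUE_FILES = [
    "wp-admin/js/config.php",
    "wp-admin/common.php",
    "wp-admin/udp.php",
    "wp-content/udp.php",
    "wp-content/uploads/feed-file.php",
    "wp-content/uploads/feed-files.php",
]

# Indicators quoted in the thread: injected script host and iframe host.
INJECTION_RE = re.compile(rb"superpuperdomain2?\.com|global-traff\.com", re.I)


def scan_wordpress_root(root):
    """Return present rogue files and files matching an indicator (paths relative to root)."""
    found = {"rogue_files": [], "injected_files": []}
    for rel in ROGUE_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            found["rogue_files"].append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # binary read: no decode errors on PHP/cache files
                if INJECTION_RE.search(fh.read()):
                    found["injected_files"].append(os.path.relpath(path, root))
    found["injected_files"].sort()
    return found


def build_sample_root():
    """Constructed sample install (not a real infection): an index.php carrying the
    truncated script tag quoted in the thread, one rogue file, one clean file."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    os.makedirs(os.path.join(root, "wp-admin"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    samples = {
        "index.php": b'<?php /* wp */ ?>\n<script language="javascript" '
                     b'SRC="http://superpuperdomain2.com/count.php?re',
        "wp-admin/udp.php": b"<?php /* constructed rogue file */ ?>",
        "wp-content/uploads/readme.txt": b"legitimate content",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

    Run it against a real document root with `scan_wordpress_root("/path/to/public_html")`; a clean install returns two empty lists.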

  21. OceansDB
    Member
    Posted 3 years ago #

    @cbmc In your account’s root folder.

    You can read the full thread here:

    PHPRemoteView Hack: What it is, and how to remove it • TechSpheria http://bit.ly/oRgMnJ

  22. cbmc
    Member
    Posted 3 years ago #

    Oh, the site's root folder. I've got my own servers, so there is no "account" involved.

    Much appreciative of the link. Thx!

  23. OceansDB
    Member
    Posted 3 years ago #

    You are very welcome :-)

  24. gitanoblue
    Member
    Posted 3 years ago #

    Thanks for all the help here. 3 sites affected so far, but these fixes seem to do the trick.

  25. naptunian
    Member
    Posted 3 years ago #

    These fixes worked for me as well. Thanks everyone!

    Unfortunately, it looks like IGIT Related is still available from the WordPress plugins directory.

  26. naptunian
    Member
    Posted 3 years ago #

    Never mind. It looks like I may have confused the widget with the non-widget version.

  27. phpaddicted
    Member
    Posted 2 years ago #

    Hi All,

    Sorry I was not available for a month due to an accident, and many things happened here while I was not available.

    First of all I am sorry for not updating the plugin for the timthumb vulnerability. I have updated timthumb, but WordPress closed my plugin, and this is because of all your efforts, especially debajyoti's.

    @debajyoti as you wrote: "The ethics of the plugin developer is now questionable."
    Could you please explain to me what you want to say???? How could you blame someone's ethics? If I put links, then I already gave an option to remove them in admin; you can check in admin that there is already an option available. I am really sorry for not updating the plugin, and thanks to all, and especially to you, for drawing attention to removing my plugin from sites.

    Ankur

Topic Closed

This topic has been closed to new replies.
