WordPress.org

[resolved] lizamoon reference in jetpack twitter php file (9 posts)

  1. funkarchitect
    Member
    Posted 1 year ago #

    Can someone explain to me what this code is and why it is in Jetpack's twitter php file?

    // Hack to replace this junk from the tweets.
    // http://www.theregister.co.uk/2011/03/31/lizamoon_mass_injection_attack/
    return str_replace( '</title><script src=http://lizamoon.com/ur.php></script>', '', $text );

    My wordfence scanner is telling me the website link listed is related to malware.

    Thanks.

  2. bowtie6
    Member
    Posted 1 year ago #

    I am getting the same error.

    What is this all about and what can be done to remove this hack?

    Hello - Jetpack - anyone?

  3. inamills
    Member
    Posted 1 year ago #

    After updating Jetpack today on several of my blogs, I was notified by Wordfence of the suspected malware in wp-content/plugins/jetpack/modules/widgets/twitter.php. I didn't save a copy of the file so I can't tell you the exact name of the file, but I do know it contained a URL that had to do with lizamoon. I deleted the file from all the blogs that were affected (not all the updated blogs were affected which I found quite odd) and that took care of the problem.

    I, too, would still like to know why a trusted plugin would have these issues. Maybe someone from Jetpack will respond?

  4. bowtie6
    Member
    Posted 1 year ago #

    Wordfence is a great tool. This is the second "issue" that Wordfence has caught regarding suspect lines of code in trusted plugins on my WordPress blog.

    I do not wish to hijack this thread, but you can CLICK here for another example of invalid code found by Wordfence.

    The point I am trying to make is that Wordfence is catching lines of code in plugins that might go unnoticed. The fact that Google has marked these URLs as suspect is of high concern to me. Why there would be mention of those URLs in a plugin's code is something that needs to be addressed. I think the folks at JetPack should explain in detail what is going on. For example, see the link I posted above.

    For the folks at JetPack: the scan made by Wordfence is showing the following link to Google: CLICK here Safe Browsing Diagnostics regarding Lizamoon. Sure would be nice for you folks to look at this promptly and let us know what is going on. Is this a line of code that can be safely deleted or as Inamills has done, the entire twitter.php file needs to be deleted?

    JetPack - we are awaiting your response.

  5. BecWaterhouse
    Member
    Posted 1 year ago #

    I'm glad to have found this thread because I just got the same notice.

  6. m1k3k
    Member
    Posted 1 year ago #

    same here

  7. daricedotorg
    Member
    Posted 1 year ago #

    Those two lines mentioned by the post starter are comments made by the developers. They explain what the code below the comments does and why.

    This code strips the lizamoon URL from tweets to protect from malware you get by clicking on the lizamoon website link in a tweet.
    This code effectively disables the link so no one can click on it and get infected with malware.

    Apparently Wordfence only registered the lizamoon word and gave off a warning.

  8. Tim Moore
    Moderator
    Posted 1 year ago #

    We're aware of the security notices this is generating. We added this code to protect users, as @daricedotorg mentioned.

    We are removing this bit of code in the next release, since it likely isn't needed anymore.

  9. inamills
    Member
    Posted 1 year ago #

    Thank you. Unfortunately, my knowledge of code is very limited, and I thought I had malware from the update.
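
One way to triage a scanner hit like the one in this thread, as an added example (not Jetpack's or Wordfence's code): PHP's built-in tokenizer shows whether the flagged word sits in a comment, in a string literal, or in inline HTML that is sent to the browser. `classify_hits()` and the `strip_junk()` wrapper are hypothetical names, and the second sample is constructed.

```php
<?php
// Added example. classify_hits() is a hypothetical helper, not a Wordfence or Jetpack API.
function classify_hits(string $source, string $word): array
{
    $hits = [];
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {
            continue; // one-character tokens such as ";" have no text to search
        }
        [$id, $text, $line] = $tok;
        if (stripos($text, $word) === false) {
            continue;
        }
        switch ($id) {
            case T_COMMENT:
            case T_DOC_COMMENT:
                $kind = 'comment';        // never executed, never sent to a visitor
                break;
            case T_CONSTANT_ENCAPSED_STRING:
            case T_ENCAPSED_AND_WHITESPACE:
                $kind = 'string-literal'; // data: review the call that uses it
                break;
            case T_INLINE_HTML:
                $kind = 'inline-html';    // emitted verbatim to the browser
                break;
            default:
                $kind = token_name($id);
        }
        $hits[] = ['line' => $line, 'kind' => $kind];
    }
    return $hits;
}

// The lines quoted in the first post, wrapped in a hypothetical function.
$plugin = <<<'SRC'
<?php
function strip_junk( $text ) {
    // Hack to replace this junk from the tweets.
    // http://www.theregister.co.uk/2011/03/31/lizamoon_mass_injection_attack/
    return str_replace( '</title><script src=http://lizamoon.com/ur.php></script>', '', $text );
}
SRC;
// Constructed sample: the same tag sitting in page markup outside any PHP code.
$page = "<title>Blog</title><script src=http://lizamoon.com/ur.php></script>\n<?php echo 'hi';\n";

foreach (['plugin' => $plugin, 'page' => $page] as $name => $src) {
    foreach (classify_hits($src, 'lizamoon') as $hit) {
        printf("%s line %d: %s\n", $name, $hit['line'], $hit['kind']);
    }
}
```

A `string-literal` hit still needs a look at the call that uses it; in the plugin sample it is the search argument of `str_replace()`, which removes the tag from the text rather than emitting it.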
