
Extended Comment Options
Vulnerability? getting risky emails with links re this plugin (10 posts)

  1. anmari
    Member
    Posted 2 years ago

    Hi - just flagging that it looks like websites that use this plugin may be used for scams. Possibly a vulnerability in the plugin?
    I got an email from someone I hardly ever communicate with, with just this link:

    hxxp://users.crashculture.com/wp-content/plugins/extended-comment-options/image.php?Miss164.jpg

    So I started googling, intrigued as to what the problem was,
    and found mention of hacked Gmail accounts in the last couple of days:
    http://www.google.co.uk/support/forum/p/gmail/thread?tid=1323c091c79c67d0&hl=en

    which lists links that also involve this plugin:

    hxxp://users.crashculture.com/wp-content/plugins/extended-comment-options/photo.php?cook164.jpg
    Also see:
    http://www.google.com/support/forum/p/gmail/thread?tid=2bff3fdf61d978d2&hl=en

    http://www.dataprotectioncenter.com/security/dreamhost-hijacked-websites-redirect-to-russian-scam/

    http://wordpress.org/extend/plugins/extended-comment-options/

  2. tanmccuin
    Member
    Posted 2 years ago

    I also just received a link from a client's Yahoo account (mass emailing) forwarding to a "friends.php" link inside a WP installation with Extended Comment Options.

    OP, I'd recommend removing the full path to the image.php?miss164.jpg etc. If anyone here clicks that, they may be exposed to malicious software.

    To the plugin developer: I'd look into this.

  3. Reported up the chain for a review if it's the plugin or just the folder they're picking on.

    It's possible that the plugin's vulnerable, but it's also possible that it just happens to be the folder people are sticking their evil code in.

  4. Glenn Ansley
    Member
    Plugin Author
    Posted 2 years ago

    Thanks guys. I actually just received ownership of this from the original developer. I'll take a look at it. I know I saw a lot of custom SQL in it when I looked through it earlier. I was planning on cleaning that up so I'll look the whole thing over.

  5. I asked Otto, who said he didn't see anything in trunk as a problem (so that's good!)

  6. Lew Ayotte
    Member
    Posted 2 years ago

    Not sure, but I think this is just a coincidence... e.g. somehow someone compromised your site and stuck some code in that file (or created a new file). I got an email from a friend at yahoo (had his account hacked) with this link: http://inscoremusic.com/wp-includes/piecemaker-images/info.php?coffee176.jpeg

    I didn't go to it because it was suspicious, and it looks similar to your link.

  7. tanmccuin
    Member
    Posted 2 years ago

    I've seen this with a few different hacked email accounts from various people. Not always from this plugin, but the same idea... [name].php?[image] must be a common exploit?

  8. Yeah, layotte, I think that's the case. People used to target Akismet that way (since they knew it'd be there). I don't know if there's anything you can do to prevent it, without actually seeing someone's copy of a corrupt file.

    If you have one, post it to pastebin.com and share :)

  9. takien
    Member
    Posted 2 years ago

    Hello, I just got an email with a link to
    _http://connor.cannaphonic.com/wp-content/plugins/extended-comment-options/docs.php?model1.php

  10. Glenn Ansley
    Member
    Plugin Author
    Posted 2 years ago

    Hi,
    As mentioned above, it appears that a script is targeting the plugin's folder as a landing zone. I would suggest that you don't post links to malicious code on the forums though. That's probably not good for the masses.
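The pattern described in posts 7, 8 and 10 (a PHP file dropped into a well-known plugin or wp-includes folder and linked as name.php?word123.jpg) leaves a recognisable trace in the web server access log, which is where a site owner who received one of these reports would look first. The script below is an added example, not code from the Extended Comment Options plugin or from WordPress. It parses combined-format access log lines, flags requests whose target is a .php script at least one directory below wp-content/plugins, wp-content/themes, wp-content/uploads or wp-includes and whose query string is just letters, digits and a file extension, and lists the scripts to inspect on disk. The sample log lines, the documentation-range IP addresses, the response statuses and the regular expressions are constructed for illustration and are not taken from the thread.

```python
"""Scan a web server access log for requests matching the lure-link pattern
described in this thread: a PHP script sitting inside a WordPress plugin,
theme, uploads or wp-includes directory, called with a query string that is
just <letters><digits>.<ext> (image.php?Miss164.jpg).

Added example, not code from the Extended Comment Options plugin or from
WordPress. The log lines, IP addresses and statuses below are constructed.
"""
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A .php file below one of the directories these lures are dropped into,
# requested with a query string that carries no key=value pair at all.
# Legitimate plugin endpoints normally take named parameters or are reached
# through admin-ajax.php, so this shape is worth a look every time it appears.
LURE_RE = re.compile(
    r'^/(?:wp-content/(?:plugins|themes|uploads)|wp-includes)/'
    r'(?P<dir>[\w./-]+)/(?P<script>[\w-]+\.php)'
    r'\?(?P<arg>[A-Za-z]+\d+\.[A-Za-z]{2,4})$'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_lure_path(target):
    """Return the regex match if the request target looks like a lure link, else None."""
    return LURE_RE.match(target)


def scan_log(lines):
    """Return one record per matching request: who asked for what, when, and
    which file (relative to the document root) should be inspected on disk."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        m = is_lure_path(rec["target"])
        if m is None:
            continue
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "status": rec["status"],
            "script": rec["target"].split("?", 1)[0],  # file to read on disk
            "arg": m.group("arg"),
        })
    return hits


def summarize(hits):
    """Count requests per suspicious script so the busiest files are read first."""
    return Counter(h["script"] for h in hits)


# Constructed sample log: documentation-range IPs, paths modelled on the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2011:08:14:02 +0000] "GET /wp-content/plugins/extended-comment-options/image.php?Miss164.jpg HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Feb/2011:08:14:09 +0000] "GET /wp-content/plugins/extended-comment-options/photo.php?cook164.jpg HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [10/Feb/2011:08:15:30 +0000] "GET /wp-content/plugins/akismet/akismet.css?ver=2.5 HTTP/1.1" 200 1234 "http://blog.example/" "Mozilla/5.0"',
    '192.0.2.15 - - [10/Feb/2011:08:15:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48 "http://blog.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2011:08:16:00 +0000] "GET /wp-includes/piecemaker-images/info.php?coffee176.jpeg HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [10/Feb/2011:08:17:12 +0000] "GET /wp-content/plugins/extended-comment-options/extended-comment-options.php?foo=bar HTTP/1.1" 200 0 "-" "curl/7.21"',
    'not a log line',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["script"]}?{h["arg"]}')
    for script, n in summarize(found).most_common():
        print(f"{n:4d}  inspect: {script}")
```

Against a real server, pass the open log file to scan_log() instead of SAMPLE_LOG. The match is a heuristic, not proof: a hit tells you which file to read, and the file itself (or its absence from a fresh copy of the plugin downloaded from wordpress.org) is what settles whether it belongs there. As the thread notes, the same trick has been used with other well-known folders, so do not limit the search to this plugin's directory.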

This topic has been closed to new replies.
