
Limit Login Attempts
Plugin hacked (33 posts)

  1. igloobob
    Member
    Posted 6 months ago #

    Hello,

    I just got a message from my client. They were contacted by another company who had had their site hacked. They had used Sucuri to identify that loads of html files had been loaded into a scripts folder within the limit-login-attempts plugin folder. The infection got in through an inserted line in limit-login-attempts.php.

    The html files in the new scripts folder were all retail things for Christian Louboutin shoes and similar things. There were about 50 files.

    I went to check the site and the login page had been blocked due to too many attempts - I hadn't attempted any log in on that site for a few weeks.

    Is there a security flaw on this plugin now? I have deleted it and all the files in the meantime.

    Has anyone else come across this?

    https://wordpress.org/plugins/limit-login-attempts/

  2. ikeif
    Member
    Posted 6 months ago #

    Yup - I had to delete it as well, I had a bunch of html files (including those you mentioned) added, and a third party contacted me tracing the link jumps.

    I don't know if this will get straightened out, but I'm looking at alternatives now.

    I was sent this:
    Infection got through:

    ./blog/wp-content/plugins/limit-login-attempts-S/limit-login-attempts.php
    The .php file contained the following malicious code loading lots of .html files (~ 184 files) within the directory
    './blog/wp-content/plugins/limit-login-attempts-S/scripts/':
    ==================================================================================

    $rand_dir = array_rand($dir, 3);
    foreach ($rand_dir as $t_num) {
        echo '<a href="' . home_url() . '/?pid=' . $dir[$t_num] . '" target="_blank">'
            . str_replace('.html', '', str_replace('-', ' ', $dir[$t_num])) . '</a>';
    }

  3. bestfrenchmortgage
    Member
    Posted 6 months ago #

    Hi guys, were you using LLA ver 1.7.1 or an earlier release?

  4. ikeif
    Member
    Posted 6 months ago #

    I was using 1.7.1

  5. bpmildh
    Member
    Posted 6 months ago #

    There is something funny about the path in ikeif's post (limit-login-attempts-S). Where did the trailing -S come from?

  6. igloobob
    Member
    Posted 6 months ago #

    I'm away at the moment so can't check but I'm pretty sure it was the latest version as I had all plugins updated.

    That trailing -S I also had on mine; it must be connected to the hack?

  7. bpmildh
    Member
    Posted 6 months ago #

    You should ask yourself some more questions igloobob:
    Were both folders in the plugin directory (with and without -S)?
    What other files/folders had been added or changed during the unattended period?
    What permissions do you have on files/folders?
    Did you check the company behind the complaints?
    What protection do you use instead of LLA?

    The plugin file does not contain the code in ikeif's post.

    I'm no expert but I rely on this plugin and did check my installs and the files on wordpress.org. This could be in the interest of those trying to hack our sites, compromising one of the methods we have to stop them.

    One could only ask for the developer to update the plugin (description?) to clarify that it's not outdated.

  8. igloobob
    Member
    Posted 6 months ago #

    Both folders were not in the directory; the folder had been renamed, adding that -S on.

    The only files as far as I could tell that were changed were:

    1. limit-login-attempts.php (a few lines of code were inserted here that apparently were the cause of the new scripts folder and html files within that folder).

    2. a scripts folder was created containing these html files that were generated by the inserted line of code mentioned in point 1 above.

    Permissions I would have to check as the client's host controls that and has it set up where I haven't been able to change them myself. They have it tied up pretty tight as far as I can tell as I've had to get them to do all sorts for me that I would usually be able to do myself.

    I haven't checked the company myself actually but everything they said to us seemed correct.

    Currently, we've changed all the logins including FTP and are using proper secure passwords (we were anyway actually).

    We've added password protection onto the log in area with .htaccess.

    I've deleted the plugin and all files now.

    Correct, the plugin file does not contain that code. That code has been inserted via a hack we assume?

    I'm away this week so can't check all details, but the above is correct as far as I can remember.
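    Since the discussion above turns on working out which plugin files were added, renamed or changed, here is an added example (not code from the thread, the plugin or its author) that compares an installed plugin directory against a pristine copy of the same version and flags directories that appeared as nothing but .html files. It assumes you have unpacked the official wordpress.org zip of the same version somewhere to serve as the pristine copy; the fixture in demo() is constructed to mirror what the thread describes.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _tree(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in root.rglob("*") if p.is_file()}


def audit_plugin(installed: str, pristine: str) -> dict:
    """Compare an installed plugin directory against a pristine copy.

    'pristine' is assumed to be the same plugin version unpacked from the
    official wordpress.org zip. Returns files added, removed or modified,
    plus directories that appeared only as a set of .html files, the
    pattern the thread describes for the injected 'scripts' folder.
    """
    have, want = _tree(Path(installed)), _tree(Path(pristine))
    added = sorted(set(have) - set(want))
    removed = sorted(set(want) - set(have))
    modified = sorted(f for f in have.keys() & want.keys() if have[f] != want[f])
    html_dirs = sorted({os.path.dirname(f) for f in added
                        if f.endswith(".html") and os.path.dirname(f)})
    return {"added": added, "removed": removed,
            "modified": modified, "html_dirs": html_dirs}


def demo() -> dict:
    """Constructed fixture: a clean copy and a copy mirroring the thread."""
    tmp = Path(tempfile.mkdtemp())
    clean, hacked = tmp / "pristine", tmp / "limit-login-attempts-S"
    for d in (clean, hacked):
        d.mkdir()
        (d / "limit-login-attempts.php").write_text("<?php // plugin code\n")
        (d / "readme.txt").write_text("=== Limit Login Attempts ===\n")
    # Inserted lines in the main file plus a scripts/ folder of spam pages
    # (constructed stand-ins, not the actual injected code from the thread).
    with (hacked / "limit-login-attempts.php").open("a") as fh:
        fh.write("// injected line\n")
    (hacked / "scripts").mkdir()
    for i in range(3):
        (hacked / "scripts" / f"spam-page-{i}.html").write_text("<html></html>")
    return audit_plugin(str(hacked), str(clean))
```

    Run audit_plugin() against the real plugin directory and the unpacked release; a non-empty "modified" or "html_dirs" result is what the posters above found by hand.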

  9. richsadams
    Member
    Posted 6 months ago #

    I'm using LLA on two sites and haven't had any issues, but based on your posts I'm going to delete the plugin on both sites as well.

    I've had sites hacked before and I do NOT want to deal with it again.

    I want to hear from the LLA developer that this has been resolved before I use it again.

  10. Julian Fox
    Member
    Posted 5 months ago #

    I've noticed this plugin doing some funny things too, like users being able to get around the lockout after the login attempts limit is reached. I'm gonna uninstall this just to be safe.

  11. igloobob
    Member
    Posted 5 months ago #

    Still no word from the plugin author on this...

  12. rick111
    Member
    Posted 5 months ago #

    Any response from the plugin developer? Should we scrap this plugin?

  13. igloobob
    Member
    Posted 5 months ago #

    I've sacked it off, can't be messing about waiting for a response on security issues

  14. rick111
    Member
    Posted 5 months ago #

    Any alternatives? You said that "We've added password protection onto the log in area with .htaccess." But what about if you have blog users that need access?

  15. igloobob
    Member
    Posted 5 months ago #

    Not sure to be honest, sorry; my client's site in question doesn't have any blog users, it's only got a few admins within the company that need access to the backend.

  16. rick111
    Member
    Posted 5 months ago #

    Does anyone have the email of the developer?

  17. MaFt
    Member
    Posted 5 months ago #

    Client's site had this too. I've now deleted the plugin.

  18. igloobob
    Member
    Posted 5 months ago #

    I've emailed Johan to see if he is aware of this issue.

  19. johanee
    Member
    Plugin Author

    Posted 5 months ago #

    Hi,

    Thanks for sending me a notice.

    I've not seen reports like this before, and will investigate. If you have any additional information please send it my way.

    Thanks,
    Johan Eenfeldt

  20. Dugs
    Member
    Posted 5 months ago #

    Hi,

    Is there any news on this. I have disabled the plugin until I see confirmation that this security issue is resolved.

    thanks

  21. rick111
    Member
    Posted 4 months ago #

    Johan,

    Is it safe to use your plugin, or are the rumors being spread on purpose?

    Thanks

  22. Iamhere
    Member
    Posted 1 month ago #

    This plugin is over two years old and does not appear to have been updated, therefore it has been abandoned. The Author may well have moved on (no offense meant johanee)

    PHP code has changed a lot over the last two years, and any plugin that hasn't been updated in that time should be considered unsafe.

    I have been recommended this plugin - though I have nothing to do with it, and have not tried it, so I cannot vouch for it, but it certainly seems comprehensive (though perhaps a bit more complex than the limit logins plugin!)

    http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

    The other obvious alternative is http://wordpress.org/plugins/wordfence/

    Not used either, so can't comment - yet!

  23. RavanH
    Member
    Posted 1 month ago #

    @all - please be aware that:
    1. The malicious code is not in the original plugin file. It has been put there through a hack.
    2. The fact that it is inside a security plugin file is ironical (to say the least) but does NOT necessarily mean that the plugin is insecure. The leak might just as well be in any other file...
    3. A chain is as strong as its weakest link. Removing one link, without being sure it is the weakest, will not make the chain stronger.

    That said, I'd really like to hear back from Johan Eenfeldt about his findings. And if development of this plugin continues because it remains an increasingly useful one.

  24. Julian Fox
    Member
    Posted 1 month ago #

    wpengine.com use this on all their WordPress installations by default. I haven't had any problems with them, and have heard mostly good things.

    They also like to be a bit picky about what you can and can't do with your WordPress, so I'm confident they know what they are doing with Limit Login Attempts. However, they may modify it; I don't know.

    Haven't seen any issues with this plugin on any of my sites since I reported this, so I dunno, maybe it was a plugin conflict that went away with an update of another plugin.

  25. bvl
    Member
    Posted 2 weeks ago #

    IMHO, this all comes down to:

    1. the plugin itself does not suffer from a security breach and is safe to use
    2. some hackers seem to target this popular plugin to hide some malicious code in. They would probably target another plugin on your system if you removed it.

    So, if you have been hacked this way, be aware that your site does suffer from a security breach, but it is unlikely that that is a leak inside the original plugin code.

  26. ikeif
    Member
    Posted 2 weeks ago #

    As one of the original people reporting this from the plugin "being hacked" - this isn't "malicious rumors" but "cause for concern." As the WordPress API has been updated repeatedly, and the plug-in has not in two years, it creates the cause for concern that it may be using insecure or deprecated methods that can create the potential for it to be targeted and hacked.

    Two independent users (myself and igloobob) encountered this issue. I have emails from a third party notifying me of the breach:

    > You may view the external back link by looking at the source of the page.
    > Please know that we rectified the infection by having http://www.sucuri.net disinfect our blog and the infected pages. In order to assist you, we have provided you with information and coding below if your blog or site has been impacted by the infection spread by these hackers:
    > ======================================================>
    > Infection got through:
    >
    > ./blog/wp-content/plugins/limit-login-attempts-S/limit-login-attempts.php
    >
    > The .php file contained the following malicious code loading lots of .html files (~ 184 files) within the directory
    >
    > './blog/wp-content/plugins/limit-login-attempts-S/scripts/':
    > ==================================================================================
    >
    > $rand_dir = array_rand($dir, 3);
    > foreach ($rand_dir as $t_num) {
    >     echo '<a href="' . home_url() . '/?pid=' . $dir[$t_num] . '" target="_blank">'
    >         . str_replace('.html', '', str_replace('-', ' ', $dir[$t_num])) . '</a>';
    > }
    >
    > =====================================================================
    > We have taken this attack on our website blog from these hackers very seriously. We suggest that you forward this letter to the appropriate individual who handles the technical and security issues with regard to your website.
    >
    > It is our understanding in addressing this issue with our webmaster and security team is that by removing the above coding as well as the html files within the script directories, any potential risk or exposure to your site from these hackers should be alleviated.
    >

    So I think it's a bit presumptuous to say "the plugin doesn't suffer from a security breach and is safe to use" if you are not performing a full code and security audit on it, and then pushing blame on other plugins.

    You *could* be correct. Or you could be very incorrect, asserting a false assumption, and the plugin needs updating.

    Personally, I'm reviewing the code to see if I can update it myself, as time permits, but as I'm not the author, it is not a priority of mine (and as it is a free plugin, I don't expect johanee to make it a priority, either).

  27. bvl
    Member
    Posted 2 weeks ago #

    It is my concern that with this kind of hack people are blaming this plugin and think removing it is all they need to do to be safe again, while the real security problem *may* (in my opinion even more likely) be with another part of their system.

    Maybe we can agree that it would be best if both the plugin would get a thorough code and security audit AND people who ended up with a hacked 'Limit Login Attempts' plugin also seriously look at other possible origins for the hack, okay?

    ;-)

  28. Iamhere
    Member
    Posted 2 weeks ago #

    Thanks to the moderators, my previous post was removed. So much for free speech - Dear moderators - do you enjoy censorship - perhaps you should move to Beijing ? And not even any notification that my post was not allowed (presumably because I mentioned a couple of alternative plugins?)

    The point I was making is that this plugin has been very useful, but it is out of date - over 2 years old. There are other alternatives out there, such as Wordfence and All in one security plugin, however, what I loved about this plugin is that it's so simple.

    Here's hoping the author of this plugin can get to update it.

  29.
    > Thanks to the moderators, my previous post was removed. So much for free speech - Dear moderators - do you enjoy censorship - perhaps you should move to Beijing?

    It appears to have been caught as spam. I recovered it above and don't plan to move to Beijing.

    > And not even any notification that my post was not allowed

    Generally, no. It was caught as spam and we don't want spammers to know they were caught as spam (obviously, you weren't spamming).

    > Here's hoping the author of this plugin can get to update it.

    There is no need to update it, it works just fine and has no security vulnerabilities itself, but I'll respond to some of your specific points from your earlier reply below.

    > This plugin is over two years old and does not appear to have been updated, therefore it has been abandoned.

    That is true in a technical sense, though it has no bearing on the quality and use of a plugin.

    > PHP code has changed a lot over the last two years, and any plugin that hasn't been updated in that time should be considered unsafe.

    Not true. Yes, PHP has changed a lot, but that doesn't mean the plugin is now automatically unsafe, that's not how PHP (or any coding language for that matter) works.

    Code is unsafe if it's unsafe, nothing more, age plays no factor. If a security vulnerability is discovered in the plugin over time, then it was there to begin with, and either wouldn't have been allowed by the WordPress.org Plugins Review team or it would have been removed immediately after the report.

    This plugin still works, there are no security vulnerabilities in the plugin itself, it is still recommended by countless WordPress security experts and installed by default at many hosting providers, there is no reason for it to be updated.

  30. Iamhere
    Member
    Posted 2 weeks ago #

    @MacManX - thank you for your sincerity! Forgive my gripe - I was feeling rather persecuted!

    Why do my posts keep getting marked as spam ? I am not doing any spamming !! I hate spam!!!!

    Thank you for your fair comments and response.

    As I have said, I am not attacking this plugin, or the author - I appreciate the time and effort they have put into this plugin - however, the fact remains that when a plugin (even one as good as this) is left to age, it may not do so gracefully. Often, the only defense a humble plugin user has is to look at how often the plugin is updated.

    That being said, I am not an expert and do not claim to be - so I defer to your greater knowledge of the code veracity within this plugin.

    Notwithstanding, this issue brings up the wider debate around WordPress plugins and a repository of code, some of which is outdated and of poor quality. I realise this debate probably could be moved to a different topic, and is certainly bigger than just this plugin, but it's an issue that affects every user.

    I guess it's an open source issue - the same problem exists within Google's Play store.
