Subscribe2
[resolved] My site was hacked and sent out mass emails from this plugin (25 posts)

  1. pluto459
    Member
    Posted 2 years ago #

    I was just notified by my host that I was sending out 20000 emails and was in violation of TOS for sending more than allowed. I replied WHAT IN the world are you talking about.

    They said this plugin was sending out the emails. The strangest part was that the email had content and a link to my site and looked as if I had actually done the email list. Problem is NO ONE set up the list or attempted to send these emails out, yet it happened.

    This is not the first time I have seen strange behavior using this plugin, and I figured that since it was updated it would have corrected the backdoor that was left that allowed people to post content to my site through the plugin.

    This post is directed at the makers, since there was no contact link and it stated to post on the forum.

    I need answers as to how someone was able to access my site through your plugin and was allowed to create an email list.

    http://wordpress.org/extend/plugins/subscribe2/

  2. I'm not sure why this plugin would do that, but I think that using a company like MailChimp, Constant Contact or Campaign Monitor is a better option for subscriber lists.

  3. pluto459
    Member
    Posted 2 years ago #

    I didn't want to send ANY emails!!!

  4. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago #

    @pluto459,

    Subscribe2 has certainly been used by whoever hacked your site to send emails - in exactly the same way that you can use it to send emails to your subscribers from the Subscribe2->Send Email page.

    It has not however been used to hack your site unless between you and your hosting company you can show me the security flaw.

    The recent issues to which you allude were issues that allowed someone who already had administrator-level access to your blog to execute arbitrary JavaScript - certainly nothing that would explain your site being hacked - anyone with this level of access could have emails already.

    You need to check your local machines for viruses and malware that may have captured passwords, then change your passwords on your sites for everything (cPanel, emails, WordPress, the whole lot). Then make sure you access your FTP via a secure means (like SFTP) and also consider changing the admin login name from 'admin' to something less obvious.

    All of that and a lot more are covered already by WordPress here

  5. pluto459
    Member
    Posted 2 years ago #

    My machine is checked EVERY DAY for malware and viruses.

    The scary part about this whole thing is that the email that was sent out actually linked to site content and looks like I actually set up this email list.

    The logs show only my IP accessing the server and I know that I never created the email. Hostgator has pinpointed the mail sending out to this plugin. I would love to share any logs I have so this can be solved.

    Since my IP is the only one and I know I didn't do it and the link isn't the standard spam for drug sales or whatever, something really screwy is going on.

  6. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago #

    @pluto459,

    Just to get this clearer in my head - you have never used Subscribe2 then?

    If that is the case then whoever compromised your site (and you haven't said if you used clear text passwords for your FTP logins - that was how I got hacked back in January) could have installed this plugin, loaded up a mailing list via your admin panel and then clicked send - really not that hard once the site is compromised.

  7. pluto459
    Member
    Posted 2 years ago #

    I have never used it, yet it was installed and active.

    According to logs it was just my IP accessing the server and the email sent was a link back to my site, which is the strange part. On the surface it looks 100% like I actually did the mailing.

  8. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago #

    @pluto459,

    As I said above, once your site is compromised the attacker can log into the WordPress admin area and install plugins. Of course it will then look like the emails came from you - they used your site.

    If Subscribe2 was not installed before the attack then it is not under suspicion as part of your security breach - you are back to passwords, malware and brute force attacks.

  9. pluto459
    Member
    Posted 2 years ago #

    Guess I wasn't clear, the site wasn't compromised and the plugin was installed and active, although I never used it or opened it to even know how to set it up.

    NO ONE installed this plugin, I did a while ago.

    Unless the hacker spoofed my IP there is no one else logging in to the site or server.

  10. esmi
    Forum Moderator
    Posted 2 years ago #

  11. pluto459
    Member
    Posted 2 years ago #

    Funny, I have that plugin installed as well and no issues.

    So, someone hacked my site to create an email to promote a page on my site?

  12. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago #

    @pluto459,

    You have completely lost me now!

    Your title for this thread begins "My site was hacked" but more recently you are saying "the site wasnt compromised". You also seem to be saying that subscribe2 was installed and activated. Well who did that then? Was your site hacked or not?

  13. pluto459
    Member
    Posted 2 years ago #

    If someone sent out an email list using this plugin and it wasn't me, I call that hacked.
    The plugin sent out mass emails with a message promoting a page on my site.
    I said the logs show only my IP and I KNOW I didn't set up any email list.
    The plugin was activated a while ago thinking it was the social plugin allowing you to share.

  14. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago #

    @pluto459,

    So are you saying that you installed it? You activated it? You left it on your site and then you are surprised when the plugin code does what it is supposed to do?

  15. pluto459
    Member
    Posted 2 years ago #

    So you're telling me that the plugin auto generates an email and then after IT MAKES IT up sends it out?

    Last time I checked you have to setup the plugin, create an email and email list and then HIT SEND to start that list.

    I never did any of that!!!

  16. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago #

    @pluto459,

    In the banner at the top of the plugin page: "Sends a list of subscribers an email notification when new posts are published to your blog"

    When you write new posts the plugin generates emails from your post content and sends to a subscriber list. That is the entire purpose of the plugin.

    It is designed to work on activation to keep things easy but it also allows site level customisation. So, no need for you to create any lists or hit send buttons.

    Again, I question why you would install a plugin and activate it when you don't want to use it and don't really know how it works.

  17. pluto459
    Member
    Posted 2 years ago #

    AS stated EARLIER, plugin was thought to be sharethis and not any email plugin. Was installed for over two years and never an issue. THEN sent out over 20000 emails in an hour.

    Regardless if I set it up and activated it that is not normal.

  18. Frumph
    Member
    Posted 2 years ago #

    ^ just to interject.

    The Subscribe2 plugin has a vulnerability where anyone from outside can send emails through it by sending info to the plugin's URL with your domain and the content they want to go out, which includes lists of recipients.

  19. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago #

    @Frumph,

    Thanks for raising this as a security issue, if you would send me more details and a proof of concept via here I can investigate and patch if necessary.

    As far as I'm aware I've implemented the WordPress nonce security so what you are suggesting should not be possible - but perhaps I've done something wrong or there is a flaw in the nonce security.

  20. Jason Lemahieu (MadtownLems)
    Member
    Posted 1 year ago #

    Any update on the supposed vulnerability?

    And, as always, thanks MattyRob for the plugin, all your work, and all your support. Some of us really appreciate it :)

  21. mattyrob
    Member
    Plugin Contributor

    Posted 1 year ago #

    @MadtownLems,

    I don't recall ever having any follow up contact on this so as yet any security vulnerability remains unconfirmed.

  22. Inndesign
    Member
    Posted 1 year ago #

    What Frumph described just happened to my client too. Somehow, a hacker is using the Subscribe2 software to email to the installed client list remotely, with malware attached. The site is secure, the password seriously encrypted, no activity is shown from the hosted account or the blog itself in the sense of an unknown IP accessing the site in any manner. Still trying to define the details.

  23. mattyrob
    Member
    Plugin Contributor

    Posted 1 year ago #

    @Inndesign,

    Access the site via FTP and erase the Subscribe2 folder. Then install and run the Exploit Scanner plugin. I suspect you will find a few remaining back doors for the hacker.

    If you can identify any vulnerability in Subscribe2 I can fix it but as far as I know the code is secure.

  24. cdogstu99
    Member
    Posted 1 year ago #

    Folks, same thing happened to me. I use the subscribe2 plugin to send out emails to clients for new posts. Knew something was wrong when none of my emails were going through. The hackers were sending thousands of emails an hour and it in turn led to my site being marked as a spammer. I am now removing the plugin.

  25. mattyrob
    Member
    Plugin Contributor

    Posted 1 year ago #

    @cdogstu99,

    Subscribe2 is a plugin designed to send out emails when a post is published, periodically or manually. If your site is hacked and this plugin is present (or even installed by the hacker) that doesn't mean the plugin was the source of the hack, simply a bonus for the hacker.

    Your site may have been vulnerable due to other reasons like a weak password, WordPress being out of date, sharing passwords with other accounts or using FTP when FTPS is more secure.

    The code is open source and has been reviewed before and as I've said before, until I am shown a proof of concept for an exploit in the code I cannot patch any presumed security holes.

Topic Closed

This topic has been closed to new replies.
