WooCommerce Catalog Enquiry plugin support thread: Avast reported a virus in demo website
  • AVAST and AVG are also reporting this in 2 WordPress websites I maintain. How can it be removed?

    The best way would be to replace these files with new ones, but this doesn't mean your problem is over. The real question is how these files got infected with the trojan. Was it because of a vulnerability in this plugin or something else?

    Either way, I would remove and stay away from this plugin until the situation becomes clear.

    Plugin Author WC Marketplace

    (@dualcube)

    @diabolico @grt007 We are extremely sorry to see that you have to face this issue.

    Just to inform you, this issue was not generated by our plugin. A third party plugin was causing this.

    Again we are really sorry for this inconvenience.

    We have set up a new demo: http://wcmpdemos.com/addon/catalog_enquiry/

    Please visit the demo link. We won't face any such issue there.

    Let me know if you have further queries or doubts.

    Looking forward to your co-operation.
    Regards,
    Moumita

    pluginvulnerabilities

    (@pluginvulnerabilities)

    @dualcube
    The files listed earlier still contain malicious code, so you really need to do more than just create a new demo, as the page for the plugin here and probably others still link to the old demo that contains malware due to those files.

    [removed by moderator]

    • This reply was modified 7 months, 3 weeks ago by  James Huff.
    Moderator James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    @pluginvulnerabilities
    As we have mentioned before, please report plugin security vulnerabilities following the guide at https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/ so that they can be handled properly by the right people, and please do not publicly disclose security vulnerabilities here.

    pluginvulnerabilities

    (@pluginvulnerabilities)

    @macmanx
    We didn’t disclose any vulnerability here, but no one can see that because you have removed the rest of our message despite nothing inappropriate being in that.

    If you actually read the page you linked to, you would see that it says:

    In the case of serious exploits, please keep in mind responsible and reasonable disclosure. Every attempt to contact the developer directly should be made before you reported the plugin to us (though we understand this can be difficult – check in the source code of the plugin first, many developers list their emails).

    Which is what we were in the process of doing, but now you have gotten in the way of that.

    If you can undo your actions we can delay disclosure, but otherwise we will need to go ahead with that to warn our customers and the users of our plugin that they are vulnerable.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    @pluginvulnerabilities
    Both the WordPress Security Team and the WordPress Plugins Team consider “responsible and reasonable disclosure” to be private disclosure, not public disclosure: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/

    Every attempt should be made to contact the developer privately, not publicly on the forums here. If you are not able to contact the plugin developer privately, then you should email the Plugins Team following the instructions at https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/

    The Plugins Team will handle the matter when properly reported, and as you can see if you try to access this plugin now, they are already in the process of doing so.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    I’ve clarified the pertinent information to add this:

    If you cannot contact them privately, please contact us directly and we’ll help out.

    You already contacted them privately. Airing dirty laundry or dog shaming by mentioning it here and announcing publicly that there is an issue, we feel, puts more people at risk. We understand this can be a difference of opinion, but we really would rather err on the side that limits public exposure before a fix is out.

    go ahead with that to warn our customers and the users of our plugin that they are vulnerable.

    Honestly, at this point you've already done the damage, so yes, please do. Send us a link to the report (though you know we're happy to take your reports before you post them too) and we'll enforce the fix as best we can.

    pluginvulnerabilities

    (@pluginvulnerabilities)

    @macmanx
    We haven't done any public disclosure yet; we privately notified the developer and included a reminder that we had contacted them in the part of our message you removed (so the public can't see what really happened). You don't seem to understand what disclosure is and you have made a mess of this situation, which is unfortunate (even worse is that once again the moderators here don't seem to even consider that they don't know what they are doing).

    Removing the plugin slows down the process of getting a fix out if the developer is responsive, that is why it is suggested that “Every attempt to contact the developer directly should be made before you reported the plugin to us”. The Plugins Team will only remove the plugin and inform the developer again, but they don’t fix it. If the plugin wasn’t removed the developer could simply put out a fixed version and people could start updating, but with it removed additional steps will have to happen that slow things down.

    Now we will need to disclose the vulnerability before it is fixed, which is what we were trying to avoid.

    pluginvulnerabilities

    (@pluginvulnerabilities)

    @ipstenu
    We were providing them a reminder because we had not gotten a response yet (which in another recent situation helped to get an issue resolved), not anything else.

    We easily found the vulnerability after coming across this thread, so if someone wasn't already exploiting the vulnerability (the issue of a vulnerability being exploited was raised before we joined in the thread), there isn't a reason to believe that others couldn't have figured it out without us saying anything (we certainly don't have unique expertise when it comes to doing that).

    Considering that you should know that there are vulnerabilities being exploited in plugins that never get fixed, your continued stance to “err on the side that limits public exposure before a fix is out” is irresponsible at best.

    We are probably going to take a pause notifying the Plugin Directory of disclosed vulnerabilities because doing work that people on the WordPress side should be handling, when they continue taking actions that are harmful to security of WordPress websites, doesn’t seem to be the best use of our resources.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    I’m sorry that our disagreement about what coordinated and responsible disclosure is has resulted in this.

    Our feeling is that since we’re always working against the clock, it’s best to contact the developers privately. Which you do. And we love it. When they don’t reply you follow up with us. Again, we are incredibly thankful for you doing this.

    All James and I are saying is that public posting from someone with as much positive merit in the community when it comes to security (i.e. you) raises red flags. If you've ever wondered why I don't talk about those things in public, it's because any time I do, I set off terror in the hearts of men. And I have a responsibility not to put folks in a panic before I have everything in hand and as sorted as it can be.

    You, for better or worse, have the same power as I do here. People know your reports are good. If they don’t, I’m happy to tell them you were wrong maybe twice in the years you’ve been volunteering your information (one was a disagreement about public disclosure, one was a VERY early on bug with WP and .. I’m pretty sure that’s it). You have a PHENOMENAL track record of right.

    But that comes with a cost. You, like Sucuri and other heavy hitters, have the ability to scare people.

    And honestly, while I agree they should be scared about security, we ask that you not scare them here in the forums.

    I know there are vulnerabilities that never get fixed. We still don’t have a great system for handling it. It still sucks. But we’ve open sourced all the directory code now, so if people can help us figure out a process that is maintainable and supportable to do this, we would love the help.

    Every last person on the plugins team, in the forums, and working on WP core is a volunteer. It’s probably not the best use of our resources either, but it’s the system we’ve got right now. I hope you’re willing to help us push forward and make it better. If you wanted to just switch over to email-dumping your reports on us, that’s fine (though it’s possible I may cherry pick you when we start pulling in new plugin review team members!)

    I should have pointed out when I first added to this post that in my instance it had nothing to do with WC Marketplace. I was merely reporting Avast and AVG were highlighting a similar issue with sites I maintain.

    I have cleaned up my sites and eradicated the problem for now. I found the issue was occurring in a number of different .js files throughout the sites. One of the files being reported with the problem was in the js folder for the theme I was using. I had a clean install of this theme on another site and I compared the content of each of the .js files. I found at the end of the code there was some additional code beginning with var _0xaae8=["","\x6A…… I have no idea what it was, as I am not a coding person, so I will not copy the full extraneous code here. I then looked at the last modified date on the file and looked for .js files with the same last modified date, and found quite a number; on checking a few, they had the same code at the end.

    I reinstalled the theme and also found a number of themes had been installed on the sites, which I had not done. Also on one of the sites I found a plugin that I had not installed. I deleted these.

    As the problem was in a number of .js files I thought manually fixing it would take me ages and also I had no idea how they were “infected”. After some research I installed the free version of Wordfence plugin and ran the scan. I checked the scan themes and plugins option before running the scan.

    It picked up a number of plugins that were infected. Wordfence has a function to fix the plugins, which it did successfully. However, a couple of plugins were not picked up by Wordfence and I was able to fix these manually.

    I also changed all the passwords for the administrator users of the websites. And crossed fingers that I had resolved the problem but I had not discovered the cause.

    48 hours later, BANG! They got hit again, including Wordfence. Fortunately Wordfence was able to log a strange login to the main site's admin area from an IP address that was not known to me at about 2am in the morning. Also the login password for that site had been reverted to the old password. I also found another strange theme installed and on another site a strange plugin. I removed these, deleted and reinstalled Wordfence. This time before running the scan I also checked the option to scan files outside the WordPress install. It found numerous instances of the hack in .js files with the message "The infection type is: Redirector:PHP/0xaae8". Wordfence resolved most and I resolved the others manually.

    This time I also changed all the user IDs and passwords for the WordPress administrators and also deleted all FTP accounts, and changed the hosting password on the premium hosting service being used.

    On checking this morning Wordfence shows a number of attempted logins using the old login so hopefully I have resolved the issue for now.

    But what troubles me is how the old WP administrator user ID was found (it was not admin), and how the password was determined? It was a complex string of characters.
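    A defender's scan that mirrors the two checks in the post above: first look for an appended `var _0x<hex>=["","\x..` string array at the end of .js files, then flag other .js files that share a confirmed hit's last-modified time. This is an added example, not code from the thread or from Wordfence; the sample site, file names and the dummy array contents are constructed.

```python
import os
import re
import tempfile

# Marker of the appended tail the post describes: array _0x<hex> opening with "\xNN" strings.
INJECT_RE = re.compile(r'var\s+_0x[0-9a-f]{3,}\s*=\s*\[\s*"[^"]*"\s*,\s*"\\x[0-9a-f]{2}', re.I)

def tail_has_marker(path, tail_bytes=8192):
    """Read only the end of the file, since the post found the code appended."""
    with open(path, 'rb') as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - tail_bytes))
        return INJECT_RE.search(f.read().decode('utf-8', 'replace')) is not None

def js_files(root):
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith('.js'):
                yield os.path.relpath(os.path.join(dirpath, n), root)

def scan_js(root):
    """Sorted relative paths of .js files whose tail carries the marker."""
    return sorted(p for p in js_files(root) if tail_has_marker(os.path.join(root, p)))

def same_mtime_siblings(root, hits, window=60):
    """The post's second check: .js files written within `window` seconds of a
    confirmed hit are suspects even when the marker regex misses them."""
    hit_times = [os.stat(os.path.join(root, h)).st_mtime for h in hits]
    return sorted(p for p in js_files(root) if p not in hits and
                  any(abs(os.stat(os.path.join(root, p)).st_mtime - t) <= window
                      for t in hit_times))

def build_sample_site():
    """Constructed fixture (not real malware): a clean file, two files with an
    appended _0x-style array, and one modified at the same time as the hits."""
    root = tempfile.mkdtemp()
    clean = 'function init(){return 1;}\n'
    tail = 'var _0xaae8=["","\\x6A\\x73"];\n'  # dummy stand-in, not the real payload
    files = {'theme/js/main.js': clean + tail, 'plugins/foo/app.js': clean + tail,
             'theme/js/menu.js': clean, 'plugins/bar/util.js': clean + '// later\n'}
    for rel, body in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'w') as f:
            f.write(body)
    t = 1_700_000_000  # hits and util.js share a write time; menu.js is a day older
    for rel in ('theme/js/main.js', 'plugins/foo/app.js', 'plugins/bar/util.js'):
        os.utime(os.path.join(root, rel), (t, t))
    os.utime(os.path.join(root, 'theme/js/menu.js'), (t - 86400, t - 86400))
    return root
```

    Run `scan_js(root)` on a site copy, then `same_mtime_siblings(root, hits)` to get the files worth diffing against a clean copy of the same theme or plugin, as the post did by hand.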

    @ipstenu
    Hi,
    The plugin is not available to download; is the recommendation to deactivate the plugin?

    regards

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    At this point, due to lack of response from the developer and the fact that it’s known there is a vulnerability, I personally recommend uninstalling.

    As the plugin review team rep, I can’t comment further on that save to confirm the developer has been contacted directly.

    @ipstenu
    Ok, thanks for your answer.
    I have an issue and the developer asked me for the credentials to check it, so I was confused about whether to continue or not.
    I must say that he has good support for the plugin.

    regards,
