Title: Hack installed into plugin folder
Last modified: August 22, 2016

---

# Hack installed into plugin folder

 *  [WolfieZero](https://wordpress.org/support/users/wolfiezero/)
 * (@wolfiezero)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-installed-into-plugin-folder/)
 * Just thought I’d make you aware that one of our sites was hacked today and scripts
   were installed that did mail shots. Although I’ve not confirmed it was anything
   to do with this plugin, the scripts were all installed into relative folders.
 * These are the offending files I found so far:
 *     ```
       better-search-replace/includes/functions.php
       better-search-replace/templates/.include.php
       better-search-replace/templates/code.php
       ```
   
 * As I said, I can’t confirm the hack was caused by this plugin but it installed
   itself into the plugin folders and used the existing directory structure to hide
   itself (that could be to spoof me though).
 * [https://wordpress.org/plugins/better-search-replace/](https://wordpress.org/plugins/better-search-replace/)

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [Expanded Fronts](https://wordpress.org/support/users/expandedfronts/)
 * (@expandedfronts)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-installed-into-plugin-folder/#post-5876168)
 * Thanks for the heads up. I don’t see how it could be related to this plugin, 
   it only loads/runs code if the user can already install plugins, and there is
   nonce verification on top of that as well. Also, it doesn’t have any code to 
   write to files or anything like that.
 * Regardless I’ll do a full code review to make sure there is nothing that was 
   missed. Please let me know if you find out anything further.
 * Out of curiosity, what other plugins did you have installed?
 *  [Expanded Fronts](https://wordpress.org/support/users/expandedfronts/)
 * (@expandedfronts)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-installed-into-plugin-folder/#post-5876202)
 * Also if you could send the offending files over to [support@expandedfronts.com](mailto:support@expandedfronts.com)
   that’d be great, as they might have some clues as well.
 *  [Expanded Fronts](https://wordpress.org/support/users/expandedfronts/)
 * (@expandedfronts)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-installed-into-plugin-folder/#post-5876241)
 * Hi,
 * I did some penetration testing against 1.0.3 and reviewed the code, and I don’t
   think that this plugin was the cause of the hack. There isn’t any code that would
   allow someone to include a file or run a search/replace without being an authenticated
   admin.
 * To be on the safe side, I’ve released an update with some additional (minor) 
   security enhancements that I found while looking into this. Please do let me 
   know if you find any more information on this and send over the affected files
   if you get a chance.
 * Thank you.
 *  Thread Starter [WolfieZero](https://wordpress.org/support/users/wolfiezero/)
 * (@wolfiezero)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-installed-into-plugin-folder/#post-5876342)
 * Cheers for having a look; not to say it was your plugin per se, but always worth
   letting people know just in case.
 * Annoyingly I did delete the files causing it straight off the server but the 
   server company did get the headers of the email it was sending out.
 *     ```
       Received: (qmail 22305 invoked from network); 7 Mar 2015 13:15:31 -0000
       Received: from unknown (127.0.0.1)
          by 0 with QMQP; 7 Mar 2015 13:15:31 -0000
       To: artmuz@acn.waw.pl
       Subject: Wyrwij sie z finansowej niewoli i badz niezalezny
       X-PHP-Originating-Script: 20760:.include.php(1498) : eval()'d code
       Date: Sat, 07 Mar 2015 13:15:31 +0000
       From: Piotr Szymanski <support@THE_DOMAIN.com>
       Message-ID: <9a7b6b4f2d29495014bc96083ca2df12@THE_DOMAIN.com>
       X-Priority: 3
       X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
       MIME-Version: 1.0
       Content-Type: multipart/alternative;
         boundary="b1_9a7b6b4f2d29495014bc96083ca2df12"
       Content-Transfer-Encoding: 8bit
       X-Host-Domain: THE_DOMAIN.com
       X-Host-Script:
       /domains/b/a/THE_DOMAIN.com/public_html/wp-content/plugins/better-search-replace/templates/.include.php
       X-Host-Server: ...
       X-Host-Client: ...
       ```
   
 * (Blanked out sensitive data)
 * I’m doing an audit of the site now but if you’re happy it’s nothing to do with
   your plugin then I’m happy with that as well. Thanks for having a look though!
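The `X-PHP-Originating-Script` header in the captured mail (added when PHP's `mail.add_x_header` setting is on) names the script and line that called `mail()`, which is how a defender locates the dropped file. As an added example, not code from the thread or the plugin: a Python helper that pulls that location out of the captured headers and flags plugin files matching the same pattern (a hidden dotfile `.php`, `eval()` wrapped around a decoder). `SAMPLE_HEADERS` is reconstructed from the posted headers with the domain placeholder kept; the scanner and its file list are constructed.

```python
# Added example: locate the sending script from spam headers, then flag plugin
# files with the same traits. Not from the thread or the plugin's code base.
import os
import re
from email.parser import HeaderParser

# Constructed from the headers posted above (domain placeholder kept as-is).
SAMPLE_HEADERS = """\
X-PHP-Originating-Script: 20760:.include.php(1498) : eval()'d code
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
X-Host-Script:
 /domains/b/a/THE_DOMAIN.com/public_html/wp-content/plugins/better-search-replace/templates/.include.php
"""

# uid:file(line) plus an optional " : eval()'d code" suffix
_ORIG_RE = re.compile(r"^(?P<uid>\d+):(?P<file>[^()]+)\((?P<line>\d+)\)(?P<via>.*)$")
# eval() fed directly by a decoder, the trait the header above points at
_EVAL_RE = re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def originating_script(raw_headers: str) -> dict:
    """Parse X-PHP-Originating-Script (PHP) and X-Host-Script (added by the host's MTA)."""
    msg = HeaderParser().parsestr(raw_headers)
    m = _ORIG_RE.match(msg.get("X-PHP-Originating-Script", "").strip())
    host_script = " ".join(msg.get("X-Host-Script", "").split())  # unfold continuation
    return {
        "uid": int(m["uid"]) if m else None,
        "file": m["file"] if m else None,
        "line": int(m["line"]) if m else None,
        "eval": bool(m) and "eval()" in m["via"],
        "path": host_script or None,
    }

def suspicious_php(files: dict) -> dict:
    """files maps relative path -> contents; returns path -> list of reasons."""
    hits = {}
    for path, body in files.items():
        name = os.path.basename(path)
        reasons = []
        if name.startswith(".") and name.endswith(".php"):
            reasons.append("hidden dotfile php")  # invisible to a plain `ls`
        if _EVAL_RE.search(body):
            reasons.append("eval of decoded payload")
        if reasons:
            hits[path] = reasons
    return hits

def scan_plugin_dir(root: str) -> dict:
    """Read every .php below root (e.g. wp-content/plugins) and run suspicious_php."""
    files = {}
    for d, _, names in os.walk(root):
        for n in (n for n in names if n.endswith(".php")):
            p = os.path.join(d, n)
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(p, root)] = fh.read()
    return suspicious_php(files)
```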


The topic ‘Hack installed into plugin folder’ is closed to new replies.
