Support » Plugin: Transposh WordPress Translation » Malware Found In Plugin Distribution Package

  • Today my malware defense found the following keyboard-logging HTML infection script on both my WP sites:

    File contains suspected malware URL: /home/content/89/11198089/html/wp-content/plugins/transposh-translation-filter-for-wordpress/js/keyboard.js

    Removed the plugin and with it went the infection. Reinstalled the plugin and the infection immediately returned. This infection also has a URL reference to a Google blacklisted URL for Malware website.

    This must be the reason the upgrade package is distributed outside of WordPress.org.

    UPDATE: After a somewhat hostile response from the author of this plugin, I changed my rating from 1 to 3 stars at his request. The software does work and the blacklist problem one will need to decide for themselves if it is of concern to them.

    One should take into consideration that in order for the software to translate for the site users, a copy of all content is created for each language. Some find this troublesome for SEO duplicate content reasons and others find it actually beneficial for adding content. Only a Google insider would know if this is actually a plus or minus and in what situations. I will also note that soon (as in an hour) after I installed this plugin, I had to restore my database as everything but the theme shell became corrupted. I never could trace the cause, so it may or may not have been the plugin. Lastly, it took days to hear from the author after reporting the Malware alert. Granted this is not his primary support site and I should have thought to go there. However, I am troubled by the response received, as if this was my problem that his software causes Malware alerts with a 3rd party security software. Whether this is the fault of the security software vendor or a legitimate problem is beside the point; attacking users for raising valid questions and concerns is not very good customer relations. A simple statement of why the alert happened would have gone much further in the goodwill department. I still have no rational understanding as to why the version distributed here on WP.org is crippled other than it is, and apparently from the author’s comments he dislikes WP.org very much; nor do I understand why the copyright URL is blacklisted by Google according to Wordfence. Maybe the author should contact Wordfence and have it out with them rather than his users. Since translation is not a mission critical requirement for me, I have decided to leave this software off my sites. This certainly will please the author and I will be relieved of having to communicate with him for the inevitable next troubleshooting incident. Your experience may be far different and there does appear to be many satisfied users of his software.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Did you update the plugin from a source outside of WordPress.org after the initial install?

    Thread Starter jpinches

    (@jpinches)

    Yes. After you install this plugin from WordPress.org and go to configure it, you find that you need to get the full version of the plugin to enable all languages. That upgrade is done outside of WordPress.org by using the Update button inside the WP admin console.

    Ok thanks for the clarification. Unfortunately we (WordPress.org) cannot moderate outside upgrades.

    Plugin Author oferwald

    (@oferwald)

    Hmm,

    Missed that one. I would only say this is a false positive by something called Wordfence, which I have never used or seen before.

    The keyboard.js script is not malware, and can be found in:
    http://www.greywyvern.com/code/javascript/keyboard

    I would also note that this particular script is only being lazy loaded when a user wants a foreign keyboard used.

    I would appreciate if you would change this very wrong vote, but I am not counting that you’ll do that. 🙂

    Have fun, and don’t trust your anti-viruses

    Thread Starter jpinches

    (@jpinches)

    I would be more than happy to change this vote, despite the snide comment, if you would kindly explain why Google has the embedded URL blacklisted as well? The use of the script is understandable but it is not the user’s responsibility to maintain white lists with security software. Lastly, why is there a need to upgrade the plugin from outside WP.org to enable all the languages? When I download a language translation plugin, for some reason I expect the software to translate the number of languages it is advertised to do.

    Plugin Author oferwald

    (@oferwald)

    Well, talking about snide comments, I will quote yours:
    “This must be the reason the upgrade package is distributed outside of WordPress.org”

    So no, I am not writing malware, and no, I am not using malware either. Also, I assume that there are no embedded URLs in the code; there might be URLs that are a part of the copyright comment included in the script, but Wordfence should have been a bit smarter than that.

    Now, with regards to the why you need to download externally, please go to http://transposh.org, and read the post about why I migrated away from here.

    It still allows you to translate to the number of translated languages (actually I think I have added another 5 not too long ago), but the wordpress.org version is crippled to select only 5 of those, and does not include the set of widgets.

    Your rating is a very good example regarding why I need to avoid being dependent on wp.org, which is what I have done.

    And last note, the full version is free and clean, and I do answer contacts on the contact form on transposh. Please try and think twice before giving this kind of rating to anyone.

    Plugin Author oferwald

    (@oferwald)

    I will reply to your update, hopefully point by point, do as you please:
    1. Hostility, yes, I am kind of hostile to people throwing mud and false accusations at my direction, try walking a mile in my shoes
    2. I appreciate the fact that you have changed your vote, however I didn’t request it to be 3 stars as your post indicated, I do see you have found enough reasons to mark that so, I will try relating to few in the rest of this post.
    3. The blacklisting problem is a bug/miss from the Wordfence software, a software that, although considered very good by many, has apparently detected itself as malware in a previous version. This is not my problem, and not your problem per se; your only issue here is the rushing into conclusions.
    4. Regarding SEO implications, I am not a Google insider, and not an SEO expert; it may be good or bad, but I think it is good for the users of the site, mainly when one actually fixes the translation.
    5. Regarding your database issue, everything can happen. I probably have even less data than you on the issue you experienced, but I assume you had it; but besides the fact that the plugin does add more data to the database, I don’t see why it would cause that corruption.
    6. It took me 3 and a half days to find your message, posted as a review on a channel I don’t actively monitor any longer. People that approached using the right channel (transposh.org contact form) got their answers faster; however, I could have been sick or travelling, so it could have taken more. Any reader can decide if 3 and a half days count as “it took days”, whatever.
    7. Regarding the attack on you, I have no issue with your report, and no issue whatsoever with you believing a security software. The only problem I have with you (and I don’t know you, right?) is the fact you jumped to conclusions regarding why the full version is served outside of wordpress.org. This point is wrong and actually quite offensive, and I can’t read it in any other way than “he is not using wordpress.org in order to distribute malware”, come on!
    8. If you want a rational understanding on why the full software isn’t distributed here, you may read my post on transposh on this issue, but I’ll sum it up for you
    * wordpress.org disallowed me to get credit for my work
    * they have terminated the software from their site, with no previous discussions for a link that has been there for four years
    * some of my messages may disappear
    * I no longer trust this place very much any longer
    * your case is a good example, if I would still rely on them and they have gotten your report, this would have happened again, luckily enough, this is no longer the case.
    9. regarding contact with wordfence and not you, I have written a review there, no comment whatsoever, I have no direct mental channels to them so I don’t care much. Regarding you, please see point #7.

    Now, to your last point, am I relieved or not? Well, assuming I am the guy that you have described (an abusive author, tending to bash on unsuspecting users blaming him for distributing malware intentionally), the answer would be yes. 🙂

    However, I do appreciate the fact that you have communicated, and I do appreciate the fact that you have slightly changed your mind, I was not expecting this 🙂 and I actually do hope that in some future you will decide that you want to try communicating, starting with the right foot, and when (and if) this day ever comes, I hope you will change your mind.

    Good luck in the future.

  • The topic ‘Malware Found In Plugin Distribution Package’ is closed to new replies.