Support » Plugins » Plugins distributing malicious code?

  • Hello,

    The day before yesterday I toyed around with a few plugins that implement video playback, namely:
    VideoJS – HTML5 Video Player for WordPress
    HTML5 Video
    JW Player for WordPress – Flash & HTML5 Video Player

    Yesterday I then found an email from Google saying that my site attempts to distribute malicious software. A search within WordPress quickly raised a blob of obfuscated JavaScript connecting to strange dyndns hosts at the end of each site. After a while I found that the code was inserted base64-encoded into *every* theme’s footer.php, the modified time exactly at the date and time when I test-used one of the above plugins (TBH I’m not sure which one it was at that time). Is it then correct to assume one of the plugins distributes malicious code? I’ve downloaded them all once again, this time manually, unpacked them and browsed the code, but my quick look and PHP understanding did not yield something looking overly bad…

    One thing I can rule out is JW Player, because I installed it again after I quickly checked the code and it did NOT inject the code again. So … would someone care to browse the other plugins’ code and check whether I’ve overlooked something?

    Or once again – without a theme using timthumb (currently the only widely used exploit in the wild known to me … right? I’m bad at these things…) … What else could this have been? I’ve put the WordPress folder under close (tripwire) watch so that I’ll immediately see when something happens again, but … I thought that IF something was distributing this code the responsible person for the plugin registry ought to know… (big fat IF).

    Anyways, thanks for reading my tl;dr textblocks ;P.
    Regards
    – Dario Ernst
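
A check for the symptom described in the post (base64-encoded script hidden in theme PHP files, all modified at the same moment), as an added example that is not part of the original thread. The marker list, the 80-character threshold and the sample theme tree are assumptions constructed for illustration; point `scan_themes` at a real `wp-content/themes` directory to use it.

```python
import base64, binascii, re, tempfile, time
from pathlib import Path

# Quoted base64 literals of 80+ characters inside PHP source (threshold is an assumption).
B64_LITERAL = re.compile(rb"""['"]([A-Za-z0-9+/]{80,}={0,2})['"]""")
# Lowercase markers that make a decoded blob worth a human look (assumed list).
SUSPICIOUS = (b"<script", b"eval(", b"document.write", b"fromcharcode", b"<iframe")

def scan_file(path):
    """Return [(offset, [markers])] for base64 blobs that decode to script-like content."""
    data = Path(path).read_bytes()
    hits = []
    for m in B64_LITERAL.finditer(data):
        blob = m.group(1)
        try:
            decoded = base64.b64decode(blob + b"=" * (-len(blob) % 4)).lower()
        except (binascii.Error, ValueError):
            continue  # not actually base64
        found = [s.decode() for s in SUSPICIOUS if s in decoded]
        if found:
            hits.append((m.start(), found))
    return hits

def scan_themes(themes_dir):
    """Scan every *.php under themes_dir; return {relative_path: (mtime, hits)}."""
    root = Path(themes_dir)
    report = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_file(php)
        if hits:
            report[str(php.relative_to(root))] = (int(php.stat().st_mtime), hits)
    return report

def demo():
    """Build a constructed themes tree (one clean, one tampered footer) and scan it."""
    tag = b'<script src="http://host.example.invalid/x.js"></script>'  # harmless sample
    payload = base64.b64encode(tag * 2).decode()
    with tempfile.TemporaryDirectory() as tmp:
        for theme, body in (("clean", "<?php wp_footer(); ?>"),
                            ("tampered", f"<?php wp_footer(); echo base64_decode('{payload}'); ?>")):
            Path(tmp, theme).mkdir()
            Path(tmp, theme, "footer.php").write_text(body)
        return scan_themes(tmp)

if __name__ == "__main__":
    for path, (mtime, hits) in demo().items():
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), path, hits)
```

Flagged files that share one modification time, as in the post, point to a single write event; comparing that timestamp with web server access logs narrows down which request made the change.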
