Support » Plugin: Newsletter » Possible Backdoor in Plugin installing Porn-Link

Viewing 8 replies - 1 through 8 (of 8 total)
    Hi Stefano,

    my provider informed me, too, that he found a virus in every WordPress installation where I installed your newsletter plugin. Here comes a part of one of his info-mails:

    * VIRUS FOUND *

    During a routine virus scan, our system has detected files containing malicious code on your account XXXXX. In order to protect the visitors of your website, we have renamed and blocked these files. You can find a list of the affected files on your FTP account under: /www/htdocs/xxxxx/logs/viren_log_2015_08_06.html

    If you need more info from me, you can contact me over my WordPress account.

    Sincerely, Michael Mette

    I was just notified by Linode support that this was happening and sure enough this plugin was the culprit. I have uninstalled it until this gets taken care of.

    We have received a report of a spamvertised website hosted on an IP assigned to your Linode. We ask that you investigate why your site is being referenced in spam mailings, and if possible, ensure that appropriate action is taken.

    Once you’re able to investigate this matter fully, we’d appreciate an update through this ticket.

    If you were not aware that your site was being referenced in these emails, please let us know. This will help us respond appropriately to any future reports.

    Please let us know if you have any questions or concerns.

    This message is brief for your comfort. Please use links below for details.

    Spamvertised web site: http://www.website.com/wp-content/plugins/newsletter/statistics/link.php?r=MDswO2h0dHA6Ly9jbGFzc2ljd29uZGVycy5jb20vd3AtY29udGVudC91cGxvYWRzL3J3YWIvOzA=fb0bd3e4a81eba53749/88f159/80a70d9/e86b.html
    https://www.spamcop.net/w3m?i=z6345278955zb73599d0910122be56056f18916c3a47z
    http://www.website.com/wp-content/plugins/newsletter/statistics/link.php?r=MDswO2h0dHA6Ly9jbGFzc2ljd29uZGVycy5jb20vd3AtY29udGVudC91cGxvYWRzL3J3YWIvOzA=fb0bd3e4a81eba53749/88f159/80a70d9/e86b.html is 104.237.134.118; Thu, 06 Aug 2015 06:52:26 GMT

    Plugin Author Stefano Lissa (@satollo)

    Hi, with the latest version (3.8.6), do those links still work? I’m not understanding that .html at the end; it should produce an invalid tracking code decode.

    Plugin Author Stefano Lissa (@satollo)

    Hi Michael, about the virus report, can you share with me the file where the virus is detected? Probably it’s in “store.php”, where there is code to detect invalid UTF-8 characters which could be wrongly detected as a virus.

    Hi Stefano,
    of course I can send you the file, where my provider found the suspicious code. And I can send you the report my provider stored in one of the endangered accounts. Shall I post these files here? Or where do you want to get them?
    Ciao, Michael

    Addendum:
    Hi Stefano, you can contact me directly over cmm@creaspekt.de.

    Sorry to say I’m having the same issue. I had a phone call from a client saying they were able to receive email but not send externally and discovered that my server’s primary shared hosting IP had been added to Spamhaus and CBL.

    The issue referred to the newsletter plugin on a different clients account.

    The infected host name is “(domain removed)”, and this link has an example of the malicious redirect: “http://www.(domain removed)/wp-content/plugins/newsletter/statistics/link.php?r=MDswO2h0dHA6Ly9kZXNpZ25ob3VzZS5jb20uYXUvd3AtY29udGVudC91cGxvY” Depending on the infection type, there may be dozens more malicious redirection pages under www…

    One hosting company reported that the malicious script was called “mainik.php” and was dropped from Russian IP addresses.

    While logging in to the reported client’s WordPress site I noticed that the Newsletter plugin was out of date (but it would have been maybe a week or two since we last updated plugins, so it wasn’t an ‘old’ old version). WordPress itself is running the latest version (as is the plugin now).

    When I tried to verify the content of the blocked link the server returned a 404.
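The abuse reports in this thread all point at the same request shape: `statistics/link.php?r=<base64>`, where the `r` value quoted in the Linode report above base64-decodes to `0;0;http://…/wp-content/uploads/rwab/;0`, i.e. a semicolon-separated record whose third field is the URL the visitor is bounced to, with junk appended after the `=` padding. A site owner who wants to know whether their own installation has been used this way can decode the `r` values in the web server access log and flag every hit whose embedded target is not one of the site's own hosts. The script below is an added example written for this thread; it is not code from the Newsletter plugin, and it does not reproduce the plugin's own decode routine. The `<n>;<n>;<url>;<n>` layout is an assumption drawn from decoding the two samples quoted above, and the allowed-host list, the log format and the `*.example` domains in the sample lines are constructed for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Hosts a tracked newsletter link is allowed to send a visitor to (constructed for this example).
ALLOWED_HOSTS = {"blog.example", "www.blog.example"}

# Leading base64 run plus its '=' padding. Anything after the padding is ignored, which
# mirrors the '...OzA=fb0bd3e4.../e86b.html' tails in the reports. If a value happens to
# need no padding, the junk cannot be told apart and decoding yields trailing garbage.
B64_PREFIX = re.compile(r"^[A-Za-z0-9+/]+=*")


def decode_tracking_param(r):
    """Split an r= value into its ';'-separated fields, or None if it cannot be decoded.

    Assumed layout (from decoding the samples quoted in this thread):
    base64('<n>;<n>;<url>;<n>'), third field = redirect target.
    """
    m = B64_PREFIX.match(r)
    if not m:
        return None
    token = m.group(0).rstrip("=")
    if len(token) % 4 == 1:            # a lone trailing char never decodes: truncated link
        token = token[:-1]
    token += "=" * (-len(token) % 4)   # restore the padding we stripped or that was cut off
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace").split(";")


def redirect_target(r):
    """The URL a link.php request carrying this r= value points at, or None."""
    fields = decode_tracking_param(r)
    if not fields or len(fields) < 3:
        return None
    return fields[2]


def is_offsite(url):
    """True when the target names a host that is not ours, i.e. the link acts as an open redirect."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS


LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
R_PARAM = re.compile(r'[?&]r=([^&\s"]*)')   # raw extraction so literal '+' in base64 survives


def scan_access_log(lines):
    """Return (request path, decoded target, status) for link.php hits that redirect off-site."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or "/newsletter/statistics/link.php" not in m.group("path"):
            continue
        for r in R_PARAM.findall(m.group("path")):
            target = redirect_target(unquote(r))
            if target is not None and is_offsite(target):
                findings.append((m.group("path"), target, int(m.group("status"))))
    return findings


def encode_tracking_param(url):
    """Build an r= value in the assumed layout; used only to construct the samples below."""
    return base64.b64encode(f"0;0;{url};0".encode()).decode()


# Constructed access-log lines (not real traffic): one legitimate click, one spamvertised
# link with junk appended after the padding, and one truncated copy of such a link.
R_OK = encode_tracking_param("https://blog.example/post/1")
R_BAD = encode_tracking_param("http://attacker-controlled.example/landing/") + "fb0bd3e4/88f159/e86b.html"
R_CUT = encode_tracking_param("http://attacker-controlled.example/wp-content/uploads/x/")[:61]
SAMPLE_LOG = [
    f'198.51.100.7 - - [06/Aug/2015:06:52:26 +0000] "GET /wp-content/plugins/newsletter/statistics/link.php?r={R_OK} HTTP/1.1" 302 -',
    f'203.0.113.9 - - [06/Aug/2015:06:53:01 +0000] "GET /wp-content/plugins/newsletter/statistics/link.php?r={R_BAD} HTTP/1.1" 302 -',
    f'203.0.113.9 - - [06/Aug/2015:06:53:15 +0000] "GET /wp-content/plugins/newsletter/statistics/link.php?r={R_CUT} HTTP/1.1" 404 -',
    f'198.51.100.7 - - [06/Aug/2015:06:54:00 +0000] "GET /wp-content/uploads/2015/08/photo.jpg HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for path, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{status} off-site target {target} via {path[:60]}...")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines and `ALLOWED_HOSTS` with the domains newsletters legitimately link to; a 404 on a flagged line, like the one reported above, means the bounce no longer works but still shows the link was circulated. The broader check this suggests for any tracking redirector is that the destination should come from a server-side record or a signed token rather than from whatever URL the client embeds in the parameter.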

    Hi Stefano,

    seems that I started an important topic here 😉

    I now updated to 3.8.6 and will closely watch everything.

    As soon as there are linkspams again, I will inform you, but hopefully your update was able to resolve this matter.

    Greetz, Hannes

  • The topic ‘Possible Backdoor in Plugin installing Porn-Link’ is closed to new replies.