Support » Plugin: Super Page Cache for Cloudflare » Sites infected after update

Viewing 15 replies - 1 through 15 (of 21 total)
  • Thread Starter silasveta2012

    (@silasveta2012)

    https://handmadebuy.ru/
    https://masterpro1.ru/
    https://predckazanie.ru/
    Now this script is not on the sites, after deactivating the plugin

    Plugin Contributor Saumya Majumder

    (@isaumya)

    Hi,
    first of all, that script is not getting added by the plugin, and the plugin has been extensively tested across many websites before actually publishing it to the world. I have not seen this on any website. Besides, feel free to download the plugin code and search for the script you are seeing to see if there is any trace of that script anywhere in the plugin code.

    I will highly recommend you to run some more tests to dig deeper to see exactly where that code is getting added or by what. I can tell you with certainty that this plugin’s code has no such nonsense in it but you can also download the plugin code and run a search by yourself.

    Thread Starter silasveta2012

    (@silasveta2012)

    After deactivating the plugin, and scanning with various scanners, as well as studying the code, no infections were found. If you say it’s clean, I’ll activate the plugins and see what happens. As you can see from the script code, it seems that this may have been done because of the enabled feature (Allow notifications from other blogs (notifications and backlinks) for new posts). Similar to spam, but nowhere (it was not reflected in the records). I admit that someone found a vulnerability in your plugin, but this is just a thought. Let’s see what will happen next. Thanks

    Plugin Contributor Saumya Majumder

    (@isaumya)

    Allow notifications from other blogs (notifications and backlinks) for new posts

    – That’s a WP feature and not a plugin feature

    I admit that someone found a vulnerability in your plugin, but this is just a thought. Let’s see what will happen next.

    – Well, with this plugin active you can run a search at the server level (command line) to see where the code is being added from.

    As I said, I’ve tested the plugin across many sites and did not face any issues like these even once. Also if there is any vulnerability like you say, then organizations like WPScan would have already reported it as they actively monitor all open-source plugins.
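
The server-level search suggested above, as an added example that is not part of the thread or of the plugin's code: it compares an unpacked copy of the previous plugin version with the updated one and narrows the changed files to those containing a literal string copied from the unexpected markup. The function names, the directory arguments and the marker string are assumptions supplied by whoever runs it.

```shell
#!/bin/sh
# Added example (not from the plugin): find which files an update changed
# and which of them contain a marker string taken from the unexpected script.
# Arguments are operator-supplied; the marker is a placeholder you copy from
# the markup seen in the page source.

# changed_files OLD_DIR NEW_DIR
# Prints "added <path>" or "changed <path>" for every file in NEW_DIR that is
# missing from, or byte-different to, the same path in OLD_DIR.
changed_files() {
    old=$1; new=$2
    ( cd "$new" && find . -type f | sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$old/$rel" ]; then
            printf 'added    %s\n' "$rel"
        elif ! cmp -s "$old/$rel" "$new/$rel"; then
            printf 'changed  %s\n' "$rel"
        fi
    done
}

# find_marker DIR MARKER
# Lists every file under DIR containing MARKER as a fixed (non-regex) string.
# Minified bundles are single long lines, so list files rather than lines.
find_marker() {
    grep -rlF -- "$2" "$1" 2>/dev/null | sort
}

# suspect_files OLD_DIR NEW_DIR MARKER
# Files that the update added or changed AND that contain the marker:
# the shortest list to read by hand or compare against upstream.
suspect_files() {
    old=$1; new=$2; marker=$3
    changed_files "$old" "$new" | while read -r _status rel; do
        if grep -qF -- "$marker" "$new/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Usage (paths are examples):
#   suspect_files ./plugin-old ./plugin-new 'string-from-the-injected-script'
```

Bundled third-party files such as minified libraries are where this kind of comparison is most useful, because they change wholesale between releases and are rarely read during review.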

    Hi! I have the same situation. After updating the Super Page Cache for Cloudflare plugin, this script appeared. After uninstalling the plugin or rolling back to the previous version, this splash screen disappears.

    The script was in this file, sweetalert2.min.js, but it may be somewhere else as well. Replacing this file with the file from the previous version did not help.

    Thread Starter silasveta2012

    (@silasveta2012)

    Well, that means someone is not telling the whole story). I removed the plugin and checked the code, everything is clean; with the plugin, a script appears and writes itself into the body of the site. And it would be one thing if it were a single site, but all 3 started sneezing at once after the update. Miracles happen, but not here. I switched to the wp-optimize cache, everything is OK. I deliberately kept this version of the plugin; I will check it on a test site now, and if it appears, I will write.

    Thread Starter silasveta2012

    (@silasveta2012)

    “The script was in this file, sweetalert2.min.js, but it may be somewhere else as well. Replacing this file with the file from the previous version did not help”

    If you look at my screenshot with the script code, you can see that it sends CORS requests in the REST API; the browser blocks them, but after a couple of panel refreshes it loads again, so replacing the file will not help. Although my REST is restricted by IP, it still does not help)

    I had exactly the same thing on two sites: after a couple of page refreshes, or after switching to any section of the admin panel, the splash screen appeared. I rolled back to version 4.6.1, and it seems fine so far. I also checked for viruses, and there is nothing.

    Thread Starter silasveta2012

    (@silasveta2012)

    Let's wait and see who else writes, and then what the plugin's creators answer)

    Plugin Contributor Saumya Majumder

    (@isaumya)

    Well, I Google-translated the above texts and it seems people are saying the issue is coming from the sweetalert2 script, which is the only third-party script present on the site. I will update the sweetalert script to the latest version and send you guys a link soon. Please download the plugin build from there and use that. But before installing, make sure you delete the plugin from the site and then install this build so that there is no old plugin residue present.

    Well, turns out this is not malware but a proper attack. 🤦🏼‍♂️ Link: https://github.com/sweetalert2/sweetalert2/issues/2552
    I honestly have no words. Give me some time to recompile the code without this malware embedded by the devs as a sign of protest and release an update.

    Plugin Contributor Saumya Majumder

    (@isaumya)

    Can you all please download and use this build of the plugin and confirm if the problem is resolved with this build? Once you confirm I will prioritize the release of v4.7.2 update with this fix.

    P.S.: I honestly had no idea that an open-source library as popular as sweetAlert2 can have political malware officially added to it like this. This is truly not a healthy thing considering the libraries are used across so many different systems.

    I guess this is not going to be removed by them anytime soon until this whole Russia mess is over. But then again this is the first time I have seen an Official Verified malware by the creator. 🤦🏼‍♂️

    Anyways, download and use the above-mentioned build and let me know.

    Moderator Yui

    (@fierevere)

    ゆい

    @isaumya

    The sweetalert JS library's maliciousness toward Russian sites/users was confirmed long ago on the Russian support forum.
    It is not the first malware targeting Russian sites and/or users, but maybe one of the first widely used 3rd-party libraries to introduce that kind of issue.

    @po64
    Let's keep this free of politics, political flaming and other non-technical things that are not directly related to the problem.
    All the more so since this script was written not by the author but by a third party. The author, as you can see, was not aware of it, because the malware works only on .ru sites.

    Plugin Contributor Saumya Majumder

    (@isaumya)

    Hi @fierevere,
    thanks for the info. I was totally unaware of it until I looked at the source code of the latest sweetAlert2 library after seeing this thread. As I do not follow Russian forums, I had no idea about it. Moreover, I honestly never thought that anyone can create protestware like this. As open-source codes and politics are two separate things. This is truly disheartening.

    Anyways, let’s wait for @silasveta2012 & @po64 to reply back after using the new build link given above, and once they confirm that the issue no longer exists with that build I will push v4.7.2.

    Moderator Yui

    (@fierevere)

    ゆい

    https://github.com/sweetalert2/sweetalert2/blob/642b9b6ace11561fbe27a684f315716829860417/src/SweetAlert.js#L235

    That's the code, if you still need it.

    Thank you for the healthy view of this problem.
    Using the power of open source for propaganda is one of the worst things we have seen lately.
