Support » Plugin: Customize Admin » Stay AWAY!!

  • This plug-in keeps installing itself somehow and adding root users and admins. Repeated removals of this plug-in, but it keeps coming back, and we’re not sure how. All other plug-ins are updated, and secure.

    This message keeps coming from my host:
    This is an urgent message concerning your 1&1 account. Our anti-virus scanner has reported that a malicious file has been uploaded to your 1&1 webspace.
    Name of the file: ~/*****/wp-content/plugins/customize-admin/info.php

    To protect you from hacker attacks, our anti-virus scanner checks every file that is uploaded or modified. If a file exhibits malicious patterns, it is automatically disabled.

    The plug-in is malicious. Do NOT install.

Viewing 10 replies - 1 through 10 (of 10 total)
  • WordPress does a great job of telling us when a plugin has been updated. But it takes extra effort from site admins to determine when a site has not been updated for a long time.

    This plugin is an example. The plugin has not been updated since December 2013 and is only known to be compatible up to 3.8.3. I can’t say if this plugin is causing a problem due to age, but I can say I wouldn’t add it to one of my sites today.

    It’s important to occasionally check all the installed plugins and themes to determine if they are still being supported. With WordPress products doing more automatic updates, we should not let a false sense of security set in.

    Plugin Author Johan van der Wijk

    (@vanderwijk)

    Hi Mark,

    I’m sorry to hear that your website got hacked. Even though it is not possible for me to find the cause of your issue without more information, I have released an update which adds some data validation on the input fields and uses the new media uploader.

    Note that I have not received any other reports of sites that have been hacked through this plugin. The fact that the info.php file has been saved in this directory does not necessarily mean that the security breach is directly related to it. I would therefore advise to keep monitoring your site for unusual file changes.

    I would have appreciated it if you had given me the opportunity to investigate the issue before giving my plugin a 1 star rating.

    Every plugin in the WordPress Plugin Directory has a support forum which can be used to report bugs and other issues. You can find the forum for this plugin here: https://wordpress.org/support/plugin/customize-admin

    Best regards,

    Johan

    Hi Johan,

    I’m experiencing the same issues as Mark,

    On 3 websites where I have this plug-in installed there have been added numerous administrator accounts. Is there any relation to this plug-in that has been causing these issues?

    Regards.

    Plugin Author Johan van der Wijk

    (@vanderwijk)

    Hi Aandagt,

    Thank you for letting me know about this. From your description it seems that you are experiencing a similar issue as Mark.

    Note that hackers usually install several back-doors so I would advise you to completely remove your wp-admin and wp-includes directories and re-upload those files from WordPress.org. Also, make sure to scan all files in your wp-content directory to see if there are any suspicious files such as info.php.

    Which version of the plugin and WordPress are you using? And could you please check the Customize Admin settings to see if any custom css has been added?

    This might also be useful for you: http://codex.wordpress.org/FAQ_My_site_was_hacked

    Hi Johan,

    The website is currently running on 4.1 and the plug-in version is 1.6.6
    There has not been added any kind of custom CSS to the Customize Admin.

    I can not find any kind of info.php file though.

    Regards.

    Plugin Author Johan van der Wijk

    (@vanderwijk)

    Please upgrade to v1.7 of the customize admin plugin and then try running a scan with https://wordpress.org/plugins/wordfence/ or https://wordpress.org/plugins/sucuri-scanner/.

    If you can’t find any suspicious files, then it might be that you are experiencing a different issue than Mark. Please make sure to also contact your hosting provider to ask if they can check the server.

    Hi Johan,

    I have manually installed the latest version of WordPress, updated all plug-ins to the latest versions and scanned the website with Sucuri afterwards and there was no malware identified.

    Plugin Author Johan van der Wijk

    (@vanderwijk)

    Please make sure to also check your .htaccess file for alterations.

    Hi Johan,

    Also the .htaccess file has not been altered. I have been notified by my hosting provider about suspicious users being added in the database, which all have been directly blocked out by my hosting provider.

    I have e-mailed them about this issue and I’m awaiting their reply.
    Thank you very much for the fast replies already!

    Regards.

    Updated the plug-in on 31 sites. The ‘infected’ website from yesterday seems to be okay, for now. Still waiting for confirmation from the hosting provider though.

  • The topic ‘Stay AWAY!!’ is closed to new replies.
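
An added example, not part of the original thread or the plugin's code: the two checks discussed in the replies above (files such as info.php that do not belong in a plugin directory, and administrator accounts nobody on the team created), written as a small Python audit. It assumes you have a clean copy of the same plugin version to compare against and an export of user rows with the `wp_capabilities` value (default table prefix); the function names, the file names other than info.php, and the user rows are constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_plugin(installed_dir, clean_dir):
    """Diff an installed plugin against a clean copy of the same version."""
    installed, clean = hash_tree(installed_dir), hash_tree(clean_dir)
    shared = installed.keys() & clean.keys()
    return {
        "added": sorted(installed.keys() - clean.keys()),
        "modified": sorted(p for p in shared if installed[p] != clean[p]),
        "missing": sorted(clean.keys() - installed.keys()),
    }

def unexpected_admins(rows, known_admins):
    """rows: (user_login, user_registered, wp_capabilities value) per user."""
    marker = 's:13:"administrator";b:1;'  # PHP-serialized role entry
    return [(u, reg) for u, reg, caps in rows if marker in caps and u not in known_admins]

def demo():
    """Constructed data: clean vs. installed plugin copies and exported user rows."""
    base = tempfile.mkdtemp()
    for copy in ("clean", "installed"):
        os.makedirs(f"{base}/{copy}/css")
        for rel, body in (("main.php", "<?php // plugin"), ("css/admin.css", "body{}")):
            with open(f"{base}/{copy}/{rel}", "w") as fh:
                fh.write(body)
    with open(f"{base}/installed/info.php", "w") as fh:  # file not in the release
        fh.write("<?php // placeholder")
    with open(f"{base}/installed/css/admin.css", "a") as fh:  # altered after install
        fh.write("/* changed */")
    rows = [("siteowner", "2013-05-01", 'a:1:{s:13:"administrator";b:1;}'),
            ("editor1", "2014-02-11", 'a:1:{s:6:"editor";b:1;}'),
            ("wpsupp0rt", "2015-01-20", 'a:1:{s:13:"administrator";b:1;}')]
    return (compare_plugin(f"{base}/installed", f"{base}/clean"),
            unexpected_admins(rows, {"siteowner"}))

if __name__ == "__main__":
    print(demo())
```

A file reported under "added" or "modified" is a lead to inspect rather than proof of which component was the entry point; the same comparison can be run against every plugin and theme directory.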