• This plugin was installed on a website of a client. The X feed normally does not work anymore since X has closed the doors for people without an account. However, the website of my client was suddenly hacked; new emails arrived with “new user added”, which were full-blown admin accounts. After 2 scans and cleanup, things looked OK again, till the next morning. Certain plugins were disabled, one was installed. We changed the admin password yesterday, including database details and such.

    After deleting the above (inactive) plugin, the adding of sudden new admin user accounts stopped. I think this plugin is abandoned, or someone is having access and installing malicious backdoors. Please prove me wrong!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Smash Balloon Joel

    (@joelsmashballoon)

    Hey @jvanderlinde,

    Thank you for reaching out to us here. We take security issues very seriously. We perform consistent security tests including Penetration testing. The plugin also does not have any functionality built in to create administration users (or any user at all). It is unlikely that this situation was caused by our plugin, and I say this based on there being no other report of this type of issue on our end (normally such a security flaw is widespread and malicious attackers will take the opportunity when a free plugin has a security vulnerability.) That being said, if the issue originated in our plugin we will need additional information so we can address this directly and quickly.

    The plugin certainly is not abandoned and was recently updated to fit the changes of the Twitter API.

    Our plugin being related to your case could be due to:

    • There was another type of security breach on the site, and malicious files were added to our plugin, or our plugin files were edited with malicious code.
    • The plugin was downloaded from a source other than wordpress.org or smashballoon.com (we do not provide any versions of the plugin in any other location and do not approve third-party resale).
    • The plugin could have been heavily out of date and may have old undetected security issues.

    And of course, undetected security issues in the current version. If you have any further suspicion of the plugin causing these issues, please send us a security vulnerability report here. If you do so, please include as much information as possible, such as the plugin version at the time, what event led up to the situation, how they were resolved, and any logs that would show that code in our plugin was responsible for creating administration users. In case we can determine that there was a security flaw in our plugin, we will immediately address it and keep our users up to date.

    We appreciate your concern here, as our users’ security is of utmost importance. If you would like further assistance or had issues with the plugin itself, let us know in our contact form and we would be happy to dig into other issues with the plugin if you should be so inclined.

    Many thanks,
    Joel

    Thread Starter Vanderlindemedia

    (@jvanderlinde)

    Hi,

    After deleting the above plugin, the creation of new admin accounts has stopped. There are numerous login attempts through invalid names (users that have been deleted before), and none of the new hacks are happening again.

    In regard to a plugin being installed by the client or someone who was helping the client, i.e. nulled software with potential backdoors, yes, that might be a scenario. But it’s suspicious that after deleting the plugin, the hacks stopped completely. Perhaps there is a security vulnerability that you or I don’t know about.

    Once you can upload a file, you can execute certain commands, thus reading the database, plus inserting users into the database which grants them admin rights.

    So please, double check your plugin, perhaps outdated, old or vulnerable files.
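The rogue-admin symptom described in this thread is visible in the database itself: WordPress stores roles as a PHP-serialized array in the `wp_capabilities` usermeta row. As an added example (not code from this thread or from Smash Balloon), the audit below lists administrator accounts from `wp_users`/`wp_usermeta` rows and flags any that are not on a known list or were registered after a baseline date. The rows are constructed sample data; the SQL in `AUDIT_SQL` assumes the standard schema with the default `wp_` table prefix.

```python
import re
from datetime import datetime

# Query assumed to produce rows shaped like SAMPLE_ROWS (standard WordPress
# schema, default "wp_" prefix; adjust the prefix if the site uses another).
AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC;
"""

def roles_from_capabilities(serialized: str) -> set:
    """Extract role names from a PHP-serialized wp_capabilities value such as
    'a:1:{s:13:"administrator";b:1;}'. Only the role-name/boolean subset of
    PHP serialization is handled, which is all WordPress stores in this key."""
    pairs = re.findall(r's:\d+:"([^"]*)";b:([01]);', serialized)
    return {name for name, flag in pairs if flag == "1"}

def find_unexpected_admins(rows, known_admin_logins, baseline):
    """Return administrator accounts that are not in known_admin_logins or were
    registered after baseline ('YYYY-MM-DD HH:MM:SS', the wp_users format)."""
    baseline_at = datetime.strptime(baseline, "%Y-%m-%d %H:%M:%S")
    findings = []
    for user_id, login, email, registered, caps in rows:
        if "administrator" not in roles_from_capabilities(caps):
            continue  # non-admin roles are not in scope for this check
        registered_at = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admin_logins:
            reasons.append("login not in known admin list")
        if registered_at > baseline_at:
            reasons.append("registered after baseline")
        if reasons:
            findings.append({"ID": user_id, "login": login, "email": email, "reasons": reasons})
    return findings

# Constructed sample rows (not real data): one legitimate admin, one editor,
# and two accounts that appeared after the baseline with the administrator role.
SAMPLE_ROWS = [
    (1, "siteowner", "owner@example.com", "2019-03-01 10:00:00", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor_jane", "jane@example.com", "2020-06-10 09:30:00", 'a:1:{s:6:"editor";b:1;}'),
    (57, "wp_support", "x@example.net", "2023-05-14 03:12:41", 'a:1:{s:13:"administrator";b:1;}'),
    (58, "siteowner2", "y@example.net", "2023-05-15 02:58:07", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    for finding in find_unexpected_admins(SAMPLE_ROWS, {"siteowner"}, "2023-05-01 00:00:00"):
        print(finding)
```

Running the query against a live site and feeding its rows in gives the same report; an account carrying the administrator role alongside another role (row 58) is still flagged.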

    Plugin Support Smash Balloon Joel

    (@joelsmashballoon)

    Hey @jvanderlinde,

    Thank you for your response. As mentioned we do consistently check our files and update them for security. This is done both autonomously and manually.

    I completely understand that removing the plugin in this case stopped what was ongoing on the website. This does not necessarily mean that the version of the plugin that we provide would allow for these types of issues.

    As you mentioned a vulnerability could be undetected, however, we would require additional information and logs, and likely the files themselves to be able to dig into what happened here. If a security vulnerability report is made to us with additional details we will investigate this fully. It is unlikely to be caused by our files themselves, but rather by incorrect sourcing, installation, file permissions, or other security vulnerabilities in the site or host. If not, we will patch the issue immediately.

    Currently, no other users have reported any security vulnerability issues with this plugin.

    If you have any other feedback or can provide more details, let me know!

  • The topic ‘Suspicion of backdoor (Beware)’ is closed to new replies.