WPlite
Widely exploited? (7 posts)

  1. optricsdavid
    Member
    Posted 1 year ago #

    We don't use this plugin. However, one of our websites has been getting a LOT of contact form spam.

    In those contact form requests, there are links to a TON of WordPress sites and the spammy links all incorporate the wplite plugin.

    Example (urls sanitized for safety):
    hxxp://www.FAKESITE.com/wp-content/plugins/wplite/redbottompumps.php

    And about 50 of those urls in each contact request, and ALL with wplite.

    With SO many involving the WPlite plugin, I wonder if it's been sooooo compromised?

    If so, perhaps remove it from the plugins?

    http://wordpress.org/plugins/wplite/

  2. MoghillPat
    Member
    Posted 1 year ago #

    I agree. I'm also getting this spam and warning site owners where I can.

    The hack seems to place four php files in the /wp_lite/ folder and these are being used to distribute malware.

    Is there anywhere we can report these compromised plugins?

  3. esmi
    Forum Moderator
    Posted 1 year ago #

    Your site being hacked or targeted by spam does not necessarily mean that this plugin was responsible - even if the hackers have placed files in this plugin's folder.

    Where hacks have occurred, you need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    If you have hard evidence of this plugin being involved (ie you can trace attack vectors etc), then please contact plugins [at] wordpress [dot] org. I also think it worth noting that the plugin hasn't been updated in almost 6 years and may no longer be compatible with the current version of WordPress - as the notice on http://wordpress.org/plugins/wplite/ warns.

  4. MoghillPat
    Member
    Posted 1 year ago #

    My site wasn't exploited as I wouldn't use a plug in that was this out of date.

    I know of an infected site that is using 3.8, so it presumably works, and of the current load of spam I am getting (which includes links into typo3 sites and asp.net sites), ALL of the WordPress sites have links in the wplite folder.

    I checked the known site on sucuri sitecheck.

    I'm trying to help others here, and not myself. None of my sites are infected.

    However there are site owners using this plug in who clearly need help, never mind those who follow the links in the spam emails and get infected by the malware.

    Since the plug in has not been updated in such a long time and is at least suspected (if not the back door) in infecting WordPress sites would it not make sense to remove it from the directory anyway? It may stop people who don't bother to read the out of date notice opening their sites up to infection.

  5. MoghillPat
    Member
    Posted 1 year ago #

    Thanks for the links though. Interesting reading ;-)

  6. esmi
    Forum Moderator
    Posted 1 year ago #

    @MoghillPat: Not all older plugins create issues in the current version of WordPress, so it's not general policy to remove them.

    Also, as you are not using this plugin yourself, I don't see how (with all due respect) you can claim that this specific plugin has been compromised. I cannot see anything obvious in the plugin's code that looks suspicious. A far more likely explanation is that some sites have been hacked and the mail is coming from them with inserted files in the plugin's folder possibly being used as the mechanism. There could well be other emails going out that appear to come from other plugins.

    Unless you can provide hard evidence that this plugin is acting as a vector for these emails/hacks, there's really not a lot we can do. If you do know of infected sites, all I can suggest is that you try and persuade the owners of the sites to start de-lousing their sites. If that doesn't work, a quiet word with their hosting provider might be in order.

  7. MoghillPat
    Member
    Posted 1 year ago #

    Fair enough, I guess. Just trying to prevent others from getting infected.

    However, I have seen dozens and dozens of these spam emails now, and all used wplite to store the infected files.
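
Posts 2 and 3 mention files being placed in the plugin's folder. One way a site owner can check for that, as an added example that is not part of the original thread: compare the installed folder against a clean copy of the same plugin release. The function names, the folder layout and the file names `wplite.php` and `readme.txt` are constructed for the demo, and a clean reference copy is assumed to be available.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_plugin(installed: Path, reference: Path) -> dict[str, list[str]]:
    """Compare an installed plugin folder with a clean copy of the same release."""
    live, clean = file_hashes(installed), file_hashes(reference)
    return {
        # Files the release never shipped (e.g. dropped PHP pages)
        "added": sorted(set(live) - set(clean)),
        # Shipped files whose contents no longer match the release
        "modified": sorted(f for f in live.keys() & clean.keys() if live[f] != clean[f]),
        # Shipped files that have been deleted from the install
        "missing": sorted(set(clean) - set(live)),
    }


def demo() -> dict[str, list[str]]:
    """Build constructed sample folders and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp) / "reference" / "wplite"
        installed = Path(tmp) / "installed" / "wplite"
        for root in (reference, installed):
            root.mkdir(parents=True)
            (root / "wplite.php").write_text("<?php /* constructed plugin file */\n")
            (root / "readme.txt").write_text("constructed readme\n")
        # Constructed stand-ins for a dropped file and an altered file
        (installed / "redbottompumps.php").write_text("<?php /* constructed */\n")
        (installed / "readme.txt").write_text("constructed readme, altered\n")
        return compare_plugin(installed, reference)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A non-empty "added" or "modified" list shows that the folder differs from the release; it does not show how the files got there, which is the distinction the moderator draws in post 3.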

Topic Closed

This topic has been closed to new replies.
