Thread Starter
Stephen
(@sboltonjr)
In the mean time I deleted the plugin entirely and repaired the wordpress files. Thanks to Wordfence.
I have confirmed stb-uploader.php in this plugin allows you to upload
an arbitrary zip file, which it kindly unpacks for you. I was able
to use it to upload a PHP shell without any prior authentication. I
recommend removing this plugin ASAP until it gets repaired.
One of my customer’s sites got nailed with it yesterday too.
Thread Starter
Stephen
(@sboltonjr)
Yeah I noticed that file. A lib.zip file was uploaded and it got unzipped with a folder called lib and in it was 404.php which had filesman. Looks like wordpress.com removed the wp-special-textboxes plugin for the time being. Two wordpress files were modified at the time but I had repaired thanks to Wordfence. Plugin was removed. Marking this as resolved since it’s been figured out.
One of my client’s site was hacked too. Good thing that WordPress took swift action, but we need an alternative, Any suggestions please?
Thread Starter
Stephen
(@sboltonjr)
Not sure of free plugins, only know of paid plugins on codecanyon.
okay can you give me the link?
Thanks
Thread Starter
Stephen
(@sboltonjr)
To be honest don’t really remember what special textboxes did but this might be similar
http://codecanyon.net/item/styles-with-shortcodes-for-wordpress/142221
Check out the samples page. Hope this link isn’t forbidden to post.
Thread Starter
Stephen
(@sboltonjr)
I did a search for the file 404.php in my logs and then discovered that the cracker was accessing a php file in the wordpress-importer plugin called defines9.php . This of course isn’t even a file included with the plugin. Another file that was actually hidden was called .dump.php and in the wp-special-textboxes/js/jscolor folder. No clue what these are doing, everything in the file(s) are encoded. I will assume dumping information from my mysql database maybe.
I just found out the same …
And after getting rid of that issue I wrote a little script that checks if the system is “clean” (so i did not oversee any .htaccess)
just save the following file directly into the plugins-directory and run it. It displays which .htaccess-files are “bad”.
http://pastebin.com/WMQjB7bY
And of course: Don’t just trust me. Check the code for yourself. (it is quite simple) đŸ˜€
BTW: A more detailed analysis (in german) I wrote down there: https://plus.google.com/+OleAlbers/posts/8NjCKKGkZgB
Thread Starter
Stephen
(@sboltonjr)
After spending an entire day yesterday cleaning up the folder for one out of 30 websites on the same server, this was a job of a bot. A Sr. Malware Researcher at Sucuri helped me decode all the encoded php files I was unable to decode myself, to determine that it is just a bot that sets up to spam email with your server. Since I use a VPS with debian, I installed maldetect to scan all my files and it had found one file I was missing that was added to use google libraries plugin folder.
Before using maldetect, I was using threat scanner wordpress plugin to find all instances of eval. There were a ton of files modified and added to random folders (galleries, upload folder, and other plugin folders).
Maldetect probably would of been enough to determine what needed to be quarantined (or in my case, just went ahead and deleted since I could tell what was bad and what wasn’t by doing comparing between original plugin packages). I have since tightened things up with iTheme security plugin, and of course maldetect on the server side.
