  1. #1 Chips (Private Member)

    WP site hacked, loaded phishing and malware through plugin

    Had a client of ours' WP site attacked. She had loaded the WP Newsman plugin and this gave access to the file structure and directories. They added a slug of links within folders. Hostgator discovered and removed a shedload of files and links. Here is what was reported to us:

    We have received complaints of a phishing site being hosted on your site as referenced below. Upon inspection, we found that a phishing site had indeed been installed on your account. After further investigation, it appears that your "WP NewsMan" theme was exploited and used to place malware on the account. The theme has a file upload function which allows for new images to be uploaded; however, the code does not verify that the files being uploaded are actually images. This allows hackers to exploit the uploader and upload malware to the account. We recommend that you contact the developer of the theme to see if they have a newer version of the theme available where this exploit is patched. Please note that if you do not update or remove this theme for all of your sites, it can lead to the account being compromised again. Simply disabling the theme will not work to resolve this issue, as the files will still be present on the account.
    They noted WP NewsMan as a theme but it is a plugin, not a theme. I searched through the files and found even more newsman crud than what they found. Also, the plugin installed as a "Must Use" so you have to delete it from the directory and the SQL db files. It also disabled the firewall plugin so they had open access. Nasty little bugger it was; I think we got it all cleared out now.
    --
    "People who are unable to motivate themselves must be content with mediocrity." ~Andrew Carnegie~

  2. The Following 3 Users Say Thank You to Chips For This Useful Post:

    Redbush54 (30 January 2015), TheGooner (30 January 2015), universal4 (30 January 2015)
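The host's finding above is that the plugin's uploader trusted the file name and never checked the bytes. The following is an added illustration (not code from the thread or from the NewsMan plugin), written in Python rather than PHP, of the name-only check beside a content-based one, plus a small sweep a site owner could run over an uploads tree after a cleanup. The signature allowlist and the sample files are constructed for the example.

```python
from typing import Dict, List, Tuple

# Magic-byte signatures for the image types the uploader is meant to accept
# (constructed allowlist for this example; a real uploader may accept more).
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Byte sequences that never belong in a genuine image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

# Extensions a web server may hand to the PHP interpreter.
EXECUTABLE_EXTS = ("php", "phtml", "php5", "phar")


def vulnerable_is_image(filename: str) -> bool:
    """Name-only check of the kind the host described: anything named *.jpg
    passes, because the file contents are never inspected."""
    return filename.lower().rsplit(".", 1)[-1] in IMAGE_SIGNATURES


def hardened_is_image(filename: str, data: bytes) -> Tuple[bool, str]:
    """Validate an upload by name AND content. Returns (accepted, reason)."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in IMAGE_SIGNATURES:
        return False, "extension ." + ext + " not in allowlist"
    # Reject double extensions such as x.php.jpg; some server configs run them.
    if any(p in EXECUTABLE_EXTS for p in parts[1:-1]):
        return False, "executable extension hidden before image extension"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not start with the " + ext + " signature"
    # Catches polyglots: a valid image header with script code appended.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in image data"
    return True, "ok"


def scan_uploads(files: Dict[str, bytes]) -> List[str]:
    """Defender-side sweep: names of files in an uploads tree that fail the
    content check. Takes an in-memory {name: bytes} tree (constructed) so the
    example runs offline; on a real site, walk wp-content/uploads instead."""
    return [name for name, data in files.items()
            if not hardened_is_image(name, data)[0]]
```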

  3. #2 Gamer (Public Member)


    Good job! Good that I do not use WP as a base for my websites.
    Have heard so many horrible stories about hackers using WP plugins to attack other sites or changing affiliate links, etc. etc.
    The World is crazy!

  4. #3 allfreechips (Private Member)


    Anything you install, you should know the source of where it came from! It's amazing the amount of WP attacks I see on my sites and I don't use WP!
    Allfreechips online casino guide offers online casino reviews from our members. Also our exclusive No Deposit casino bonuses are always up to date. See the latest slot machine reviews at Hotslot and exclusive no deposit casino bonuses as well with a good dose of daily online gambling news to learn about pokies

  5. #4 Chips (Private Member)


    Forgot to mention, the attacks appeared to come from Colombia and Peru IP addresses; we blocked them in .htaccess and the ones with multiple IPs were range blocked:

    190.239.53.69
    190.24.196.8
    190.233. (multiple)
    190.238. (multiple)
    190.239. (multiple)
    --
    "People who are unable to motivate themselves must be content with mediocrity." ~Andrew Carnegie~

  6. #5 universal4 (Forum Administrator)


    Thanks for the report Chips,

    I will take a look at those subnets and consider blocking them globally.

    The first one listed is Peru, the second Colombia, but the other three are India. I have a number of clients that want traffic from those countries so I will not likely block them globally. If they later become problematic for me, though, this will help me decide to do so much quicker.

    Rick
    Universal4
