• Resolved lukameci

    (@lukameci)


    We recently had a malware breach on our webpage which caused the user to be redirected to an ad page upon landing on our webpage. This only affected mobile devices, desktops did not take notice.

    I isolated this plugin to be the culprit after disabling all the plugins and enabling them one by one.

    I think this is a case of SQL injection?

    Access logs show the following:

    XXX.XX.XXX.XX - - [01/Mar/2024:00:11:55 -0700] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/2 HTTP/1.1" 200 685 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

    XXX.XX.XXX.XX - - [01/Mar/2024:00:11:55 -0700] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1 HTTP/1.1" 500 2742 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

    XXX.XX.XXX.XX - - [01/Mar/2024:00:11:55 -0700] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/3 HTTP/1.1" 500 2736 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

    For now I will be disabling this plugin, and if there is something else you might need please let me know.
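    Added example, not part of this thread or of the plugin: a small log triage script that parses Apache combined-format lines like the ones above and flags requests to the wpgmza markers REST route that carry an HTTP method override (`_method=`) in the query string, summarising them per source IP and status code. The log lines embedded here are constructed to mirror the posted ones; IPs, domain and user agent are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on the access log entries in the thread
# (placeholder IPs/domain, plain ASCII quotes). Lines 4-5 are benign controls.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:00:11:55 -0700] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/2 HTTP/1.1" 200 685 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2024:00:11:55 -0700] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1 HTTP/1.1" 500 2742 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2024:09:10:15 -0700] "GET /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/3 HTTP/1.1" 500 2761 "http://example.com/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/3" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:09:12:00 -0700] "GET /wp-json/wpgmza/v1/markers HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:09:12:01 -0700] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

MARKERS_ROUTE = "/wp-json/wpgmza/v1/markers"

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """True when the request targets the markers route (case-insensitive, the
    logs show 'wpgmzA') and overrides the HTTP method via ?_method=..."""
    parts = urlsplit(rec["target"])
    if MARKERS_ROUTE not in parts.path.lower():
        return False
    return "_method" in parse_qs(parts.query)

def scan(log_text):
    """Return the parsed records that match the suspicious pattern."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and is_suspicious(rec)]

def summarize(hits):
    """Count flagged requests per (source IP, HTTP status)."""
    return Counter((h["ip"], h["status"]) for h in hits)

if __name__ == "__main__":
    for (ip, status), n in sorted(summarize(scan(SAMPLE_LOG)).items()):
        print(f"{ip}\tstatus {status}\t{n} request(s)")
```

    A cluster of such requests from one IP, with 500 responses after the plugin update, matches the "scripts still attempting the same actions" pattern the plugin author describes later in the thread.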

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter lukameci

    (@lukameci)

    Same IP makes GET requests:

    XXX.XX.XXX.XX - - [01/Mar/2024:09:10:15 -0700] "GET /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/3 HTTP/1.1" 500 2761 "http://DOMAIN.com/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/3" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

    XXX.XX.XXX.XX - - [01/Mar/2024:09:10:15 -0700] "GET /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/6 HTTP/1.1" 500 2761 "http://DOMAIN.com/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/6" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

    XXX.XX.XXX.XX - - [01/Mar/2024:09:10:15 -0700] "GET /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1 HTTP/1.1" 500 2761 "http://DOMAIN.com/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

    Plugin Author DylanAuty

    (@dylanauty)

    Hi @lukameci,

    Thank you for getting in touch. My apologies for the trouble experienced.

    Yes, there was a known exploit that allowed this endpoint to be exploited, and it was reported to us in December. We acted quickly to get patches out to secure the endpoints. After this we released updates which attempt to clean up any known data, based on what we knew about the redirects being stored.

    At this point in time, I can confirm that this vector is no longer accessible to new attacks, but it is possible that your marker data has not been cleaned up properly. If you are open to sharing your marker data with us via our website, we can help you in getting rid of any of the redirects, as well as expanding our cleanup system to remove this across sites.

    We are aware of a fatal error which is being thrown on that endpoint as it seems there are still scripts attempting to perform the same actions. That fatal error will be solved in our update which we expect to be released tomorrow.

    Again, we’d appreciate you reaching out to us directly so that we can work with you more closely in solving the issue with your existing markers.

    I seem to be experiencing similar issues on several sites despite updating to the latest plugin version. Sent details via website.

    Plugin Author DylanAuty

    (@dylanauty)

    Hi @johnwpc,

    Thank you for sending over the details on our website. We’ll be in touch as soon as possible to assist.

    For reference, this thread is also related: https://ww.wp.xz.cn/support/topic/fatal-php-error-39/ - The root cause of errors being reported has been resolved, meaning the invalid requests (likely from a 3rd party) have been fixed.

    We aren’t able to block these kinds of requests as the API endpoint is public, and is used to fetch marker data, but the sites running updated versions will no longer cause any fatal errors.

    With that said, we’ll discuss this further with you via email!

    We seem to have the same experience. When disabling the WP Google Maps plugin the redirects stop.

    We see a weird http(?) link in some files; http://affiliatetracker.io/?aff=”.$id.”&affuri=”.base64_encode($link);

    Could be that this route is compromised.

    Edit: I guess the above is not the redirect source. Found an SQL injection in the first entry of the wp_wpgmza table. After this the redirects stop and we can use the plugin again. Updated to the latest version.

    • This reply was modified 2 years, 2 months ago by rservaas.
    Plugin Author DylanAuty

    (@dylanauty)

    Hi @rservaas,

    Thank you for reaching out; we do appreciate your time. The issue within the code was solved some time ago; this has been confirmed in various tests since then.

    However, we also released a few updates which attempt to clean/remove any already exploited data. Unfortunately, it’s not possible for us to anticipate every URL/pattern that might have been used, which means some may not have been fully cleared.

    I noticed you mentioned that you have since resolved this, but for anyone else who may have a similar situation, we do encourage reaching out to us on our website, so that we can take a closer look.

    We do appreciate everyone’s time and understanding in this regard.

    Samuel

    (@samuelldrew)

    The issue was the marker; they inserted scripts in the description field that caused the problem. I deleted the markers via phpMyAdmin, updated the plugin and added the markers again. Things seem okay now.
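    Added example, not from this thread or from the plugin: an audit of stored marker rows for the kind of injected markup the two posts above describe (scripts and redirect code placed in the marker description field of the wp_wpgmza table). The rows are constructed sample data; the column names `id`, `title` and `description` are assumptions, not the plugin's schema.

```python
import re
import html

# Constructed marker rows (column names assumed). Row 3 stores the script
# entity-encoded, which a naive "<script" search would miss.
SAMPLE_MARKERS = [
    {"id": 1, "title": "Head office",
     "description": "<script>window.location.href='http://example.invalid/ad';</script>"},
    {"id": 2, "title": "Warehouse", "description": "Open weekdays 9-5"},
    {"id": 3, "title": "Shop",
     "description": "&lt;script src=&quot;//example.invalid/r.js&quot;&gt;&lt;/script&gt;"},
    {"id": 4, "title": "Depot",
     "description": '<a href="javascript:top.location=\'http://example.invalid\'">map</a>'},
]

# Markup that has no business in a free-text map marker description.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*iframe\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),                      # inline event handlers
    re.compile(r"(window|document|top)\.location", re.I),      # JS redirects
    re.compile(r"<\s*meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
]

def normalize(text):
    """Decode HTML entities until stable so entity-encoded tags are still seen."""
    prev = None
    while prev != text:
        prev, text = text, html.unescape(text)
    return text

def audit_marker(marker):
    """Return the (sorted) list of suspicious patterns found in one marker."""
    text = normalize(marker.get("description") or "")
    return sorted({p.pattern for p in SUSPICIOUS if p.search(text)})

def audit_markers(markers):
    """Map marker id -> matched patterns, for markers that need manual review."""
    findings = {}
    for m in markers:
        hits = audit_marker(m)
        if hits:
            findings[m["id"]] = hits
    return findings

if __name__ == "__main__":
    for marker_id, patterns in audit_markers(SAMPLE_MARKERS).items():
        print(f"marker {marker_id}: review ({', '.join(patterns)})")
```

    Flagged rows are for review, not automatic deletion; a legitimately HTML-formatted description may still trip a pattern, so check each before cleaning and re-entering the marker as the posts above did.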

    Plugin Author DylanAuty

    (@dylanauty)

    Hi @samuelldrew,

    Thank you for letting us know; we do appreciate your time and insight. We have recently become aware of another script pattern which is affecting some users.

    We’ve released an update which will automatically clean up marker fields which were compromised by previous weaknesses in the REST API endpoints.


The topic ‘Plugin was compromised’ is closed to new replies.