security vulnerability detected

wtactics
(@wtactics)

10 years ago

Hi,

First of all, wanted to thank the developers who are working hard on the plugin and its improvements, but I think this note needs closer attention.

Writing to inform on possible security issue related with siteorigin widgets bundle. How the issue was detected:

— After the installation of the plugin, the website started started to receive 404 pings with non-existent url’s example domain/gopni3g/download-lagu-iklan–new and so on.

— All the 404 links had the same root name /gopni3g/

— The injection gets uploaded on to this folder public_html/wp-content/uploads with the name site-origin/sow-button-atom-2a09eb887a28.css

— After some time 3-6 hours the site gets hacked by insertion of this folder gopni3g.zip in the root hosting of the website

— finally, after few days your site is being noticed by gogle and the site gets blocked and blacklisted

— the virus starts generate/send various emails and information gets into your folder

————————-

The virus is not detected even using wordfence, wp-security plugin. It can be detected only after you do search scanner using wp-security check and you get the message that one of your folders is being changed.

This is the investigation I have encountered on the sites and not much info is found yet about the /gopni3g/ phenomena.

Posting this thread since I Could not direct contacts of this plugin developers. I cannot say that this is their fault about this thread, but I can see the correlation because after recreating the website from a backup the site is still being attacked with the same method, but cannot be hacked anymore. However, after I install this particular plugins (Widgets Bundle), within 10 mins, the site gets infected.

I hope this post will get more attention to the thread /gopni3g/

https://ww.wp.xz.cn/plugins/so-widgets-bundle/

Viewing 10 replies - 1 through 10 (of 10 total)

Plugin Author Greg – SiteOrigin
(@gpriday)

10 years ago

Hi wtactics

Thanks for letting us know about the issue. I’m investigating this immediately. This looks very similar to an issue that was coming up with WP Mobile Detector. Do you by any chance have that plugin installed too?

https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html

That said, I’m going to read up on what caused that issue with WP Mobile Detector and see if there are any similar vulnerabilities in Widgets Bundle.

As a security measure, all files written to the server are done through the WordPress file system class. That should protect against these sorts of issues, but I’ll take a look. Do you get a similar issue when you disable all other plugins besides Widgets Bundle? Perhaps also download a fresh copy of the Widgets Bundle to make sure the version you’re using hasn’t been modified/infected.

Thread Starter wtactics
(@wtactics)

10 years ago

Hi Greg,

Thanks for prompt response.

I have read the article you have sent over regarding mobile detector. So our answer is “NO” we are not using WP Mobile detector. We used it for couple sites in the past, but not at the moment. The attack that is written in the article is very similar to our situation. We also had /gopni3g/ dir with story.php script. so this looks really familiar. Reading the hackers code it gets apparent that this code was written by Russian speaking people.

After the sites got infected, apparently, I was looking for the reasons the site got infected. My investigation started from plugins and since the infected sites did not have many plugins it was easy enough to catch the vulnerability and attackers IP addresses. After I blocked the attacks (IP addressees) as you might expect, the new attacks began after 5-7 hours. Obviously, using another proxy servers.

So after I have disabled all other plugins and left Widgets Bundle enabled – the website picked up the virus in 10-20 mins again. So yes, the site gets infected once the only plugin (Widgets bundle) gets enabled.

If widgets bundle is enabled – the virus is picked up, if plugin is disabled – then virus does not appear in the files.

If you interested, I could send/upload the actual virus for your investigation and I will do my best to help out on this investigation. Just let me know how how you want me to send the virus.

I installed fresh version vie plugins–>ad new plugin–>widgets bundle and then activation.

If you need any assistance, I will do my best.

Thank you!

N.

Plugin Author Greg – SiteOrigin
(@gpriday)

10 years ago

Thanks for looking into this with us. I really appreciate your help. We’ve investigated the code in the Widgets Bundle and can’t see any similar vulnerabilities, but we’ll continue investigating.

One possibility is that another plugin/virus has changed the contents of the CSS file created by our Widgets Bundle. The reason the vulnerability comes up when the plugin is active is because this file is once again being included.

So if you navigate to wp-content/uploads/siteorigin-widgets/ in your FTP. Do you see any files there? What do you see in the file sow-button-atom-2a09eb887a28.css? Does this look like standard CSS, or some sort of script?

Can you try deleting the siteorigin-widgets folder in your wp-content/uploads/ directory and see if you still get the issue. Ideally, you should have proper file permissions setup for the wp-content and the child uploads folders.

https://codex.ww.wp.xz.cn/Changing_File_Permissions

Either way, after a hack like this I’d suggest completely reinstalling your site. If you’ve had WP Mobile Detector installed previously, it’s possible that a vulnerability has been installed on your site and its using Widgets Bundle somehow. Even if you’ve disabled WP Mobile Detector since.

If you create a clean installation of WordPress and install all the plugins from clean versions, you shouldn’t get the same issue.

https://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked

Thread Starter wtactics
(@wtactics)

10 years ago

you are welcome.

Yes, exactly, I tested out. Once I enable the plugin, the file gets included again into server. Seeing via terminal and scanner that the file is included, I immediately deleted the file.

If I navigate to wp-content/uploads/siteorigin-widgets/ I see this file – take a look the link:
http://imgur.com/o6qOpTK
This is a .css file that I find and looking like a normal .css file, but some code strings slightly strange…
When I delete the folder and its contents siteorigin-widgets/ – I still get the issue after around 10 mins. This is exactly the time loop when virus attacks again. I mean different time intervals lik 5-10 mins, and the file is included again.

The permissions are set under required scope 0755 and 0644. Actually, I have re-installed the wordpress site with fresh install, and reinstalled the plugins, but getting the issue.

You can see the list of plugins I have on the site here:
http://imgur.com/5PSQNEO

I believe thate there must be a cause and explanation, but so far, the deletion of the widgets bundle, solved the problem and the attacker cannot get into the site for 3 days starting from Thursday.

N.

whitefirdesign
(@whitefirdesign)

10 years ago

If someone is exploiting a vulnerability in a WordPress plugin, evidence of that occurring would usually show up in the HTTP log for the website. Have you reviewed that and, if so, what where the attackers sending requests to on the website?

Thread Starter wtactics
(@wtactics)

10 years ago

yes, log files clearly showed that increased traffic was coming to the site with 3-7 min interval, there was separate folder/dir created from which spam emails were coming out to spam and porn sites.

At the final stage, the site gets broken and page pops up and asks to enter login and password. Total site corruption.

Had to re-install, upload backup, make configurations.

whitefirdesign
(@whitefirdesign)

10 years ago

Okay, but if a plugin was the origin of the hack there would usually evidence in the log file of how the plugin was exploited before those other things you just mentioned would have happened, so that is what we are asking about.

vstorm
(@vstorm)

10 years ago

Could you provide a zip of that directory and the files in it? Logs would be great too. I would be curious to see how it is exploited.

Plugin Author Greg – SiteOrigin
(@gpriday)

10 years ago

Something else that would be interesting to see would be a zip file of the so-widgets-bundle folder. This would allow me to check if the version you’re using has been compromised. It’s possible that you have some sort of malware somewhere that’s modifying the Widgets Bundle code just after you reinstall it.

One tell-tale sign is the folder name you mentioned – site-origin/sow-button-atom-2a09eb887a28.css. We always write SiteOrigin as one word, so it would always be siteorigin, not site-origin. You can do a search through the code here on SVN – you’ll see it’s never written as site-origin. This makes me think the version you’re using could be compromised.

If you can zip your so-widgets-bundle folder and share it with me, I’ll take a look.

Either way, I’d suggest you try starting with a completely fresh WordPress install on a new server. It’s difficult to know what was compromised and how. Especially if there is malware hiding somewhere in your WordPress install.

Thread Starter wtactics
(@wtactics)

10 years ago

Hi Greg,

I will try to get the full .log file lists from hosting provider as it’s client’s control pannel and do not have full access to the files except for the last 3 days. And I have so-widgets-bundle zipped version for the dates of 2016 May 1st and current version 2016 june 8th.

How do you want me to share? Email or some upload place, but it still needs email so I could use for sending/sharing it with you.

Thanks

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘security vulnerability detected’ is closed to new replies.