[wp-forums] Mailpoet exploit

Otto otto at ottodestruct.com
Thu Jul 24 11:58:31 UTC 2014


Updating a plugin deletes the plugin directory completely, but if there are
PHP files in your /wp-content/uploads directory, then you're likely already
hacked.

The uploads directory should never contain any executable content,
generally speaking. If you find a plugin in the directory that does require
this, please report it to the plugins team so that they can complain to the
plugin developer about it.

-Otto


On Thu, Jul 24, 2014 at 6:55 AM, Rafael Poveda - RaveN <raven at mecus.es>
wrote:

> I have updated three times and the problem was still persistent. I have
> found a wp-content/uploads/wysija/themes/mailp/index.php archive that
> doesn't disappear when you update MailPoet and is a small entrance door.
>
> I suppose that the archive only exists if you have been updating since the
> Wysija times, but still it's something that you have to delete.
>
>
> On Thu, Jul 24, 2014 at 1:33 PM, Otto <otto at ottodestruct.com> wrote:
>
> > The plugin in question was fixed over a month ago. Update, update, update.
> > It ain't hard.
> >
> > -Otto
> >
> >
> >
> > On Thu, Jul 24, 2014 at 3:27 AM, andrew nevins <andrew.nevins.misc at gmail.com> wrote:
> >
> > > I've been telling people on the forums who think MailPoet is insecure to
> > > contact plugins at wordpress.org, but I didn't realise they were getting
> > > information from other sources. Just thought they were running their site
> > > through malware detectors and it was blaming plugins, so I'm sure that
> > > sucuri have already contacted WordPress about this.
> > >
> > >
> > > On Thu, Jul 24, 2014 at 5:22 AM, Mark Ratledge <mark at markratledge.com> wrote:
> > >
> > > > I meant that maybe people were thinking they got brute forced when in
> > > > fact it was that plugin or that plugin in an adjacent account. In any
> > > > event, pretty much the same result.
> > > >
> > > >
> > > > On Jul 23, 2014, at 9:58 PM, James Huff wrote:
> > > >
> > > > > It appears to be unrelated to the various brute-force attempts.
> > > > >
> > > > > The plugin itself is just a vector to inject malware into the files.
> > > > > As such, no brute-force necessary, since they're already in.
> > > > >
> > > > > More info:
> > > > > http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
> > > > >
> > > > > ________
> > > > > James Huff
> > > > > http://macmanx.com
> > > > > http://automattic.com
> > > > >
> > > > >> On Jul 23, 2014, at 8:42 PM, Mark Ratledge <mark at markratledge.com> wrote:
> > > > >>
> > > > >> Have people seen this?
> > > > >>
> > > > >> http://arstechnica.com/security/2014/07/wordpress-plugin-with-1-7-million-downloads-puts-sites-at-risk-of-takeover/
> > > > >>
> > > > >> Could be an issue related to the recent rash of concerns in the
> > > > >> forums about brute force attacks and xmlrpc.
> > > > >>
> > > > >> -songdogtech
> > > > >> _______________________________________________
> > > > >> wp-forums mailing list
> > > > >> wp-forums at lists.automattic.com
> > > > >> http://lists.automattic.com/mailman/listinfo/wp-forums
> >
>
>
>
> --
>
> Rafael Poveda <*RaveN*> | *Mecus*.es | raven at mecus.es | raven at raven.es |
> twitter: bi0xid | gtalk: rafael.poveda | skype: bi0xid | +34.620.739.206
>
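A defender-side check for the point Otto makes at the top of the thread (PHP files under wp-content/uploads are a compromise indicator, and the directory should hold no executable content at all), added here as an example; it is not code from the thread, from WordPress, or from MailPoet. It walks an uploads tree and flags files named with a PHP-style extension (including double extensions such as `name.php.jpg`) as well as non-PHP files whose contents carry a PHP open tag. The sample tree it builds is constructed for the demonstration, and includes a harmless placeholder at the `wysija/themes/mailp/index.php` path Rafael reports; the extension list and the 64 KiB content window are assumptions you can tune.

```python
import re
import tempfile
from pathlib import Path

# Suffixes a web server with a default PHP handler may execute (assumed list).
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# PHP open tags; catching these finds code hidden in files named like images.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")

# How much of each file to inspect for a PHP tag (assumption: 64 KiB is enough
# for a first pass; raise it if you want to scan large files in full).
HEAD_BYTES = 64 * 1024


def scan_uploads(uploads_dir):
    """Return a sorted list of (relative_path, reason) for every file that is
    either named with an executable PHP suffix anywhere in its extension chain
    or contains a PHP open tag in its first HEAD_BYTES bytes."""
    root = Path(uploads_dir)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # path.suffixes lists every extension, so "banner.php.jpg" is caught too.
        if any(s.lower() in EXECUTABLE_SUFFIXES for s in path.suffixes):
            findings.append((rel, "php-extension"))
            continue
        try:
            head = path.read_bytes()[:HEAD_BYTES]
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if PHP_TAG_RE.search(head):
            findings.append((rel, "php-tag-in-non-php-file"))
    return sorted(findings)


def build_sample_uploads():
    """Create a throw-away uploads tree with constructed sample files (not a
    real site) so the scanner can be exercised offline."""
    base = Path(tempfile.mkdtemp(prefix="wp-uploads-demo-"))
    files = {
        "2014/07/photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "2014/07/notes.txt": b"plain text, nothing to see",
        # Leftover file at the path reported in the thread; body is a harmless comment.
        "wysija/themes/mailp/index.php": b"<?php /* constructed placeholder */ ?>",
        # Double extension: looks like an image, may still be handed to PHP.
        "2014/06/banner.php.jpg": b"\xff\xd8\xff<?php /* constructed sample */ ?>",
        # Image extension, PHP tag inside: only the content check finds this.
        "2014/05/avatar.png": b"\x89PNG<?php /* constructed sample */ ?>",
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


if __name__ == "__main__":
    demo = build_sample_uploads()
    for rel, reason in scan_uploads(demo):
        print(f"{reason:26} {rel}")
```

Run it against a real site with `scan_uploads("/path/to/wp-content/uploads")`; anything it lists should be reviewed and, unless a plugin legitimately needs it (which Otto says to report to the plugins team), removed. The content check is what matters most: an attacker-placed file rarely advertises itself with a `.php` name.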

