[wp-hackers] Hookd? Sketchy Plugin Include

Jackson Whelan jw at jacksonwhelan.com
Tue Sep 13 22:28:01 UTC 2011


Trying to help someone in the forums complaining about a plugin 
(http://wordpress.org/extend/plugins/hit-counter-ultimate/) causing 
their site to crawl, and stumbled across this included file which looks 
like it could be used for great malfeasance.


Makes calls to hookd.org and requests actions and filters to be added. 
Creates a world-writable directory while it's at it as well.

Is anyone familiar with hookd.org? Am I paranoid for thinking this is 

As a bonus the plugin emails the author with the URL of the site it was 
activated on, with no user consent or knowledge.


Which would make sense as it would allow them to fine tune the junk they 

I found this related post in the forums from a year ago.


I've already emailed plugins at wordpress.org, but thought I'd ask if 
anyone here was aware of this.

No comment on hit counters being used in 2011, but if you'd like to step 
into the wayback machine just look at the screenshots : )

Thanks! Jackson
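
Added example, not part of the original message and not the plugin's own code: a Python triage script that flags, in a plugin's PHP files, the three behaviours the post describes (hooks registered alongside a remote fetch, a world-writable directory, the site URL mailed out). The regexes, finding names and sample fragments are assumptions constructed for illustration.

```python
import os
import re

# Heuristics for the three behaviours named in the post. The patterns are
# assumptions about how such PHP usually looks, not the plugin's actual code.
REMOTE_FETCH = re.compile(
    r"\b(?:wp_remote_get|wp_remote_post|file_get_contents|curl_init|fsockopen)\s*\(", re.I)
# add_action/add_filter where the hook name or the callback is a variable.
DYNAMIC_HOOK = re.compile(
    r"\badd_(?:action|filter)\s*\(\s*(?:\$|[^,()]+,\s*\$)", re.I)
WORLD_WRITABLE = re.compile(r"\b(?:mkdir|chmod)\s*\([^;]*\b0?777\b", re.I)
MAIL_CALL = re.compile(r"\b(?:wp_mail|mail)\s*\(", re.I)
SITE_URL = re.compile(r"\b(?:get_bloginfo|site_url|home_url)\s*\(", re.I)

def audit_php(source):
    # Return the behaviours a single PHP source string exhibits.
    findings = []
    if REMOTE_FETCH.search(source) and DYNAMIC_HOOK.search(source):
        findings.append("remote-driven-hooks")
    if WORLD_WRITABLE.search(source):
        findings.append("world-writable-path")
    if MAIL_CALL.search(source) and SITE_URL.search(source):
        findings.append("mails-site-url")
    return findings

def audit_tree(root):
    # Map each flagged .php file under root to its findings.
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = audit_php(handle.read())
                if hits:
                    report[path] = hits
    return report

# Constructed fragments for demonstration only.
SUSPECT = r"""<?php
mkdir($dir, 0777);
$body = wp_remote_retrieve_body(wp_remote_get($endpoint));
add_filter($hook, $callback);
wp_mail($to, 'activated', get_bloginfo('url'));
"""
BENIGN = r"""<?php
add_action('init', 'example_counter_init');
mkdir($dir, 0755);
"""
```

A hit is a reason to read the file by hand, not a verdict: legitimate plugins also fetch remote data and register hooks through variables.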

