• [Resolved] user (@dnshost)


    An exploit in Updraft 1.12.30 (and possibly previous versions) allows a remote user to take advantage of code within Updraft to execute eval commands, creating a post.php file in the root folder with code that lets the remote user gain access to a variety of functions, including mail() execution.

    One of the files affected is updraftplus/vendor/composer/files.php

    Thankfully, I use NewRelic to monitor my server and was able to catch this security breach quickly; however, not before thousands of emails had flowed through my network. To the developers of UpdraftPro, your users deserve an explanation as to why this occurred and why this fraudulent code was released.

    [topic title adjusted by moderator]

    • This topic was modified 9 years, 3 months ago by James Huff.
  • Plugin Author David Anderson / Team Updraft (@davidanderson)

    Hi,

    “One of the files affected is updraftplus/vendor/composer/files.php”

    No such file exists in this version, or indeed any version, of UpdraftPlus, which is easily verified: http://plugins.svn.wordpress.org/updraftplus/tags/1.12.30/vendor/composer/

    i.e. This is a file which a hacker has placed on your site, not one that came with UpdraftPlus.

    Why is it in a directory belonging to UpdraftPlus? Most likely because:
    a) Once a hacker has access to your site’s files, he can place a file anywhere he chooses – that’s how webserver file permissions work. Where he puts that file is no indication of how he got the initial access to do so.

    b) Most hacks are automated and will look for directories likely to exist; and so directories associated with plugins with over a million installs are good places to start.

    “To the developers of UpdraftPro, your users deserve an explanation as to why this occurred and why this fraudulent code was released.”

    Your report is fundamentally wrong; please tone down the hyperbole. I understand that you’re probably stressed because your site is hacked, but you’re not helping anyone by shouting based on a beginner’s mistake.

    Mods: Please can you change this thread’s title to avoid scaring our other million users?

    David

The topic ‘Compromised Site’ is closed to new replies.