Thanks for the heads up. I don’t see how it could be related to this plugin, it only loads/runs code if the user can already install plugins, and there is nonce verification on top of that as well. Also, it doesn’t have any code to write to files or anything like that.
Regardless, I’ll do a full code review to make sure nothing was missed. Please let me know if you find out anything further.
Out of curiosity, what other plugins did you have installed?
Also if you could send the offending files over to [email protected] that’d be great, as they might have some clues as well.
Hi,
I did some penetration testing against 1.0.3 and reviewed the code, and I don’t think that this plugin was the cause of the hack. There isn’t any code that would allow someone to include a file or run a search/replace without being an authenticated admin.
To be on the safe side, I’ve released an update with some additional (minor) security enhancements that I found while looking into this. Please do let me know if you find any more information on this and send over the affected files if you get a chance.
Thank you.
Cheers for having a look; not to say it was your plugin per se, but it’s always worth letting people know, just in case.
Annoyingly, I did delete the files causing it straight off the server, but the server company did get the headers of the email it was sending out.
Received: (qmail 22305 invoked from network); 7 Mar 2015 13:15:31 -0000
Received: from unknown (127.0.0.1)
by 0 with QMQP; 7 Mar 2015 13:15:31 -0000
To: [email protected]
Subject: Wyrwij sie z finansowej niewoli i badz niezalezny
X-PHP-Originating-Script: 20760:.include.php(1498) : eval()'d code
Date: Sat, 07 Mar 2015 13:15:31 +0000
From: Piotr Szymanski <support@THE_DOMAIN.com>
Message-ID: <9a7b6b4f2d29495014bc96083ca2df12@THE_DOMAIN.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_9a7b6b4f2d29495014bc96083ca2df12"
Content-Transfer-Encoding: 8bit
X-Host-Domain: THE_DOMAIN.com
X-Host-Script:
/domains/b/a/THE_DOMAIN.com/public_html/wp-content/plugins/better-search-replace/templates/.include.php
X-Host-Server: ...
X-Host-Client: ...
(Blanked out sensitive data)
I’m doing an audit of the site now, but if you’re happy it’s nothing to do with your plugin then I’m happy with that as well. Thanks for having a look though!
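The headers in the post above carry two useful forensic clues: PHP's X-PHP-Originating-Script header (written when mail.add_x_header is enabled) names the script that called mail(), and the "eval()'d code" suffix shows the call came from obfuscated code evaluated at runtime, while the host's X-Host-Script header gives the full path of the dropped file. The following is an added example, not code from the thread or from the Better Search Replace plugin: it parses those headers, decodes the originating-script value, and then walks a WordPress tree looking for the same two indicators (a PHP dotfile hidden inside a plugin directory, and eval()/decoder calls). The sample headers and the miniature wp-content tree are constructed for the demo, with the blanked values kept as the poster blanked them.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: the diagnostic headers quoted in the thread, with the
# address and host fields blanked exactly as the poster blanked them.
SAMPLE_HEADERS = """\
Received: (qmail 22305 invoked from network); 7 Mar 2015 13:15:31 -0000
To: [email protected]
Subject: Wyrwij sie z finansowej niewoli i badz niezalezny
X-PHP-Originating-Script: 20760:.include.php(1498) : eval()'d code
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
X-Host-Domain: THE_DOMAIN.com
X-Host-Script:
 /domains/b/a/THE_DOMAIN.com/public_html/wp-content/plugins/better-search-replace/templates/.include.php
"""


def parse_headers(raw: str) -> dict:
    """Parse RFC 5322 style headers, joining folded continuation lines.

    A line starting with whitespace continues the previous header (the
    X-Host-Script value in the sample is folded that way). Repeated headers
    such as several Received: lines keep their first value only, which is
    enough for pulling out the X-* diagnostic fields.
    """
    headers = {}
    current = None
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:
            headers[current] = (headers[current] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip()
        headers.setdefault(current, value.strip())
    return headers


# "uid:file.php(line) : eval()'d code" is how PHP reports a mail() call made
# from inside eval(); the plain form is just "uid:file.php".
ORIGINATING_RE = re.compile(
    r"^(?P<uid>\d+):(?P<script>.+?)\((?P<line>\d+)\)\s*:\s*(?P<context>.+)$")


def parse_originating_script(value: str) -> dict:
    """Decode PHP's X-PHP-Originating-Script header value."""
    m = ORIGINATING_RE.match(value)
    if m:
        return {"uid": int(m["uid"]), "script": m["script"],
                "line": int(m["line"]), "evald": "eval()'d code" in m["context"]}
    uid, _, script = value.partition(":")
    return {"uid": int(uid) if uid.isdigit() else None, "script": script,
            "line": None, "evald": False}


# Indicators matching the thread: eval() of runtime-decoded data.
SUSPICIOUS_CALLS = re.compile(
    r"\beval\s*\(|\bbase64_decode\s*\(\s*\$|\bgzinflate\s*\(", re.IGNORECASE)


def scan_wp_tree(root: Path) -> list:
    """Report PHP files under root that are dotfiles (hidden from a casual ls)
    or that contain eval()/decoder calls. Returns sorted (relative path, reason)."""
    findings = []
    for path in root.rglob("*.php"):  # pathlib globs do match leading-dot names
        reasons = []
        if path.name.startswith("."):
            reasons.append("hidden dotfile")
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if SUSPICIOUS_CALLS.search(text):
            reasons.append("eval/decoder call")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), ", ".join(reasons)))
    return sorted(findings)


def build_demo_tree() -> Path:
    """Constructed miniature wp-content tree: one benign plugin file and one
    hidden file in the plugin's templates/ directory, mirroring the path in the
    X-Host-Script header. The hidden file is a stand-in, not the real dropper."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    plugin = root / "wp-content" / "plugins" / "better-search-replace"
    (plugin / "templates").mkdir(parents=True)
    (plugin / "better-search-replace.php").write_text(
        "<?php\n// benign plugin bootstrap (constructed)\nfunction bsr_init() { return true; }\n")
    (plugin / "templates" / ".include.php").write_text(
        "<?php\n// constructed stand-in for a dropped mailer: eval of decoded data\n"
        "eval(base64_decode($payload));\n")
    return root


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_HEADERS)
    info = parse_originating_script(hdrs["X-PHP-Originating-Script"])
    print("mailer script:", info["script"], "line", info["line"], "eval'd:", info["evald"])
    print("full path    :", hdrs["X-Host-Script"])
    for rel, why in scan_wp_tree(build_demo_tree()):
        print(f"{why:30s} {rel}")
```

Run against a real install by pointing scan_wp_tree at the document root; the dotfile check alone would have surfaced the file named in the post, since nothing legitimate in a plugin's templates/ directory starts with a dot. Keeping mail.add_x_header enabled on shared hosts is what made the originating-script header available to the hosting company in the first place.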