
Zero-day in the Fancybox-for-WordPress Plugin


2 replies to this topic

#1 NickAu


    Bleepin' Fish Doctor


  • Moderator
  • 13,841 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 05 February 2015 - 08:13 PM

 

By Daniel Cid on February 4, 2015

Our research team was alerted to a possible malware outbreak affecting many WordPress websites. All the infections had a similar malicious iframe from “203koko” injected into the website. We were also directed to a forum thread where users were sharing their concerns and describing similar issues they were experiencing.

In analyzing the infected websites, we found that all the websites were using the fancybox-for-wordpress plugin.

Zero day in fancybox-for-wordpress

The fancybox-for-wordpress plugin is a popular WordPress plugin with more than 550,000 downloads. There doesn’t appear to be any public vulnerabilities being reported, which piqued our interest. To understand how it was connected, we decided to do our own code / vulnerability review.

After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information.

What makes things worse is that it’s being actively exploited in the wild, leading to many compromised websites.

We could confirm via our Website Firewall logs by seeing many exploit attempts blocked.

This is what the attacks look like:

http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html

 



Edited by hamluis, 05 February 2015 - 09:28 PM.
Moved from Web Site Development to Gen Security - Hamluis.
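As an added example (not part of NickAu's post or of Sucuri's write-up), here is a small Python check a site owner can run over a page's HTML to spot injected iframes of the kind described above. It flags any iframe whose src host contains the "203koko" string mentioned in the report, and, as a general heuristic that is my own assumption rather than something the post states, any iframe that is hidden or zero-sized. The sample page and the `.invalid` host in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator taken from the post above: the injected iframes pointed at a
# "203koko" host. Extend this tuple with your own indicators.
KNOWN_BAD_HOST_FRAGMENTS = ("203koko",)

# Constructed sample page (not from the post): one legitimate video embed
# and one injected, zero-sized iframe pointing at a ".invalid" placeholder host.
SAMPLE_HTML = """<html><body>
<p>Welcome to my site</p>
<iframe width="560" height="315" src="https://www.youtube.com/embed/placeholder"></iframe>
<iframe src="http://203koko.invalid/inject.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append({k.lower(): v for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    return value.strip().lower().rstrip("px") in ("0", "1")


def _is_hidden(attrs):
    """Heuristic (my assumption): injected iframes are usually made invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (
        _is_tiny(attrs.get("width"))
        or _is_tiny(attrs.get("height"))
        or "display:none" in style
        or "visibility:hidden" in style
        or re.search(r"(width|height):[01](px)?(;|$)", style) is not None
    )


def find_suspicious_iframes(html):
    """Return a list of {src, reasons} dicts for iframes worth a closer look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).netloc.lower()
        reasons = []
        if any(frag in host for frag in KNOWN_BAD_HOST_FRAGMENTS):
            reasons.append("src host matches a known indicator")
        if _is_hidden(attrs):
            reasons.append("iframe is hidden or zero-sized")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run it over the saved HTML of a few pages (or over theme and plugin files, since the injection in this case landed in the plugin's own output); anything flagged for the hidden heuristic alone needs a manual look, while a match on the known indicator is a clear sign the site was hit.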




#2 hamluis


    Moderator


  • Moderator
  • 56,560 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 05 February 2015 - 09:26 PM

More Info.

 

Louis



#3 Martel


    Drfixup Human Internet Solutions


  • Members
  • 1,469 posts
  • Gender:Male
  • Location:North Carolina U.S.A.

Posted 06 February 2015 - 08:11 AM

Here is what I have found regarding security measures: what to do after the fact.

 

The best general procedure in all cases is to start with http://codex.wordpress.org/FAQ_My_site_was_hacked

I'd also recommend regenerating all the wp-config salts, just in case; if you had many users, this lets all their cookies (which might have been stolen) expire. You can get new ones from here: https://api.wordpress.org/secret-key/1.1/salt/

 

From here:

https://wordpress.org/support/topic/possible-malware-2/page/3?replies=77
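The salt rotation recommended in the quoted reply, as an added Python example that is neither Martel's nor the wordpress.org thread's code: it rewrites the eight key/salt `define()` lines in `wp-config.php` with fresh values from a CSPRNG and reports any expected key it could not find, so a partial rotation does not silently leave an old secret in place. The sample `wp-config.php` fragment is constructed; the regex assumes the single-quoted `define()` style that `wp-config-sample.php` ships with.

```python
import re
import secrets
import string

# The eight keys/salts WordPress reads from wp-config.php.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus characters that would need escaping inside a
# single-quoted PHP string (' and \) or invite confusion ($, ", `).
_ALPHABET = string.ascii_letters + string.digits + "".join(
    c for c in string.punctuation if c not in "'\"\\$`"
)

# Matches a single-quoted define() line as shipped in wp-config-sample.php
# (assumption: double-quoted variants are not handled here).
_DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>(?:[^'\\]|\\.)*)'\s*\)\s*;"
)

# Constructed sample (not from the thread): the stock placeholder values plus
# one unrelated define that must survive the rewrite untouched.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""


def generate_salt(length=64):
    """Return a 64-character salt drawn from a CSPRNG."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Rewrite every salt define() with a fresh value.

    Returns (new_text, replaced, missing): which keys were rewritten and
    which expected keys were not found, so a partial rotation is visible.
    """
    replaced = []

    def _sub(match):
        name = match.group("name")
        if name not in WP_SALT_KEYS:
            return match.group(0)          # leave DB_NAME and friends alone
        replaced.append(name)
        return f"define('{name}', '{generate_salt()}');"

    new_text = _DEFINE_RE.sub(_sub, config_text)
    missing = [k for k in WP_SALT_KEYS if k not in replaced]
    return new_text, replaced, missing


def current_salts(config_text):
    """Return {name: value} for the salt defines present in config_text."""
    return {
        m.group("name"): m.group("value")
        for m in _DEFINE_RE.finditer(config_text)
        if m.group("name") in WP_SALT_KEYS
    }


if __name__ == "__main__":
    text, done, missing = rotate_salts(SAMPLE_WP_CONFIG)
    print(text)
    print("rotated:", done, "missing:", missing)
```

Rotating all eight values invalidates every existing login cookie, which is exactly the point after a compromise; pasting the output of the api.wordpress.org generator linked above into the file achieves the same thing by hand. Whichever way the salts are changed, confirm afterwards that none of the keys came back in the `missing` list (or still read "put your unique phrase here").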





