Popular WordPress plugin comes with a backdoor, steals site admin credentials

Security researchers have unmasked a WordPress plugin that installed a backdoor and used it to alter core WordPress files so it could log and steal user credentials from infected sites.

First signs of something being wrong were spotted by the Sucuri team, a company that provides website security. Sucuri’s researchers were alerted by one of their clients to the presence of a weirdly named file (auto-update.php) that didn’t exist until a recent plugin update.

The plugin in question was Custom Content Type Manager (CCTM), a popular WordPress plugin for creating custom post types that, in the three years since it was uploaded on the WordPress plugin repo, has amassed quite a following, being currently installed on more than 10,000 sites.

Custom Content Type Manager version 0.9.8.8 contains malicious code

As Sucuri’s investigation revealed, in the past two weeks the plugin, which had looked like an abandoned project for the last 10 months, mysteriously changed owner; immediately after, the new developer, named wooranker, updated the plugin and pushed out a new version.

All the changes he made to the plugin were of a nefarious nature. First, there was the addition of the auto-update.php file, which gave the plugin the ability to download files from a remote server onto the infected website.

Additionally, wooranker also added the CCTM_Communicator.php file, which worked together with another, older, legitimate plugin file. The purpose of these two files was to ping wooranker’s server about the presence of a newly infected site.

Besides gathering info on the victim’s site, this plugin also tapped into the WordPress login process and recorded usernames and passwords, albeit in encrypted form, sending the data to the wordpresscore.com server.

Some users were auto-updated to this malicious plugin version

These two modifications were pushed out as Custom Content Type Manager version 0.9.8.8, which in many cases users installed themselves, or which was installed automatically on their sites if the auto-update feature was turned on.

Once wooranker gathered data about infected sites, Sucuri says he tried to access his victims. In the case they analyzed, Sucuri saw that the hacker attempted to log in manually on one of the infected sites but didn’t manage to authenticate because that site’s owner had changed the login URL to a custom link.

Seeing his login attempts thwarted, wooranker quickly changed tactics, and Sucuri says he used the auto-update.php backdoor and forced the target’s site to download and install another file called c.php, which would create another file, more exactly, wp-options.php (WordPress uses wp-settings.php).

This latter file had only one purpose, and that was to alter core WordPress files. The files it edited were wp-login.php, wp-admin/user-new.php, and wp-admin/user-edit.php.

Hacker found a way to record and steal passwords in cleartext

The hacker’s alterations made sure that he was able to control user login, creation and edit commands, intercepting user data before it was encrypted and sending users’ cleartext passwords to wooranker’s server.

Furthermore, wp-options.php also created an admin account on the infected website, with the credentials support / support@wordpresscore.com, which he could use if anything else failed.

All of this meant that wooranker would always have an admin account on all infected websites, and he would always be notified of what passwords users were using when accessing infected sites.

Did the hacker reveal his true identity?

And just in case the CCTM_Communicator.php file had problems reporting on infected websites, wooranker also included his own set of JavaScript analytics code, loaded via the CCTM plugin as a fake jQuery version.

This JavaScript file was reporting all new infections to the donutjs.com domain. In fact, all the domains Sucuri discovered used in this attack were linked and registered under the name of Vishnudath Mangilipudi, a developer from Andhra Pradesh, India.

Sucuri didn’t accuse Mangilipudi of being the hacker, since he could have easily had his identity stolen, just like the rest of us. As for wooranker, the same developer is also an admin on the Postie WordPress plugin. Sucuri says that Postie is still managed by its original author, and that there’s no malicious code inside it.

WordPress admins who have this plugin installed should remove it right away, roll back the core WordPress files to their standard versions, and if they really have to keep the CCTM plugin on their sites, use the last stable version, which is considered 0.9.8.6 (0.9.8.7 has a security flaw).

Sucuri wasn’t the first to identify the plugin’s behavior, with some users on the WordPress forums having reported CCTM three days ago, but to be fair, they didn’t actually see the auto-update.php file as a backdoor, but as a vulnerability that needed to be fixed.

wooranker’s activity on WordPress.org


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/b52NVk50-Xg/popular-wordpress-plugin-comes-with-a-backdoor-steals-site-admin-credentials-501383.shtml


Popular WordPress plugin pulled after discovery of password-stealing backdoor


The precise number of websites out there running on WordPress may not be known, but one thing is for sure — there are a lot of them. Two reasons for the popularity of WordPress are the ease of set up and the availability of a huge range of plugins. One popular plugin, Custom Content Type Manager (CCTM), has just been pulled from the WordPress Plugin Directory after a backdoor was discovered.

The plugin has been installed on thousands of websites, and a recent update — automatically installed for many users — included a worrying payload. In the hands of a new developer, Custom Content Type Manager made changes to core WordPress files, ultimately making it possible to steal admin passwords and transmit them in plaintext to a remote server.

Security site Sucuri was alerted to the problems by a user, and immediately launched an investigation. A new file, auto-update.php, was discovered. Analysis of the code revealed it to be a backdoor that could download files from the suspicious-sounding wordpresscore.com. Another file, CCTM_Communicator.php, includes code that intercepts usernames and URLs of sites that have the plugin installed.

Custom Content Type Manager had lain dormant for 10 months, but its new owner, wooranker, was making use of an established install base. It’s not clear whether the change of ownership was legitimate or the result of an account hack. Towards the end of last month, wooranker started to use the backdoor to deliver additional files to users, who began to notice that their sites were being hacked.

Custom Content Type Manager has now been pulled from the WordPress Plugin Directory, but if you still have it installed, you need to take action. Version 0.9.8.8 of the plugin is the updated version that includes compromised code, but the previous version — 0.9.8.7 — contains a separate security flaw. As such, the last version considered safe is 0.9.8.6. If you’re reliant on the plugin, the advice is to roll back to this version. Sucuri suggests the following steps:

  1. Deactivate the Custom Content Type Manager plugin.
  2. Check consistency of all core WordPress files. You can reinstall WordPress to achieve this. At least, make sure that the following three files are not modified (for WP 4.4.2 you can get the originals here):
    1. ./wp-login.php
    2. ./wp-admin/user-edit.php
    3. ./wp-admin/user-new.php
  3. Now that you have removed the credential-stealing code in the previous steps, change the passwords of all WordPress users.
  4. Don’t forget to delete users that you don’t recognize, especially the one with the support@wordpresscore.com email.
  5. Now remove wp-options.php in the root directory.
  6. Delete the Custom Content Type Manager plugin. If you really need it, get the last good version 0.9.8.6 here and disable automatic plugin updates until the malicious plugin versions are removed from the Plugin Directory. By the way, don’t install CCTM versions older than 0.9.8.6 either. They have a known security hole and we see hackers checking websites for this (along with many other vulnerabilities).
  7. You might also want to scan all other files and the database for “wordpresscore”. Just in case.
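As an added example that is not part of either article or of Sucuri's own tooling, the Python script below automates three of the checks above: it hashes the three core files the rogue wp-options.php rewrote against a pristine copy, flags a wp-options.php in the site root, and scans every file for the string "wordpresscore". The clean and tampered trees are constructed in temporary directories for the demo; against a real site you would point reference_hashes at an unmodified WordPress download of the same version.

```python
import hashlib, os, tempfile

# The three core files that the rogue wp-options.php rewrote, per Sucuri's write-up.
CORE_FILES = ("wp-login.php", "wp-admin/user-edit.php", "wp-admin/user-new.php")
INDICATOR = b"wordpresscore"  # string Sucuri advises searching files and the database for

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def reference_hashes(clean_root):
    """Hashes of the three core files taken from a pristine WordPress tree."""
    return {rel: sha256_of(os.path.join(clean_root, rel)) for rel in CORE_FILES}

def audit(site_root, reference):
    """Compare a live site against the reference hashes and scan for the indicator."""
    findings = {"modified": [], "unexpected": [], "indicator_hits": []}
    for rel in CORE_FILES:
        path = os.path.join(site_root, rel)
        if not os.path.isfile(path) or sha256_of(path) != reference[rel]:
            findings["modified"].append(rel)
    # wp-options.php is not a core file (core ships wp-settings.php), so its presence is a finding
    if os.path.exists(os.path.join(site_root, "wp-options.php")):
        findings["unexpected"].append("wp-options.php")
    for dirpath, _, names in os.walk(site_root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                if INDICATOR in f.read():
                    findings["indicator_hits"].append(os.path.relpath(full, site_root))
    findings["indicator_hits"].sort()
    return findings

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed clean and tampered trees; the tampered one shows the article's symptoms."""
    clean, site = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, site):
        for rel in CORE_FILES:
            _write(root, rel, f"<?php // pristine {rel}\n")
    _write(site, "wp-login.php", "<?php // edited copy, marker only: wordpresscore.com\n")
    _write(site, "wp-options.php", "<?php // rogue file, marker only: wordpresscore.com\n")
    _write(site, "wp-content/plugins/custom-content-type-manager/auto-update.php",
           "<?php // backdoor file, marker only: wordpresscore.com\n")
    return audit(site, reference_hashes(clean))
```

A hit in the "modified" list means the file must be replaced from a clean download before the password rotation in step 3 is worth doing.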

Photo credit: bannosuke / Shutterstock


Original URL: http://feeds.betanews.com/~r/bn/~3/0ijE5J_RGaU/


MDWriter: A markdown desktop editor with steroids powered by the web.


Features

  • Save to Markdown
  • Export to HTML and PDF
  • Syntax Highlighting
  • Editor and highlighting themes and font size changer
  • Outlook, Gmail and Yahoo support
  • Blogger support (experimental)
  • Word counter
  • Markdown syntax helper and shortcuts
  • And a nice UI 😀

Getting Started

Clone from source

$ git clone git@github.com:kurai021/MDWriter.git
$ cd MDWriter/

Install Dependencies

  1. Install npm dependencies
    $ npm install
    
  2. Install Bower dependencies
    $ bower install
    
  3. Build Highlight.js Bower package (/app/assets/components/highlight.js) as seen in the documentation
    node tools/build.js :common

Test

Testing in browser

  • For testing in browser you need to change {app: 'firefox-aurora'} in gulpfile.js to your browser.
  • Run gulp browser in the terminal.

Testing with NW

  • Run gulp test in the terminal.

Build

  • Currently you can build this project for GNU/Linux, OS X and Windows in x64 only, but if you want an x86 build you can add the platform to this line in gulpfile.js:
    platforms: ['linux64', 'osx64', 'win64'],

ToDo

  • jsPDF is currently unstable; a module that does the same job needs to be found, or an HTML5-to-PDF module written from scratch.
  • Some bugs in the word counter must be solved.
  • The file name must be cleaned: /foo/bar.md to bar.
  • Change font size live.
  • Support for Blogger, Tumblr and WordPress (maybe Ghost).
  • Print support?
  • Optimize the code.
  • Create a task for minification.
  • Delete all Bower dependencies and use only node packages?

How to Contribute?

If you want to contribute to this project, create an issue with “request to contribute” as the title and a brief description of what you want to do, and I will add you as a collaborator.

License

Check LICENSE for information.

Donations

If this project was useful for you, you can donate some BTC -> 19bAJaFzHRTYPW5SrbzzfPbZ5jLAEotCVa


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/pF2F2_oNmN4/MDWriter


ActorDB – the ideal datastore for microservices

Good intentions…

Let’s imagine you’re a developer at a company that sells widgets. There are lots of widgets of different types. You have suppliers, you have clients, you have a sales department, accounting, human resources, the works.

You use Oracle, SQL Server, or another enterprise DB vendor because that makes the most sense. You need transactions, stored procedures, you need a complete relational database to model your company on. You can’t afford any errors and you must use transactions to prevent them.

Of course you are now married to your database and your chosen DB vendor. But that is just how things are done.

But…

After this point you can try as hard as you like in your code, but the natural tendency will always be towards a monolith. When your data model is a monolith, your code naturally follows the pattern.

It may start out working great, but after years of upgrades and changes, it inevitably starts collapsing under its own weight. Sometimes in particularly bad cases (i.e. government projects) the architecture implodes before it is even deployed. The problem is that you can only design for what you know. The system is built for what the situation is now and you have no idea what the future will be.

The company, of course, has changed; hopefully it grew and started doing more things. It may have made some drastic changes to its core business.

A change in business structure must also bring a change in how your software supports the business. If you want a nimble business you must also have nimble software that supports it. A monolith cannot be nimble.

An alternative path…

The problems with monoliths are what microservice architecture aims to solve. While many think microservices take things to the other extreme, it all depends on how you implement them. It is up to you to decide how micro you are willing to go. Splitting a large problem into small, understandable chunks is how problems in computing are solved.

The microservice data model is, logically, a database per service. Realistically this means you can still use a single physical database, with each microservice working in its own schema or tables. This is a compromise for small and medium teams so they don’t live in an operations nightmare.

Improve the alternative…

This brings us to why I think the ActorDB way of doing things is worth considering. ActorDB is a distributed database that gives you a choice of how micro you are willing to get. It gives users the option to decentralise, keep using SQL, keep using schemas, and use JSON fields if they want, but to work in an environment that encourages splitting the problem into smaller workable chunks instead of combining them into an ever larger, ever more complicated, all-encompassing solution.

A real-life example of how ActorDB encourages splitting the problem into smaller chunks:

We have created a highly secure communication app named Biocoded, and ActorDB is part of that solution. Users can be organized into circles: if users A and B are in circle X, they are in each other’s contact list.

Every user is an independent actor (i.e. an SQLite database). Initially we kept all of a user’s contacts in his own contact table. The problem was what happens when a user leaves or joins a circle: it requires updating every actor in the circle. This is far too ugly to consider.

The simple solution was to create a new actor type and put the list of users there and there only. The right solution was to split the problem into a smaller chunk.

But ok what about my widgets company…

Use ActorDB as a beneficial constraint. Writing queries that access all actors at the same time is not going to work well. It will force you into a design that may require more thought to implement initially, but that design will be decoupled.

The various areas in your company are actor types. They all have their own schema and actors. Your products are actors. Divide your code into chunks that work on those individual actor types. They can be the same app, or they can be entirely different apps. You can have transactions across actors, but they are something to be avoided, not encouraged.

Your code follows your data model. A decoupled data model will lead to decoupled code.

http://www.actordb.com/

Written by Sergej Jurecko


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/lIWAbCD-E2s/actordb-the-ideal-datastore-for-microservices


WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. “This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user’s password is collected (in cleartext) and sent to his server. WordPress hasn’t moved in to ban the plugin just yet, despite user complaints.”




Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/csYwIrElkA4/wordpress-plugin-comes-with-a-backdoor-steals-admin-credentials-in-cleartext
