
WP Super Cache, W3 Total Cache, Digi Link Doctor - Possible BackDoors!

Discussion in 'BlackHat Lounge' started by raven123, May 21, 2012.

  1. raven123

    raven123 Regular Member

    Joined:
    Jan 18, 2012
    Messages:
    456
    Likes Received:
    278
    Hello everyone, I just put an end to one of the worst nightmares I've ever had in IM. I got my site's security compromised and got some bad code inserted in my website, which cost me a lot of money and time.

    I want to warn everybody using these plugins: WP Super Cache, W3 Total Cache, Digi Link Doctor that it is possible that their site is in danger of being compromised.

    This is the thread where I've recorded everything. Everything I've done, everything I've tried and eventually how I fixed the problem. It was in one of these 3 plugins, with a 99% certainty that it was in WP SUPER CACHE.

    I can't say which one for sure, because I deleted all these plugins via FTP at the same time. However the searches showed the malicious code residing in the Super Cache. If you are using it, I suggest you change it for another cache plugin.



    This is the thread, there is a lot more info out there for everybody who wants to make their site safer, and fight hackers. http://www.blackhatworld.com/blackh...n-hijacked-google-metatags-2.html#post4264815

    Thank you BHW, and I hope none of this ever happens to any IM businessman.

    EDIT: Here, for your convenience, is my last post to that thread on how we solved the problem, but I still strongly advise you take 5 minutes and read the whole thread; it might save you thousands.

    THANK YOU EVERYONE WHO HELPED!!
    Hey guys, the problem is finally cleared! I am now in the process of giving thanks to everybody who offered to help and who shared their experience!

    It was a long 3 day battle that cost me more than I could have imagined, but it's over. And we are victorious!

    I am also posting in the Lounge warning everyone of this exploit, but read below to see how I fixed this nightmare. And what worked and what didn't work.

    What Didn't work:
    Talking to Bluehost - I managed to get several friendly guys wanting to help. I can honestly recommend Scott as the best Bluehost support operator. That man went to extreme lengths to help me and I would buy him a month's worth of beers if I was able to. So if you are in serious trouble, ask for Scott or Aaron; those are the guys who helped me the most.

    Doing restores: It turns out a restore didn't do anything in my case, because the problem was in a plugin. More on that below. Doing a restore will only replace your files, it seems. Note: Doing a restore will not delete your posts, unless you tell the Bluehost guy to specifically do so.

    Disabling plugins - Disabling a plugin won't stop malicious code inside it from working, it seems.

    What I couldn't have done without:

    Always have a backup plugin installed guys. Always. I am using BackUpWordpress, you never know when you'll need one. This time I needed it to make sure a restore doesn't fix my issue.

    BHW

    WHAT WORKED

    Here is step by step how to fix this sort of problem, and how I eventually fixed it.

    First, check your source code and FIND THE BAD CODE! If you have to, read through the whole page, read and understand every single line. Without the code, you are doomed. If you have to, ask a friend, or ask here on BHW. You have to find the bad code, and it will show for sure in the source code (in these cases).

    Go to your host, open a live chat, and INSIST that they do an automated search for bits of the code it can't do without. For example, code can have 10,000 variations, but it can't do without a link to redirect to, or some other footprint (in my case it was a bit.ly link). Find the footprint, and demand (they might say it's out of their authority, but it really isn't, they are just lazy) that they search your website's files (NOT your hosting account's files, or it will take them too much CPU and they'll get banned by their admins). After they are done, they will paste you a list with the paths of the files.

    LOOK at the paths before you go "Oh no, this is too much work...". In most cases, like it was in mine, it will be a long list, but all in the same directory.

    Determine the directory, and what it is. Theme files? Plugins? Whatever it is, it's killing you. It's killing you and your business and you have to take it out.

    In my case, this was one of these three plugins: W3 Total Cache, WP Super Cache, Digi Link Doctor.

    If you have one of these plugins installed, I honestly recommend you do away with it right away. I am 90% sure that it was the SUPER CACHE, but I can't say for sure, because I deleted all 3 simultaneously.

    I suspected this because it would give me errors after each backup (still don't know why).

    Making the site secure

    Read through this; it might not exactly be the best thing, but it will help.
    https://my.bluehost.com/cgi/help/511
    Install whatever security plugins, along with a plugin that will check for backdoors in future plugins.
    Find a web security company. I still haven't done this step, but if you are running a big and growing business, it's a must. Even if it's for the weekend, a simple hack like this can set you back thousands.

    Read this thread again. It's a very useful thread thanks to the many people who participated, and you are sure to learn one or two things from it.

    Thanks again, everybody who helped! BHW is a great place with people on whom I can count to back me up when the knife gets to the bone. I am proud to be a part of a community with such great and helping members and caring Admins!

    Thank you!

    PS: Ask away if I left something unclear, I'll try to help with whatever I can!
     
    • Thanks Thanks x 1
    Last edited: May 21, 2012
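The "WHAT WORKED" steps above boil down to: pick a footprint the injected code cannot do without (the bit.ly link in this case), search every file under the site for it, and look at which directory the hits cluster in to identify the plugin or theme. The script below is an added example of doing that search yourself rather than waiting on host support; it is not code from the thread or from any of the plugins named. The footprint string `bit.ly/EXAMPLE` and the small `wp-content`-style tree it scans are constructed in a temp directory for the demo; point `find_indicator` at a real site root and pass the footprint you actually found in your page source.

```python
"""Search a site tree for a known footprint string and group hits by component.

Added example, not from the thread. The footprint and the sample tree are
constructed here so the script runs offline; on a real site, run
find_indicator(<site root>, <footprint from your page source>).
"""
import os
import shutil
import tempfile
from collections import Counter


def find_indicator(root, needle):
    """Return sorted relative paths of every file under root containing needle.

    Files are read as bytes so binary uploads or odd encodings never raise,
    and every file type is checked (a footprint can hide in .txt or .js too).
    """
    needle_b = needle.encode()
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if needle_b in fh.read():
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def group_by_component(hits):
    """Map each hit to its top-level component (plugins/<name>, themes/<name>, ...)
    and return (component, count) pairs, most affected first.

    This answers the thread's question directly: are the hits all in one
    plugin directory, a theme, or scattered everywhere?
    """
    counts = Counter()
    for rel in hits:
        parts = rel.split(os.sep)
        counts["/".join(parts[:2])] += 1
    return counts.most_common()


def build_sample_site():
    """Constructed fixture: a minimal fake wp-content tree in a temp directory.

    'example-cache' is a made-up plugin name, not any real plugin.
    """
    root = tempfile.mkdtemp(prefix="wp_sample_")
    files = {
        "plugins/example-cache/cache.php": b"<?php // ordinary cache logic\n",
        "plugins/example-cache/admin.php": b"<?php echo '<a href=\"http://bit.ly/EXAMPLE\">x</a>';\n",
        "plugins/example-cache/inc/footer.php": b"<?php // see http://bit.ly/EXAMPLE\n",
        "plugins/example-cache/readme.txt": b"Notes: bit.ly/EXAMPLE\n",
        "themes/sample-theme/header.php": b"<?php wp_head(); ?>\n",
        "uploads/2012/05/image.jpg": b"\xff\xd8\xff\xe0 binary junk \x00\x01",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def scan_sample(needle="bit.ly/EXAMPLE"):
    """Build the fixture, scan it, clean up, and return (hits, grouped)."""
    root = build_sample_site()
    try:
        hits = find_indicator(root, needle)
        return hits, group_by_component(hits)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    hits, grouped = scan_sample()
    for path in hits:
        print("hit:", path)
    for component, n in grouped:
        print(f"{component}: {n} file(s)")
```

Reading every file as bytes is deliberate: a PHP file with a stray high byte, or an image in `uploads/`, would otherwise abort the scan with a decode error half way through, which is exactly the "this is too much work" moment the post warns about. Grouping by the first two path components is what turns a long list of paths into the one line you act on (which plugin or theme to pull).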
  2. ziplack

    ziplack Senior Member

    Joined:
    Feb 18, 2010
    Messages:
    1,193
    Likes Received:
    603
    Location:
    BHW
    I'll change my plugins right now
    and do some backups too
    thanks!
     
    • Thanks Thanks x 1
  3. Skywalker

    Skywalker Junior Member

    Joined:
    Nov 2, 2009
    Messages:
    170
    Likes Received:
    42
    Occupation:
    Jedi
    Location:
    Tatooine
    Had the same problem with the WP Super Cache... was the only plugin out of the 3 that I had. Set me back 3 months... plus time for the site to return, if it ever will, and money. But I keep backups now and have a server management company I use, so it was a good lesson for me.
     
  4. raven123

    raven123 Regular Member

    Joined:
    Jan 18, 2012
    Messages:
    456
    Likes Received:
    278
    EDIT: I now confirmed that the problem was in DIGI LINK DOCTOR.