[wp-hackers] Hookd? Sketchy Plugin Include
Jackson Whelan
jw at jacksonwhelan.com
Tue Sep 13 22:28:01 UTC 2011
Howdy,
Trying to help someone in the forums complaining about a plugin
(http://wordpress.org/extend/plugins/hit-counter-ultimate/) causing
their site to crawl, and stumbled across this included file which looks
like it could be used for great malfeasance.
http://plugins.svn.wordpress.org/hit-counter-ultimate/trunk/class.resource.php
Makes calls to hookd.org and requests actions and filters to be added.
Creates a world-writable directory while it's at it as well.
Is anyone familiar with hookd.org? Am I paranoid for thinking this is
dubious?
As a bonus the plugin emails the author with the URL of the site it was
activated on, with no user consent or knowledge.
http://plugins.svn.wordpress.org/hit-counter-ultimate/trunk/image.php
Which would make sense, as it would allow them to fine-tune the junk they
deploy.
I found this related post in the forums from a year ago.
http://wordpress.org/support/topic/my-site-hacked?replies=14
I've already emailed plugins at wordpress.org, but thought I'd ask if
anyone here was aware of this.
No comment on hit counters being used in 2011, but if you'd like to step
into the wayback machine just look at the screenshots : )
Thanks! Jackson
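As an added example (not from the post, and not code from the plugin it discusses): a small Python heuristic scan over a plugin's PHP source for the behaviours flagged above, namely world-writable directory creation, fetching hook definitions from a remote host such as hookd.org, registering actions/filters from data held in variables, and sending mail from an activation hook. The PHP input is constructed here to exhibit those patterns and is not the real class.resource.php or image.php.

```python
import re

# Constructed PHP sample showing the patterns described in the post;
# NOT the real class.resource.php / image.php from the plugin.
SAMPLE_PLUGIN = r'''<?php
function hcu_make_cache() {
    mkdir(WP_CONTENT_DIR . '/hcu-cache', 0777, true);
}
function hcu_load_remote_hooks() {
    $resp = wp_remote_get('http://hookd.org/api/hooks');
    foreach (json_decode(wp_remote_retrieve_body($resp)) as $h) {
        add_filter($h->tag, $h->callback);
    }
}
register_activation_hook(__FILE__, 'hcu_phone_home');
function hcu_phone_home() {
    wp_mail('author@example.com', 'activated', get_site_url());
}
'''

# Heuristic name -> regex applied line by line to the PHP source.
HEURISTICS = {
    # mkdir()/chmod() with a 0777 (world-writable) mode
    "world_writable": re.compile(r"\b(?:mkdir|chmod)\s*\([^)]*\b0?777\b"),
    # outbound fetch to a hard-coded external host (group 1 = host)
    "remote_fetch": re.compile(
        r"""\b(?:wp_remote_get|wp_remote_post|file_get_contents|curl_init)"""
        r"""\s*\(\s*['"]https?://([^/'"]+)"""),
    # add_action/add_filter whose tag comes from a variable: data-driven hooks
    "dynamic_hook": re.compile(r"\b(?:add_action|add_filter)\s*\(\s*\$"),
    # e-mail sending; worth a look when reachable from an activation hook
    "phone_home_mail": re.compile(r"\b(?:wp_mail|mail)\s*\("),
}

def audit_plugin_source(src):
    """Return {heuristic_name: [line numbers]} for every line that matches."""
    findings = {}
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, rx in HEURISTICS.items():
            if rx.search(line):
                findings.setdefault(name, []).append(lineno)
    return findings

def remote_hosts(src):
    """Distinct external hosts contacted via hard-coded URLs, for manual review."""
    return sorted({m.group(1) for m in HEURISTICS["remote_fetch"].finditer(src)})

if __name__ == "__main__":
    for name, lines in audit_plugin_source(SAMPLE_PLUGIN).items():
        print(f"{name}: lines {lines}")
    print("remote hosts:", remote_hosts(SAMPLE_PLUGIN))
```

Matches are pointers for a human read of the file, not proof of malice; a hit on every heuristic together with an unfamiliar remote host is what justifies the kind of report the post describes.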