If you’re using the WordPress plugin uBillboard — immediately disable it!
uBillboard is a premium plugin for WordPress I purchased from CodeCanyon for $20. It allows you to create sliders — essentially, individual banners (text, images, etc.) that transition from one to the next.
Unfortunately, I found out the hard way that the plugin is either creating virus files or has a security flaw allowing virus files to be added/created by someone else.
When WordPress Plugins Go Bad
Bryan, a user visiting my website, contacted me to say that his computer was hacked by my website and sent me a log file of the instance.
Somehow, two files (b.txt and c.txt) were created within the plugin.
As you can imagine, I was completely shocked when I got the e-mail because the last thing anyone wants is for a website visitor to get hacked by your site.
Not wanting to take any chances, I immediately accessed my website via FTP, compressed the files, and downloaded them to my computer. I then deleted the files off the server and removed code from web pages that were displaying sliders.
Once I knew the threat was removed, I opened the b.txt and c.txt files in my text editor to see what was going on.
As you can see from the above snapshots, you don’t have to be a programmer to understand there’s a whole lot of bad ju-ju going on in these files.
As you can also see in the directory snapshot there are three other cache files. Given I had only created two different Billboard instances, my assumption is at least two of the files were for those billboards.
Testing the plug-in
As a test, I wanted to see if the plug-in was creating the b.txt and c.txt files. Although I had installed and activated the plug-in on another site, luckily, I hadn’t created any billboard instances or added its code to any pages. When I checked the cache directory via FTP, I saw four cache files (extremely odd considering I hadn’t created a billboard yet) but no other files resembling b.txt or c.txt.
Since I have no way to contact the programmer directly, I posted a comment on the CodeCanyon product page.
Again, if you are using this plugin — immediately disable and delete it from your server! And if you were thinking about buying it, I’d recommend waiting until the programmer verifies the plugin is safe to use.
WordPress Plugin Security
One of the great WordPress security features is that whenever there’s an update to WordPress’ core files, an update notification is displayed within the WordPress admin. This helps ensure your files are up-to-date and your WordPress installation secured.
The same is true for plugins downloaded from the WordPress plugin repository. The plugins include specific version numbers and, whenever a plugin author updates their plugin, you’re automatically notified within the admin so you can update the plugin.
This is really important to understand. It may also be one of the reasons why I experienced the issue with the uBillboard plugin. Because I purchased the plug-in from CodeCanyon, there’s no built-in notification if the plug-in is updated.
When I went to the CodeCanyon site to post my comment, I noticed uBillboard was now version 3. Because the plugin didn’t include a version number, I have no idea what version I was using. I did, however, download and compare version 3 to the files I had and noticed the files included in version 3 were different.
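The file comparison described above, and the check for unexpected files such as b.txt and c.txt in the plugin's cache directory, can be scripted. This is an added example, not code from the original post or from the plugin; it assumes you have a clean copy of the plugin unpacked next to a copy of the installed files pulled from the server, and the sample trees it builds are constructed placeholders, not real plugin files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_plugin(installed_dir, reference_dir):
    """Diff an installed plugin tree against a clean copy from the vendor."""
    installed, reference = hash_tree(installed_dir), hash_tree(reference_dir)
    return {
        # On the server but not in the vendor package: cache files, uploads,
        # or files written by someone else.
        "added": sorted(set(installed) - set(reference)),
        # Shipped by the vendor but altered on the server.
        "modified": sorted(
            f for f in set(installed) & set(reference) if installed[f] != reference[f]
        ),
        # Shipped by the vendor but absent on the server.
        "missing": sorted(set(reference) - set(installed)),
    }


def demo():
    """Run the comparison on constructed sample trees (not real plugin files)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        for root in (ref, inst):
            (root / "cache").mkdir(parents=True)
            (root / "plugin.php").write_text("<?php // constructed placeholder\n")
            (root / "readme.txt").write_text("constructed readme\n")
        (inst / "plugin.php").write_text("<?php // constructed, edited on server\n")
        (inst / "readme.txt").unlink()
        for name in ("b.txt", "c.txt"):  # the unexpected files named in the post
            (inst / "cache" / name).write_text("constructed stand-in content\n")
        return compare_plugin(inst, ref)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

When the reference copy is a different release than the one installed, "modified" and "missing" entries are expected; the "added" list is the part that still deserves a file-by-file look, since legitimate cache files and planted files both show up there.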
Although I think uBillboard is a cool plug-in, it’s just not worth it if it’s going to create security issues with my website. So, until I get some feedback and a guarantee from the plugin author, the plug-in will remain deleted.
This unfortunate situation is a perfect example of why downloading WordPress plugins from anywhere but the official WordPress plugin repository can be a bad idea.
Please let me know if you have any questions and if you’ve had any similar experiences using WordPress plugins.
Update: March 8, 2012. Received this email from the developer noting that the issue has been resolved.
Hi, my name is Miroslav Zoricak and I’m the developer of uBillboard. Your article has been brought to my attention by a commenter on uBillboard on CodeCanyon.
I would like to address some of the issues with the article. The problem has been caused by timthumb.php, a very popular WP script that resizes images; it is often included in WP plugins and themes for that purpose. The vulnerability has been discovered back in August and we’ve fixed uBillboard the same day and released an update. uBillboard contains no virus or anything of that kind. Even the timthumb library itself has been replaced in January for a proprietary solution to make uBillboard even more secure.
We’ve also notified about the update on our Twitter account, unfortunately, CodeCanyon does not offer us any other way of letting our users know about an update, but we did everything that could have been done in order to notify our users about the issue.
In your article, you say that you have no way of contacting us, but that is simply not true. Our profile page (http://codecanyon.net/user/uDesignStudios) has a contact form that lets you contact us very easily.
On the other hand, you’ve correctly identified the issue with the updates for CC plugins, the staff from CC assured us that they are working on a solution, but until they release it, we can not push updates to our plugins as easily as if they were hosted in the WP repo.
The current version of uBillboard is now fixed and safe to use, as it has been for the last 7 months. We’ve received no reports of abuse from the users of the updated version whatsoever.
I’ve attached the updated version of uBillboard for you so you can use it if you want to.
I would like to ask you very kindly to please update the article to include that the issue has been discovered and fixed back in August, and that the updated version (3 and up) is safe to use.