WP Cost Estimation & Payment Forms Builder Hacked

Hi there,

This external plugin is available through X. Last night I installed it and this morning my website got defaced.

They got in by posting to the plugin upload feature:
194.140.192.8 - - [03/Oct/2018:09:55:34 +0200] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 31 "-" "python-requests/2.18.1"
194.140.192.8 - - [03/Oct/2018:09:55:35 +0200] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 31 "-" "python-requests/2.18.1"
194.140.192.8 - - [03/Oct/2018:09:55:35 +0200] "POST /wp-content/uploads/CostEstimationPayment/_/ngfndfgsdcas.tss HTTP/1.1" 405 166 "-" "python-requests/2.18.1"
194.140.192.8 - - [03/Oct/2018:10:18:10 +0200] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 31 "-" "python-requests/2.18.1"
194.140.192.8 - - [03/Oct/2018:10:18:11 +0200] "POST /wp-admin/admin-ajax.php?action=lfb_removeFile HTTP/1.1" 200 31 "-" "python-requests/2.18.1"
194.140.192.8 - - [03/Oct/2018:12:38:34 +0200] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 707 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
194.140.192.8 - - [03/Oct/2018:12:39:34 +0200] "POST /wp-admin/install.php?step=2 HTTP/1.1" 504 578 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"

Can this plugin be fixed or removed for now until it gets fixed?
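The sequence in the log above (repeated POSTs to the plugin's `lfb_upload_form` AJAX action from one IP, then a direct request to a file under `/wp-content/uploads/CostEstimationPayment/`, and later hits on the WordPress installer pages) is easy to hunt for across a whole access log. The following is an added example, not code from the thread or from the plugin: a small Apache combined-log parser that groups requests per client IP and flags the upload-then-fetch pattern. The sample lines are constructed from the ones quoted above (the `10.0.0.5` line is an invented benign request), and the action name and upload path are taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in the post (the 10.0.0.5 line is benign filler).
SAMPLE_LOG = """\
194.140.192.8 - - [03/Oct/2018:09:55:34 +0200] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 31 "-" "python-requests/2.18.1"
194.140.192.8 - - [03/Oct/2018:09:55:35 +0200] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 31 "-" "python-requests/2.18.1"
194.140.192.8 - - [03/Oct/2018:09:55:35 +0200] "POST /wp-content/uploads/CostEstimationPayment/_/ngfndfgsdcas.tss HTTP/1.1" 405 166 "-" "python-requests/2.18.1"
194.140.192.8 - - [03/Oct/2018:12:38:34 +0200] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 707 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Oct/2018:12:40:00 +0200] "GET /wp-content/uploads/2018/10/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

UPLOAD_ACTION = "action=lfb_upload_form"            # the plugin's AJAX upload action, as seen in the log
UPLOAD_DIR = "/wp-content/uploads/CostEstimationPayment/"  # where the uploaded file landed
INSTALL_PATHS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")  # served once wp-config.php is gone


def parse_line(line):
    """Parse one combined-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text):
    """Group the log by client IP and count upload-action POSTs, direct hits on the
    upload directory, and requests to the WordPress installer."""
    findings = defaultdict(lambda: {"upload_posts": 0, "upload_dir_hits": [], "installer_hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = findings[rec["ip"]]
        if rec["method"] == "POST" and UPLOAD_ACTION in rec["path"]:
            f["upload_posts"] += 1
        elif rec["path"].startswith(UPLOAD_DIR):
            f["upload_dir_hits"].append(rec["path"])
        elif rec["path"].split("?")[0] in INSTALL_PATHS:
            f["installer_hits"].append(rec["path"])
    return dict(findings)


def suspicious_ips(findings):
    """IPs that POSTed to the upload action and then requested something inside the
    plugin's upload directory: the exact pattern in the posted log."""
    return sorted(ip for ip, f in findings.items() if f["upload_posts"] and f["upload_dir_hits"])


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip in suspicious_ips(result):
        print(ip, result[ip])
```

Run it against a real `access.log` by replacing `SAMPLE_LOG` with the file contents; any IP it reports is where to start the timeline, and the `installer_hits` list tells you when `wp-config.php` stopped being served.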

Hello Flaming,

Thanks for asking and I am really sorry to hear about the website getting hacked.

Actually, the log messages you have shared do not show that the website was compromised because of the Cost and Estimation plugin. Have you recovered the website? Please follow the steps below in case the site is not accessible:

  1. If you have a backup, you can roll back the website. Here's an article you can take a look at. https://www.wpbeginner.com/beginners-guide/beginners-guide-how-to-restore-wordpress-from-backup/
  2. In case you don’t have backup, try and get in touch with the hosting provider and see if they have backup. Some web hosts do keep a backup.
  3. If you want to remove the plugin and the website is not accessible, then using an FTP program like FileZilla you can delete the plugin under the /wp-content/plugins/ directory. If the website is accessible, then the plugin can be removed from Plugins > Installed Plugins.

In general I have seen that website security is compromised because of the following reasons. There are a lot of other factors and reasons, but these are quite common ones:

  1. Not using the latest version of WordPress core. Along with that, not using the latest version of the theme and/or supported plugins. You can take a look at our theme and plugin update guide for more info. https://theme.co/apex/forum/t/setup-updating-your-themes-and-plugins/62
  2. Incorrect file permissions. File permissions play a significant role in who can access your website files. https://codex.wordpress.org/Changing_File_Permissions
  3. Web host. It's crucial to select a good and reliable web hosting company. https://www.cnet.com/how-to/how-to-choose-a-web-hosting-provider/
  4. Shared hosting: I have seen that websites hosted on shared hosting environments are prone to more hack attempts. https://hackrepair.com/articles/web-hosting/why-shared-hosting-can-be-bad-for-the-health-of-your-business
  5. Use of plugins that are not updated. If the developer of a plugin has stopped providing support and updates for it and that plugin is still on a website, it is quite a security issue. So if you have any plugin that is not well coded according to the guidelines laid down by the WordPress community, and the developer has stopped updating it, it's time to look for an alternative and remove that plugin from your website.

Thanks.

Hi Prasant,

This part, lfb_upload_form, is actually the plugin. That part seems to work without credentials (I need to look for the actual hack myself). It seems a POST there resulted in the .tss file, which is a PHP script, and they have also uploaded a .htaccess file. Combined, that resulted in executable PHP, and there the site was defaced.

Lucky to say I do indeed have it all back. It was 4 hours of pain, but it was good and I'm glad it's all back. Now I wonder how to help more and what is best for showing how it was hacked? Then maybe others will not have the same problem.

Thanks.

Hi Flaming,

I am sorry but I could not comment about that due to the fact that there is simply no way to account for all of the potential variables at play when using another developer’s plugin.

I have searched through the net and forums but didn't find any recent attacks or news regarding WP Cost Estimation & Payment Forms.

Please always make sure to update your theme and plugins to the latest versions to help prevent being hacked.

These links might help as well.

https://codex.wordpress.org/Hardening_WordPress

Thanks

Hi Guys,
I have to agree with @flamingbob

5 of my websites that use this plugin got compromised yesterday, with similar log files. The wp-config file got removed, and the WordPress default page turned into "please set up WordPress". Got them back in no time.

My sites are fully protected and updated, all security is up to date; this is worrying.

EDIT

The owner of the plugin has admitted it!!!

Please patch as soon as possible.

I always do that each day. I saw that the upload dir has 777 as the default Unix permission, which is asking for problems:
It seems they mix up group with world.

drwxr--rwx 2 XXX XXXX 4096 Oct 4 12:53 CostEstimationPayment

Current version is: 9634
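The two things the thread has pointed at so far, a world-writable plugin directory under `wp-content/uploads` and a `.tss` file plus `.htaccess` dropped into it, can be audited from the filesystem independently of the web log. The following is an added example, not code from the thread or from the plugin: it walks an uploads tree, reports world-writable directories, any `.htaccess` inside uploads (which can map an arbitrary extension to PHP), files with extensions you would not expect in uploads, and files whose contents begin with a PHP open tag regardless of their name, then clears world-write on the directories. The sample tree it builds is constructed to mirror the listing above; the `.htaccess` contents and the placeholder `.tss` body are assumptions, and the allowed-extension list is something you tune to your own site.

```python
import os
import stat
import tempfile

# Extensions normally found under wp-content/uploads (assumption for this example; tune per site).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".svg", ".webp"}
PHP_MARKERS = (b"<?php", b"<?=", b"<? ")


def audit_uploads(root):
    """Return a list of (kind, path) findings for an uploads tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:     # the 777 / drwxr--rwx problem
            findings.append(("world_writable_dir", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":                      # uploads should never carry handler overrides
                findings.append(("htaccess_in_uploads", path))
                continue
            if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
                findings.append(("unexpected_extension", path))
            with open(path, "rb") as fh:
                head = fh.read(64).lstrip()
            if head.startswith(PHP_MARKERS):             # PHP code hiding behind any extension
                findings.append(("php_code", path))
    return findings


def relative_findings(root):
    """Same findings with paths relative to root and '/' separators, for reporting."""
    return {(k, os.path.relpath(p, root).replace(os.sep, "/")) for k, p in audit_uploads(root)}


def fix_dir_modes(root, mode=0o755):
    """Clear world-write on every directory under root; returns the directories changed."""
    changed = []
    for dirpath, _, _ in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            os.chmod(dirpath, mode)
            changed.append(dirpath)
    return changed


def build_sample_tree():
    """Constructed throwaway tree mimicking the listing in the thread (not real site data)."""
    root = tempfile.mkdtemp(prefix="uploads_")          # created 0700, so root itself is clean
    plugin_dir = os.path.join(root, "CostEstimationPayment")
    drop_dir = os.path.join(plugin_dir, "_")
    os.makedirs(drop_dir)
    os.chmod(drop_dir, 0o755)
    os.chmod(plugin_dir, 0o757)                          # drwxr--rwx as shown in the post
    with open(os.path.join(drop_dir, "ngfndfgsdcas.tss"), "wb") as fh:
        fh.write(b"<?php /* placeholder standing in for the uploaded script */ ?>")
    with open(os.path.join(drop_dir, ".htaccess"), "wb") as fh:
        fh.write(b"AddType application/x-httpd-php .tss\n")  # assumed content
    ok_dir = os.path.join(root, "2018", "10")
    os.makedirs(ok_dir)
    os.chmod(os.path.join(root, "2018"), 0o755)
    os.chmod(ok_dir, 0o755)
    with open(os.path.join(ok_dir, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 fake jpeg bytes")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for kind, path in sorted(relative_findings(sample)):
        print(f"{kind:22s} {path}")
    print("chmod'ed:", fix_dir_modes(sample))
```

Point `audit_uploads` at the real `wp-content/uploads` and treat every `htaccess_in_uploads` and `php_code` hit as something to remove and investigate; `fix_dir_modes` only touches directories, so file modes and ownership are left for you to review separately.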

Hey @rafalkukla and @flamingbob,

Thanks for reporting. I’ll post this in our issue tracker. Please stay tuned for updates.

Same issue here. Please patch as soon as possible.
Thanks!

You're welcome. Indeed, it was hacked by someone from Hungary and was sent to a DigitalOcean server. I hope it will indeed be fixed. I will also try to look into the code and see where the problem is.

Thanks for reporting also, @MooiInMaatwerk. I’ve already reported the issue. Please stay tuned.

Hi guys,
The plugin was patched a few days ago by the author. He doesn't know what the main goal of the attack was, or whether they managed to obtain any of the wp-config info.

In my case, my WP config files were removed from 5 different sites with this plugin installed.

If you have a paid license, you can download and patch manually.

Anyway, I would highly recommend reviewing your MySQL settings and changing the DB password as well.

Thank you for the updates and recommendations.

Have a great day!

So, what’s the fix?

I just noticed this on one of my websites that was using WP Cost & Estimation. All I see now is the setup page from WordPress, as if it's a fresh WP install.

I haven’t checked the files but I’m assuming they are all there. Should I just create a new wp-config file?

Any help is appreciated. Thank you.

From the plugin author:

"Here is the way to follow:

  • Change the database password
  • Fix the wp-config.php file by filling in the database information
  • Apply the latest plugin automatic update, which will fix the security issue and will remove the problematic files from the uploads folder if they are still there."

Also, according to him only the wp-config file was deleted and in some cases replaced with another one. Apparently, the attacker’s objective was to bring as many sites down as possible.

Cheers.
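The first two of the author's steps (rotate the database password, then put correct DB credentials back into `wp-config.php`) are the part people in this thread are doing by hand on several sites at once. The following is an added example, not code from the plugin author or from the thread: it generates a fresh password and rewrites the `DB_*` `define()` lines of a `wp-config.php`, inserting any that are missing (a file the attacker replaced, or a freshly copied `wp-config-sample.php`) ahead of `$table_prefix`. The sample config is constructed from the stock WordPress placeholders; changing the password on the MySQL side (`ALTER USER ...`) and restoring the rest of the file from backup are still done separately.

```python
import re
import secrets
import string

# Matches define( 'DB_NAME', 'value' ); with either quote style and optional spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,"""
    r"""\s*['"](?P<value>[^'"]*)['"]\s*\)\s*;"""
)

# Constructed sample: the placeholder lines from wp-config-sample.php.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""


def new_db_password(length=32):
    """Random password from a quote- and backslash-free alphabet so it drops into PHP/SQL cleanly."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#%^*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def php_quote(value):
    """Single-quoted PHP string literal with the two characters that need escaping escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def read_db_defines(config_text):
    """Current DB_* values as a dict (only the simple define() form is recognised)."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def set_db_defines(config_text, values):
    """Rewrite existing DB_* defines in place and insert missing ones before $table_prefix."""
    remaining = dict(values)

    def repl(m):
        name = m.group("name")
        if name in remaining:
            return f"define( '{name}', {php_quote(remaining.pop(name))} );"
        return m.group(0)

    text = DEFINE_RE.sub(repl, config_text)
    if remaining:
        block = "".join(f"define( '{n}', {php_quote(v)} );\n" for n, v in remaining.items())
        idx = text.find("$table_prefix")
        text = text[:idx] + block + text[idx:] if idx >= 0 else text + "\n" + block
    return text


if __name__ == "__main__":
    password = new_db_password()
    fixed = set_db_defines(SAMPLE_WP_CONFIG, {
        "DB_NAME": "shop", "DB_USER": "shop_user", "DB_PASSWORD": password, "DB_HOST": "localhost",
    })
    print(fixed)
```

Run it with the real file contents instead of `SAMPLE_WP_CONFIG`, write the result back over `wp-config.php` with `0640` permissions, and only then apply the plugin update the author refers to.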

Hey There,

You can use the automatic update function of our X or Pro theme to get the latest version of Cost Estimation Payment Forms.

As mentioned by @DoubleBond, I would check the wp-config file to see whether it was altered. Since they could only move or replace the file, it is highly unlikely that any wp-config database information was exposed.

If your site redirects to a different site/server, then deleting the wp-config file and recreating it is your best bet. Our staff can assist you with this process if needed.
