[diso-project] Phishing enabled by OpenId plugin on WordPress?


Jérôme in Paris

May 3, 2010, 4:41:06 PM
to Diso Project
Hi,

My website has been disabled this morning by my hoster because of a
phishing issue.

The reason invoked was:

« Your site is used for phishing operations at the following address:

https:// [my site] /openid/secure_ID/verified_by_paypal/
webscrcmd=login-run/cgi-bin/_login/ »

I checked my WP installation (up to date 2.9.2, all plugins up to
date, too) and found no corrupted file nor data.
So my conclusion is that my site wasn't hacked, but that there is a
weakness in OpenId plugin enabling this "phishing operation". Thus, I
deactivated the plugin and for now, I'm waiting for my site
reactivation.

I wish I was wrong and I missed something somewhere ... so if you
could enlighten me and point at something I should check... that would
be nice!

Sorry if it's not the right place to send this type of request (if so,
please tell me where I should rather post it)

Regards,

Jérôme, Paris, France.

--
You received this message because you are subscribed to the Google Groups "Diso Project" group.
To post to this group, send email to diso-p...@googlegroups.com.
To unsubscribe from this group, send email to diso-project...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/diso-project?hl=en.

Will Norris

May 3, 2010, 5:48:21 PM
to diso-p...@googlegroups.com
Who is your hosting provider? Did they give you any more information on why they thought your site was involved in phishing, aside from this URL? Trying this same URL on my site does absolutely nothing:

https://willnorris.com/openid/secure_ID/verified_by_paypal/webscrcmd=login-run/cgi-bin/_login

which is the expected behavior. The plugin keys off of the URL segment after "/openid/"... in this case "secure_ID" is meaningless, so the plugin ignores the request. What happens when you visit that URL on your own site?

-will

Jérôme in Paris

May 3, 2010, 5:54:17 PM
to Diso Project
Will,

Thank you for your quick answer.
In fact, my alert was unwarranted.

The WP OpenId plugin has nothing to do with the problem encountered. In
fact, it's an old version of an OpenID server, installed 2 yrs ago for
some test purposes, that was concerned.

Sorry for this blunder!!!

Jérôme

On 3 mai, 23:48, Will Norris <w...@willnorris.com> wrote:
> who is your hosting provider?  Did they give you any more information on why
> they thought your site was involved in phishing, aside from this URL?
> Trying this same URL on my site does absolutely nothing:
>
> https://willnorris.com/openid/secure_ID/verified_by_paypal/webscrcmd=...
>
> which is the expected behavior.  The plugin keys off of the URL segment
> after "/openid/"... in this case "secure_ID" is meaningless, so the plugin
> ignores the request.  What happens when you visit that URL on your own site?
>
> -will
>
> > diso-project...@googlegroups.com<diso-project%2Bunsu...@googlegroups.com>
> > .
> > For more options, visit this group at
> >http://groups.google.com/group/diso-project?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups "Diso Project" group.
> To post to this group, send email to diso-p...@googlegroups.com.
> To unsubscribe from this group, send email to diso-project...@googlegroups.com.
> For more options, visit this group athttp://groups.google.com/group/diso-project?hl=en.