Ultimate Member virus

Posted on Sep 7, 2018

In late August, several of our sites fell victim to a security vulnerability in the Ultimate Member plugin. Ultimate Member is a WordPress plugin for creating and managing users and groups and is generally a very reliable and robust plugin, but a flaw was found that hackers took advantage of, which enabled them to upload malicious files to the server, from where they could cause havoc.

As soon as it was discovered, the makers of Ultimate Member posted details on their website and updated their plugin to fix the flaw and prevent any further uploads, but for some of our sites and for many others it was too late to prevent the virus from taking hold.

A source file was added to the uploads folder, from where it wrote a script to any file with write access, which in turn generated a JavaScript file link within the content pages. The pages which included the file were redirected to a host of nasty websites, many of which used phishing techniques to acquire credit card details and passwords.

The injected JavaScript link pointed to this file: https://cdn.examhome.net/cdn.js?ver=1.0.5

Cleaning the virus took several stages. First we had to update Ultimate Member and delete all virus code in the uploads folder. We then had to perform a search and replace on all files on the server to rid them of any malicious code. The last stage was to perform a search and replace on the database, and finally it was gone (and hasn't returned). Luckily we reacted quickly enough to prevent any of the sites being blacklisted by Google as malicious.
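The file-scanning and clean-up stages above can be scripted so that every copy of the injected link is found and reviewed before anything is deleted. The following is an added example, not code from the post or from the Ultimate Member project: it walks a (constructed) WordPress tree for the indicator host named above and strips the injected script tag from a file's contents. The tag shape it matches is an assumption; real injections vary, so review the hits before cleaning.

```python
import re
import tempfile
from pathlib import Path

# Indicator host taken from the post (the injected <script> src pointed here).
INDICATOR_HOST = "cdn.examhome.net"

# Assumed shape of the injected tag: <script ... src="...cdn.examhome.net..."></script>
SCRIPT_TAG = re.compile(
    r"<script[^>]*src=['\"][^'\"]*" + re.escape(INDICATOR_HOST)
    + r"[^'\"]*['\"][^>]*>\s*</script>",
    re.IGNORECASE,
)


def find_infected_files(root, suffixes=(".php", ".js", ".html")):
    """Walk root and return sorted paths of text files referencing the indicator host."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip, but a real sweep should log it
            if INDICATOR_HOST in text:
                hits.append(str(path))
    return sorted(hits)


def strip_injected_script(text):
    """Remove injected script tags; returns (cleaned_text, number_removed)."""
    # The same pattern applies to post_content pulled from the wp_posts table
    # for the database stage of the clean-up.
    return SCRIPT_TAG.subn("", text)


def demo():
    """Constructed mini site tree: one clean theme file, one injected uploads file."""
    with tempfile.TemporaryDirectory() as root:
        theme = Path(root, "wp-content", "themes", "site")
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        uploads = Path(root, "wp-content", "uploads")
        uploads.mkdir(parents=True)
        injected = uploads / "index.php"
        injected.write_text('<script type="text/javascript" src="https://'
                            'cdn.examhome.net/cdn.js?ver=1.0.5"></script>\n<?php echo 1; ?>')
        found = find_infected_files(root)
        cleaned, removed = strip_injected_script(injected.read_text())
        return len(found), removed, INDICATOR_HOST in cleaned
```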

Ultimate Member is a plugin that has been available for around 10 years and currently has over 100,000 active installations. It is a trusted and respected plugin, which goes to show that any web product can fall victim to hackers and viruses. The plugin's makers estimate that 30,000 websites were affected by this attack, so we weren't alone.

If you notice any odd behaviour or pages being redirected on your site, please let us know as soon as possible.

