Security compromised for WordPress.com ?
-
I noticed in my Console view that all pages on wordpress.com are compromised by this insecure code the site tries to load via http
http://d1eoo1tco6rr5e.cloudfront.net/l8hfnf9/4gktlyq/iframe
It happens with all my browsers so there is not a browser issue.
Also it does not appear on other sites so perhaps it is not injected code by ISPs.
I guess this is a problem present on wordpress.com
The blog I need help with is: (visible only to logged in users)
-
I would upload a screenshot, not possible so I am copying what Chrome says inside the Console view:
STOP!
(index):70 Wait! This browser feature runs code that can alter your website or its security, and is intended for developers. If you’ve been told to copy and paste something here to enable a feature, someone may be trying to compromise your account. Please make sure you understand the code and trust the source before adding anything here.
activityi;dc_pre=CK6f3-mXhdgCFZiOmgodPd8CSQ;type=wordp0;cat=wppv;u6=%2F;u7=db41648ba09f44179ee7e2e9717c729a;u4=10474899;src=6355556;ord=9984632384623.412;num=7263399275267.69:16 Mixed Content: The page at ‘https://wordpress.com/’ was loaded over HTTPS, but requested an insecure resource ‘http://d1eoo1tco6rr5e.cloudfront.net/l8hfnf9/4gktlyq/iframe’. This request has been blocked; the content must be served over HTTPS.
(index):1 The SSL certificate used to load resources from https://amplify.outbrain.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
-
Apparently this forum does not have the issue, but https://wordpress.com/plugins/ has it
-
ivory.dentfix.ro is hosted by Trend IMPORT – EXPORT SRL. It is not on WordPress.com servers as it is not hosted here.
Name Servers:
dentfix.ro
pns1.cloudns.net
ns1.cloudns.net
ns4.cloudns.net
pns4.cloudns.net
ns3.cloudns.net
pns3.cloudns.net
pns2.cloudns.net
pns7.cloudns.net
pns6.cloudns.net
ns2.cloudns.net
For hosting issues contact your web host. For software support read on.
You are posting to the wrong support forum. This is WordPress.COM support and that site is not on our servers.
To be clear we do not provide support for local installs of WordPress.ORG software, or for WordPress.ORG software installs on paid hosting, linked to WordPress.COM accounts with the Jetpack plugin so they display on the My Sites WordPress.COM account page.
WordPress.COM and WordPress.ORG are completely separate and have different username accounts, logins, features, run different versions of some themes with the same names, and have separate support documentation and separate support forums. Read the differences here http://en.support.wordpress.com/com-vs-org/
The wordpress.ORG support forum is at http://wordpress.org/support. The wordpress.ORG login link is here https://login.wordpress.org/ If you do not have an account yet then click Create an account https://login.wordpress.org/register/ and if you have lost an account password click Lost password? https://login.wordpress.org/lostpassword/
WordPress.org support docs are at https://codex.wordpress.org/Main_Page
See also https://apps.wordpress.org/support/ for app support.
-
Thanks. I really do not need support for my blog, that text was inserted automatically by the forum. (The blog I need help with is ivory.dentfix.ro.)
I wanted to alert you, as a user of central management tools wordpress.com/plugins that your site, wordpress.com appears to be hacked or something.
All the problems I see are when I am accessing wordpress.com
I could not find another place to send you this alert.
-
ivory.dentfix.ro is hosted by Trend IMPORT – EXPORT SRL. It is not on WordPress.com servers as it is not hosted here.
-
I will also type modlook into the sidebar tags on this thread for a Staff follow-up. How do I get a Moderator/Staff reply for my question? https://en.support.wordpress.com/getting-help-in-the-forums/#how-do-i-get-a-moderatorstaff-reply-for-my-question
-
-
Hi @rvencu, your site isn’t hosted here with us. If you’re running a forum plugin on your site and that’s been compromised, you may need to update, patch, or replace your plugin.
You might search the forums for self-hosted sites to see if anyone there has encountered this, too: https://wordpress.org/support/forums/
-
Hi @supernovia
I want to alert you that the website wordpress.com seems to be compromised from my end. It is like someone is trying to inject code in all pages. Here is a screenshot https://prnt.sc/hmub06
I guess my English is really bad or you people do not read properly what I am writing
-
Ah I’m sorry. I think I understand now.
Your Calypso pages are having a frame injected, correct?
This could be due to a browser plugin – can you test another browser to see if you get the same thing there?
-
OK. Yes, it happens in all my browsers. It also happens on other computers I had the chance to test, and even on other networks.
It might be a benign wrongfully made doubleclick tracking code but the fact the browser is working so slow means it might be mining software injected into an iframe.
-
Thanks. Can you confirm which pages it’s appearing on?
If you create a new site at wordpress.com/start (so it’s hosted here) do you see the iframe when working with that site, or only on the ones hosted with your current provider?
-
I can see it on:
https://wordpress.com
https://wordpress.com/plugins
https://wordpress.com/me
https://wordpress.com/stats
I made a test site at https://mytestsite804161963.wordpress.com/ and it does NOT exhibit this behavior.
My own hosted sites are fine. But I am afraid someone might crack my wordpress.com identity then gain control to all my sites via Jetpack central management.
-
I made a test site at https://mytestsite804161963.wordpress.com/ and it does NOT exhibit this behavior.
But do you see the behavior if you go to https://wordpress.com/settings/general/mytestsite804161963.wordpress.com ?
-
-
Thank you. For what it’s worth, a few of us have tested here; even while logged in as you we do not get this code.
Can you tell me more about the computers you’ve tested with?
-
Also, to be clear, we’re talking about the iframe code (not the “Stop” warning).
It appears to be a tracking image for an advertiser.
-
It is a Windows 10 Fall Creators Update with Chrome browser.
The other browsers do not display such a bold alert. I can give you access with Teamviewer if you like to have a live test. Or send more screenshots from other browsers. All of them mention the http://d1eoo1tco6rr5e.cloudfront.net/l8hfnf9/4gktlyq/iframe url to be blocked by the browser security.
I am not sure if the STOP! message is related to this url though…
-
The STOP message is normal. The iframe is not. It seems to be related to an advertising network, perhaps one you use on purpose, or maybe one that comes with a browser extension or app.
What type of computer did you test on another network?
- The topic ‘Security compromised for WordPress.com ?’ is closed to new replies.