Sodiumworks.com Compromised (Sep. 5th 2020)

Hello. From what I can tell, Sodiumworks.com was the victim of a hack yesterday. Details below.

(Update) I have found another (most likely) malware .php file in the folder of a plugin that I was using (BEFORE THIS). This increases the chance of all of this being caused by a security flaw in that plugin. (End of update)

It started with me trying to solve a 503 error yesterday, when I found a very suspicious file in my root folder named “9mpeoi99gk_index.php”. This was an intentionally obfuscated .php file. PHP is a programming language that is very widely used on internet sites.

At first, I thought maybe it could be a file that is a component of a WordPress plugin that I was using. Searching a part of it on Google proved this theory wrong.

“Cryptojacking malware” means that it tries to mine cryptocurrency (using CoinHive in this case) with the CPU of visitors. In other words, when you visited Sodiumworks.com, your computer would most likely slow down and use more battery, because it was mining cryptocurrency for the malicious hackers.

Looking at some of the articles and forum posts about this thing shows that it is not new. People have been affected by the same thing for a while now. This forum post is from two years ago:

After seeing that this was, indeed, malware, I immediately reverted the entire website to a backup from 31 August, which did not have this file. However, I will be on the lookout in case I see this again.
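The two steps above, spotting an unexpected obfuscated .php file in the web root (and later another one in a plugin folder) and comparing against a known-clean backup, can be automated. The script below is an added example, not code from the post or from any of the author's software: it lists PHP files present in the live tree but absent from the backup, files whose contents differ from the backup copy, and files containing common obfuscation indicators (eval, decoder functions, very long base64-like runs, the string “coinhive”). The directory layout and file contents are a constructed fixture; only the file name 9mpeoi99gk_index.php comes from the post. The indicators are heuristics, so a hit means “inspect this file”, not “this file is malware”.

```python
"""Audit a WordPress tree for injected PHP by diffing it against a clean
backup and flagging obfuscation indicators. Added example with a
constructed fixture; the site layout and paths are hypothetical."""
import re
import tempfile
from pathlib import Path

# Heuristic indicators often seen in injected PHP. A hit is a reason to
# inspect the file by hand, not proof of compromise (minified assets can
# also contain long base64-like runs, for example).
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("decoder", re.compile(
        r"\b(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(")),
    ("long-base64", re.compile(r"[A-Za-z0-9+/=]{200,}")),
    ("coinhive", re.compile(r"coinhive", re.IGNORECASE)),
]


def php_files(root: Path) -> dict:
    """Map relative path -> absolute Path for every .php file under root."""
    return {str(p.relative_to(root)): p
            for p in root.rglob("*.php") if p.is_file()}


def indicators_in(path: Path) -> list:
    """Return the names of all indicators that match the file's text."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS if rx.search(text)]


def audit(live_root: Path, backup_root: Path) -> dict:
    """Compare the live tree with the backup and scan the live files."""
    live, backup = php_files(live_root), php_files(backup_root)
    new_files = sorted(set(live) - set(backup))
    changed_files = sorted(
        rel for rel in set(live) & set(backup)
        if live[rel].read_bytes() != backup[rel].read_bytes())
    suspicious = {}
    for rel, path in sorted(live.items()):
        hits = indicators_in(path)
        if hits:
            suspicious[rel] = hits
    return {"new_files": new_files,
            "changed_files": changed_files,
            "suspicious": suspicious}


def build_sample_site() -> tuple:
    """Constructed fixture: a clean backup plus a live copy with two
    injected files and one modified legitimate file."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    backup, live = base / "backup", base / "live"
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/plugins/some-plugin/some-plugin.php":
            "<?php add_action('init', 'sp_init');\n",
    }
    for root in (backup, live):
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Injected file in the web root: the name is from the post, the body is
    # constructed (an eval over a long base64-looking blob).
    (live / "9mpeoi99gk_index.php").write_text(
        "<?php eval(base64_decode('" + "QUFB" * 80 + "'));\n")
    # Second injected file inside the plugin folder, as the update describes
    # (constructed body using a decoder function only).
    (live / "wp-content/plugins/some-plugin/cache.php").write_text(
        "<?php $c = str_rot13('pbvauvir'); // constructed\n")
    # A legitimate file that was modified after the backup was taken.
    (live / "index.php").write_text(clean["index.php"] + "// appended\n")
    return live, backup


if __name__ == "__main__":
    live_dir, backup_dir = build_sample_site()
    for key, value in audit(live_dir, backup_dir).items():
        print(key, value)
```

Run it against a real site by replacing the fixture with the live document root and an extracted copy of the last known-good backup; every path in `new_files` or `changed_files` is worth inspecting even when no indicator fires, since a modified legitimate file (here `index.php`) carries no obfuscation at all.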

What to do now?

Seeing that this was a type of attack many people were experiencing, I don’t think any changes were made to my software. The attackers were probably just after making some cryptocurrency. Although, obviously, if they could insert this file, they could theoretically alter anything else as well: they could have tampered with my software like naBoota or Conertset etc. and released that altered version so that it installed itself when you tried to update. If you installed an update of any of my software in the past few days, although tampering is very unlikely, I recommend doing a virus scan on your computer, just to be safe. Not knowing much about it in the first place, it is good to be a little paranoid about this, I think. I have also released a version update for all of my software that uses an updater. This update will just install the latest version again, just to be safe.

This attack probably utilized some kind of security flaw in one of the plugins that I was using, or in WordPress itself. I, of course, updated my admin password and the database password immediately after this.

However, I know of another possible point of entry: The cloud save sync feature in Electrilinked. This feature enabled users to upload and download their save files to my server. Before releasing it to the public, I have tried to close as many possible security holes in it as I could. Though, admittedly, with my (very) limited PHP knowledge, I might have screwed up. Although I don’t think this was the point of entry in this hack, I will still disable this feature for now.

I am not very experienced in terms of sysadmining. I am still learning as I move forward. However, seeing that people actually download my software now and maybe even use it, which is something that I never expected, makes me feel like I have a responsibility towards these (potential) users of my software now more than ever. I hope you can trust me going forward.

If you have a question, any question at all, please send me an eMail on mail at sodiumworks.com. Thank you very much.