Phishing Domain Embedded into Registration Form

Hi,
Firstly, thank you for maintaining and building on a fantastic plugin!

I’ve been a S2member Pro user for around 5yrs, but was just alerted to a potential issue where it appears some known phishing website (wcomhost.com) may have become embedded into the registration form of my website. I have activated a 3rd party security plugin (Astounding Spam Protection), which prevents registrations (via S2member) each time a legitimate website visitor attempts a registration due to the detection of the phishing site attempting to gather the details of the form registration. If this phishing site indeed has somehow embedded itself into the S2member registration form on my website (https://tradablepatterns.com/wp-login.php?action=register), how would you suggest for me to clean the phisher from the form, and to eliminate this phishing from taking place, while allowing users to continue with legitimate registration?

Much appreciated in advance,
Darren

Sorry to hear you got hacked. What a pain.

There are a lot of hack possibilities to run through and none of them involve s2member.

  • Are you on shared hosting (one of the other sites may have hacked it…for example I just got a casual note from the one shared hosting site I keep around for testing purposes that it got hacked…which is one of the reasons I don’t use shared hosting with my clients)
  • Have you previously contracted someone to fix something on your site?
  • Have you recently given your login credentials to a plugin / theme support person?
  • Is all your software always kept up-to-date?
  • Are all your plugins from respected sources?
  • Are all your plugins from wordpress.org?

Hi Tim,
I’m actually using a Virtual Private Server offered by my webhost.

I used to keep a few security plugins (like Wordfence) activated to prevent these hacks, but had to deactivate them as there were too many false positives where legitimate users couldn’t register on my website.

I’ve been the only person operating my website and haven’t given my login credentials to anyone.

My plugins are almost always kept up to date within a day of new plugins being released, and yes, all plugins are from Wordpress.org.

Let me know what else you’d suggest at this point. A security plugin author recommends I delete all of my plugins, roll back to an older Wordpress and then reinstall all plugins one at a time…

Much appreciated in advance!

Sorry to take so long to reply. Got busy.

Sounds like you have a good control of your site so it is unusual to see you got hacked.

If you are a techie I would dump a copy, make a developer site and set a breakpoint via debugger to trace back the source of the registration hook. From there you can see who the culprit is and use that as a basis for your next step.
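A way to do that tracing without a debugger, as an added example that is not s2Member's code and not part of the original thread: a must-use plugin that, on the cloned site, lists every callback attached to the hooks wp-login.php fires while building the login/registration page, with the file and line that defines each one. It assumes WordPress 4.7 or later (where `$wp_filter[$hook]` is a `WP_Hook` object) and writes to the PHP error log; the file name `hook-audit.php` is arbitrary.

```php
<?php
/**
 * Hook audit (added example, not s2Member or WordPress core code).
 * Drop into wp-content/mu-plugins/hook-audit.php on the CLONED site.
 * After each wp-login.php page render it logs every callback attached to
 * the hooks below with the file:line that defines it. A callback that
 * lives in an unexpected plugin, the theme, or under wp-content/uploads
 * is the first place to look for whatever injects the foreign domain.
 */

// Hooks wp-login.php runs while producing the register/login form.
const HOOK_AUDIT_TARGETS = ['login_init', 'login_head', 'login_enqueue_scripts',
                            'login_form', 'register_form', 'login_footer'];

// Resolve a WordPress callable to "name @ file:line" via Reflection.
function hook_audit_describe_callable($fn): string {
    try {
        if ($fn instanceof Closure) {
            $ref = new ReflectionFunction($fn);   $name = '{closure}';
        } elseif (is_array($fn)) {                 // [ $object|'Class', 'method' ]
            $ref = new ReflectionMethod($fn[0], $fn[1]);
            $name = (is_object($fn[0]) ? get_class($fn[0]) : $fn[0]) . '::' . $fn[1];
        } elseif (is_string($fn) && strpos($fn, '::') !== false) { // 'Class::method'
            $ref = new ReflectionMethod($fn);      $name = $fn;
        } else {                                   // plain function name
            $ref = new ReflectionFunction($fn);    $name = (string) $fn;
        }
        $file = $ref->getFileName() ?: '(internal)';
        return sprintf('%s @ %s:%d', $name, $file, (int) $ref->getStartLine());
    } catch (ReflectionException $e) {
        return '(unresolvable callable: ' . $e->getMessage() . ')';
    }
}

// Collect "[hook] prio N: callable @ file:line" for every registered callback.
function hook_audit_collect(array $hooks): array {
    global $wp_filter;
    $out = [];
    foreach ($hooks as $hook) {
        if (empty($wp_filter[$hook]) || !($wp_filter[$hook] instanceof WP_Hook)) {
            continue;
        }
        // WP_Hook->callbacks is priority => [ idx => ['function' => callable, ...] ]
        foreach ($wp_filter[$hook]->callbacks as $priority => $entries) {
            foreach ($entries as $entry) {
                $out[] = sprintf('[%s] prio %d: %s', $hook, $priority,
                                 hook_audit_describe_callable($entry['function']));
            }
        }
    }
    return $out;
}

// Dump at the very end of the page, after every plugin has had a chance to add hooks.
add_action('login_footer', function () {
    foreach (hook_audit_collect(HOOK_AUDIT_TARGETS) as $line) {
        error_log('hook-audit ' . $line);
    }
}, PHP_INT_MAX);
```

Load the register page on the clone once, then grep the error log for `hook-audit` and compare each file path against the plugin list; callbacks that also enqueue scripts show up under `login_enqueue_scripts`, which is where an injected external script URL would usually be added.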

No worries Tim. I’m vaguely familiar w/ the debugger/breakpoint concept, but it appears I’ll need to give it a shot to find the culprit. I’ve also cloned the site for other testing purposes previously, so should be able to get a fresh cloned copy created. In the past few days, I’ve also run a few security scans using Wordfence, where all of my installed plugins are compared (by their files) to what’s in the Wordpress repository, and there were no changes to the files of S2Member’s plugin (after my installation). I didn’t get any other warnings from Wordfence that appeared related to our issue at hand, but I’ll keep you posted of how things go once I set up the test site.

Have a wonderful rest of your wkend!
Darren

Security plugins may not find an issue. This is likely the normal operating mode for one of your plugins. It may be just an unwanted affectation of one of your plugins but not malicious.

Here is a debug strategy you can try that does not involve a debugger:

  1. Verify on your cloned site that the problem exists
  2. Turn off all your plugins and verify the problem does NOT exist
  3. Re-enable half your plugins
  4. If the problem still exists, disable half your remaining plugins and repeat 4). If the problem does not exist, disable these plugins, re-enable the other half of the plugins, then repeat 4).

NOTE: This is a binary search pattern. Fastest way to find the problematic plugin

Let us know how you go.

Thanks for the suggestion Tim. I’ve been in the final stage of cloning the site, but stalled w/ the database import as I keep getting an Incorrect Format Error which many online have suggested is due to the default php.ini values on max filesize, post_max_size, max_execution_time and memory_limit, all of which I’ve already increased to the point where they shouldn’t present an issue. I’ve restarted my Apache and MySQL servers after making the php.ini changes but to no avail…once I successfully import the database, I’ll run those suggested steps and let you know how it goes.

Have a fantastic weekend in the meantime!
Darren