Security compromised for WordPress.com ?

  • Author
    Posts
  • #3055157

    rvencu
    Member

    I notices in my Console view that all pages on wordpress.com are compromised by this insecure code the site tries to load via http
    http://d1eoo1tco6rr5e.cloudfront.net/l8hfnf9/4gktlyq/iframe
    It happens with all my browsers so there is not a browser issue.
    Also it does not appear on other sites so perhaps it is not injected code by ISPs.
    I guess these is a problem present on wordpress.com

    The blog I need help with is ivory.dentfix.ro.

    #3055277

    rvencu
    Member

    I would upload a screenshot, not possible so I am copying what Chrome says inside the Console view:

    STOP!
    (index):70 Wait! This browser feature runs code that can alter your website or its security, and is intended for developers. If you’ve been told to copy and paste something here to enable a feature, someone may be trying to compromise your account. Please make sure you understand the code and trust the source before adding anything here.
    activityi;dc_pre=CK6f3-mXhdgCFZiOmgodPd8CSQ;type=wordp0;cat=wppv;u6=%2F;u7=db41648ba09f44179ee7e2e9717c729a;u4=10474899;src=6355556;ord=9984632384623.412;num=7263399275267.69:16 Mixed Content: The page at ‘https://wordpress.com/’ was loaded over HTTPS, but requested an insecure resource ‘http://d1eoo1tco6rr5e.cloudfront.net/l8hfnf9/4gktlyq/iframe’. This request has been blocked; the content must be served over HTTPS.
    (index):1 The SSL certificate used to load resources from https://amplify.outbrain.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

    #3055278

    rvencu
    Member

    Apparently this forum does not have the issue, but https://wordpress.com/plugins/ has it

    #3055282

    timethief
    Member

    vory.dentfix.ro is hosted by Trend IMPORT – EXPORT SRL. It is not on WordPress.com servers as it is not hosted here.

    Name Servers:
    dentfix.ro
    pns1.cloudns.net
    ns1.cloudns.net
    ns4.cloudns.net
    pns4.cloudns.net
    ns3.cloudns.net
    pns3.cloudns.net
    pns2.cloudns.net
    pns7.cloudns.net
    pns6.cloudns.net
    ns2.cloudns.net

    For hosting issues contact your web host. For software support read on.

    You are posting to the wrong support forum. This is WordPress.COM support and that site is not on our servers.

    To be clear we do not provide support for local installs of WordPress.ORG software, or for WordPress.ORG software installs on paid hosting, linked to WordPress.COM accounts with the Jetpack plugin so they display on the My Sites WordPress.COM account page.

    WordPress.COM and WordPress.ORG are completely separate and have different username accounts, logins, features, run different versions of some themes with the same names, and have separate support documentation and separate support forums. Read the differences here http://en.support.wordpress.com/com-vs-org/

    The wordpress.ORG support forum is at http://wordpress.org/support. The wordpress.ORG login link is here https://login.wordpress.org/ If you do not have an account yet then click Create an account https://login.wordpress.org/register/ and if you have lost an account password click Lost password? https://login.wordpress.org/lostpassword/
    WordPress.org support docs are at https://codex.wordpress.org/Main_Page
    See also https://apps.wordpress.org/support/ for app support.

    #3055295

    rvencu
    Member

    Thanks. I really do not need support for my blog, that text was inserted automatically by the forum. (The blog I need help with is ivory.dentfix.ro.)

    I wanted to alert you, as an user of central management tools wordpress.com/plugins that your site, wordpress.com appears to be hacked or something.

    All the problems I see are when I am accessing wordpress.com

    I could not find another place to send you this alert.

    #3055299

    timethief
    Member

    ivory.dentfix.ro is hosted by Trend IMPORT – EXPORT SRL. It is not on WordPress.com servers as it is not hosted here.

    #3055300

    timethief
    Member

    I will also type modlook into the sidebar tags on this thread for a Staff follow-up. How do I get a Moderator/Staff reply for my question? https://en.support.wordpress.com/getting-help-in-the-forums/#how-do-i-get-a-moderatorstaff-reply-for-my-question

    #3055301

    rvencu
    Member

    Never knew, thank for the modlook thing…

    #3055309

    supernovia
    Staff

    Hi @rvencu, your site isn’t hosted here with us. If you’re running a forum plugin on your site and that’s been compromised, you may need to update, patch, or replace your plugin.

    You might search the forums for self-hosted sites to see if anyone there has encountered this, too: https://wordpress.org/support/forums/

    #3055344

    rvencu
    Member

    Hi @supernovia

    I want to alert you that the website wordpress.com seems to be compromised from my end. It is like someone is trying to inject code in all pages. Here is a screenshot https://prnt.sc/hmub06

    I guess my English is really bad or you people do not read properly what I am writing

    #3055425

    supernovia
    Staff

    Ah I’m sorry. I think I understand now.

    Your Calypso pages are having a frame injected, correct?

    This could be due to a browser plugin – can you test another browser to see if you get the same thing there?

    #3055426

    rvencu
    Member

    OK. Yes, it happens in all my browsers. It also happens on other computers I had the chance to test, and even on other networks.

    It might be a benign wrongfully made doubleclick tracking code but the fact the browser is working so slow means it might be mining software injected into an iframe.

    #3055429

    supernovia
    Staff

    Thanks. Can you confirm which pages it’s appearing on?

    If you create a new site at wordpress.com/start (so it’s hosted here) do you see the iframe when working with that site, or only on the ones hosted with your current provider?

    #3055430

    rvencu
    Member

    I can see it on:
    https://wordpress.com
    https://wordpress.com/plugins
    https://wordpress.com/me
    https://wordpress.com/stats

    I made a test site at https://mytestsite804161963.wordpress.com/ and it does NOT exhibit this behavior.

    My own hosted sites are fine. But I am afraid someone might crack my wordpress.com identity then gain control to all my sites via Jetpack central management.

    #3055431

    supernovia
    Staff

    I made a test site at https://mytestsite804161963.wordpress.com/ and it does NOT exhibit this behavior.

    But do you see the behavior if you go to https://wordpress.com/settings/general/mytestsite804161963.wordpress.com ?

    #3055432

    rvencu
    Member

    Yes, on this page the issue is present!

    #3055433

    supernovia
    Staff

    Thank you. For what it’s worth, a few of us have tested here; even while logged in as you we do not get this code.

    Can you tell me more about the computers you’ve tested with?

    #3055434

    supernovia
    Staff

    Also, to be clear, we’re talking about the iframe code (not the “Stop” warning).

    It appears to be an tracking image for an advertiser.

    #3055435

    rvencu
    Member

    It is a Windows 10 Fall Creators Update with Chrome browser.

    The other browsers do not display such a bold alert. I can give you access with Teamviewer if you like to have a live test. Or send more screenshots from other browsers. All of them mention the http://d1eoo1tco6rr5e.cloudfront.net/l8hfnf9/4gktlyq/iframe url to be blocked by the browser security.

    I am not sure if the STOP! message is related to this url though…

    #3055437

    supernovia
    Staff

    The STOP message is normal. The iframe is not. It seems to be related to an advertising network, perhaps one you use on purpose, or maybe one that comes with a browser extension or app.

    What type of computer did you test on another network?

The topic ‘Security compromised for WordPress.com ?’ is closed to new replies.