Author Topic: Fast Secure Contact Script - A WARNING  (Read 246 times)

0 Members and 1 Guest are viewing this topic.

Offline CNYWeather

  • Forecaster
  • *****
  • Posts: 2103
    • http://www.cnyweather.com
Fast Secure Contact Script - A WARNING
« on: October 14, 2017, 11:42:35 AM »
No sure if anyone has the newest version of Fast Secure Contact Form up
and if this would have also effected non Word Press users. But I happened upon this
from Mike Challis from 642 Weather. He also wrote Who's Online script.

Quote
This plugin is no longer supported
I (Mike Challis) am the original author of Fast Secure Contact Form. No, this site did not get hacked. I sold my Wordpress plugins to a new owner in June 2017 with a WordPress user profile name “fastsecure”. Without prior notice or evidence of his intentions, the new owner attempted to put malicious code in several of his newly acquired WordPress plugins that would connect to a 3rd party server (that he also owned) and inject spam ads for payday loans and such in the site's WordPress posts.

The new owner put spam code in versions 4.0.52, 4.0.53, 4.0.54, and 4.0.55 of Fast Secure Contact Form and versions 3.0.1 and 3.0.2 of SI CAPTCHA Anti-Spam but it actually failed to display any spam in these plugins because he put the code in the securimage.php captcha library file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the securimage.php file is not included in the WordPress runtime environment. The securimage.php file was only included from another file securimage_show.php that loads the captcha image directly from HTML IMG src outside of the WordPress runtime. The spam code in these two plugins was never activated, it would not have corrupted your posts or changed anything in the WordPress database.


Here's the whole notice: http://www.fastsecurecontactform.com/

Again, not sure if the standalone versions some of us use could be an issue or not, but I put this here, just in case.
Tony


Offline cospringswx

  • Forecaster
  • *****
  • Posts: 4046
    • Colorado Springs Weather
Re: Fast Secure Contact Script - A WARNING
« Reply #1 on: October 14, 2017, 12:12:38 PM »
Tony I use a free program called Foxy Form.




Ryan 

Colorado Springs, CO
www.cospringsweather.com
Davis Vantage Vue
Weather Display Software
Hikvision HD IP Camera

Online sacreyweather

  • Echo Valley Weather
  • Forecaster
  • *****
  • Posts: 1560
    • Echo Valley Weather
Re: Fast Secure Contact Script - A WARNING
« Reply #2 on: October 14, 2017, 12:26:48 PM »
Thanks for the info, Tony. I use FSCF, but have version 3.2.1 from Feb. 2017.
CWOP: D2073, GR2AE, GR3, Cumulus, PWSweather,  CoCoRaHS: AR-SL-23  

Saline Weather on Twitter
Blitzortung Station 1387

Offline Otis

  • (aka Paul)
  • Forecaster
  • *****
  • Posts: 429
    • Lake Huron Weather
Re: Fast Secure Contact Script - A WARNING
« Reply #3 on: October 14, 2017, 01:59:51 PM »
Thanks for the info, Tony. I use FSCF, but have version 3.2.1 from Feb. 2017.

Yes thanks Tony for the info.  I also use v 3.2.1 13 Feb 2017.

Davis Vantage Pro2, Serial Data Logger
WD 10.37S-(b45), VWS V15.00p03, Weatherlink 6.0.3, VWSaprs 1.9.8.0, Fling 2.35, Broadwave 2.0, Win 7 Pro 64Bit
KMICHEBO10 - CW3699 - Cheboygan, MI

Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 6223
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
Re: Fast Secure Contact Script - A WARNING
« Reply #4 on: October 14, 2017, 04:07:27 PM »
It is very sad that a miscreant purchased ownership of a bunch of WordPress plugins (Fast Secure Contact Form for WordPress included), then inserted malware to provide spam mailers.  Sick!  Fortunately, sharp eyes at WordFence (and others) detected the malware, and WordPress took swift action against the victimized plugins.

As Mike has sold rights to his FSCF, he is no longer supporting the software.. he did release clean end-of-life versions on the fastsecurecontactform.com site along with the explanation.
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis VP1+ FARS, Boltek-PCI/NexStorm, microSferics ToA, Blitzortung RED, GRLevel3, WD, WL, VWS, Cumulus, Meteobridge/hub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

 

anything