
Context:

Third-party code is common to any open-source CMS, e.g. WordPress plugins and themes. I've recently encountered articles online regarding plugins/themes sending information to authors.

My concern:

  1. I cannot tell WHEN a plugin/theme is sending information to the author.
  2. I cannot tell WHAT information a plugin/theme is sending to the author (email, URL, site visit tracking, limited to full database access, etc.).

Whether an author is using this information maliciously or not, the lack of visibility on this matter is frustrating to me. I'd simply like to know on principle.

What I've tried:

  1. I've disabled various functions such as cURL and fopen, but it's my understanding that fall-back functions might exist to achieve the same functionality.
  2. I've secured my website in a multitude of ways including modifying directory/file permissions, malware scans, black-listing, security audits, firewalls, etc.
  3. I keep an eye on a script blocker for Firefox to detect third parties.
  4. I run various code scans of plugins/themes for known malicious code and update definitions regularly.
  5. I've looked at Ghostery for Firefox; however, this requires the plugin/theme to be active, which could already be too late should the plugin/theme be malicious.

My question:

How can I tell what plugins/themes are calling home / sending information and exactly what information is being sent?

  • Do plugins or online solutions exist to detect this?
  • Is it as simple as disabling certain PHP functions?
  • If I need to manually look for code (bearing in mind that malicious code is already scanned for) what functions should I watch out for?
Asked by Clarus Dignus (edited by AstroCB)
  • It's things like this that make me happy that I write my own stuff ;) Regarding your issue, perhaps the best advice would be to only install plugins and themes from trusted sources. Recently there've been a lot of `social.png` hacks that come from installing free themes... – Niet the Dark Absol Dec 03 '14 at 14:18
  • Exactly where are these plugins doing the "phone home" stuff? There is absolutely zero point in enabling Ghostery if the plugin is doing the phone home on the server. – Marc B Dec 03 '14 at 14:21
  • @NiettheDarkAbsol Cheers for the heads-up. [My current definitions are checking for it](https://wordpress.org/support/topic/fake-socialpng-is-a-php-file-injecting-malicious-code-in-theme-options-file). – Clarus Dignus Dec 03 '14 at 14:24
  • @MarcB Here's one [example of a plugin](https://wordpress.org/plugins/gotmls/) that openly dials home to obtain security definition updates (see "Notice"). Certain themes have scripts that dial home to check if the current version of the theme is installed. I noticed it when an fopen/CURL error message fired. It seems like a likely opportunity to send information to the author or potentially a malicious party. – Clarus Dignus Dec 03 '14 at 14:31
  • Then that's purely server-side, and a client-side plugin like Ghostery would never see it. – Marc B Dec 03 '14 at 14:31
  • @MarcB Ghostery point acknowledged. Thanks for the clarification. Any ideas on what will work? Is disabling cURL/fopen sufficient, and if not, how can I detect what/when information is being sent home or to a third party? – Clarus Dignus Dec 03 '14 at 14:33
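The question asks how to see WHEN a plugin or theme sends data out and WHAT it sends. The following is an added example, not code from the question, the answer, or any plugin mentioned on this page. It is a must-use plugin (dropped into `wp-content/mu-plugins/`, so it loads before every ordinary plugin and theme) that hooks WordPress's `pre_http_request` filter. Every request made through the WordPress HTTP API (`wp_remote_get`, `wp_remote_post`, `wp_remote_request` and the `wp_safe_remote_*` wrappers, whichever transport they end up using) passes through that filter before it is sent, so the hook can record the destination host, method, body field names and the plugin or theme directory that triggered the call, and optionally refuse hosts that are not on an expected list. The log path, the expected-host list, the `OHA_`/`oha_` names and the "first wp-content frame on the stack" heuristic for naming the caller are all assumptions of this example.

```php
<?php
/**
 * Plugin Name: Outbound HTTP Audit (example)
 * Description: Logs, and optionally blocks, outbound requests made through the WordPress HTTP API.
 * Install as wp-content/mu-plugins/outbound-http-audit.php so it runs before regular plugins and themes.
 */

// Hypothetical log location: any file the web server user can write to will do.
define( 'OHA_LOG_FILE', WP_CONTENT_DIR . '/outbound-http.log' );

// Hosts WordPress itself is expected to talk to (update/version checks). Anything
// else is logged as UNEXPECTED and, if OHA_BLOCK_UNEXPECTED is true, refused.
define( 'OHA_BLOCK_UNEXPECTED', false );
$oha_expected_hosts = array( 'api.wordpress.org', 'downloads.wordpress.org' );

/**
 * Best-effort attribution: the first stack frame whose file lives under a
 * plugin or theme directory is taken as the code responsible for the request.
 */
function oha_caller() {
    foreach ( debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS, 30 ) as $frame ) {
        if ( empty( $frame['file'] ) ) {
            continue;
        }
        if ( preg_match( '#/wp-content/(plugins|themes)/([^/]+)/#', $frame['file'], $m ) ) {
            return $m[1] . '/' . $m[2];
        }
    }
    return 'core-or-unknown';
}

/**
 * Summarise the request body without copying secrets into the log: only the
 * parameter names and the encoded size are recorded, never the values.
 */
function oha_describe_body( $body ) {
    if ( is_array( $body ) ) {
        return 'fields=' . implode( ',', array_keys( $body ) ) . ' size=' . strlen( http_build_query( $body ) );
    }
    if ( is_string( $body ) && '' !== $body ) {
        return 'raw size=' . strlen( $body );
    }
    return 'empty';
}

/**
 * Runs before every WP HTTP API request. Returning anything other than false
 * short-circuits the request; a WP_Error is handed back to the caller as a failure.
 */
function oha_inspect_request( $preempt, $parsed_args, $url ) {
    global $oha_expected_hosts;

    $host   = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    $status = in_array( $host, $oha_expected_hosts, true ) ? 'EXPECTED' : 'UNEXPECTED';

    $line = sprintf(
        "%s %s %s %s caller=%s body=%s\n",
        gmdate( 'c' ),
        $status,
        strtoupper( isset( $parsed_args['method'] ) ? $parsed_args['method'] : 'GET' ),
        $url,
        oha_caller(),
        oha_describe_body( isset( $parsed_args['body'] ) ? $parsed_args['body'] : '' )
    );
    file_put_contents( OHA_LOG_FILE, $line, FILE_APPEND | LOCK_EX );

    if ( 'UNEXPECTED' === $status && OHA_BLOCK_UNEXPECTED ) {
        return new WP_Error( 'oha_blocked', 'Outbound request to ' . $host . ' refused by outbound audit.' );
    }
    return $preempt; // false: let WordPress send the request as normal
}
// Priority 1 so this runs before any other plugin's pre_http_request filter.
add_filter( 'pre_http_request', 'oha_inspect_request', 1, 3 );
```

Each log line answers the asker's two points (when, and what) for requests that go through the HTTP API, e.g. `UNEXPECTED POST https://example.invalid/ping caller=themes/some-theme body=fields=site_url,version,email size=71`. WordPress also ships the same allow-list idea as configuration: defining `WP_HTTP_BLOCK_EXTERNAL` as `true` and `WP_ACCESSIBLE_HOSTS` in `wp-config.php` makes the HTTP API refuse everything not listed, and `WP_PROXY_HOST`/`WP_PROXY_PORT` route HTTP API traffic through a proxy where the full request can be inspected. The caveat is the one raised in the question itself: code that calls `curl_exec`, `fsockopen` or `file_get_contents` directly never touches this hook, so a runtime log needs to be paired with reading the plugin's source (or with host-level egress monitoring such as a firewall that logs new outbound connections from the web server).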

1 Answer


If this were a .NET application, you could install Fiddler as a system level proxy, trust its root certificate and see all traffic that originates from the machine.

See Eric Lawrence's answer to this question on how to configure it.

I'm not sure if this would also work for PHP applications. I'm not even sure if you are on a Windows box.

Answered by MvdD (edited by Community)
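The question's third bullet asks which functions to watch for when reading a plugin's or theme's code by hand. The following is an added example, not part of the answer above and not a WordPress component: a command-line PHP script that tokenises every `.php` file under the directories given to it and reports (a) calls to functions that can open a network connection or otherwise move data off the server, including the fall-backs plugins use when cURL is disabled (`fsockopen`, `stream_socket_client`, `fopen`/`file_get_contents` with URL wrappers), (b) calls commonly used to hide what is being executed or sent, and (c) every `http(s)://` string literal, so the destinations are visible before the plugin is ever activated. It works on the tokeniser rather than a regex so that a word such as `file` in a comment or a method named `copy` on some object is not reported. The function lists and the report format are this example's own choices.

```php
<?php
/**
 * scan-outbound.php (example scanner)
 * Usage: php scan-outbound.php /path/to/wp-content/plugins /path/to/wp-content/themes
 *
 * Prints one line per finding:  <kind>  <file>:<line>  <function or URL>
 */

// Builtin and WordPress functions that can reach the network (or email) from PHP.
$outbound = array(
    'curl_init', 'curl_exec', 'curl_multi_exec',
    'fsockopen', 'pfsockopen', 'stream_socket_client', 'socket_connect',
    'fopen', 'file_get_contents', 'file', 'readfile', 'get_headers', 'copy',
    'wp_remote_get', 'wp_remote_post', 'wp_remote_request', 'wp_remote_head',
    'wp_safe_remote_get', 'wp_safe_remote_post', 'wp_safe_remote_request',
    'mail', 'wp_mail',
);
// Functions frequently used to conceal what is being called or transmitted.
$obfuscation = array( 'eval', 'base64_decode', 'gzinflate', 'str_rot13', 'create_function' );

/**
 * Return an array of [line, kind, detail] findings for one PHP source file.
 */
function scan_file( $path, array $outbound, array $obfuscation ) {
    $findings = array();
    $tokens   = token_get_all( file_get_contents( $path ) );
    $count    = count( $tokens );

    for ( $i = 0; $i < $count; $i++ ) {
        $t = $tokens[ $i ];
        if ( ! is_array( $t ) ) {
            continue; // single-character tokens such as "(" or ";"
        }
        // PHP 8 tokenises "\curl_exec" as one T_NAME_FULLY_QUALIFIED token.
        $is_name = T_STRING === $t[0]
            || ( defined( 'T_NAME_FULLY_QUALIFIED' ) && T_NAME_FULLY_QUALIFIED === $t[0] );

        if ( $is_name ) {
            // Only report identifiers that are followed by "(", i.e. actual calls.
            $j = $i + 1;
            while ( $j < $count && is_array( $tokens[ $j ] ) && T_WHITESPACE === $tokens[ $j ][0] ) {
                $j++;
            }
            if ( $j >= $count || '(' !== $tokens[ $j ] ) {
                continue;
            }
            // Skip method calls ($obj->file()), static calls (Foo::copy()) and
            // function declarations; those are not the PHP builtins.
            $prev = $i > 0 ? $tokens[ $i - 1 ] : null;
            if ( is_array( $prev ) && in_array( $prev[0], array( T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION ), true ) ) {
                continue;
            }
            $name = strtolower( ltrim( $t[1], '\\' ) );
            if ( in_array( $name, $outbound, true ) ) {
                $findings[] = array( $t[2], 'network', $name );
            } elseif ( in_array( $name, $obfuscation, true ) ) {
                $findings[] = array( $t[2], 'obfuscation', $name );
            }
        } elseif ( T_CONSTANT_ENCAPSED_STRING === $t[0]
            && preg_match( '#https?://[^\s\'"]+#i', $t[1], $m ) ) {
            $findings[] = array( $t[2], 'url', $m[0] );
        }
    }
    return $findings;
}

$dirs = array_slice( $argv, 1 );
if ( empty( $dirs ) ) {
    fwrite( STDERR, "usage: php scan-outbound.php <dir> [<dir> ...]\n" );
    exit( 1 );
}
foreach ( $dirs as $dir ) {
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( 'php' !== strtolower( $file->getExtension() ) ) {
            continue;
        }
        foreach ( scan_file( $file->getPathname(), $outbound, $obfuscation ) as $finding ) {
            list( $line, $kind, $what ) = $finding;
            printf( "%-11s %s:%d  %s\n", $kind, $file->getPathname(), $line, $what );
        }
    }
}
```

A `network` hit next to a `url` hit in the same file is the "dials home to check the version" pattern the asker describes in the comments; `network` hits with no URL literal nearby, or sitting beside `base64_decode`/`eval`, are the ones worth reading line by line, because the destination is being assembled or decoded at runtime. The scanner cannot see calls built dynamically (`$f = 'cu' . 'rl_exec'; $f(...)`) or code pulled in with `include` from outside the scanned tree, which is the same gap that makes disabling `curl`/`fopen` alone insufficient: treat its output as a reading list, not a verdict.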