
WordPress theme provider Pipdig using customer sites to DDoS competitors - JamieF1
https://www.jemjabella.co.uk/2019/security-alert-pipdig-insecure-ddosing-competitors/
======
pmlnr
> Another one from the @pipdig plugin. If you use one of their themes on
> @bluehost then they intentionally slow your website down by disabling the
> BlueHost cache plugin, then they can inject content with the title "Is your
> host slowing you down?"

[https://twitter.com/nickstadb/status/1112479746972151808](https://twitter.com/nickstadb/status/1112479746972151808)

pipdig is a goldmine.

~~~
asadkn
On a tangent, let's talk BlueHost.

While the call to host switch is malicious, almost every developer in
WordPress world will agree BlueHost, and their parent company with all their
50+ hosting companies, are utter garbage. The only reason they exist is
because they have hired an army of bloggers and pay them affiliate income of
$65 / signup.

As far as disabling Endurance Cache goes, it is completely legitimate. It's a
plugin forced upon BlueHost users, without being told so, and is a "must-use"
plugin that most users will never check (and can't be completely disabled from
WordPress admin).

~~~
deftturtle
I'm curious which host you'd recommend. I want a good host for making
websites. Not sure if I need to be a reseller or just use their shared
hosting. I'm hoping to create lots of static websites for different small
businesses, and then cheaply host them. Considering Namecheap, DreamHost, and
BlueHost, but I'm also hoping there's one that allows nudity (not porn, just
artistic nudity). Or if there's a host that allows any content, that's a plus.

I've been trying to find non-Amazon or non-Google hosting options, wanting to
spend my money elsewhere. Is this a waste of time or effort? I imagine that
cloud hosting with Google would be less restrictive, though more complicated
to set up.

Thanks for any ideas

~~~
cjm42
NearlyFreeSpeech.NET has strong free-speech policies. But they do expect you
to be technically competent. If you're not comfortable with the command line
and wp-cli (if you're using WordPress), you probably won't be happy with them.

If you checked them out years ago, they've since added support for custom HTTP
servers. It's not as flexible as a VPS, but they're no longer limited to
static files, PHP, or CGI. You can now run Django, Ruby-on-Rails, etc.

------
reustle
A developer at Pipdig wrote these lines of code and shipped it, I wonder how
they felt.

    // From the Pipdig plugin source: drops every table named in $tables
    // through WordPress's $wpdb database handle
    foreach ($tables as $table) {
        $wpdb->query("DROP TABLE $table");
    }

~~~
Ayesh
While I don't disagree that this is horrible, perhaps the $tables array is a
hardcoded array.

~~~
dajonker
It is not, you can check the post for the full context.

~~~
gadgetoid
Or, better still, an Archive.org snapshot of the commit that added this very
code:
[https://web.archive.org/web/20190331195338/bitbucket.org/pip...](https://web.archive.org/web/20190331195338/bitbucket.org/pipdig/p3/commits/edc47824200e15d64cab7270debc4a0526a8d323)

(As a resident geek, I was asked to look into this by a friend)

~~~
aasasd
For good measure, the commit seems to be removed from the original repo.

------
robotbikes
And this just illustrates the horror that is the proprietary market place of
WordPress plugins. It is annoying because this results in incentives to take
away freedom from users and require payment for proprietary code in the guise
of a free software project. To expand WordPress functionality beyond the core
functions you have to wade through a minefield of freemium plugins that have
all been slightly broken to encourage you to shell out money to someone for
code you won't have any freedom with and the worst of it possibly demonstrated
by code like this. I have built some sites with WordPress but I have always
felt stifled by the way the plugins and themes are distributed. On the other
hand I understand people like being able to charge money and create businesses
from the code they write which can be more challenging if you actually write
free as in libre software vs. attempting to extract money from every potential
user.

~~~
pmlnr
For my personal site, I left WP behind about 3 years ago. I had to go back
last month, trying to build something instead of a Wix site for a school, and
the experience was terrifying: after adding one of the events plugins, within 5
minutes I started getting spam registrations. All plugins have ugly admin
interface "extras" and are very pushy to buy them.

The WordPress of 2007, which I loved very much, has nothing to do with this
monster of 2019.

~~~
skilled
I share a similar sentiment. Since about 2-3 years ago, most WordPress plugins
are marketed bloatware that messes up the entire dashboard UI. And don't get
me started on plugins that don't let you close their notifications unless you
do "some thing".

It really is a shame, because frankly speaking - most of these plugins are
utter trash anyway.

~~~
pmlnr
I've tried out a massive amount of gutenberg block plugins; whichever added a
new line in the admin menu instead of adding it into a submenu of settings,
deserves immediate deletion.

------
nickodell
Here's a second writeup, which also contains a response from pipdig:
[https://www.wordfence.com/blog/2019/03/peculiar-php-present-...](https://www.wordfence.com/blog/2019/03/peculiar-php-present-in-popular-pipdig-power-pack-plugin/)

~~~
mmaunder
Thanks. My crew put this write-up together. We're here if you have any
questions. Jem and us published almost at the same time although I think we
beat her by an hour or so. We're in contact. Funny coincidence we were working
on the same story at the same time.

This has blown up on Twitter. Our team has stayed out of the online debate
mostly other than answering questions. We're trying to just focus on the data
here.

They took their public repo offline, but we mirrored it before they did that.
It contradicts some claims they're making re timing. We're publishing a
timeline tomorrow and are recording our weekly podcast tonight instead of
tomorrow as per normal because of this insanity. We'll break it down on the
show.

I guess what really jumps out at me here is how they're trying to gaslight the
thing.

~~~
mmaunder
I'd also like to add that the DDoS functionality isn't what really jumped out
at me. It was the ability to reset your site's admin password remotely using a
hard-coded password that anyone can read. And then there is also the ability
to drop all your tables.

When we contacted them before publishing via email, they explained that
someone had been pirating their software so this was a countermeasure. (quote
is in the Wordfence post above) I guess the idea was that they would destroy
sites using pirated licenses. Then they backpedalled that later on after this
went viral.

~~~
48309248302
> I guess the idea was that they would destroy sites using pirated licenses.

Isn't it GPL?

~~~
mmaunder
Depends who you ask. Also some sites use a SaaS model with API key for back-end
access. They claimed license keys were stolen. “Last year we had some
serious problems after someone obtained a huge list of license keys and
downloaded all of our products. The keys and files were then distributed on
their file sharing site, which has since been taken down (not by us,
ironically!). The drop tables function was put in place to try to stop this at
the time.”

------
skilled
Did they seriously have the audacity to deny all this after all those code
examples were shown?

Edit: Wow, people's responses on Twitter are even more delusional. Wtf?

~~~
ceejayoz
> Wow, people's responses on Twitter are even more delusional. Wtf?

I find this so baffling. It's like being shown the bodies of a serial killer's
victims, and publicly stating "oh, but he never murdered _me_ , so why are you
all complaining?"

~~~
creato
They surely do not understand they are looking at bodies. They're seeing a
bunch of nerd speak about "DDoS" and "dropping database tables" and their eyes
glazed over. But they understand their site looks pretty...

------
tfaruq
From pipdig: [https://www.pipdig.co/blog/sad-times/](https://www.pipdig.co/blog/sad-times/)

~~~
duskwuff
Pathetic.

If I'm reading this correctly, they're essentially _admitting_ to some of the
malicious features described by the researcher, but claiming that they were
included for support purposes, or as a way of sabotaging sites using pirated
versions of their plugin.

1\. Including features which can remotely grant unauthorized access or cause
damage to a user's web site is inappropriate _under any circumstances_. Even
if they're your customers, or if they aren't your customers, or whatever. You
don't do that.

2\. Pipdig hasn't come up with any sensible explanation for why their license
checks were pointed at a competitor's web site. It's not even clear why the
license check would be architected in a way that allowed for this.

3\. Altering users' site content to change links from Blogerize to Pipdig is
beyond the pale. Pipdig's explanation of this feature is incoherent; it isn't
even consistent with the behavior of the code presented.

4\. Obfuscating the code surrounding all of these questionable bits of
functionality stinks of wrongdoing. It's understandable for a license check to
be a little obfuscated, perhaps, but there's no reason why a remote
administration feature should be (even if it had any reason for existing).

~~~
ohashi
We're just a poor small company... that acts maliciously against our
competitors using the code we sell to clients who have no idea! We're sorry we
got caught and it's hard to explain why this isn't bad.

Oh and they deleted repos apparently, gotta hide the evidence

~~~
pavel_lishin
Didn't work:
[https://web.archive.org/web/20190331195338/bitbucket.org/pip...](https://web.archive.org/web/20190331195338/bitbucket.org/pipdig/p3/commits/edc47824200e15d64cab7270debc4a0526a8d323)

------
nixgeek
It looks like the company involved is based in the U.K. and also seems likely
this software and their usage of it is a violation of the Computer Misuse Act.

One of their competitors should consider filing a complaint with the relevant
authorities, so this gets formally investigated.

~~~
gadgetoid
I would be interested to hear from CloudFlare as to whether there is any
possibility of confirming that the URL
"[https://pipdigz.co.uk/p3/id39dqm3c0_license_h.txt](https://pipdigz.co.uk/p3/id39dqm3c0_license_h.txt)"
(fetched by the "license check" code) did at some point return the text
"[https://kotrynabassdesign.com/wp-admin/admin-ajax.php](https://kotrynabassdesign.com/wp-admin/admin-ajax.php)".
I suspect this will be difficult, or impossible, to verify (I'm not a security
expert) and the "license check" code in and of itself (while extremely fishy)
only betrays the potential of a DDoS and is not a smoking gun.
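The behaviours this comment and mmaunder's comment above describe (a "license check" that requests whatever URL a remote text file returns, a password reset driven by a hard-coded password, a loop that drops tables, and obfuscation around all of it) are patterns a site owner can triage for with a crude source scan before installing a theme. The script below is an added example and is not code from the thread, from Wordfence or from Pipdig; the sample PHP is constructed to mimic those patterns, and the rule names and regexes are my own heuristics rather than any tool's real signatures.

```python
import re

# Constructed sample plugin source (NOT Pipdig's code), mimicking the behaviours
# discussed in the thread: fetch a remote file, then request whatever URL it
# returned; a hard-coded password reset; a table-dropping loop; obfuscated eval.
SAMPLE_PHP = """<?php
$body = wp_remote_retrieve_body(wp_remote_get('https://example.invalid/license.txt'));
wp_remote_get(trim($body));
if ($_GET['pw'] === 'hunter2') { wp_set_password('hunter2', 1); }
foreach ($tables as $table) { $wpdb->query("DROP TABLE $table"); }
eval(base64_decode($blob));
"""

# Each rule is (finding name, regex). The scan is line-oriented, so it is a
# triage aid for deciding what to read by hand, not a PHP parser.
RULES = [
    ("drop-table", re.compile(r"DROP\s+TABLE", re.I)),
    # wp_set_password called with a string literal: the password lives in the code
    ("hardcoded-password-reset", re.compile(r"wp_set_password\s*\(\s*['\"]")),
    ("obfuscated-eval",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    # wp_remote_* whose first argument is not a string literal: the destination
    # is decided at runtime, the shape a remotely steerable request takes
    ("remote-request-dynamic-url",
     re.compile(r"wp_remote_(get|post|request)\s*\(\s*(?!['\"])\S")),
]


def scan_php(source):
    """Return [(finding, line_number, stripped_line)] for every matching line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((name, lineno, line.strip()))
    return findings


def summarize(source):
    """Map finding name -> list of line numbers, for reports and assertions."""
    out = {}
    for name, lineno, _ in scan_php(source):
        out.setdefault(name, []).append(lineno)
    return out


if __name__ == "__main__":
    for name, lineno, text in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {name}: {text}")
```

Run it over a theme's PHP files (e.g. `scan_php(open(path).read())` in a loop) and read every flagged line in context; a literal URL in a license check is not a finding, a runtime-derived one is worth understanding.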

~~~
anc84
Hopefully not. Cloudflare has no business in law enforcement or legal
investigations. If they are trustworthy, they will not know about the contents
of sites in the past.

~~~
skoskie
Agreed. Separation of concerns and all that.

------
duskwuff
Followup at:

[https://www.jemjabella.co.uk/2019/pipdig-your-questions-answ...](https://www.jemjabella.co.uk/2019/pipdig-your-questions-answered/)

~~~
aboutruby
archive.org version:
[https://web.archive.org/web/20190401005430/https://www.jemja...](https://web.archive.org/web/20190401005430/https://www.jemjabella.co.uk/2019/pipdig-your-questions-answered/)

And original link:
[https://web.archive.org/web/20190401004514/https://www.jemja...](https://web.archive.org/web/20190401004514/https://www.jemjabella.co.uk/2019/security-alert-pipdig-insecure-ddosing-competitors/)

I'm getting errors when using a VPN:

> The firewall on this server is blocking your connection.

------
huxflux
"Sad times - [https://www.pipdig.co/blog/sad-times/](https://www.pipdig.co/blog/sad-times/)" No shit.

------
jarym
These guys put all this evil into their code (PHP no less so easily readable
by anyone) and it took this long for them to get caught?

Further, they peddled this into who knows how many themes they sold and never
thought they'd get caught?

~~~
wp381640
tons of wordpress themes and plugins are complete crap - even popular stuff.
nobody reads the code or knows how to read it. it makes claiming bug bounties
on wordpress sites easy.

------
fastbeef
What options are left if you need a simple website builder that's not

a) Wordpress, which is a swamp filled with mines in the form of plugins
b) Wix, which forces hosting and bad HTML on you

Basically I want a Wordpress-like frontend + the rich template ecosystem and
for it to spit out static HTML files.

~~~
neurostimulant
There are many solutions out there that can generate static sites from a
WordPress installation. For example, you can use gatsby.js to generate a
static site using WordPress as data source.

~~~
TooCleverByHalf
Just to clarify for myself, this person asked for alternatives that are not
WordPress and Wix and your recommendation is to use WordPress?

~~~
neurostimulant
My point is if you want the wordpress ecosystem but don't want the associated
risk, there are many ways to generate static websites from a wordpress
installation. You can run wordpress locally in your local development computer
and only host the generated static html in your server/hosting provider.

------
EKSolutions
I'm a little late on the wagon here but someone seems to have made a recent
backup of the code on Github:
[https://github.com/longwave/p3](https://github.com/longwave/p3)

~~~
longwave
That is me, I found a Dropbox link containing the repo on Twitter and thought
it might be a good idea to preserve it.

~~~
EKSolutions
Well thanks Sir! It seems they've lost their copy of the code history so it's
a good job you made a nice backup of it for them.

------
cy6erlion
The more I read the more it sounds like an April fools joke.

