
[Closed] CRED notifications are being triggered from old posts by some kind of hacking

This support ticket was created 3 years, 9 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

This topic contains 21 replies, has 3 voices.

Last updated by Jamal 3 years, 8 months ago.

Assisted by: Jamal.

#1774263

I applied the fix that you sent in the zip file - but it did not make a difference - the forms still sent a notification even just by opening then saving the post with no changes.

I'm going to try the activity logging plugin that you have recommended and let you know what I find out.

Elise

#1775153

So this is really strange. I installed the Activity Log onto my writingmusicaltheatre.com site - because it has far fewer plugins, and only one main form that triggers notifications.

I just downloaded the activity log - and it shows literally hundreds of log-ins with "wrong password" - but they are all attributed to IP address 142.4.19.211 - which is my own server. (and they certainly weren't me).

However - I don't see any actions taken by any of them.

I just went in and did something that I knew would trigger a notification - and then checked the log again - and it quite clearly showed that IP address 142.4.19.211 logged in and updated a post. (and the notification did send).

However - about an hour ago, I received a notification that shouldn't have gone out - that I didn't send - and there is no record of that post update in the activity log.

I'm not sure how to interpret all of that.

What does it mean that there is so much activity - even if it is the wrong password - directly from my IP address? Does that mean someone is getting into my control panel, or my database - but they don't know the password to my admin account?

But even then - how was that email notification sent out earlier today, if nobody logged in and updated a post at that time!

I'm pretty confused!

Thanks for any help you can offer!

Elise

#1775155

I just looked at the Activity Log again - I think the IP address column is always going to be my own server address - that's just the way it works, I guess - so never mind that.

All of those were for user "unknown" - and they all said wrong password ... so unless someone breaks the password and gets in, how can they be updating a post and triggering a notification?

(by the way - there were about 1500 attempts in the last two days since I installed the program!)

Elise

#1778697

Jamal
Supporter

Languages: English (English ) French (Français )

Timezone: Africa/Casablanca (GMT+01:00)

Hello Elise,

I am noting that the fix is not working for you. But this brings the possibility that something else is triggering these emails.

When analyzing the copy of your website locally, we are not able to reproduce the same issue (trigger email by a simple open/save). The fix is also working on our copy.
Unfortunately, if we can't reproduce the issue, we won't be of much help.

At this point, what I can suggest is:
- Asking help from the hosting provider to understand the origin of these failed logins.
- Asking for a security check from a WordPress security agency, this will, probably, be a paid service.

I'll remain at your disposal.
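
Added example, not part of the thread or of Toolset's code: one way to start tracing the origin of failed logins when the activity log only shows the server's own address is to count POSTs to the WordPress login endpoints in the web server access log. It assumes a "combined" log format with the `X-Forwarded-For` value appended as a final quoted field; the log lines are constructed samples.

```python
import re
from collections import Counter

SERVER_IP = "142.4.19.211"  # the server's own address, as reported in the thread
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # endpoints that accept passwords

# Assumed log format: "combined" plus a trailing quoted X-Forwarded-For field.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<xff>[^"]*)")?$'
)

# Constructed sample lines (not taken from the site discussed in the thread).
SAMPLE_LOG = """\
142.4.19.211 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0" "203.0.113.7"
142.4.19.211 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0" "203.0.113.7"
142.4.19.211 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0" "10.0.0.1, 198.51.100.23"
142.4.19.211 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-cron.php?doing_wp_cron=1 HTTP/1.1" 200 0 "-" "WordPress" "-"
198.51.100.23 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
142.4.19.211 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 4123 "-" "python-requests" "-"
"""

def client_ip(m):
    """Use the forwarded address only when the peer is the server itself."""
    xff = (m.group("xff") or "").strip()
    if m.group("peer") == SERVER_IP and xff and xff != "-":
        # Right-most entry is the one the nearest proxy appended; earlier ones are client-supplied.
        return xff.split(",")[-1].strip()
    return m.group("peer")

def login_posts_by_origin(log_text):
    """Count POSTs to the login endpoints per originating address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path in LOGIN_PATHS:
            counts[client_ip(m)] += 1
    return counts

if __name__ == "__main__":
    for ip, n in login_posts_by_origin(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {ip}")
```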

#1785409

Jamal
Supporter

Hello Elise,

Our 2nd Tier explains that this fix should be applied after the last update of Toolset Forms, we released last week. The update does not include the patch yet, so you will have to update Toolset Forms, then apply the patch.

As I explained before, the issue was not reproduced on my local copy (triggering email with a simple open/save of a donation post), probably because of a difference in the server setup; I am catching emails with a plugin, instead of a complete email solution. So, I can't confirm from my end. Our 2nd Tier has tested the fix again in a copy of your websites and it works for him.

Can you try from your end?
- Update Toolset Forms to the latest release.
- Apply the patch in my reply https://toolset.com/forums/topic/cred-notifications-are-being-triggered-from-old-posts-by-some-kind-of-hacking/page/2/#post-1773085

Then, let us know what you will get.

#1786479

I don't seem to be able to use this thread to download that patch anymore ... it gives me a "server error" message...

#1787743

Jamal
Supporter

Please try this link hidden link
