Today was an eventful day. While launching a new version of 2-viruses.com I found a security breach affecting WP 2.x, at least versions 2.0 and 2.1. The techniques at least partially work on WordPress 2.7 as well.

Apparently, it is possible to 1) add a user to WordPress, 2) somehow change its status to administrator and 3) hide that user from the list of other users.

Such users can be detected by a mismatch between the user count and the actual number of users listed in /wp-admin/users.php, in the administration section of your WordPress blog. If WordPress says that you have 2 users but you see only one, your blog might be infected.

The hiding system is relatively simple: they overload the first_name field in the wp_usermeta table with JavaScript that modifies the output of the user list. This means that you cannot see that user in a browser with JS enabled. The user was named “WordPress” to confuse things further, though it is quite clear that the user is not an actual “system” user because it was added much later on.

I had to remove the cloaking code from the wp_usermeta field and then delete the user using the admin panel. It is still unclear when the infection started, but I would estimate it was about mid-summer 2008.

Categories: Security

Giedrius Majauskas

I am an internet company owner and project manager living in Lithuania. I am interested in computer security, health and technology topics.

2 Comments

Daniel D · June 19, 2009 at 5:06 pm

Hi G. Found your post. Experiencing the same issue. I’m not that versed in mysql but saw in my wp_user that there are rogue users as well, one named “WordPress” and another named “Blog.” Can I just delete them from the wp_users or is there some other “Clean Up” I need to do? Also… what should I do after that to help resecure the blog? Reload WP files? Change passwords?

Any help / advice is appreciated.

Giedrius · June 21, 2009 at 1:38 pm

Look in a table called wp_options. Look there for a key labeled “plugins” or similar. There will be an array of values with filenames or directories. These files are plugins.
If only the plugins directory (wp-content/plugins/) is mentioned, the plugin is ok. If the plugin is in a different directory, it is bad and should be deleted. Typically, bad plugins have no name and thus are not listed in the WordPress admin panel.
I would recommend upgrading WordPress to the latest version. Changing passwords is a good idea as well. Also, some people recommend protecting your admin panel directory using .htaccess, but it will not work if your home PC address is dynamic (mine is), that is, changes once in a while.
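A combined check for the two signs described in the post (a hidden account whose profile field carries markup) and in the reply above (plugin entries that point outside wp-content/plugins/), as an added example that is not part of the original post or of WordPress itself. The usermeta rows, the serialized plugin list and the user counts are constructed sample data, and the function names are my own.

```python
import posixpath
import re
# Constructed sample rows from wp_usermeta: (user_id, meta_key, meta_value).
# User 2 mimics the post: a display field stuffed with script that hides its row.
USERMETA_SAMPLE = [
    (1, "first_name", "Giedrius"),
    (1, "nickname", "admin"),
    (2, "first_name", "WordPress<script>document.getElementById('user-2').style.display='none'</script>"),
    (2, "nickname", "WordPress"),
]
USER_COUNT_IN_DB = 2          # what SELECT COUNT(*) FROM wp_users reports
USERS_VISIBLE_IN_BROWSER = 1  # rows actually seen in wp-admin/users.php
# Constructed plugin list in PHP serialize() format (the wp_options storage
# format); the second entry escapes the plugins directory, the bad sign above.
ACTIVE_PLUGINS_SAMPLE = ('a:2:{i:0;s:19:"akismet/akismet.php";'
                         'i:1;s:25:"../../wp-includes/bad.php";}')

DISPLAY_KEYS = {"first_name", "last_name", "nickname", "description"}
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I)

def markup_in_usermeta(rows):
    """(user_id, meta_key) for profile fields that contain tags or script."""
    return [(uid, key) for uid, key, value in rows
            if key in DISPLAY_KEYS and MARKUP_RE.search(value)]

def user_count_mismatch(db_count, visible_count):
    """Accounts the database holds but the rendered user list does not show."""
    return db_count - visible_count

def parse_php_string_array(serialized):
    """Minimal parser for a serialize()d list of strings: a:N:{i:0;s:len:"...";...}."""
    head = re.match(r"a:(\d+):\{", serialized)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, items = head.end(), []
    for _ in range(int(head.group(1))):
        elem = re.compile(r'i:\d+;s:(\d+):"').match(serialized, pos)
        if not elem:
            raise ValueError("unexpected element at offset %d" % pos)
        start, length = elem.end(), int(elem.group(1))
        items.append(serialized[start:start + length])  # byte length = char length for ASCII
        pos = start + length + 2  # skip the closing '";'
    return items

def plugins_outside_plugins_dir(entries):
    """Entries that do not resolve to a path under wp-content/plugins/."""
    return [e for e in entries
            if e.startswith("/") or "\\" in e or posixpath.normpath(e).startswith("..")]
```

Run the three checks against your own dumps of wp_users, wp_usermeta and the plugin option; any non-empty result from the last two, or a positive count mismatch, is worth a manual look at the offending row.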
