Hidden Superadmin accounts following hacked site?

  • dgilmour
    Member

    @dgilmour

    My site was affected by the recent malware incident.

    While sorting that out I removed superadmin privileges until these accounts had passwords confirmed reset. During that, I noticed that the count of superadmins displayed above the user list is 5, although only 1 superadmin account is listed.

    I am concerned this could mean that rogue accounts have been created and are being hidden in some way. Can anyone point me to a process for dealing with this situation? I have a reasonable idea how the database tables work, but no idea how accounts can be hidden, or what to do about that.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Jackson
    Participant

    @madjax

    When they insert the users into the DB, they sometimes include .js which can hide the row in the list of users. If you find superadmins in your user table that you did not add, I would treat this as a compromise and install fresh and restore from backups.

    You can use phpMyAdmin to delete the users from the DB directly, and change your salts in wp-config.php.

    Let us know how it goes.

    Also worth checking out is the excellent Exploit Scanner plugin.

    Yeah there was a hack going around on single sites that did the same.

    dgilmour
    Member

    @dgilmour

    @jackson: I’d already done a fresh install, and was hoping to avoid having to restore from backups; I don’t know exactly when things were malware free, and it’s a busy site with approx 100 posts per day.

    Have used the MySQL command line to delete the excess superadmins. I used Andrea’s advice here to find out what to change: http://wordpress.org/support/topic/recover-super-admin-access-after-username-change?replies=13#post-1572003

    Jackson
    Participant

    @madjax

    You should, at a minimum, run Exploit Scanner, re-install your themes and plugins, reset your MySQL db password, and secure your wp-config.php file.

    Exploit Scanner will uncover some of the more common stuff.
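
An added example, not part of any reply in this thread: a multisite network keeps its super admin list as a PHP-serialized array of logins in `wp_sitemeta` under `meta_key = 'site_admins'`, so a mismatch like "5 counted, 1 listed" can be audited straight from the database rather than from the user screen. The sketch below assumes the default `wp_` table prefix and that you have exported that `meta_value` and the `wp_users` rows yourself; the function names and all sample data are constructed for illustration.

```python
import re

# One string element of a PHP-serialized array: s:<byte length>:"<value>";
_PHP_STR = re.compile(rb's:(\d+):"')
# Markup that has no business in a user field and could affect how a row renders.
_MARKUP = re.compile(r"[<>]|javascript:", re.I)
_FIELDS = ("user_login", "user_nicename", "display_name", "user_email", "user_url")

def parse_site_admins(meta_value):
    """Return the logins stored in the serialized site_admins value (bytes)."""
    logins, pos = [], 0
    while (m := _PHP_STR.search(meta_value, pos)):
        end = m.end() + int(m.group(1))          # length-prefixed, so quotes are safe
        if meta_value[end:end + 2] != b'";':
            raise ValueError("malformed serialized string")
        logins.append(meta_value[m.end():end].decode("utf-8"))
        pos = end + 2
    return logins

def audit(meta_value, users, expected):
    """users: wp_users rows as dicts; expected: logins you granted super admin to."""
    by_login = {u["user_login"]: u for u in users}
    findings = []
    for login in parse_site_admins(meta_value):
        if login not in expected:
            findings.append((login, "unexpected super admin"))
        if login not in by_login:
            findings.append((login, "no matching wp_users row"))
    for u in users:
        for field in _FIELDS:
            if _MARKUP.search(u.get(field) or ""):
                findings.append((u["user_login"], "markup in " + field))
    return findings

# Constructed sample data (not taken from the thread or from any real site).
SAMPLE_META = b'a:3:{i:0;s:9:"siteowner";i:1;s:6:"wpsupp";i:2;s:5:"ghost";}'
SAMPLE_USERS = [
    {"user_login": "siteowner", "display_name": "Site Owner"},
    {"user_login": "wpsupp", "display_name": "<script>/* constructed */</script>"},
]

if __name__ == "__main__":
    for login, reason in audit(SAMPLE_META, SAMPLE_USERS, {"siteowner"}):
        print(login + ": " + reason)
```

Any finding means the account list shown in the dashboard should not be trusted until the rows behind it have been reviewed in the database.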
