WordPress.org

Forums

How can I force logout a user (a hacker) before their cookie runs out? (7 posts)

  1. Jeremy Clarke
    Member
    Posted 7 years ago #

    Hi guys, my 2.3.0 installation was compromised a few days ago. I've upgraded wp to 2.3.3 and locked everything down so that the attacker no longer has the power to modify my files (which they were doing like crazy).

    The problem is that at some point the attacker got control of my admin account. They haven't been destroying anything, just trying to sneak some ugly js into the content and excerpts of posts. I wrote a little logger that informed me it was the admin account that was editing the posts to add the javascript.

    I changed the password for the account, but now they are still using it to edit the posts.

    Is there any way I can force them to log back in before they can access the admin panel again? I just need to log them out once to see if they get back in or if it leaves them stuck.

    Thanks in advance, I know PHP etc and can write plugin/API code if it is necessary to boot this jerk off my install.

  2. Khairil Zhafri
    Member
    Posted 7 years ago #

    Have you tried deleting the user and transfer all posts/pages and admin privilege to a new user?

  3. Jeremy Clarke
    Member
    Posted 7 years ago #

    Actually that's a very good idea... I feel like there might be some negative effect of removing privileges from the admin account, but maybe there isn't...

    Does anyone know of a negative effect this might have? OTher than the potential for losing all admin accounts that is...

  4. Khairil Zhafri
    Member
    Posted 7 years ago #

    No. The admin account is just like other user with Administrator privilege.

  5. If you have changed the admin account password then the cookies the hacker has will have already been invalidated as they are in part based on a hash of the password.

    If the hacker can still get in it is likely they have either created a second admin account or have uploaded php files to your server which allow them to access the database directly so can regenerate themselves valid cookies.

  6. Jeremy Clarke
    Member
    Posted 7 years ago #

    Westi, thanks for the very useful response.

    I'm pretty sure they no longer have any php files of the kind you mention. They were using them like crazy but i've diff'ed my way through all the files on the server and none seem out of place.

    They were using the admin account but since I changed it's password have been jumping to various editor accounts (we have >100 accounts :S ) and even to author accounts (where they can only edit the author's own posts, which is what they are doing).

    To me this implies that they are not able to generate new accounts and that they are running out of saved hashes to use.

    Would patching my copy of WP to use the new 'salting' make a difference? I'm about to just tell all our users to change their passwords, but some are MIA and stuff, so it would probably end up being a huge hassle.

    Thanks for any input you can give.

  7. Jeremy Clarke
    Member
    Posted 7 years ago #

    Just a note: We had locked down and cleaned every directory in the system except for /wp-content/ which had to stay writeable for image uploads. The hacker was using a false jpg file full of php code in conjunction with a .htaccess file in the month folder (/uploads/2008/02) that was allowing php execution of jpg files.

    So: if you are being hacked and have full server access, disable .htaccess in your /wp-content/ folder and lock everything but /uploads/ down.

    They will think of some other way to get at us i'm sure.

Topic Closed

This topic has been closed to new replies.

About this Topic