Invisible Administrator

  • I’ve been suffering from multiple hacks into my WordPress installs, hosted on Mediatemple’s gs service. After this latest round I’ve done the usual cleanup and script removals (frustrating) and changed all my DB users and all my passwords everywhere possible. I’ve updated all WP installs to 3.0.3.

    But I still see an invisible administrator account on every dashboard. See this image:

    http://dl.dropbox.com/u/1259430/phantomuser.png

    I’ve gone through the MySQL and it’s only showing 1 admin in the database as far as I can see, by clicking on the wp-users “browse” icon or by running this SQL query:

    SELECT u.ID, u.user_login
    FROM wp_users u, wp_usermeta um
    WHERE u.ID = um.user_id
    AND um.meta_key = 'wp_capabilities'
    AND um.meta_value LIKE '%administrator%';

    that I found in the support forums here.

    Are my databases compromised? Sucuri scans show I’m good now, and Mediatemple has swept my sites to remove all the scripts they know about.

    But this one phantom admin has got me kinda spooked. I’m not very good at PHPMyAdmin – any advice would be great.

    Thanks
    ©

Viewing 8 replies - 1 through 8 (of 8 total)
  • Try running this and see if anything shows as administrator

    SELECT u.ID, u.user_login, um.meta_value
    FROM wp_users u, wp_usermeta um
    WHERE u.ID = um.user_id
    AND um.meta_key = 'wp_capabilities';

    It should show all your users. Anyone who should not be there, or anything strange about permissions should be visible.

    Thanks – I just tried that query too, and found no users, but the invisible admin still appears there in the WordPress dashboard.

    Moderator keesiemeijer (@keesiemeijer)

    maybe stupid but why not try: clear cookies and clear the cache of your browser

    You could try looking in wp-admin/users.php. If they hacked your site they might have left a bit of code hard copied into the file to give themselves a backdoor?

    Thanks guys. Clearing the cache & cookies didn’t change anything.

    datasoftict, I check the users.php file on two of my sites so far and found no back door code (I compared the file to a fresh blank file from the latest WP download). I’ll check the remaining 7 sites, but no luck.

    I found this site:

    http://blog.nachotech.com/?p=125

    and this

    http://www.studionashvegas.com/wordpress/latest-wordpress-hack-check-your-permalinks-people/

    which looked hopeful, but so far I haven’t been able to find any super users or hidden users.

    Blah.

    SOLVED

    Much thanks to this site:

    http://www.snipe.net/2010/01/when-wordpress-gets-hacked/

    I think what was happening was there were additional privileges assigned to the admin account. So searching for users with administrator privileges only returned ONE account. But that snipe article outlines how to search the database for additional wp_usermeta rows. Which I found.

    IMPORTANT: There’s a typo in the first query he supplies.

    select * from wp_usermeta where meta_values LIKE '%administrator%';

    “meta_values” shouldn’t have an s. It should read:

    select * from wp_usermeta where meta_value LIKE '%administrator%';

    So to review, my solution was to:

    1. Log in as admin
    2. Make a new admin file with a different name (whatever you like)
    3. Log out and log back in with that new account.
    4. Delete the first admin account – assign all posts to your new account.

    5. Go in PHPMyAdmin and browse your users – you’ll only see your new account. Note the ID#.

    6. On SQL tab, query this:

    select * from wp_usermeta where meta_value LIKE '%administrator%';

    and delete the row(s) that don’t match your new ID#

    7. On SQL tab, query this

    select * from wp_usermeta where meta_key='wp_user_level' AND meta_value='10'

    and delete the row(s) that don’t match your new ID#

    8. In your WordPress site, refresh the Users page, and the invisible Admin should have disappeared.

    9. Wipe hands on pants.

    10. You might go and reset all your passwords again at this point. ALL of them.

    11. You should do as the article says and scour your folder for any funny PHP files. Check your CGI-BIN folder, your uploads folders, everything. I found them all over.

    Good luck to anyone who has this same problem.

    ©
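
Added example, not part of the posts above: a read-only audit that combines the checks from steps 6 and 7 and uses a LEFT JOIN, so it also lists wp_usermeta rows whose user_id has no wp_users entry, which the join queries earlier in the thread cannot return. It assumes the default `wp_` table prefix; with another prefix the table names and the meta_key names change with it.

```sql
-- Added example (assumes the default `wp_` prefix). Read-only: nothing is
-- modified. Lists every row that grants administrator capability or
-- user level 10, and flags rows whose user_id has no wp_users row.
SELECT
    um.umeta_id,
    um.user_id,
    um.meta_key,
    um.meta_value,
    u.user_login,
    CASE
        WHEN u.ID IS NULL THEN 'ORPHAN: no wp_users row for this user_id'
        ELSE 'has wp_users row: confirm this account is expected'
    END AS finding
FROM wp_usermeta AS um
LEFT JOIN wp_users AS u
       ON u.ID = um.user_id
WHERE (um.meta_key = 'wp_capabilities' AND um.meta_value LIKE '%administrator%')
   OR (um.meta_key = 'wp_user_level'   AND um.meta_value = '10')
ORDER BY (u.ID IS NULL) DESC, um.user_id, um.meta_key;

-- Every usermeta row attached to a user_id with no wp_users entry,
-- whatever the key, so nothing tied to a phantom ID is overlooked
-- before the rows are deleted as in steps 6 and 7.
SELECT um.umeta_id, um.user_id, um.meta_key, um.meta_value
FROM wp_usermeta AS um
LEFT JOIN wp_users AS u
       ON u.ID = um.user_id
WHERE u.ID IS NULL
ORDER BY um.user_id, um.meta_key;
```

Export the flagged rows before deleting them, so there is a record of which user_id values and capabilities were planted.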

    today, you save my blog!!!

    Hi, Thanks for this! I followed all steps except #11, and thought it was fixed, but, spam comments came right back.

    Can someone explain what a non-programmer would look for (exactly) in step #11???

    Thanks

  • The topic ‘Invisible Administrator’ is closed to new replies.