• A new admin user appeared earlier in my WordPress; luckily I was at my PC when it happened, and received an email alert.

    The user was: Obuser
    Email was [email protected]

    I then noticed that I could not delete any spam from the admin side, as one of the spam comments was injected with some code to infect the site, thereby creating an admin account.

    What I did:

    1) Instead of deleting the user, I changed their permission from ‘Admin’ to ‘subscriber’, so if the bot tries to join again, it will be met with an account that is already there, but with ‘subscriber’ permissions.

    2) I then went to MySQL and deleted all the spam from there; once the offending message was removed, I was able to delete spam normally from the admin panel.
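    A defender's check for the situation in this post, added here as an example and not code from the original thread: it scans wp_users rows joined with their wp_capabilities meta, flags any administrator not on an allow-list, decodes the WordPress 4.3+ `user_activation_key` format (`<unix time>:<phpass hash>`, set when a password-reset link is issued to a new account) to show when the key was created, and builds the "downgrade to subscriber instead of delete" SQL the poster describes. The sample rows, the `siteowner`/`editor1` accounts and the hash placeholder are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample rows shaped like wp_users joined with the wp_capabilities
# row of wp_usermeta. The "obuser" row mirrors the account described in the
# thread; the other accounts and the hash placeholder are invented.
SAMPLE_ROWS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2014-05-01 10:00:00",
     "user_activation_key": "", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 2, "user_login": "editor1", "user_registered": "2015-01-12 08:30:00",
     "user_activation_key": "", "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 3, "user_login": "obuser", "user_registered": "2015-12-02 15:10:40",
     "user_activation_key": "1449069040:$P$B<PLACEHOLDER-HASH>",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]
KNOWN_ADMINS = {"siteowner"}  # administrators the site owner expects to exist

def parse_roles(serialized: str) -> set:
    """Role names from a PHP-serialized wp_capabilities array,
    e.g. a:1:{s:13:"administrator";b:1;} -> {"administrator"}."""
    return {m.group(1) for m in re.finditer(r's:\d+:"([^"]+)";b:1;', serialized)}

def parse_activation_key(key: str):
    """WordPress 4.3+ stores a pending password-reset key as
    "<unix time>:<phpass hash>"; return its issue time (UTC) or None."""
    m = re.match(r'^(\d+):(\$P\$.+)$', key)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None

def find_unexpected_admins(rows, known_admins):
    """Administrators not in the allow-list, with registration time and
    the time any pending reset key was issued (a fresh one is suspicious)."""
    findings = []
    for row in rows:
        if "administrator" not in parse_roles(row["wp_capabilities"]):
            continue
        if row["user_login"] in known_admins:
            continue
        issued = parse_activation_key(row["user_activation_key"])
        findings.append({"ID": row["ID"], "user_login": row["user_login"],
                         "user_registered": row["user_registered"],
                         "reset_key_issued": issued.isoformat() if issued else None})
    return findings

def demote_sql(user_id: int, prefix: str = "wp_") -> list:
    """SQL for the thread's remediation step: keep the row so the bot cannot
    re-register the name, but drop it to subscriber (and user_level 0)."""
    uid = int(user_id)
    return [
        f"UPDATE {prefix}usermeta SET meta_value='a:1:{{s:10:\"subscriber\";b:1;}}' "
        f"WHERE user_id={uid} AND meta_key='{prefix}capabilities';",
        f"UPDATE {prefix}usermeta SET meta_value='0' "
        f"WHERE user_id={uid} AND meta_key='{prefix}user_level';",
    ]
```

    Run `find_unexpected_admins` against a dump of the two tables on a schedule, not just after an alert; the new-user email the poster relied on is only sent when registration goes through WordPress itself.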

Viewing 15 replies - 1 through 15 (of 17 total)
  • Moderator James Huff

    (@macmanx)

    User injection is actually an old hack. Start by immediately changing the password to your MySQL database through your hosting account’s control panel. Don’t forget to add the new password to the wp-config.php file.

    Next, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    The same problem:
    First: you get comment with some suspicious code. This comment was discussed here https://www.ads-software.com/support/topic/is-this-a-hello-world-blog-post-hack-of-some-kind
    I spammed it and noticed that the comment section on the WP dashboard was acting strange. For example, I couldn’t empty the spam.
    Then, ten minutes later, I got a new user registration email. Its name was obuser and it had the role of Administrator. I changed his role to “None”.

    My WP 4.3.1

    I don’t think, @james, that someone hacked the MySQL DB password. If someone had just added a new row to wp-users we would not have got an email about a new user registration… I think, but I can check. I am OK with DBs and MySQL. By the way, this user has user-activation-key=”1449069040:$P$BF9DUww03BtZtuTicT264TTOhan4aJ.” I don’t know what it means. Maybe someone knows? Maybe this information will help someone?

    Code inside comment was:
    [Code moderated. Please do not post hack code blocks in the forums.]

    The fact that your site was hacked does not, per se, suggest any issue with the current security of WordPress core. There are many other, far more likely, reasons that your site was hacked – insecure server, leaked FTP passwords, insecure plugin, insecure theme etc etc.

    If – and only if – you can verify that there is a security issue within core, you can contact security [at] www.ads-software.com with all of the relevant details.

    @ben121 and I were for sure hacked through the comment section. That might not be a WP security issue but some plugin issue, and we are trying to discuss and solve this problem here.

    If you want to swap hack code blocks, perhaps you could use a resource like pastebin? Just please don’t post it here. Apart from anything else, such code blocks can trigger AV software – blocking access to your topic completely.

    OK, @esmi, no code anymore. Thank you for removing it.

    No problem

    Your best bet on narrowing this down might be to run some Google searches on bits of the injected code and see what it throws back. Just be careful, though. Unless you have verified exactly what this hack does, there’s always the possibility that infected sites may try to download malware. Even with a fully up-to-date AV defence in place, a new piece of malware can bypass it. Been there, had it happen. Took 4 hours to clean this machine.

    @svetlana0777 You were asked not to publish any such “discoveries” – but you continue doing that on all forums (Google+, etc.). Please stop.

    Yes, it definitely goes through the WP comments.
    My site just survived such an attack, and I was lucky as it was stopped by the WP-SpamShield plugin because the code they tried to inject failed one of the tests this plugin performs before it lets a comment be posted. All the activity and the injection code itself stayed in the plugin log.

    Moderator James Huff

    (@macmanx)

    Since you still have all the logs, would you please report it following https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/ ?

    @tiv.NET INC., you did not understand. I was asked not to publish the code that was included in the comment. Hundreds of people were attacked, and they need to know that if they get a comment with “strange code”, they can get the user “obuser” with Administrator privileges next. And here is the place where we discuss it and try to solve the problem.

    Moderator James Huff

    (@macmanx)

    I’ll rephrase. If you have found a legitimate security issue, please do not endanger the 25% of known websites in the world using WordPress by publicly disclosing or discussing details of the issue.

    Please use https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/ instead.

    OK. I did.

    Moderator James Huff

    (@macmanx)

    Thank you!

  • The topic ‘Current hack on 4.3.1’ is closed to new replies.