modified wp-admin/user.php file – possibly hacked?

  • was in the middle of making a new post (not adding plugin or anything, just posting), then suddenly my admin panel became accessible returning the php error “unexpected T_string in wp-admin/user.php line 451”

    // FINALLY, delete user

line 451:	$wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d", $id) );
	$wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->users WHERE ID = %d", $id) );

	wp_cache_delete($id, 'users');
	wp_cache_delete($user->user_login, 'userlogins');
	wp_cache_delete($user->user_email, 'useremail');
	wp_cache_delete($user->user_nicename, 'userslugs');

    I was puzzled and tried to search for this issue on forum, even though no exactly same problem is described, I found a similar thread and they explained that it might be a possible hack attempt. So I downloaded my user.php and compared with the original package, there’s indeed an extra line of code just before line 451:

    starting from line 443:

    } else {
		$reassign = (int) $reassign;
		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_author = %d WHERE post_author = %d", $reassign, $id) );
EXTRA LINE OF CODE:		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d2, $reassign, $id) );
	}

    My hosting company asked me to confirm in this place that this extra line of code is not generated automatically by wordpress/any plugins itself.

    So, what’s the real purpose of adding this extra line?
    $wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d2, $reassign, $id) );

Viewing 12 replies - 1 through 12 (of 12 total)

  • so everyone is on the same page, you said:

    wp-admin/user.php

    wordpress comes with a users.php not a user.php (wordpress’ file is also not that large). Can you check the file name youre looking at, again, and verify its name? also what version, exactly, of wordpress are you using?

    Thread Starter guardog

    (@guardog)

    sorry, it’s

    wp-admin/includes/user.php

    I’m using 2.8.4, but was upgraded from 2.8.3 – not a clean install of 2.8.4

    All the same here on 2.8.4 on the local install (i can’t see that anyone could or would have been able to hack my copy with the same piece of code).

    Lines 443 – 463:

    } else {
		$reassign = (int) $reassign;
		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_author = %d WHERE post_author = %d", $reassign, $id) );
		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d", $reassign, $id) );
	}

	// FINALLY, delete user

	$wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d", $id) );
	$wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->users WHERE ID = %d", $id) );

	wp_cache_delete($id, 'users');
	wp_cache_delete($user->user_login, 'userlogins');
	wp_cache_delete($user->user_email, 'useremail');
	wp_cache_delete($user->user_nicename, 'userslugs');

	// allow for commit transaction
	do_action('deleted_user', $id);

	return true;
}

    Note: I’m also using an upgrade version as oppose to a fresh install, whether that makes a difference or not i don’t know, but wanted to share that i’m also using an upgraded WordPress.

    ah ok, that makes a difference.

    ugh, im confused.

    in the zip:

    } else {
		$reassign = (int) $reassign;
		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_author = %d WHERE post_author = %d", $reassign, $id) );
		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d", $reassign, $id) );
	}

	// FINALLY, delete user

	$wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d", $id) );
	$wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->users WHERE ID = %d", $id) );

	wp_cache_delete($id, 'users');
	wp_cache_delete($user->user_login, 'userlogins');
	wp_cache_delete($user->user_email, 'useremail');
	wp_cache_delete($user->user_nicename, 'userslugs');

    from your paste, minus your emphasis:

    } else {
		$reassign = (int) $reassign;
		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_author = %d WHERE post_author = %d", $reassign, $id) );
		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d2, $reassign, $id) );
	}

    it looks the same to me?

    It’s safe… we all have the same.. ?? (not that the same means safe, but safe in terms of “it’s what should be there”)

    Thread Starter guardog

    (@guardog)

    sorry, i misinterpreted my diff engine as “extra line of code”

    there’s a difference over here

    $wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d", $reassign, $id) );

    in my so-called modified user.php, it’s

    WHERE link_owner = %d2,

    Any idea why this can happen? Server routine jobs which spoils my php file?

    ahhh, i see it.

    back to the question I wanted to ask before — does that file have a markedly different timestamp than other files in the same dir?

    do any other files within those that make up your wordpress site have a timestamp that matches or is VERRRYYY close to the other file?

    I would be diffing those also, if there are.

    Thread Starter guardog

    (@guardog)

    timestamp are not altered, just the same as I’d uploaded it.

    put it like this, i uploaded them on 12/8, the problem arised on 14/8, the timestamp of the files are all still 12/8.

    Can’t really confirm the incident now, because I had reinstalled the whole wordpress with a clean 2.8.4, so I can’t really diff those files anymore.

    If it looks benign then I’ll report that to my hosting company.

    Thread Starter guardog

    (@guardog)

    bumped

    If the problem has gone, just leave it be and see if the problem creeps back..

    It doesn’t make sense that a user would gain access then make only that small change and leave it be.

    Does anyone else have access via FTP? Perhaps someone opened the file, hit a key (accidental) and closed the file again, saving the change in the process.

    It looks more like an accidental change then an intended one in my opinion.

    Just keep an eye on the logs, and perhaps change your FTP login (just to be sure).

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘modified wp-admin/user.php file – possibly hacked?’ is closed to new replies.