• First, I know I have an old version of WordPress. I know I should upgrade, and I am working with my ISP to do just that… But until that time comes to pass, I have to deal with the here and now, ok? Ok…

    I have a problem with my blog being hacked. And not just the WordPress.ini, or parse error problems either. I started noticing an admin user in the admin console would disappear after the page was fully loaded in the browser. So, I took a screenshot the next time it appeared/disappeared and a user titled WordPress with an E-mail address of [email protected] is clearly there on the screenshot.

    I went into the database and wiped this user out, changed all the passwords, and thought that was the end of it – but the user keeps coming back. So, I backed up everything, replaced the entire WordPress installation one file at a time, deleted the user from the database, changed all the passwords, and thought that was the end of it.

    And then the mystery user came back.

    Has anyone heard tell of what is going on with this and how to fight it? I am perfectly aware that upgrading will probably make this go away, but as I mentioned that is not a fix that is going to happen today. Soon, but not today.

    Any and all helpful ideas cheerfully accepted!

    Thanks for your time and help!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter 1macgeek

    (@1macgeek)

    I don’t suppose you could narrow it down to less than 1,200 articles to search?

    adamheine

    (@adamheine)

    I had this problem too. I think I’ve gotten rid of the user (though only time will tell). If you can’t upgrade, or better yet do a clean install, try some of the tips here along with using this Exploit Scanner plugin to help you find offending files.

    I used the plugin and found that all my files were clean, but the user was still there. I think it was there from a previous hack that I’d dealt with. You seem to have been able to get rid of the user via database changes. I was able to do it using WordPress admin (sort of), and I’ll put that procedure here for others as well (I’m using WP 2.7.1):

    (1) Go to the users tab. The offending user (mine was named “WordPress” with the e-mail address “[email protected]”) will suddenly disappear when the page is fully loaded.
    (2) Mouse over the users and the ‘Delete’ link. You’ll notice the URL to delete a user is the same for every user except for the user_id, like this: https://www.yourdomain.com/wp-admin/users.php?action=delete&user=3&_wpnonce=a9f12f3d4f
    (3) What you need to do is find the user_id of the hacked user. To do this, I looked at the HTML source of the user admin page and searched for the user’s name and e-mail address. It will be in a fairly convoluted <tr> element, but with some patience you should be able to compare this with the other elements to find the ID of the bad user (you can even find the entire delete link in here, in which case the next step is easier).
    (4) When you find the user id, copy the delete link for another user, paste it into a new browser window, and change the number after “user=” to be the same as the offending user’s ID. Then hit enter.
    (5) You should be sent to a confirmation page, and the page should have the name of the correct user (double-check this – you don’t want to accidentally delete a real user!). Confirm and delete the sucker.

    I think if you’ve successfully removed all the hacker’s other scripts, the user should be gone for good. Good luck!
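The search in step (3) of the reply above can be run against a saved copy of the Users page source, where nothing that hides the row after load gets to execute; this is an added example, not part of the original reply. It assumes each user row is a `<tr>` whose id has the form `user-<ID>`, and the `unexpected_users` helper, sample markup and addresses are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a saved wp-admin/users.php page source (not real data).
# Assumption: each user row is a <tr> whose id attribute is "user-<ID>".
SAMPLE = """
<table class="widefat"><tbody id="users">
<tr id='user-1' class="alternate"><td><strong>admin</strong></td><td>admin@example.com</td><td>Administrator</td></tr>
<tr id='user-2'><td><strong>editor1</strong></td><td>editor1@example.com</td><td>Editor</td></tr>
<tr id='user-3' class="alternate"><td><strong>WordPress</strong></td><td>hidden@example.invalid</td><td>Administrator</td></tr>
</tbody></table>
"""


class UserRowParser(HTMLParser):
    """Collect the visible text of every <tr id="user-N"> row in the raw source."""

    def __init__(self):
        super().__init__()
        self.rows = {}        # user ID -> list of text fragments in that row
        self._current = None  # user ID of the row being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            match = re.fullmatch(r"user-(\d+)", dict(attrs).get("id") or "")
            self._current = int(match.group(1)) if match else None
            if match:
                self.rows[self._current] = []

    def handle_endtag(self, tag):
        if tag == "tr":
            self._current = None

    def handle_data(self, data):
        if self._current is not None and data.strip():
            self.rows[self._current].append(data.strip())


def unexpected_users(page_source, known_ids):
    """Return {user_id: row text} for rows whose ID is not in known_ids."""
    parser = UserRowParser()
    parser.feed(page_source)
    return {uid: " | ".join(text)
            for uid, text in parser.rows.items() if uid not in known_ids}


if __name__ == "__main__":
    # IDs 1 and 2 are the accounts the site owner actually created.
    for uid, text in unexpected_users(SAMPLE, {1, 2}).items():
        print(f"unexpected user_id={uid}: {text}")
```

The ID it reports is the number to put after "user=" in step (4).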

  • The topic ‘Mystery User’ is closed to new replies.