Whitelisted IPs and Array entries?

Hey guys… I’m just chiming in here because I am also seeing the Array,Array issue on a number of my sites. I don’t know if I can correlate this 100%, but I know at least on two of them I’ve received what I call “login attacks”… some IP is trying over and over to login with various UID, or access wp-admin urls.

This is a sample (truncated) of what is placed in the Whitelists field:

198.61.176.9,198.61.173.69,23.253.56.59,23.253.62.185,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Array,Ar

This was only noticed when I tried to save options and received an error. Note that the Whitelists field is sized such that the IP addresses at the front of the list show and you don’t see the Array entries because they fall past the end of the display length.

PS: To allow saving of the options I simply did a “select all” in the Whitelists field, deleted everything, and then saved. Thus an empty Whitelists field. But I’m wondering if this is some type of malicious stuffing going on.

Thanks Norm for confirming.

Hopefully will make it easier to get a fix sooner than later.

Can both of you post hosting providers?

tim

We run our own hosting servers.

I’ve had this issue show on both Godaddy cpanel hosting and hostgagor hosting.

@swedeman

Since you run your own servers, can you search for array in your wordpress folder? Like grep array * and see if anything comes back?

Thanks

tim

create_masterblog_zip.php:exec($command, $output=array(), $worked);
create_masterblog_zip.php:$tables = array();
create_masterblog_zip.php:$tables = is_array($tables) ? $tables : explode(',',$tables);
create_masterblog_zip.php:$array_items = array();
create_masterblog_zip.php:$array_items = array_merge($array_items, directoryToArray($directory. "/" . $file, $recursive));
create_masterblog_zip.php:$array_items[] = preg_replace("/\/\//si", "/", $file);
create_masterblog_zip.php:$array_items[] = preg_replace("/\/\//si", "/", $file);
create_masterblog_zip.php:return $array_items;
create_masterblog_zip.php:$wp_files = array();
wp-cron.php:if ( false === $crons = _get_cron_array() )
wp-cron.php:$keys = array_keys( $crons );
wp-cron.php:				$new_args = array($timestamp, $schedule, $hook, $v['args']);
wp-cron.php:				call_user_func_array('wp_reschedule_event', $new_args);
wp-cron.php:			 * @param array  $args The arguments to be passed to the hook.
wp-cron.php: 			do_action_ref_array( $hook, $v['args'] );
wp-links-opml.php:	if ( !in_array($link_cat, array('all', '0')) )
wp-links-opml.php:	$cats = get_categories(array('taxonomy' => 'link_category', 'hierarchical' => 0));
wp-links-opml.php:	$cats = get_categories(array('taxonomy' => 'link_category', 'hierarchical' => 0, 'include' => $link_cat));
wp-links-opml.php:foreach ( (array)$cats as $cat ) :
wp-links-opml.php:	$bookmarks = get_bookmarks(array("category" => $cat->term_id));
wp-links-opml.php:	foreach ( (array)$bookmarks as $bookmark ) :
wp-login.php:	$shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
wp-login.php:	 * Filter the error codes array for shaking the login form.
wp-login.php:	 * @param array $shake_error_codes Error codes that shake the login form.
wp-login.php:	if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
wp-login.php:	$classes = array( 'login-action-' . $action, 'wp-core-ui' );
wp-login.php:	 * @param array  $classes An array of body classes.
wp-login.php:	$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
wp-login.php:if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )
wp-login.php:		wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
wp-login.php:<?php if ( ! isset( $_GET['checkemail'] ) || ! in_array( $_GET['checkemail'], array( 'confirm', 'newpass' ) ) ) :
wp-mail.php:	$dmonths = array('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
wp-mail.php:	$post_category = array(get_option('default_email_category'));
wp-settings.php:$GLOBALS['wp_plugin_paths'] = array();
wp-signup.php:if ( is_array( get_site_option( 'illegal_names' )) && isset( $_GET[ 'new' ] ) && in_array( $_GET[ 'new' ], get_site_option( 'illegal_names' ) ) == true ) {
wp-signup.php: * @param array $errors
wp-signup.php:	 * @param array $errors An array possibly containing 'blogname' or 'blog_title' errors.
wp-signup.php: * @return array Contains the new site data and error messages.
wp-signup.php: * @param array $errors
wp-signup.php:	 * @param array $errors An array possibly containing 'user_name' or 'user_email' errors.
wp-signup.php: * @uses wpmu_validate_user_signup() to retrieve an array of user data
wp-signup.php: * @return array Contains username, email, and error messages.
wp-signup.php: * @param array $errors
wp-signup.php:	$signup_defaults = array(
wp-signup.php:	 * @param array $signup_defaults {
wp-signup.php:	 *     An array of default site sign-up variables.
wp-signup.php:	 *     @type array  $errors     An array possibly containing 'blogname' or 'blog_title' errors.
wp-signup.php:	$blog_meta_defaults = array(
wp-signup.php:	 * @param array $blog_meta_defaults An array of default blog meta variables.
wp-signup.php:	 * @param array $meta {
wp-signup.php:	 *     An array of default site meta variables.
wp-signup.php: * @param array $meta Any additional meta from the 'add_signup_meta' filter in validate_blog_signup()
wp-signup.php:function confirm_another_blog_signup( $domain, $path, $blog_title, $user_name, $user_email = '', $meta = array() ) {
wp-signup.php: * @param array $errors
wp-signup.php:	$signup_user_defaults = array(
wp-signup.php:	 * @param array $signup_user_defaults {
wp-signup.php:	 *     An array of default user variables.
wp-signup.php:	 *     @type array  $errors     An array of possible errors relevant to the sign-up user.
wp-signup.php: * @uses validate_user_form() to retrieve an array of the user data
wp-signup.php:	wpmu_signup_user( $user_name, $user_email, apply_filters( 'add_signup_meta', array() ) );
wp-signup.php: * @param array $errors
wp-signup.php:	$signup_blog_defaults = array(
wp-signup.php:	 * @param array $signup_blog_defaults {
wp-signup.php:	 *     An array of default site creation variables.
wp-signup.php:	 *     @type array  $errors     An array of possible errors relevant to new site creation variables.
wp-signup.php: * @uses wpmu_validate_user_signup() to retrieve an array of the new user data and errors
wp-signup.php: * @uses wpmu_validate_blog_signup() to retrieve an array of the new site data and errors
wp-signup.php:	$signup_meta = array ('lang_id' => 1, 'public' => $public);
wp-signup.php: * @param array $meta Any additional meta from the 'add_signup_meta' filter in validate_blog_signup()
wp-signup.php:function confirm_blog_signup( $domain, $path, $blog_title, $user_name = '', $user_email = '', $meta = array() ) {
wp-trackback.php:	wp( array( 'tb' => '1' ) );
wp-trackback.php:$request_array = 'HTTP_POST_VARS';
wp-trackback.php:	$charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
xmlrpc.php:$_COOKIE = array();

@noah Can you do it too?

tim

Tim-

Are we waiting on Noah or is there something relevant in the grep info previously posted?

Thanks

Who’s Noah on this thread? Or do you mean me, Norm?

Probably you Norm as you’re the only one who has responded.

Sorry to have confused your name as was going off what Tim had posted.

I just had another site hit with the Array stuffing in the Whitelist field. This is either a bug or someone thinks there is a malicious back door through Wordfence.

One thing that might correlate… I think the Array stuffing was recent… I just installed Wordfence on this site yesterday, and today I have received a number of new user signups that look suspicious to me.

Sounds more like a bug or database anomaly to me.

Sorry Norm. I apologize. Yes, can you post yours too?

tim

Hey Tim, no problem. I thought it might be me but I just wasn’t sure.

I just had one of my sites which I had cleaned out the Whitelist field previously because it had the Array stuffing come back with the Array stuffing.

[Large code excerpt removed by moderator per forum rules. Please use the pastebin for all large code excerpts. It works better anyway.]

I would be happy to give you admin access to it for trouble-shooting if you would like.