ScreenName
Forum Replies Created
Looks like I have found a solution… the below code updates the usergroup. As long as you know the WP_UID and the GROUP NUMBER.
WP_UID can be pulled from the WP_DB with a simple username/password verification script (not included here).
The group number (ID) can be found in the HTML source code of any subscriber page. Look for the CheckBox formfield value.
Example:
<input type="checkbox" id="uam_usergroups-1" value="1" name="uam_usergroups[]" />
You could potentially first query the UAM class for a list of all groups, but this was beyond my needs so I have not spent time investigating it.
The below code updates the Groups associated with the access level.
In this case the GroupID being updated is Group 2.
$wp_uid = 25;      // WordPress user ID
$userGroupId = 2;  // Group ID to be updated

// The plugin exposes its main object as a global
global $userAccessManager;
$uamAccessHandler = $userAccessManager->getAccessHandler();
// Load the group, attach the user to it, then persist the change
$uamUserGroup = $uamAccessHandler->getUserGroups($userGroupId);
$uamUserGroup->addObject('user', $wp_uid);
$uamUserGroup->save();
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File
Update: It’s been 4 days since my last post. All sites are clean… no reports from Google or site users otherwise.
It would appear the malware code was injected into a WP_Include file, thus the update to 3.2.2 has overwritten the hacked file. If you are running 3.2.2 already you might try copying a fresh set of WP include files to your WP_Includes directory…
As for “how” this attack happened, I am unsure – and we may never know… so for now I am tightening all security on the server to protect us as best as possible. I suggest other WP users do the same.
Thank you to the community – especially those listed above for all your help and support.
Thank you Takayuki Miyoshi.
I have updated to 2.4.6 and it works. I will wait to try the new version once released. Thank you for your help.
For now I will roll each site back to 2.4.3
If there is anything else I can do to help you pinpoint the issue please let me know.
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File
I would suggest the vulnerability in the server or WP is still present in the latest version. Allowing the hacker access. I upgraded AFTER notice of the virus (May 30).
I run 5 websites. I did not upgrade them all… instead I upgraded only 1, then resubmitted them all to Google for a health review.
Within hours all sites were listed as “clean”… but within 48 hours I had a new notice from Google regarding TWO of the 4 sites not updated to WP 3.2.2.
Since then I have updated these sites and resubmitted for Google HealthCheck.
I’ll need to take a good look at how the hacker gained access to prevent this happening again. I’ll post anything I find that might be useful for others.
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File
OK, great, thanks. I’d done a search in my PHP files for the same script (and portions of) and nothing is returned… however…
If the location was the same for me (hidden in WP includes) then the upgrade on my server from an older version of WP to 3.2.2 would have overwritten the file, thus removed the virus.
I’ll need to resubmit to Google and wait. Meanwhile I work on possible security issues that might have allowed the hacker access to the site.
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File
Would you mind posting the line you found?
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File
Agreed, and many of those steps are already taken… and will be taken again once the source is found.
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File
Ahh… looks like the moderator pulled my list of files…
Here it is again (condensed)
* ./wp-app.php (Filename)
-long_text – base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'
-long_text – base64_decode(substr($_SERVER['REDIRECT_REMOTE_USE
* ./wp-includes/class-IXR.php (Filename)
-unknown – base64_decode( trim( $this->_currentTagContents
* ./wp-includes/class-simplepie.php (Filename)
-unknown – base64_decode($data
I’ll check out the tool you have suggested.
I am encouraged that I am not the only one stumped by this issue… and that there will be a host of people looking to solve this issue very quickly.
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File
Hi Redleg-too
The offending script code on my site is almost identical to the one on your post at https://badwarebusters.org/main/itemview/29055#itemblock-29059
The bulk of the code is identical. Only the second half of the first param val/var (“en0no3mno3nia-sno3ndpno3rxrpno3rxen0d”) is different.
I’ve pasted a copy to Pastebin for further review https://pastebin.com/JUVgBW5P
I’ve also completed a base64_decode search of all files; below are the results. Only 3 files in my domain folder (and subfolders) contain the base64_decode line.
Only 3 files returned a match.
The first two look legit… however the third (class-simplepie) I need to check against a fresh install of WP to confirm this file and all contents are delivered with WP install.
[Code moderated as per the Forum Rules. The maximum number of lines of code that you can post in these forums is ten lines. Please use the pastebin]
Would you like a report of files containing “EVAL”?
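The check against a fresh install mentioned in the post above, as an added example that is not part of the original post: a Python sketch that hashes every PHP file in the live tree against a clean copy of the same WordPress version, and flags base64_decode( or eval( only in files that are changed or extra. The function names, the directory layout and the file contents built in demo() are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The calls the thread grepped for; unmodified core files contain them too.
SUSPECT = re.compile(rb"\b(base64_decode|eval)\s*\(")

def php_files(root: Path) -> dict:
    """Map relative path -> absolute path for every .php file under root."""
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*.php") if p.is_file()}

def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(installed: Path, pristine: Path) -> dict:
    """Compare a live tree with a fresh copy of the same WordPress version."""
    live, clean = php_files(installed), php_files(pristine)
    report = {"modified": [], "unexpected": [], "suspect": [],
              "missing": sorted(set(clean) - set(live))}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            report["unexpected"].append(rel)
        elif digest(path) != digest(clean[rel]):
            report["modified"].append(rel)
        else:
            continue  # byte-identical to the release copy: grep hits are benign
        if SUSPECT.search(path.read_bytes()):
            report["suspect"].append(rel)  # changed or extra file with a hit
    return report

def demo() -> dict:
    """Audit two small trees built from constructed sample content."""
    legit = "<?php $v = base64_decode( trim( $this->_currentTagContents ) );\n"
    added = "eval( base64_decode( $constructed_placeholder ) );\n"
    with tempfile.TemporaryDirectory() as tmp:
        for tree, tail in (("pristine", ""), ("installed", added)):
            inc = Path(tmp, tree, "wp-includes")
            inc.mkdir(parents=True)
            (inc / "class-IXR.php").write_text(legit)
            (inc / "class-simplepie.php").write_text("<?php // feed parser\n" + tail)
        Path(tmp, "installed", "wp-includes", "extra.php").write_text("<?php\n")
        return audit(Path(tmp, "installed"), Path(tmp, "pristine"))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site the pristine tree must be unpacked from the exact release that is installed, and themes, plugins and uploads under wp-content will appear as unexpected because a release archive does not ship them.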
I just tried a different WP site
upgraded WP to 3.2.2
Then upgraded the CF7 plugin to 3.1.2
It now has the same issue… page will not load while plugin is activated.
debug now = TRUE
Version 2.4.3 page loads ok
Version 3.1.2 same as before….
Is there a log I can retrieve?
Deactivated all plugins including CF7 and page loads (but without form – shortcode displayed)
Activated CF7 version 2.4.3 –> page loads with form
Deactivated 2.4.3
Activated CF7 3.1.2 –> Page does not display – same message as before.
I have tested the default 2010 and 2011 themes (prior to and after updates of the themes). In all instances the result is the same…
Internet Explorer cannot display the webpage
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File
Thanks esmi
I was just coming back to update my post with a little more information…
I have already:
- Visited both https://sitecheck.sucuri.net/scanner/ and https://www.unmaskparasites.com/. Both show the site and pages as clean.
- Confirmed HTAccess files are all clean.
I will continue to search, read, apply and report back.
It seems though that none of the posts I can find are specific to the script appearing from within the wp_head()… most talk about base64_decode PHP, Iframes, and code injected straight into the header/footer.php files. This is different… it’s being generated somewhere deeper in the WP files.
A complete reinstall might be the only way to fix… the source.. I may never know.