Title: Current hack on 4.3.1
Last modified: August 30, 2016

---

# Current hack on 4.3.1

 *  [Ben121](https://wordpress.org/support/users/ben121/)
 * (@ben121)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/)
 * A new admin user appeared earlier in my WordPress. Luckily, I was at my PC when
   it happened and received an email alert.
 * The user was: Obuser
    Email was user@gmail.com
 * I then noticed that I could not delete any spam from the admin side, as one of
   the spam comments was injected with some code to infect the site, thereby creating
   an admin account.
 * What I did:
 * 1) Instead of deleting the user, I changed their permission from ‘Admin’ to
   ‘subscriber’, so if the bot tries to join again, it will be met with an account
   that is already there, but with ‘subscriber’ permissions.
 * 2) I then went to MySQL and deleted all the spam from there; once the offending
   message was removed, I was able to delete spam normally from the admin panel.

Viewing 15 replies - 1 through 15 (of 17 total)


 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799771)
 * User injection is actually an old hack. Start by immediately changing the password
   to your MySQL database through your hosting account’s control panel. Don’t forget
   to add the new password to the wp-config.php file.
 * Next, carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  [Svetlana0777](https://wordpress.org/support/users/svetlana0777/)
 * (@svetlana0777)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799874)
 * The same problem:
    First: you get a comment with some suspicious code. This comment
   was discussed here [https://wordpress.org/support/topic/is-this-a-hello-world-blog-post-hack-of-some-kind](https://wordpress.org/support/topic/is-this-a-hello-world-blog-post-hack-of-some-kind)
   I spammed it and noticed that the comment section on the WP dashboard was acting strange.
   For example, I can’t empty spam. Then in ten minutes I’ve got a new user registration
   email. Its name is obuser and it has the role of Administrator. I changed his role
   to “None”.
 * My WP 4.3.1
 * I don’t think [@james](https://wordpress.org/support/users/james/) that someone
   hacked the MySQL DB password. If someone just added a new row to wp-users we would
   not get an email about new user registration… I think, but I can check. I am OK
   with DBs and MySQL. By the way, this user has user-activation-key=”1449069040:$P$BF9DUww03BtZtuTicT264TTOhan4aJ.”
   I don’t know what it means. Maybe someone
   knows? Maybe this information will help someone?
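
Added example (not part of the thread, and not WordPress code): the value quoted in the post above has the layout WordPress has used for stored password-reset keys since 4.3, a Unix timestamp, a colon, then a phpass hash of the key that was e-mailed. The sketch below splits such a value for incident timelines; the function names are hypothetical and the `user_registered` value is constructed.

```python
from datetime import datetime, timezone

# Alphabet phpass uses for its cost character, salt and hash encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_activation_key(value):
    """Split a wp_users.user_activation_key value into its parts.

    Returns None for an empty column. The hash is one-way: nothing here
    recovers the key that was e-mailed to the account's address.
    """
    if not value:
        return None
    stamp, sep, digest = value.partition(":")
    if sep and stamp.isdigit():
        issued = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    else:
        # No "<digits>:" prefix: treat the whole value as the stored hash.
        issued, digest = None, value
    info = {"issued_utc": issued, "digest": digest, "scheme": "unknown"}
    # phpass portable layout: "$P$" + 1 cost char + 8 salt chars + 22 hash chars
    well_formed = (digest.startswith("$P$") and len(digest) == 34
                   and all(c in ITOA64 for c in digest[3:]))
    if well_formed:
        info.update(scheme="phpass-portable",
                    iterations=1 << ITOA64.index(digest[3]),
                    salt=digest[4:12])
    return info

def seconds_between(key_info, user_registered):
    """Gap between account creation (user_registered, stored in UTC) and key issue."""
    if key_info is None or key_info["issued_utc"] is None:
        return None
    registered = datetime.strptime(user_registered, "%Y-%m-%d %H:%M:%S")
    registered = registered.replace(tzinfo=timezone.utc)
    return (key_info["issued_utc"] - registered).total_seconds()

# Key value as quoted in the post above.
KEY = "1449069040:$P$BF9DUww03BtZtuTicT264TTOhan4aJ."

if __name__ == "__main__":
    info = parse_activation_key(KEY)
    print(info["issued_utc"].isoformat(), info["scheme"], info["iterations"])
    # Constructed registration time, one second before the key was issued.
    print(seconds_between(info, "2015-12-02 15:10:39"))
```

A key issued within seconds of `user_registered` fits an account whose set-password e-mail was generated at creation time; the timestamp can then be lined up against web server access logs for the same minute.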
 *  [Svetlana0777](https://wordpress.org/support/users/svetlana0777/)
 * (@svetlana0777)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799876)
 * Code inside comment was:
    _[Code moderated. Please do not post hack code blocks
   in the forums.]_
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799877)
 * The fact that your site was hacked does not, per se, suggest any issue with the
   current security of WordPress core. There are many other, far more likely, reasons
   that your site was hacked – insecure server, leaked FTP passwords, insecure plugin,
   insecure theme etc etc.
 * If – and only _if_ – you can _verify_ that there is a security issue within core,
   you can contact security [at] wordpress.org with all of the relevant details.
 *  [Svetlana0777](https://wordpress.org/support/users/svetlana0777/)
 * (@svetlana0777)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799878)
 * [@ben121](https://wordpress.org/support/users/ben121/) and I for sure were hacked
   through the comment section. That might not be a WP security issue but some plugin
   issue, and we are trying to discuss and solve this problem here.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799879)
 * If you want to swap hack code blocks, perhaps you could use a resource like pastebin?
   Just please don’t post it here. Apart from anything else, such code blocks can
   trigger AV software – blocking access to your topic completely.
 *  [Svetlana0777](https://wordpress.org/support/users/svetlana0777/)
 * (@svetlana0777)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799880)
 * OK, [@esmi](https://wordpress.org/support/users/esmi/), no code anymore. Thank
   you for removing it.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799881)
 * No problem 🙂
 * Your best bet on narrowing this down might be to run some Google searches on 
   bits of the injected code and see what it throws back. Just be careful, though.
   Unless you have verified exactly what this hack does, there’s always the possibility
   that infected sites may try to download malware. Even with a fully up-to-date
   AV defence in place, a new piece of malware can bypass it. Been there, had it
   happen. Took 4 hours to clean this machine. 🙁
 *  [TIV.NET INC.](https://wordpress.org/support/users/tivnetinc/)
 * (@tivnetinc)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799887)
 * [@svetlana0777](https://wordpress.org/support/users/svetlana0777/) You were asked
   not to publish any such “discoveries” – but you continue doing that on all forums
   (Google+, etc.). Please stop.
 *  [remake](https://wordpress.org/support/users/remake/)
 * (@remake)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799894)
 * Yes, it definitely goes through the WP comments.
    My site just survived such
   an attack and I was lucky as it was stopped by the WP-SpamShield plugin because the
   code they tried to inject failed on one of the tests this plugin performs before
   it lets the comment be posted. All the activity and the injection code itself
   stayed in the plugin log.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799900)
 * Since you still have all the logs, would you please report it following [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/)?
 *  [Svetlana0777](https://wordpress.org/support/users/svetlana0777/)
 * (@svetlana0777)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799911)
 * [@tiv](https://wordpress.org/support/users/tiv/).NET INC., you did not understand.
   I was asked not to publish **the code that was included in the comment**. Hundreds
   of people were attacked and they need to know that if they get a comment with “strange
   code”, they can get the user “obuser” with Administrator privileges next. And
   here is a place where we discuss it and try to solve the problem.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799912)
 * I’ll rephrase. If you have found a legitimate security issue, please do not endanger
   the 25% of known websites in the world using WordPress by publicly disclosing
   or discussing details of the issue.
 * Please use [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/)
   instead. 🙂
 *  [remake](https://wordpress.org/support/users/remake/)
 * (@remake)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799913)
 * OK. I did.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/#post-6799914)
 * Thank you!


The topic ‘Current hack on 4.3.1’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 17 replies
 * 0 participants
 * Last reply from: [James Huff](https://wordpress.org/support/users/macmanx/)
 * Last activity: [10 years, 6 months ago](https://wordpress.org/support/topic/current-hack-on-431/page/2/#post-6799918)
 * Status: not a support question

