Title: Possible Security Vunerability:  admin-bar.php
Last modified: August 21, 2016

---

# Possible Security Vunerability: admin-bar.php

 *  Resolved [Another Guy](https://wordpress.org/support/users/another-guy/)
 * (@another-guy)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/)
 * I am noticing a pile of traffic all of a sudden on different wordpress installs,
   attempting to directly post to admin-bar.php. It looks like an attempt to add
   malware onto the admin bar, which would potentially permit either a user privilege
   escalation or to try to obtain credentials or similar.
 * Thankfully, I get errors like this:
 * PHP Fatal error: Call to undefined function add_action() in /var/www/website/
   wp-includes/admin-bar.php on line 48
 * Interestingly, I didn’t see these before installing 3.9.1, which means either
   the hack was on previous version, or they have found something new.
 * I did find one cached page on Google (not the actual page anymore) that showed
   this being used to install a rootkit. Again, not sure of the mechanics, but I
   am seeing plenty of activity on this.

Viewing 15 replies - 1 through 15 (of 22 total)


 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985290)
 * Just because hackers are targeting your sites’ admin bars does not mean that 
   the admin bar itself is the vector. Only that it’s a victim of the hack. You 
   need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
   [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
   [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Thread Starter [Another Guy](https://wordpress.org/support/users/another-guy/)
 * (@another-guy)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985293)
 * Thank you, but my sites were NOT hacked – I am seeing people make direct calls
   to that function, which is highly unusual.
 * My sites are as secure as wordpress sites can be. So pointing me to a bunch of
   “your sites have been hacked” information isn’t helping.
 * I am reporting an issue, not asking for help. Is it hard to tell the difference?
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985294)
 * > I am noticing a pile of traffic all of a sudden on different wordpress installs,
   > attempting to directly post to admin-bar.php
   >  […] PHP Fatal error: Call to 
   > undefined function add_action() in /var/www/website/wp-includes/admin-bar.php
   > on line 48
 * Hmm… That sounds like a hacked site to me.
 *  Thread Starter [Another Guy](https://wordpress.org/support/users/another-guy/)
 * (@another-guy)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985298)
 * Nope. That is a direct call attempting to use that function to do something.
   See, you can access that function without being logged in, which appears to be
   pretty silly.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985299)
 * > That is a direct call attempting to use that functions to do something.
 * Then can we see the full error message?
 *  Thread Starter [Another Guy](https://wordpress.org/support/users/another-guy/)
 * (@another-guy)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985305)
 * That is all that ends up in the error log at this point, I don’t have full verbose
   logs on (it would be a machine killer to do that). But looking at it, it appears
   to be a direct call (as it isn’t attributed to another page), with no referring
   page.
 * Looking at the code, it appears to be trying to call a function that has not 
   been loaded, as they are directly calling the admin-bar.php file.
 *  [kyle_t](https://wordpress.org/support/users/kyle_t/)
 * (@kyle_t)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985440)
 * I have been noticing the same error coming through our logs. I am interested 
   in any more information that you find about this attempted exploit.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985442)
 * > That is all that ends up in the error log at this point
 * Then how do you know that this is a direct call? It still smacks of a hacked 
   site.
 *  [kyle_t](https://wordpress.org/support/users/kyle_t/)
 * (@kyle_t)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985445)
 * I was able to recreate the error in the error logs with our IP by visiting
   /wp-includes/admin-bar.php directly. I did not try posting any data to it.
 * I have to agree with Another Guy that the site is not hacked; it is just an
   attempt to exploit.
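The direct request kyle_t reproduced shows up in the web server's access log as a hit on a PHP file under wp-includes/ that WordPress itself never links to. The following is an added example, not code from the thread or from WordPress: it flags such requests in Apache combined-format log lines (the sample lines are constructed) and counts the probing sources, so an operator can see whether the traffic is a harmless probe that fails, as in the quoted fatal error, or a request that unexpectedly succeeded.

```python
# Added example: find direct requests to PHP files under wp-includes/ in an
# Apache combined-format access log. Static assets (.js, .css) under the same
# directory are legitimate and are not flagged. Sample log lines are constructed.
import re
from collections import Counter

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
INCLUDES_RE = re.compile(r'^/wp-includes/[^?]*\.php')

# Constructed sample: one source probes admin-bar.php twice (POST, then GET),
# a normal visitor loads a script asset, another visitor opens the login page.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/Aug/2016:10:00:01 +0000] "POST /wp-includes/admin-bar.php HTTP/1.1" 500 271 "-" "Mozilla/5.0"
198.51.100.2 - - [21/Aug/2016:10:00:05 +0000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 95000 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [21/Aug/2016:10:00:09 +0000] "GET /wp-includes/admin-bar.php HTTP/1.1" 500 271 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Aug/2016:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

def direct_include_hits(log_text):
    """Return one dict per request that hits a PHP file under wp-includes/
    directly. A stock include file fails with a PHP fatal error (typically
    an HTTP 500), so a 200 on such a request is the case worth inspecting:
    the file no longer fails the way the thread's error log shows."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if not INCLUDES_RE.match(m['path']):
            continue
        hits.append({
            'ip': m['ip'], 'method': m['method'], 'path': m['path'],
            'status': int(m['status']), 'referer': m['referer'],
            'executed': m['status'] == '200',  # True = did not fatal, inspect file
        })
    return hits

def probe_sources(log_text):
    """Count probing IPs so the noisiest source can be blocked or reported."""
    return Counter(h['ip'] for h in direct_include_hits(log_text))

if __name__ == '__main__':
    for h in direct_include_hits(SAMPLE_ACCESS_LOG):
        print(h)
    print(probe_sources(SAMPLE_ACCESS_LOG).most_common())
```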
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985447)
 * So where is the issue?
 *  [kyle_t](https://wordpress.org/support/users/kyle_t/)
 * (@kyle_t)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985459)
 * I don’t see any issue, as of now. Obviously these files are not supposed to be
   accessed directly, and accessing admin-bar.php directly doesn’t do much since
   the add_action() function is not defined within that file. (It is defined in 
   wp-includes/plugin.php)
 * But I’m going way out on a limb here and saying maybe there is a plugin or some
   other malware that makes an edit to that file so that when that file is accessed
   directly it leads to a backdoor into wordpress admin. Again just speculation 
   and also worst case scenario.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985461)
 * None of the plugins hosted at wordpress.org make edits to any core WordPress 
   files.
 *  Thread Starter [Another Guy](https://wordpress.org/support/users/another-guy/)
 * (@another-guy)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985466)
 * “I don’t see any issue”
 * In simple terms, if someone is knocking on a particular file on more than one
   installation, then you have to ask why. You make the assumption of an already
   hacked wordpress install, my feeling is this is much more an attempt to create
   a hole, not to profit from it.
 * I tend to go with Kyle T on this one, it looks like someone has figured out a
   potential hole, or that a different hack modifies this file to allow for a back
   door to create a recurring hack. It looks potentially like someone checking to
   see if an installation has been hacked or modified.
 * It’s also the first file in that directory, alphabetically.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985467)
 * > In simple terms, if someone is knocking on a particular file on more than one
   > installation, then you have to ask why.
 * That part’s easy: some installations get compromised, that file gets hacked and
   BOOM! you’re done.
 * > You make the assumption of an already hacked wordpress install, my feeling 
   > is this is much more an attempt to create a hole, not to profit from it.
 * That’s just not the case.
 * > I tend to go with Kyle T on this one, it looks like someone has figured out
   > a potential hole, or that a different hack modifies this file to allow for 
   > a back door to create a recurring hack. It looks potentially like someone checking
   > to see if an installation has been hacked or modified.
 * There are a lot of insecure hosts and installations running insecure add-on code.
   The bad guys look for systems that have been compromised _already_. That is all
   that those probes mean.
 * Now if someone does know of a means to exploit the stock WordPress files then
   please report it. But this part:
 * > I am noticing a pile of traffic all of a sudden on different wordpress installs,
   > attempting to directly post to admin-bar.php
 * Doesn’t mean that file is exploitable. It means someone is looking for a copy
   that has already been hacked.
 *  Thread Starter [Another Guy](https://wordpress.org/support/users/another-guy/)
 * (@another-guy)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/#post-4985468)
 * I understand your points Jan, but I think you are missing context here.
 * Why this file, and not any others? It’s not generally a file people would access
   (unless they are logged in), but potentially code added here would be executed
   by someone with admin level privileges. If they are just testing to see if wordpress
   exists, there are easier ways. Moreover, as esmi pointed out, these are not files
   that generally can be modified by a plugin, so it wouldn’t be some simple thing.
 * Moreover, I did find at least one cached example of this file turned into a rootkit
   install point. It’s basically Google caching the page, but there is no current
   version. So it suggests someone has found a way either to exploit that file directly
   or to use it as the “exploited file” for some other hack. Either way, it’s worth
   noting.
 * I have to ask though: Why is there such a strong resistance to accepting a report
   of potential hacking activity?


The topic ‘Possible Security Vunerability: admin-bar.php’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 22 replies
 * 6 participants
 * Last reply from: [Nicki Faulk](https://wordpress.org/support/users/nitallica/)
 * Last activity: [11 years, 11 months ago](https://wordpress.org/support/topic/possible-security-vunerability-admin-barphp/page/2/#post-4985487)
 * Status: resolved

