Sneaky Bastard

To satisfy my curiosity after the increase in worm activity affecting WordPress websites, I decided to run a quick query of the wp_users table in all the WordPress databases on a server. Adjust the database names as necessary, and create a MySQL password file as /root/.my.cnf before running the loop:

for U in adam baker charlie delta; do
  DB="${U}_wordpress"
  echo "Database: $DB"
  sudo -H mysql -D $DB -e "
    SELECT u.user_login, u.user_registered, um.meta_value
    FROM wp_users u INNER JOIN wp_usermeta um ON (u.id = um.user_id)
    WHERE um.meta_key = 'wp_capabilities'
    ORDER BY u.user_registered DESC"
  echo ""
done


The output will show the most recently created user accounts for each WordPress installation. Apparently the current worm creates an administrator account called “Administrator (2)” that is used to login and make changes to the site. I don’t know if that string appears in the nickname field, or what, so I didn’t query for it explicitly.