Sneaky Bastard » Security http://sneakybastard.com Web Hosting for the Chemically Unstable Sat, 30 Oct 2010 17:25:57 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 Quick WordPress Intrusion Detection http://sneakybastard.com/2009/09/quick-wordpress-intrusion-detection/ http://sneakybastard.com/2009/09/quick-wordpress-intrusion-detection/#comments Tue, 08 Sep 2009 02:17:23 +0000 joseph http://sneakybastard.com/?p=390 To satisfy my curiosity after the increase in worm activity affecting WordPress websites, I decided to run a quick query of the wp_users table in all the WordPress databases on a server. Adjust the database names as necessary, and create a MySQL password file as /root/.my.cnf before running the loop:

for U in adam baker charlie delta; do
  DB="${U}_wordpress"
  echo "Database: $DB"
  sudo -H mysql -D $DB -e "
    SELECT u.user_login, u.user_registered, um.meta_value
    FROM wp_users u INNER JOIN wp_usermeta um ON (u.id = um.user_id)
    WHERE um.meta_key = 'wp_capabilities'
    ORDER BY u.user_registered DESC"
  echo ""
done

The output will show the most recently created user accounts for each WordPress installation. Apparently the current worm creates an administrator account called “Administrator (2)” that is used to login and make changes to the site. I don’t know if that string appears in the nickname field, or what, so I didn’t query for it explicitly.

]]> http://sneakybastard.com/2009/09/quick-wordpress-intrusion-detection/feed/ 0