Terence EdenJul 17, 2024

Whoa. I've just been hit with a nasty bit of #WordPress hacking.

A plugin which calls itself "Core Functionality" hiding in `/plugins/informative/testplugingodlike.php`

Seems to have added *thousands* of admin users to my sites.

Very odd and concerning. Not using multisite. Each has a different (normal) admin password. Some use MFA.

WTAF??

Show threadRob "Flack/Commodork" O'HaraJul 23, 2024
@Edent Thanks for sharing, especially the grep lookup. I got hit with this last week too. I have ~10 domains on HostGator, all different admin and db accounts, and all were compromised. I had "Core Functionality" on one (which seemed to append code to my functions.php) and two more plugins, "informative" and "custom-mail-smtp-checker".
Show threadRob "Flack/Commodork" O'Hara
@Edent I also had 4 admin accts on all my sites -- randomly generated 8 char user accts with "example.com" email addresses. I also had a new plugin "Head, Footer, and Post Injection" (sounds bad, right?) show up on all my sites. All my stuff is up to date and patched. I did have one of the compromised plugins on one site (podpress) so maybe that was the backdoor but if so, it was a good one.
Jul 23, 2024 at 10:45pmWeb
Show threadTerence EdenJul 24, 2024
@Flack
Yeah, Sounds identical. Grim.