Many WordPress attacks will create a backdoor WordPress account that has administrative privileges. One way to tell if your WordPress instance has been compromised is to check for the presence of an administrator account that you did not add.

The latest WordPress worm, as described in Matt Mullenweg’s recent post titled How to Keep WordPress Secure, uses javascript on the user page to hide the backdoor administrator account. It’s not enough to log in and check the list of users. You need to check the database itself.

Dougal Campbell had a good post, Checking Your WordPress Security, that talks about how to find the current list of accounts having administrative privileges in your WordPress instance. He provided an SQL query that you could run to get the list.

I’d rather have an email sent to me if the list of administrators changes, rather than having to check manually. I created a simple setup that checks my database every 10 minutes and sends me an email if the list changes. It checks to see if new administrator accounts are added and also checks to see if one was removed and replaced.

Security

At first I thought I could use the WordPress environment itself to make database access easier, but I realized that by doing so I could potentially run compromised code. I chose to directly connect to the database using the credentials in wp-config.php and run my queries using the mysql_* PHP functions.

Implementation

Directory Structure

First I got the directory structure in place. As root:

mkdir /root/etc
mkdir /root/bin

Files

• admin_list_common.php – Common Code – This code is shared by the other two utilities.
• check_admin_list.php – Admin List Checker – This checks to see if the current list of admins matches the known good list.
• create_admin_list_file.php – Admin List Creator – This script will create the initial list of admin users.

Common Include File

IMPORTANT NOTE: Make sure to update the database variables to match your setup. At a minimum, you will need to modify $wordpress_docroot and the database credentials.

In /root/bin/admin_list_common.php I put this:

<?php
 
$wordpress_docroot = "/www/llamalabs.com/content";
$admin_list_file = "/root/etc/myblog.wp_admin_list";
 
// get these variables from wp-config.php, which is in the document root for your blog.
$db_host = "localhost";
$db_user = "user";
$db_pass = "password";
$db_name = "db_name";
 
$db = mysql_connect($db_host, $db_user, $db_pass);
if ( ! $db ) {
    echo "Unable to connect to DB: " . mysql_error() . "\n";
    exit(1);
}
 
if ( ! mysql_select_db($db_name, $db) ) {
    echo "Unable to select db: " . mysql_error() . "\n";
    exit;
}
 
// based off of get_users_of_blog in wp-includes/user.php
function get_admin_users() {
    global $db;
    $sql = "SELECT um.user_id AS ID, u.user_login "
         . "FROM wp_users u, wp_usermeta um "
         . "WHERE u.ID = um.user_id "
         . "    AND um.meta_key = 'wp_capabilities' "
         . "    AND um.meta_value LIKE '%administrator%' "
         . "ORDER BY um.user_id";
 
    $res = mysql_query( $sql, $db );
    if ( ! $res ) {
        echo "Could not execute query: " . mysql_error() . "\n";
        exit(1);
    }
 
    if ( mysql_num_rows( $res ) == 0 ) {
        return array();
    }
 
    $users = array();
    while ( $row = mysql_fetch_assoc( $res ) ) {
        $users[] = $row;
    }
    return $users;
}
 
function get_prev_admin_users() {
    global $admin_list_file;
    $fp = fopen( $admin_list_file, "r" );
    if ( ! $fp ) {
        echo  "Error opening file.\n";
        exit( 1 );
    }
 
    $data = "";
    while ( ! feof( $fp ) ) {
        $data .= fgets( $fp, 4096 );
    }
    return unserialize( $data );
}

Check Admin List

In /root/bin/check_admin_list.php I put this:

<?php
 
require_once 'admin_list_common.php';
 
$prev_admin_users = get_prev_admin_users();
$admin_users = get_admin_users();
 
if ( count( $prev_admin_users ) != count( $admin_users ) ) {
    show_warning_and_exit( $prev_admin_users, $admin_users );
}
 
$admin_count = count( $admins );
 
for ( $i = 0 ; $i < $admin_count ; $i++ ) {
    if ( $admin_users[$i]["ID"] != $prev_admin_users[$i]["ID"] ) {
        show_warning_and_exit( $prev_admin_users, $admin_users );
    }
}
 
function show_warning_and_exit( $prev_admin_users, $admin_users ) {
    echo "Warning! The list of admin users differs.\n\n";
 
    echo "Current Admin Users\n";
    print_admin_users( $admin_users );
 
    echo "Previous Admin Users\n";
    print_admin_users( $prev_admin_users );
 
    exit(1);
}
 
function print_admin_users( $admin_users ) {
    $admin_count = count( $admin_users );
    echo "------------------------------------\n";
    for ( $i = 0 ; $i < $admin_count ; $i++ ) {
        echo "ID({$admin_users[$i]["ID"]}) user_login({$admin_users[$i]["user_login"]})\n";
    }
    echo "\n";
}

Create Admin List File

In create_admin_list_file.php I put this:

<?php
 
require_once 'admin_list_common.php';
 
$fp = fopen( $admin_list_file, 'w' );
if ( ! $fp ) {
    echo "Error opening file .\n";
    exit( 1 );
}
 
$admin_users = get_admin_users();
if ( fwrite( $fp, serialize( $admin_users ) ) === FALSE ) {
    echo "Cannot write to file ($admin_list_file)";
    exit( 1 );
}
 
fclose($fp);

Setup and Testing

Run the command to populate the known list of admin accounts. Then verify that the file was created:

[root@host bin]# php create_admin_list_file.php 
[root@host bin]# cat /root/etc/myblog.wp_admin_list 
a:3:{i:0;a:2:{s:2:"ID";s:1:"1";s:10:"user_login";s:5:"admin";}i...<snipped>
[root@host bin]#

Run the check script and make sure you get an exit status of 0.

[root@host bin]# php check_admin_list.php 
[root@host bin]# echo $?
0
[root@host bin]#

Now, check to make sure that the check works. To do this you can erase the contents of the known good list, test, and then restore. Make sure you get an exit status of 1 from your check scrpt. This will cause cron to mail you the report.

[root@host bin]# php check_admin_list.php 
Warning! The list of admin users differs.
 
Current Admin Users
------------------------------------
ID(1) user_login(admin)
ID(2) user_login(bob)
ID(3) user_login(harry)
 
Previous Admin Users
------------------------------------
ID() user_login()
 
[root@host bin]# echo $?
1
[root@host bin]# php create_admin_list_file.php 
[root@host bin]# php check_admin_list.php 
[root@host bin]# echo $?
0
[root@host bin]#

Set up the Recurring Check

Set up the crontab entry using the crontab command:

crontab -u root -e

The contents of my entry are:

*/10 * * * * php /root/bin/check_admin_list.php

Final Notes

It’s important to test your setup. Make sure that when you add a new admin account you are alerted about the change.

Some people may not want to run the check as root. That’s fine, simply set it up under a different account.

Make sure that cron emails for the user running the cron job are making it to your inbox. Alternatively you could use the PHP mail functions to send yourself an email with the warning.

If you have nonstandard table prefixes you will need to update the SQL queries to reflect your custom table prefixes.

If I didn’t have full root access (ie: shared hosting, etc), I’d look into whether or not my hosting provider gave me the ability to create cron jobs. If so, I’d use whatever facilities were available, keeping the files out of the document root for the site. Yes, you could run these php scripts under your document root, but you should obfuscate them and understand that it’s not as safe to do so.

If you have PHP installed in a non-standard location, make sure to specify the path as well as the binary name when editing your crontab.

If you’re not getting cron emails, check out your system’s maillog and other log files to see what’s happening.

If you do need to add a new administrator account and you get emails about the difference, simply run the create_admin_list_file.php file again in order to update your list of known admin accounts.

Related Links

• http://wordpress.org/development/2009/09/keep-wordpress-secure/
• http://dougal.gunters.org/blog/2009/09/05/checking-your-wordpress-security
• http://www.news-hub.eu/2009/09/wordpress-blogs-under-hack-attack/
• http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/
• http://secunia.com/advisories/product/6745/?task=advisories_2008
• http://scobleizer.com/2009/09/05/i-dont-feel-safe-with-wordpress-hackers-broke-in-and-took-things/

From http://www.dban.org/:

Darik’s Boot and Nuke (“DBAN”) is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

I’d have to say, it has definitely lived up to its name. I downloaded the ISO image, burned it to a CD and several unattended hours later I had four clean machines. You boot one, remove the CD, and move on to the next machine.

Now I just need to find a new home for these machines.