
I have a site that has a malicious link being injected into it which causes every page of the site to be clickable and go to random sites. The script is being injected through the WPCode plugin which has an area in the admin panel to add scripts to the header area. Before removing the plugin, I wanted to figure out how it was being done.

I set up some temporary logging in the wp-admin/admin.php file since the plugin's admin page submits a POST request there. I was able to catch the request of the malicious script being injected along with all of the $_SERVER parameters and the currently logged in user.

The problem is that the user that it was done under hasn't been logged into in about a year according to the admin screen "last logged in" date. The same date shows in the Sucuri plugin's login security area. I don't see any login activity for this user at all.

Is it possible for a user to be submitting requests to wp-admin/admin.php without actually logging in? Or is it more likely that they are logging in as that user somehow and then deleting the login record?


asked Jun 25, 2024 at 19:18 by Timothy Fisher

1 Answer

No, this is a red herring that has nothing to do with the problem, likely from a misunderstanding of what WP user login sessions are tracking.

The TLDR: It's probably because they logged out.

The problem is that the user that it was done under hasn't been logged into in about a year according to the admin screen "last logged in" date. The same date shows in the Sucuri plugin's login security area. I don't see any login activity for this user at all.

Not necessarily. WP user login sessions aren't tracking when they last logged in; they're tracking when that specific login session that is still active last logged in. Newer sessions that have ended don't appear here, as they've been cleaned up.

But keep in mind if they've compromised the site they don't need a login. They could directly modify any of the data you're looking at, or bypass WordPress entirely. If you've identified how they got in you need to close that as soon as possible. Analysis can happen afterwards.

Is it possible for a user to be submitting requests to wp-admin/admin.php without actually logging in?

Normally no, unless new additional PHP code had been introduced to explicitly allow it, it would redirect to a login page. A quick read of admin.php reveals an auth_redirect call near the top.

However by your own admission the site is already compromised so all of that goes out the window since the attacker could have modified files, or executed their own code, and you've already identified malicious code in a code snippet plugin!

Or is it more likely that they are logging in as that user somehow and then deleting the login record?

WordPress does not keep login records!

WordPress Sessions Are Not What You Think They Are

WordPress keeps track of active login sessions. E.g. if you log in on a phone, then log in on a tablet, 2 sessions are tracked. This is so that you can force all devices to log out from the dashboard and invalidate those login sessions.

What they are not, is a record of when people logged in because of the simple fact that logging out destroys a session and removes it from the database.

If I log in then log out there is no trace of that session. This means I could log in today then log out, and as long as I never use this machine again I could log in as many times as I want on another device and you would never know, as long as I clicked logout.


In general though, whether WordPress normally does or doesn't allow these requests is irrelevant; your site has compromised code that can change it to whatever the attackers want. Removing that malicious code is the number 1 priority.

Also if you could make direct requests to admin.php and bypass authentication/login then that'd be a massive security hole for almost half the internet, the kind of news that would make it into printed newspapers with high profile targets hacked.
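Since WordPress only keeps active sessions and not a login history, a defender who wants a record like the one the question was looking for has to write it themselves. The following mu-plugin is an added example, not code from the answer or from WordPress; it hooks the core `wp_login`, `wp_logout` and `wp_login_failed` actions and writes each event to the PHP error log together with the number of sessions still active for that user. The `wpse_` function names and the log destination are assumptions.

```php
<?php
/**
 * Plugin Name: Login Event Log (added example, not part of the original answer)
 * Drop into wp-content/mu-plugins/. WordPress stores only *active* sessions in
 * the `session_tokens` user meta and deletes them on logout, so this records
 * logins/logouts/failures in a place that survives session cleanup.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

function wpse_login_log_write( string $event, array $fields ): void {
    $record = array_merge(
        array(
            'ts'    => gmdate( 'c' ),
            'event' => $event,
            'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',  // proxy address if behind a proxy
            'ua'    => substr( $_SERVER['HTTP_USER_AGENT'] ?? '', 0, 200 ),
        ),
        $fields
    );
    // error_log() goes to the PHP error log (or WP_DEBUG_LOG). Ship it off-host:
    // anyone who can already run code on the site can also edit local files.
    error_log( 'wp-login-audit ' . wp_json_encode( $record ) );
}

// Successful login: fires in wp_signon() after the auth cookie has been set.
add_action( 'wp_login', function ( string $user_login, WP_User $user ): void {
    $sessions = WP_Session_Tokens::get_instance( $user->ID )->get_all();
    wpse_login_log_write( 'login', array(
        'user_id'         => $user->ID,
        'user_login'      => $user_login,
        'active_sessions' => count( $sessions ),  // includes the one just created
    ) );
}, 10, 2 );

// Logout: the session is destroyed here, so this line is its last trace.
add_action( 'wp_logout', function ( int $user_id ): void {
    wpse_login_log_write( 'logout', array( 'user_id' => $user_id ) );
}, 10, 1 );

// Failed attempt, e.g. password guessing against a dormant account.
add_action( 'wp_login_failed', function ( string $username, WP_Error $error ): void {
    wpse_login_log_write( 'login_failed', array(
        'user_login' => $username,
        'reason'     => $error->get_error_code(),
    ) );
}, 10, 2 );
```

Note that a request arriving with a still-valid auth cookie produces no `wp_login` event at all, which is the other reason a dormant "last login" date says nothing about current activity.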

Tags: Can a user submit requests to wp-admin/admin.php without logging in