
[closed] Hacked? Admin Accounts Created Without My Doing (38 posts)

  1. nickda
    Member
    Posted 1 year ago #

    I recently noticed that new users were added to my WordPress sites (yes, multiple sites) without my doing. They were also given administrator access and the email address for all the users is sysadmin@wordpress.org. Unless I didn't notice before, but does WordPress create these admin accounts by default? I wouldn't think so? All my sites were on the same hosting service.

    Has anyone else experienced this? I deleted these accounts, then on one site the account reappeared again the next day. I called my hosting provider and they said my site looked fine. I plugged in my URL to other sites to see if I've been hacked and they all said my sites were fine.

    I've never seen these admin accounts from WordPress before, but if anyone else has experienced anything like this, I'd love to hear any feedback.

    Thanks in advance.

  2. The Hack Repair Guy
    Member
    Posted 1 year ago #

    If accounts are being added then your account has been hacked.

    Start by removing all administrative accounts, except your primary one.

    Then change your administrative account password, hosting control panel password, FTP password, and all email account passwords related to the website.

    Use a service like Unmask Parasites to check the coding of your pages just in case.

  3. esmi
    Forum Moderator
    Posted 1 year ago #

  4. LavishDhand
    Member
    Posted 1 year ago #

    Same with my sites!!! Just noticed the same admin account with the same email address, I googled "sysadmin@wordpress.org" and reached here.

    Please advise

  5. Andrew
    Forum Moderator
    Posted 1 year ago #

    @LavishDhand, why not try Esmi's methods?

  6. nickda
    Member
    Posted 1 year ago #

    Hi,

    Thanks for all the feedback. So before anyone was able to reply to the thread, here's what I did.

    -Removed all the admin accounts that I did not create
    -Changed the passwords on my admin account, email associated with it, FTP account and hosting provider
    -I did plug my site into Unmask Parasites and it said it was clean.
    -I installed a security plugin (I was stupid to not do it before) to double check and add another barrier. It found suspicious coding on all of my sites, so I removed all the code.

    Now I'm waiting and hoping this is the end of it. I'll keep you posted.

  7. Andrew
    Forum Moderator
    Posted 1 year ago #

    Hang on, how did the hacker get into your code to begin with?
    Surely you need to tackle that instead of removing the malicious code after the hacker gained access to your website.

  8. nickda
    Member
    Posted 1 year ago #

    @LavishDhand
    Did they do anything to your sites? When did you notice these accounts created?

  9. LavishDhand
    Member
    Posted 1 year ago #

    Hello @anevins Hello Everyone!

    I sure am working as per the advice given; however, I'm curious to know: is my website really hacked, or is it WordPress? If my website is really hacked, how did this happen? How can I protect my other websites before it happens to them?

    regards

  10. nickda
    Member
    Posted 1 year ago #

    @Andrew
    I'm not sure. I installed WordFence and it said it found "malicious" code on my site. I'm not sure if they put it there or if it was really malicious. I don't even know where to start to investigate this stuff.

    I just had it removed to be safe.

  11. nickda
    Member
    Posted 1 year ago #

    @Lavish
    I'm in the same boat as you. But I do know that one day the account wasn't there and the next day the account was in my site.

    I found it very strange and would doubt that WordPress would create these accounts.

  12. The Hack Repair Guy
    Member
    Posted 1 year ago #

    WordPress did not create the accounts.

  13. LavishDhand
    Member
    Posted 1 year ago #

    The email address is mentioned on this webpage http//bestteam-com-do/author/sysadmin/

    Does someone find a clue out of this?

  14. nickda
    Member
    Posted 1 year ago #

    @lavish
    The URL didn't work for me. Can you resend?

  15. nickda
    Member
    Posted 1 year ago #

    I found the page. That is strange. I found their FB page as well and it mentions them as spammers.

    Hmm.

  16. LavishDhand
    Member
    Posted 1 year ago #

  17. nickda
    Member
    Posted 1 year ago #

    @Lavish

    Did you find anything? I'm not sure what that site is you linked to. It appears they're no longer managing their site.

  18. LavishDhand
    Member
    Posted 1 year ago #

    Hi!

    Even after deleting the hacker account "All Users" count is shown 4 while there are only 3 accounts that I created and after deleting the wrong account the total now should be 3 and not 4.

    Please see the screen shot : http://s14.postimage.org/c09x2usht/2013_03_09_174058.jpg

  19. twsimpson
    Member
    Posted 1 year ago #

    I just noticed this today as well. Has anyone drilled down what this is? Is it new or just new to me?

  20. LavishDhand
    Member
    Posted 1 year ago #

    @twsimpson do you see same email address? WordPress experts / senior guys please we need your attention. Kindly guide us.

  21. vloo
    Member
    Posted 1 year ago #

    @LavishDhand, I had this case a year and a half ago. You might have a user with a blank or white-spaced username, who is an admin. This user is not displayed by the admin panel, but is available in the database. As I'm not sure of the reason it is not displaying, you'd better reinstall your WordPress (in order to remove any code changes in the Core) and then remove the odd admin user from the database (phpMyAdmin or something).

    Please tell me the version of your installation and keep me updated on this issue, as I'm curious if it's exactly the same case as the one I had at the time! Good luck :)
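
The database check vloo describes, as an added example that is not part of the original post or of any WordPress tool: read-only queries that list administrator accounts straight from the tables, so a blank-login account hidden from the admin panel still shows up. It assumes MySQL/MariaDB and the default table prefix `wp_`.

```sql
-- Added example; assumes MySQL/MariaDB and the default table prefix "wp_".
-- All four queries only read data.

-- 1. Every account holding the administrator role on any site of the install.
--    Roles are stored in wp_usermeta under wp_capabilities (main site) and
--    wp_<blog_id>_capabilities (multisite subsites) as a serialized PHP array.
SELECT u.ID,
       CONCAT('[', u.user_login, ']') AS login_in_brackets, -- brackets expose blank logins
       u.user_email,
       u.user_registered,
       m.meta_key                     AS role_key,
       (TRIM(u.user_login) = '')      AS blank_login         -- 1 = empty or spaces only
FROM   wp_users u
JOIN   wp_usermeta m ON m.user_id = u.ID
WHERE  m.meta_key LIKE 'wp\_%capabilities'
  AND  m.meta_value LIKE '%"administrator"%'
ORDER  BY u.user_registered DESC;

-- 2. Accounts using the address reported in this thread, whatever their role.
SELECT ID, user_login, user_email, user_registered
FROM   wp_users
WHERE  user_email = 'sysadmin@wordpress.org';

-- 3. Multisite only: network super admins, stored as a serialized list of logins.
SELECT meta_value
FROM   wp_sitemeta
WHERE  meta_key = 'site_admins';

-- 4. Role rows left behind for user IDs that no longer exist in wp_users.
SELECT m.user_id, m.meta_key, m.meta_value
FROM   wp_usermeta m
LEFT   JOIN wp_users u ON u.ID = m.user_id
WHERE  u.ID IS NULL
  AND  m.meta_key LIKE 'wp\_%capabilities';
```

Compare the rows from query 1 with the Users screen in the admin panel: any account listed here but not there, or with an unexpected `user_registered` date, is the one to investigate before deleting anything.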

  22. LavishDhand
    Member
    Posted 1 year ago #

    We're not the only ones I find the discussions online : https://twitter.com/irsdl/status/310522692367429632

    @vloo it was the user that I deleted, the one that came up from nowhere. The username was 'sysadmin' and email associated was 'sysadmin@wordpress.org'. I am not sure how I can reinstall WordPress; mine is a MultiSite network - how can I go about a reinstall?

  23. vloo
    Member
    Posted 1 year ago #

    Automatic reinstalling of multisite is done through the network admin panel: http://yoursite.com/wp-admin/network/update-core.php

    I think it's obvious that you'd better have a backup of all files and database tables for that.

    Good luck!

  24. LavishDhand
    Member
    Posted 1 year ago #

    Hello Vloo!

    As per your advice I have just reinstalled my WordPress, now I have a new problem. All my subsites in the Multisite network are missing their images. Every image is broken/missing, just the primary site's images are fine.

    Example :
    The image is actually located at :
    http://www.MyPrimarySite.com/wp-content/blogs.dir/4/files/2012/10/image.jpg
    Wordpress is picking up the path as :
    http://www.MyPrimarySite.com/SubSite/files/2012/10/image.jpg

    Even the images I'm uploading now are not showing up.

    Please help.

  25. vloo
    Member
    Posted 1 year ago #

    Usually after updating from the network admin, WordPress prompts you to update from your subsites, so if you haven't done this, go to the admin panel of your subsites and probably it will ask you to update the db there too.

    If this doesn't help (which is not likely to happen), most probably the best thing will be just to restore the site with the last backup before the update, and then compare the WordPress installation with a clean one, using software such as WinMerge (for Windows) or Meld (for Linux).

    Keep me updated on the progress and I'll help you if I can!

    You can write me privately on vlood.vassilev at gmail if needed.

  26. Finfan923
    Member
    Posted 1 year ago #

    Hello All,

    My site was hacked. It appears they have access to my WordPress admin panel and I cannot log in. (I had a company design my page) so I do not know the original user name or email they used to set up my WordPress page which is asked for when I click "forgot password" via my WordPress control panel login.

    Any suggestions as to what I can do to get my control panel access back?

  27. LavishDhand
    Member
    Posted 1 year ago #

    Hi Vloo,

    There is no option to update from subsites. I've restored the backup (one from before the update). Nothing's worked out, I'm afraid that everything is messing up and I'm losing this installation :(

    Starting up from scratch is scary :(

    NOTE : I only have db back ups I never had files backed up.

  28. vloo
    Member
    Posted 1 year ago #

    Hey, Finfan, it is not very polite to open a new topic in an existing one, as you are distracting the guys from the original one. If you need more people to see yours, create a separate topic!

    But anyway, if you got any access to your hosting account, use it to gain access to your WP - usually changing the email of user with id 1 in wp_users should allow you to reset their password and log in. But in what you are saying, it sounds like you actually got communication problems with the developers, don't you?

  29. vloo
    Member
    Posted 1 year ago #

    Yes, my bad, you did a reinstall, not an update, so you wouldn't get update prompt for subsites.

    At http://yoursite.com/wp-admin/network/site-settings.php?id=2, where 2 is the id of the subsite, you got Upload Path, which is the option that should still point to your wp-content/blogs.dir/4/files folder. So this path should be in the settings and your subsites should be using in urls paths to images like http://www.MyPrimarySite.com/SubSite/files/2012/10/image.jpg

    Anyway, restoring a full db backup from before the reinstall should have fixed the problem, so probably something else is broken on your side. Btw, did you try regenerating the .htaccess file by saving again the current settings for the permalinks? Might help, eventually, as either WordPress or Apache should redirect http://www.MyPrimarySite.com/SubSite/files/2012/10/image.jpg requests to the physical path http://www.MyPrimarySite.com/wp-content/blogs.dir/4/files/2012/10/image.jpg

    I can't help you more than that if you don't give me any other clue, a login or at least a real url to check it out (you got my email in a previous response). I hope all this served you as a lesson not to mess with WordPress without having proper FILES AND DB BACKUPS in advance, it is vital.

  30. twsimpson
    Member
    Posted 1 year ago #

    So I just spoke to GoDaddy tech support and they are claiming that this is a non-issue created by WordPress. Any thoughts on this?

Topic Closed

This topic has been closed to new replies.
