WordPress.org

Ready to get started?Download WordPress

Forums

[closed] Hacker knows my users? (9 posts)

  1. ITPiraten
    Member
    Posted 2 years ago #

    I recently got hit by a hacker on my site. The hacker (originating from Denmark) didn't get into my server, but according to all the security logs he did know all my users.

    It was a brute-force attempt so he was constantly spamming with different passwords, which is quite normal. But how can he know all my registered users "username"?

    The only administrator on my wordpress is me, and the only person that can see other users on my system is me.

    Some of the users can be collected due to their comments and so on, but even people that never ever write anything had been targeted by this hacker!?

    Anyone got an idea, because this question is eating me up. The wordpress installation and database are intact (as far as I can tell). And there are no "strange users" on the system. I can't see anything that would suggest the hacker could get his/her hands on the users of the wordpress installation.

    Any idea?

  2. ragzor
    Member
    Posted 2 years ago #

    yes, he can know all the users registered on ur site..its pretty simple with brute force. eg.. the bruteforce program enters a username:admin and password: xyz if there are no registered user called "admin" the login screen would return "invalid username" and if there is a username called "admin" it will return "invalid password"...So he can make out which are the valid usernames.

    prolly this plugin might annoy him and he'd give up bothering u =D

    login lockdown

    sorry for bad english.
    good luck!

  3. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 2 years ago #

    As ragzor says, login-lockdown or a similar plugin would be recommended to prevent the brute-force attempt successfully discovering any passwords. In addition to that, if all the attempts are coming from a single IP address, a plugin such as IP ban or similar might also be useful.

  4. ITPiraten
    Member
    Posted 2 years ago #

    Thanks for your replies, but the theory given by Ragzor doesn't fit the pattern that the hacker used.

    He didn't try random user names, he targeted exactly the users that are registered on my site. Everything is logged, including passwords tried and such. There was no attempt on any non-existing user.

    I have banned the IPs on server level, so there is no way he can try again. And I have automatic banning after 4 tries, so that's not a problem either.

    What I consider strange with this hacker is that he have, without a doubt, access to all my users usernames. However, he don't have access to any passwords or such information.

    Anyone heard of something like this before? Or is this a new way of hacking wordpress sites?

    To prohibit leading you on the wrong way again, let me explain what counter measures are up on my site.

    * Login limit (4)
    * Anti virus
    * Anti tamper
    * No register of new users
    * Site reports back all actions thru mail
    * Logging of actions
    * Server banning of brute force hacks thru IP
    * Limited user rights (UAM)
    * No user are allowed to see other users
    * No user can communicate directly to other users
    * No weak passwords allowed (except for lowest rank members)
    * All themes are made by me, so no external code there

    In other words, my WordPress site is pretty safe. Still, somehow, a hacker managed to target my users directly. Not even one letter or number was entered in error, except for the passwords.

    He didn't have any clue what status the members have on my site either. Since he targeted mainly the onces that registered for commenting only.

    There doesn't seem to be anything wrong with either the db or anything else on the site. The hacker didn't access any accounts and had no access to anything on the server.

    Checking the IP logs of the server shows no former match of the IP on any registered user, so the hacker wasn't a registered user of any kind. According to the logs, he had never visited my site using any IP used while trying to hack the site.

    I'm clueless about how he/she did this. But I'm not worried about my security. Still, I'd love to know how he/she managed to get the information without me knowing it. That's the question that eats me up.

    Sorry for ramling, but I wanted to give you the situation as it is.

  5. ragzor
    Member
    Posted 2 years ago #

    oh...well he might have found an exploit to one of ur plugins or maybe even used an email spider.. not sure if he can get the usernames with those emails tho, its very hard to tell how he got those usernames :/ w/o burte force but as u say ur wordpress looks pretty secure and u have banned him so i dont think u shuld be worrying

  6. ITPiraten
    Member
    Posted 2 years ago #

    I'm currently checking all my plugins. But there isn't a plugin that should be able to collect any user information. However, I'm going to disable all unused plugins, just to be on the safe side.

    It's just strange. But as I said, I'm not worried about the security. I'm just curious about how it was done. =)

  7. fonglh
    Member
    Posted 2 years ago #

    Maybe he got the users table from your database. The passwords are hashed so he won't have those. The usernames are all there.

    Just a possibility.

  8. ITPiraten
    Member
    Posted 2 years ago #

    I got custom table prefix set. Could someone actually read my database without the correct username and password? Shouldn't it be very hard to do something like this?

    To be honest, I'm not that good on the database workings, since I got a hosting company that provide me with everything I need.

  9. To get your database info, he had to have access to your database. If they did that you have a heck of a lot more issues (like having your password!). Id you use the SAME user ID and password for SSH/FTP as you do for your database, I suggest you make an SQL ID instead and use that. Minor security, but it helps.

Topic Closed

This topic has been closed to new replies.

About this Topic