"Hacker" managed to change email and password of admin

  • Got quite an interesting situation that happened yesterday when someone managed to receive a new password while also changing the admin email, then doing some cute defacing on the front post with music.

    The signup form was protected with Login LockDown as well as Limit Login Attempts, but he came in anyway.

    Does anyone have any idea how this happened?

    He/she/it changed the admin email to [ email redacted ] and even confirmed links through it. Any easy way to get the account banned?

    37.59.150.203 - - [01/Jul/2012:22:10:24 +0200] "GET / HTTP/1.0" 302 - "http://www.DOMAINUSINGSYMLINK/logs/log/log/sym.php?sws=sym" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:10:26 +0200] "GET /wp-signup.php?new=MU-SUBSITE HTTP/1.0" 200 5452 "http://www.readybooker.com/logs/log/log/sym.php?sws=sym" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:10:37 +0200] "GET /crossdomain.xml HTTP/1.0" 404 120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:10:53 +0200] "GET /wp-signup.php?new=www.google.com HTTP/1.0" 200 5452 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:08 +0200] "GET / HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:08 +0200] "GET /wp-signup.php?new=MU-SUBSITE HTTP/1.0" 200 5452 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:19 +0200] "GET / HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:20 +0200] "GET /wp-signup.php?new=MU-SUBSITE HTTP/1.0" 200 5452 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:52 +0200] "GET /wp-admin HTTP/1.0" 301 242 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:52 +0200] "GET /wp-admin/ HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:53 +0200] "GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.MAINSITE%2Fwp-admin%2F&reauth=1 HTTP/1.0" 200 2409 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:13:44 +0200] "GET /wp-login.php?action=lostpassword HTTP/1.0" 200 1888 "http://www.MAINSITE/wp-login.php?redirect_to=http%3A%2F%2Fwww.MAINSITE%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:13:47 +0200] "GET /crossdomain.xml HTTP/1.0" 404 137 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:13:47 +0200] "POST /wp-login.php?action=lostpassword HTTP/1.0" 302 - "http://www.MAINSITE/wp-login.php?action=lostpassword" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:13:48 +0200] "GET /wp-login.php?checkemail=confirm HTTP/1.0" 200 2341 "http://www.MAINSITE/wp-login.php?action=lostpassword" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:02 +0200] "GET /wp-login.php?action=rp&key=tcNGhyGZotqOPmsz23hS&login=admin HTTP/1.0" 200 3007 "http://us.mg1.mail.yahoo.com/neo/launch?.rand=3a42fcb4kj60a" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:41 +0200] "POST /wp-login.php?action=resetpass&key=tcNGhyGZotqOPmsz23hS&login=admin HTTP/1.0" 200 1143 "http://www.MAINSITE/wp-login.php?action=rp&key=tcNGhyGZotqOPmsz23hS&login=admin" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:45 +0200] "GET /wp-login.php HTTP/1.0" 200 2409 "http://www.MAINSITE/wp-login.php?action=resetpass&key=tcNGhyGZotqOPmsz23hS&login=admin" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:53 +0200] "POST /wp-login.php HTTP/1.0" 302 - "http://www.MAINSITE/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:55 +0200] "GET /wp-admin/ HTTP/1.0" 200 58066 "http://www.MAINSITE/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
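
Added example, not part of the original post: the log above shows one address requesting a password reset, opening the reset link, setting a new password, logging in and reaching /wp-admin/. This Python function flags that same ordered sequence per client IP in Combined Log Format lines; the stage names, `find_takeovers` and the sample rows are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip, [time], "METHOD url proto", status, size, "referer", "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
STAGES = ["reset_requested", "reset_link_opened", "password_set", "login_ok", "dashboard"]
RESET_STEPS = {("POST", "lostpassword"): STAGES[0], ("GET", "rp"): STAGES[1],
               ("POST", "resetpass"): STAGES[2]}

def classify(method, url, status):
    """Map one request to a stage of the reset-then-login flow, or None."""
    parts = urlsplit(url)
    action = parse_qs(parts.query).get("action", [""])[0]
    if parts.path == "/wp-login.php":
        if method == "POST" and not action and status == "302":
            return "login_ok"  # a failed login re-renders the form with 200
        return RESET_STEPS.get((method, action))
    if parts.path.rstrip("/") == "/wp-admin" and status == "200":
        return "dashboard"
    return None

def find_takeovers(lines):
    """Return one finding per client IP that completed every stage in order."""
    progress, findings = defaultdict(lambda: {"next": 0}), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, ts, method, url, status, referer = m.groups()
        st = progress[ip]
        if classify(method, url, status) != STAGES[st["next"]]:
            continue
        if STAGES[st["next"]] == "reset_link_opened":
            st["login"] = parse_qs(urlsplit(url).query).get("login", ["?"])[0]
            st["mail_host"] = urlsplit(referer).hostname  # where the reset mail was opened
        st["next"] += 1
        if st["next"] == len(STAGES):
            findings.append({"ip": ip, "at": ts, "login": st["login"], "mail_host": st["mail_host"]})
            del progress[ip]
    return findings

# Constructed sample (documentation IP, placeholder key), not the log from the post
_F = '203.0.113.7 - - [01/Jan/2024:10:{:02d}:00 +0000] "{} HTTP/1.0" {} - "{}" "UA"'
SAMPLE = [_F.format(i, *r) for i, r in enumerate([
    ("POST /wp-login.php?action=lostpassword", 302, "-"),
    ("GET /wp-login.php?action=rp&key=KEY&login=admin", 200, "http://mail.example.test/"),
    ("POST /wp-login.php?action=resetpass&key=KEY&login=admin", 200, "-"),
    ("POST /wp-login.php", 302, "-"), ("GET /wp-admin/", 200, "-")])]
```

A finding for a privileged login such as `admin` that the account owner did not initiate is the point to check the stored account email and the mail host recorded in `mail_host`.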
Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘"Hacker" managed to change email and password of admin’ is closed to new replies.