
Have I been hacked? Username: “amin”

  • craighobson
    Participant

    @craighobson

    I’ve had a username: “amin” with the name: as “…” show up as an administrative user mysteriously on a personal WordPress blog of mine. I was suspicious, deleted the user, and did a quick Google search to see if I could find anything about a security breach. I didn’t find anything so I just shrugged off the concern.

    Today I discovered the same “amin” user on a much bigger wordpress site I had built for a client; again with administrative privileges. Woah! Not cool.

    These usernames were not added, nor would administrative privileges have been given in either case. I’m running the most current version of WordPress, 2.9.2, on both blogs and I’m a little nervous about the very real possibility that these blogs are being hacked.

    Has anyone else noticed anything similar? Or share my concern?

Viewing 15 replies - 16 through 30 (of 63 total)
  • davidjamesca
    Member

    @davidjamesca

    w8lifter, to answer your question, when I was looking at a Rackspace account that had been compromised, I spotted a few hacks beyond the creation of the amin user account:
    1. The attacker installed malware into both the wordpress database and into the wordpress source code. This allowed the attacker to distribute malware to site visitors. Some of these attacks were trickily hidden.
    2. The attacker created a C99 shell server. This helps the attacker launch further attacks on affected sites. (In this case, the server was named “l.php”, but note that they can name this file anything they want.)

    w8lifter2000
    Member

    @w8lifter2000

    Do you know the specific location in both the database and the file tree for these hacks?

    davidjamesca
    Member

    @davidjamesca

    Hi w8lifter2000,

    In this specific case, the attacker modified footer.php inside the wordpress themes directory to add a hidden iframe. The attack was cloaked using base64_decode and only showed up in the HTML the first time a visitor was on the site.

    The attacker also added a C99 shell to the website, also cloaked using base64_decode. The C99 shell was added both to the root directory of the website and to the wordpress directory.

    In the database, the attacker edited the most recent post on the website to add a hidden script include. It referenced http://zlu.emapis.org/js/jquery.min.js, which interestingly returns different content depending on the number of times you have loaded the page. The first time you load the javascript from a particular IP address, it returns the suspected malware script content; after the first load, it then returns an innocuous script. I saved the suspected malware version of the script at http://pastebin.ca/1882657 for further analysis in case anyone wants to take a closer look at the attack code.

    pro99
    Participant

    @pro99

    We have the exact same issue, and we have the same fake admin user “amin” that we keep deleting along with all the files, scripts and iframes he keeps putting all over our site (and we’re on WP 2.9 with the latest plugins, we refreshed passwords, etc.). Our site has been hacked since Friday and every time we think we have cleaned it, the hacker comes back in and puts in more malware. WordPress team, please take a look; it’s our worst hack to date and, seeing the posts, it’s spreading to more sites.

    w8lifter2000
    Member

    @w8lifter2000

    Are you on Rackspace CloudSites as well Pro99?

    w8lifter2000
    Member

    @w8lifter2000

    davidjamesca, is it possible that the only thing done was install this ‘amin’ account? I am having a terrible time finding anything beyond that. Can you suggest any methods to utilize to look for the effects of this hack? I also noticed some accounts with wordpress@www but that was only on a few.

    pro99
    Participant

    @pro99

    @w8lifter2000 yes indeed, Rackspace. Now all our sites are infected… this is a tough one. I hired a security expert who is looking into them, and is finding code everywhere, in themes, uploads folder, root folder, in the database, nuts.

    Jeremy Dawes
    Participant

    @jezweb

    If there ends up being a definite solution to stopping this from happening I would be keen to know about it.

    w8lifter2000
    Member

    @w8lifter2000

    @pro99 what is the specific code you are finding? I’m just very concerned because I am having a heck of a time finding anything beyond that initial amin account.

    pro99
    Participant

    @pro99

    Best way for you to start is test your site at http://www.unmaskparasites.com/. See if it finds issues. If not, you may be lucky to only have “amin” in your control panel. If the site returns links or scripts that you don’t know about (even if they are not flagged as suspicious), then you probably have code here and there. It would be too long to cut & paste all the code here, and we’re heads down into cleaning the sites, but the test above should give you a starting point. I’ll be back tomorrow with more info.

    w8lifter2000
    Member

    @w8lifter2000

    @pro99 I have put about 10 sites in there so far with varying pages and all come back clean so far. I spent a good bit of time 5 days ago, when I initially reported to Rackspace, removing that account from tons of sites and putting additional measures in place. Rackspace needs to credit their clients in some kind of way if this is in fact due to the security bug in phpMyAdmin. We pay this amount of money for a reason.

    w8lifter2000
    Member

    @w8lifter2000

    @pro99 If in fact you can offer even a piece of code or a keyword that can be searched for in the database or the files themselves, then that would be greatly appreciated. Just to alleviate my fears. Thanks for all the help.

    Here is what we know at this point.

    1. user amin injected into a variety of wp databases – all seem to be on rackspace – me included – I have 5 blogs on rscs – all with different clients, different databases, etc. all infected with amin.

    2. all blogs got a script code added to the first post – same as user davidjamesca noted

    3. on all my blogs i had htpasswd set on wp-admin folder. they still got in

    4. w8lifter – search for jquery, <script and <h5

    5. if you are on rackspace, you should login and look at the customer forums – there is more discussion of this over there.
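The posts above describe three places the attacker left indicators: cloaked `base64_decode` code and a web shell in the PHP tree, a hidden script or iframe injected into the most recent post, and an administrator account ("amin") that nobody created. The script below is an added example, not code from this thread or from WordPress, that automates the manual searches suggested above (grep for `jquery`, `<script`, `<h5`, `base64_decode`). It runs against constructed sample files and rows embedded in the block; the paths, host names and user logins in that sample data are assumptions for illustration. In practice you would point `scan_tree()` at the web root and feed real `wp_posts` rows and a `wp_users`/`wp_usermeta` join to the other two functions.

```python
"""Indicator scan for the compromise described in this thread (added example).
Three checks: PHP files for cloaked code and shell markers, post content for injected
<script>/<iframe> tags, and the user table for administrators not on a known-good list."""
import os
import re
import tempfile

# eval()/assert()/preg_replace() wrapped around a decoder: the cloaking the posters saw.
CLOAKED_CODE = re.compile(
    r"(eval|assert|preg_replace)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
BASE64_CALL = re.compile(r"base64_decode\s*\(", re.I)   # worth a look even without eval()
# Strings common in C99/r57-style shells; the file name itself (e.g. l.php) is no indicator.
SHELL_MARKERS = re.compile(r"c99|r57|shell_exec\s*\(|passthru\s*\(|FilesMan", re.I)
# Hidden iframes and external script includes injected into HTML.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*[\"']?0)", re.I)
EXT_SCRIPT = re.compile(r"<script[^>]+src\s*=\s*[\"']?(https?:)?//([^/\"'\s]+)", re.I)
# Serialized wp_capabilities value that grants the administrator role.
ADMIN_CAP = re.compile(r's:13:"administrator";b:1')


def scan_php_file(path):
    """Return (indicator, line_number) pairs for one PHP file."""
    findings = []
    with open(path, errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            if CLOAKED_CODE.search(line):
                findings.append(("cloaked-eval", n))
            elif BASE64_CALL.search(line):
                findings.append(("base64_decode", n))
            if SHELL_MARKERS.search(line):
                findings.append(("shell-marker", n))
            if HIDDEN_IFRAME.search(line):
                findings.append(("hidden-iframe", n))
    return findings


def scan_tree(root):
    """Walk a WordPress install and map relative path -> findings for every flagged PHP file."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".inc", ".phtml")):
                path = os.path.join(dirpath, name)
                found = scan_php_file(path)
                if found:
                    hits[os.path.relpath(path, root)] = found
    return hits


def scan_posts(rows, allowed_hosts=()):
    """Flag external script includes (host not allow-listed) and hidden iframes in post bodies."""
    findings = []
    for row in rows:
        body = row["post_content"]
        for m in EXT_SCRIPT.finditer(body):
            host = m.group(2).lower()
            if host not in allowed_hosts:
                findings.append((row["ID"], "external-script", host))
        if HIDDEN_IFRAME.search(body):
            findings.append((row["ID"], "hidden-iframe", ""))
    return findings


def unexpected_admins(rows, known_admins):
    """Logins holding the administrator capability that are not in the known-good set."""
    return [r["user_login"] for r in rows
            if ADMIN_CAP.search(r["wp_capabilities"]) and r["user_login"] not in known_admins]


def build_sample_tree():
    """Constructed mini install: one clean theme file, one cloaked footer, one shell-like file.
    The payload text is inert sample content in the shape the posters described."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme = os.path.join(root, "wp-content", "themes", "sample")
    os.makedirs(theme)
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n<div class=\"content\"><?php the_content(); ?></div>\n")
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n<?php eval(base64_decode('aGVsbG8=')); ?>\n</body></html>\n")
    with open(os.path.join(root, "l.php"), "w") as fh:          # assumed name, as in the thread
        fh.write("<?php /* c99shell sample marker */\n// FilesMan\n")
    return root


# Constructed wp_posts rows and a constructed wp_users/wp_usermeta join (assumed logins).
SAMPLE_POSTS = [
    {"ID": 1, "post_content": "<p>Hello world</p>"},
    {"ID": 42, "post_content": "<p>Latest post</p>"
                               "<script src=\"http://evil.example/js/jquery.min.js\"></script>"},
    {"ID": 43, "post_content": "<p>ok</p><iframe src=\"http://evil.example/\" style=\"display:none\"></iframe>"},
]
SAMPLE_USERS = [
    {"user_login": "craig", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "editor1", "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"user_login": "amin", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    for path, found in scan_tree(build_sample_tree()).items():
        print(path, found)
    print(scan_posts(SAMPLE_POSTS, allowed_hosts={"ajax.googleapis.com"}))
    print(unexpected_admins(SAMPLE_USERS, known_admins={"craig"}))
```

Treat the file scan as a first pass rather than a verdict: legitimate plugins also call `base64_decode`, and the `_transient_feed_*` rows in `wp_options` that the `<script` search turns up are the dashboard's cached RSS feeds, so a hit there is not by itself a sign of compromise. The post and user checks are the higher-signal ones; pair them with a comparison of the PHP tree against a fresh copy of the same WordPress and theme versions, since the posters report payloads in uploads and the web root as well as in `footer.php`.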

    w8lifter2000
    Member

    @w8lifter2000

    The only places I am seeing those in the db is wp_options and they have entries like _transient_feed_d6cfc08a6692d799c9f341ff6f5734d5

    I just found ‘AMIN’ user with admin privileges in my WP as well. I also host with Rackspace Cloud. Luckily I can not find any code anywhere yet. So it’s possible I caught it early.

  • The topic ‘Have I been hacked? Username: “amin”’ is closed to new replies.