Have I been hacked? Username: “amin”

  • I’ve had a username “amin” with the name “…” show up as an administrative user mysteriously on a personal WordPress blog of mine. I was suspicious, deleted the user, and did a quick Google search to see if I could find anything about a security breach. I didn’t find anything, so I just shrugged off the concern.

    Today I discovered the same “amin” user on a much bigger WordPress site I had built for a client; again with administrative privileges. Woah! Not cool.

    These usernames were not added by us, nor would administrative privileges have been given in either case. I’m running the most current version of WordPress, 2.9.2, on both blogs, and I’m a little nervous about the very real possibility that these blogs are being hacked.

    Has anyone else noticed anything similar? Or share my concern?

Viewing 15 replies - 16 through 30 (of 63 total)
  • w8lifter, to answer your question, when I was looking at a Rackspace account that had been compromised, I spotted a few hacks beyond the creation of the amin user account:
    1. The attacker installed malware into both the WordPress database and the WordPress source code. This allowed the attacker to distribute malware to site visitors. Some of these attacks were trickily hidden.
    2. The attacker created a C99 shell server. This helps the attacker launch further attacks on affected sites. (In this case, the server was named “l.php”, but note that they can name this file anything they want.)

    Do you know the specific location in both the database and the file tree for these hacks?

    Hi w8lifter2000,

    In this specific case, the attacker modified footer.php inside the WordPress themes directory to add a hidden iframe. The attack was cloaked using base64_decode and only showed up in the HTML the first time a visitor was on the site.

    The attacker also added a C99 shell to the website, also cloaked using base64_decode. The C99 shell was added both to the root directory of the website and to the WordPress directory.

    In the database, the attacker edited the most recent post on the website to add a hidden script include. It referenced http://zlu.emapis.org/js/jquery.min.js, which interestingly returns different content depending on the number of times you have loaded the page. The first time you load the javascript from a particular IP address, it returns the suspected malware script content; after the first load, it then returns an innocuous script. I saved the suspected malware version of the script at http://pastebin.ca/1882657 for further analysis in case anyone wants to take a closer look at the attack code.

    We have the exact same issue, and we have the same fake admin user “amin” that we keep deleting, along with all the files, scripts and iframes he keeps putting all over our site (and we’re on WP 2.9 with the latest plugins, we refreshed passwords, etc.). Our site has been hacked since Friday, and every time we think we have cleaned it, the hacker comes back in and puts more malware. WordPress team, please take a look; it’s our worst hack to date, and seeing the posts, it’s spreading to more sites.

    Are you on Rackspace CloudSites as well Pro99?

    davidjamesca, is it possible that the only thing done was install this ‘amin’ account? I am having a terrible time finding anything beyond that. Can you suggest any methods to utilize to look for the effects of this hack? I also noticed some accounts with wordpress@www but that was only on a few.

    @w8lifter2000 yes indeed, Rackspace. Now all our sites are infected… this is a tough one. I hired a security expert who is looking into them, and is finding code everywhere, in themes, uploads folder, root folder, in the database, nuts.

    If there ends up being a definite solution to stopping this from happening, I would be keen to know about it.

    @pro99 what is the specific code you are finding? I’m just very concerned because I am having a heck of a time finding anything beyond that initial amin account.

    Best way for you to start is test your site at http://www.unmaskparasites.com/. See if it finds issues. If not, you may be lucky to only have “amin” in your control panel. If the site returns links or scripts that you don’t know about (even if they are not flagged as suspicious), then you probably have code here and there. It would be too long to cut & paste all the code here, and we’re heads down into cleaning the sites, but the test above should give you a starting point. I’ll be back tomorrow with more info.

    @pro99 I have put about 10 sites in there so far with varying pages, and all come back clean so far. I spent a good bit of time 5 days ago, when I initially reported to Rackspace, removing that account from tons of sites and putting additional measures in place. Rackspace needs to credit their clients in some kind of way if this is in fact due to the security bug in phpMyAdmin. We pay this amount of money for a reason.

    @pro99 If in fact you can offer even a piece of code or a keyword that can be searched for in the database or the files themselves, then that would be greatly appreciated. Just to alleviate my fears. Thanks for all the help.

    Here is what we know at this point.

    1. User amin injected into a variety of WP databases – all seem to be on Rackspace – me included – I have 5 blogs on RSCS – all with different clients, different databases, etc., all infected with amin.

    2. All blogs got a script code added to the first post – same as user davidjamesca noted.

    3. On all my blogs I had htpasswd set on the wp-admin folder. They still got in.

    4. w8lifter – search for jquery, <script and <h5

    5. If you are on Rackspace, you should log in and look at the customer forums – there is more discussion of this over there.

    The only place I am seeing those in the DB is wp_options, and they have entries like _transient_feed_d6cfc08a6692d799c9f341ff6f5734d5
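    Two posts above give concrete things to look for: davidjamesca’s description of a base64_decode-cloaked footer.php, a cloaked shell file and a script include injected into the latest post, and the later checklist (search for jquery, <script and <h5, with matches turning up in _transient_feed_ rows). The script below is an added example written for this thread, not code from the thread or from WordPress; it builds a throwaway copy of a tampered install in a temp directory (constructed sample files, with a harmless placeholder in place of any real payload) and scans it, then scans constructed rows shaped like wp_posts, wp_options and the wp_users/wp_usermeta join for the same indicators. The `_transient_feed_<md5>` rows are WordPress’s cached dashboard RSS feeds and routinely contain script and jquery strings, so the scanner reports them separately instead of lumping them in with real hits. Regex names, sample rows and the `.example` hostnames are all assumptions made for the example.

```python
import base64
import os
import re
import tempfile

# Indicators described in the thread: base64_decode-cloaked PHP (the theme footer and the
# "l.php" shell), hidden iframes, and script/jquery includes injected into content.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*['\"]?[01]\b)",
    re.I)
PHP_PATTERNS = {  # names are assumptions made for this example
    "eval-of-base64": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I),
    "long-base64-blob": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{100,}['\"]", re.I),
    "hidden-iframe": HIDDEN_IFRAME,
}
CONTENT_PATTERNS = {
    "script-tag": re.compile(r"<script\b", re.I),
    "hidden-iframe": HIDDEN_IFRAME,
    "h5-tag": re.compile(r"<h5\b", re.I),  # the wrapper tag the checklist says to grep for
    "remote-jquery": re.compile(r"https?://[^\s'\"]+/jquery(?:\.min)?\.js", re.I),
}


def scan_php_tree(root):
    """Walk an install and report (relative path, line number, indicator) for every PHP hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, rx in PHP_PATTERNS.items():
                        if rx.search(line):
                            findings.append((os.path.relpath(path, root), lineno, label))
    return sorted(findings)


def scan_posts(posts):
    """posts: dicts with ID and post_content, as `SELECT ID, post_content FROM wp_posts` returns them."""
    return [(p["ID"], label) for p in posts
            for label, rx in CONTENT_PATTERNS.items() if rx.search(p["post_content"])]


def scan_options(options):
    """options: dicts with option_name and option_value. Returns (suspicious, cached_feeds);
    _transient_feed_<md5> rows are the dashboard's cached RSS feeds, so they get their own list."""
    suspicious, cached_feeds = [], []
    for opt in options:
        labels = tuple(l for l, rx in CONTENT_PATTERNS.items() if rx.search(opt["option_value"]))
        if labels:
            bucket = cached_feeds if opt["option_name"].startswith("_transient_feed_") else suspicious
            bucket.append((opt["option_name"], labels))
    return suspicious, cached_feeds


def unexpected_admins(users, expected_logins):
    """users: dicts joining wp_users.user_login with the serialized wp_capabilities meta value.
    Returns administrator logins missing from the allow-list (here that is how "amin" surfaces)."""
    is_admin = re.compile(r's:13:"administrator";b:1')
    return sorted(u["user_login"] for u in users
                  if is_admin.search(u["wp_capabilities"]) and u["user_login"] not in expected_logins)


def build_sample_site():
    """Construct a throwaway install: a clean index.php, a tampered footer.php and a cloaked l.php.
    The base64 content is a harmless placeholder, not a real payload."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    blob = base64.b64encode(b"<!-- constructed placeholder, not a real payload -->" * 3).decode()
    files = {
        "index.php": "<?php require './wp-blog-header.php';\n",
        "wp-content/themes/default/footer.php":
            "<?php wp_footer(); ?>\n<?php eval(base64_decode('" + blob + "')); ?>\n</body></html>\n",
        "l.php": "<?php $c = base64_decode('" + blob + "'); ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


# Constructed rows shaped like the relevant tables (hostnames are placeholders).
SAMPLE_POSTS = [
    {"ID": 1, "post_content": "<p>Hello world!</p>"},
    {"ID": 42, "post_content": "<p>Latest post</p><script src=\"http://malicious.example/js/jquery.min.js\"></script>"},
]
SAMPLE_OPTIONS = [
    {"option_name": "siteurl", "option_value": "http://blog.example"},
    {"option_name": "_transient_feed_d6cfc08a6692d799c9f341ff6f5734d5",
     "option_value": "<description><![CDATA[<script src='http://widget.example/jquery.min.js'></script>]]></description>"},
    {"option_name": "widget_text",
     "option_value": "<h5></h5><iframe src=\"http://malicious.example/\" width=\"1\" height=\"1\"></iframe>"},
]
SAMPLE_USERS = [
    {"user_login": "siteowner", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "amin", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "editor1", "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
]

if __name__ == "__main__":
    print("php files:", scan_php_tree(build_sample_site()))
    print("posts:", scan_posts(SAMPLE_POSTS))
    print("options (suspicious, cached feeds):", scan_options(SAMPLE_OPTIONS))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"siteowner"}))
```

    On a real install, point `scan_php_tree` at the web root and feed the row functions the output of the corresponding SELECTs; a hit in wp_posts or a non-transient option is worth a manual look, while hits only in `_transient_feed_` rows are usually just the cached feeds and can be confirmed by checking whether the matched text belongs to the feed itself.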

    I just found ‘AMIN’ user with admin privileges in my WP as well. I also host with Rackspace Cloud. Luckily I can not find any code anywhere yet. So it’s possible I caught it early.
