How did spammer get usernames and emails
-
Our editors just got emails (previously reported by others) that “Someone has requested a password reset for the following account: http://ourdomain.com/ Username: “username”.” The return address was wordpress@plus.org.au, and there is an X-PHP-Script header: http://www.plus.org.au/news/wp-login.php for 88.99.89.225.
So how did they get our email addresses and usernames? (And how might we prevent it in the future?)
The posts on our domain do not include the authors, let alone their emails.
-
So the domain name is probably spoofed as well.
So indeed there seems to be no purpose to them.
By the way, the Wordfence plugin option “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API” appears to have stopped them. https://docs.wordfence.com/en/Wordfence_options#Prevent_discovery_of_usernames_through_.27.3F.2Fauthor.3DN.27_scans
Client is now getting the fraudulent password resets from ‘wordpress@mybiznetsite.com’
I am getting the same thing.
We’ve seen a few of these… anyone learn more? Are the sites already hacked by the time we see this?
I’ve seen no sign of hacking or unauthorized access.
Hi,
Someone changed my site url to mybiznetsite.com and I also did not see any signs of unauthorized login. After I changed it back it was changed 1 day later again. Strange thing is that only the site url was changed nothing else.
I disabled several plugins (including wordfence) and so far no change has occurred. Maybe some plugins had a security vulnerability (not yet fixed) which allowed this?
So the issue is over a year old and is being used by malicious actors, and is still not fixed, great.
Thanks for the link and info @todditron!
Wow, pretty smart.
I just installed this plugin and disabled the password reset via email for all our editors: https://wordpress.org/plugins/plainview-protect-passwords/
Clever, simple exploit! As the bleepingcomputer article notes, however, autoreplies generally do not include the original email, so the hacker would still not have the reset link.
Ah, I didn’t catch that autoresponders do not generally include the original email. Sounds like they are also looking for bounced messages too. Those would be much more rare, and I guess that is why the WP team isn’t as concerned with patching this quickly.
For the record, I ended up going with a PHP script in functions.php to hardcode the reply-to email:
// functions.php: force a fixed From: address instead of the default one WordPress builds from the request's host name
add_filter( 'wp_mail_from', function( $from_email ) { return 'some_admin@email.com'; } );
The ‘UseCanonicalName fix’ and ‘WP-SpamShield Plugin fix’ crashed this particular site, which has a huge amount of preexisting custom code and unique server configurations. I don’t think the PHP technique will stop the emails, but it should render them harmless.
I’m sorry to hear that. When you say “crashed your site”, I’m guessing you mean that you either got a 500 Internal Server Error or a white screen? It’s likely you have a config issue or plugin conflict, as that definitely should not happen. We’ll be happy to help you fix that…Just contact our support team. Take care! 🙂
– Steven
@rsm-support ‘UseCanonicalName’ config crashed the site, the WP-SpamShield broke some of the Angular-powered AJAX forms (even with the general form protection disabled).
From everything I read about the plugin, it seems like a good one and my issue should not reflect badly upon it. We just are working with a monstrous Frankenstein-like abomination of a site that we inherited from another developer. My guess is the plugin would work great on any site that vaguely resembled a traditional WordPress site.
The “vulnerability” that allows the sender to appear as a different domain has apparently been discussed (along with the shortcomings of various patches) for a few years: https://core.trac.wordpress.org/ticket/25239
LOL, priceless description. 🙂 I hear you. Definitely have worked on a few of those. No worries…let us know if you ever do need help.
The bottom line in preventing the vulnerability is to make sure that your site does not allow requests to your site with bad ‘Host’ headers (IP address, secondary domains, etc). If you can’t do it any other way, you can add the following 3 lines to your main site’s .htaccess file. (This is an old trick used for SEO, but it also takes care of this security issue, so it kills two birds with one stone.)
First, decide what your site’s canonical hostname is, that is, whether you want people to access it via the www or non-www version. If your site’s canonical hostname is www.yourdomain.com, the code would look like this:

RewriteEngine On
RewriteCond %{HTTP_HOST} !=www.yourdomain.com
RewriteRule ^/?(.*)$ https://www.yourdomain.com/$1 [R=301,L]

Notes:
- Place this code near the top of your .htaccess file, before the # BEGIN WordPress code block starts.
- Replace www.yourdomain.com with your site’s preferred (canonical) domain (www vs. non-www).
- If your site does not use https (SSL/TLS), then replace the “https” with “http”.
- If your .htaccess already has RewriteEngine On, then you can skip that line, as it only needs to be included once, before the first RewriteCond/RewriteRule set. (Having it twice should not cause errors — it just isn’t necessary, so it’s more efficient to only include it once.)
That’s all. It’s a pretty easy fix. The best way is to set the UseCanonicalName directive in your Apache config, but if you don’t have access to that (eg on shared hosts), or it isn’t working, this will work in a pinch. Hope that helps!
– Steven
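An added example, not code from the thread or from WordPress/Apache, that models in Python why the reset mails carry a sender from someone else's domain and how the two fixes discussed above (the wp_mail_from filter and the canonical-host rewrite) stop it; the Request class, the function names and the placeholder sender address are assumptions.

```python
"""Added example, not code from the thread: models the mechanism behind the
spoofed reset mails and the two fixes discussed in it.  Names and the
placeholder address are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    host: str   # HTTP Host header exactly as the client sent it
    path: str   # request URI, e.g. "/wp-login.php?action=lostpassword"


def default_from_address(server_name: str) -> str:
    """WordPress's default wp_mail() sender: 'wordpress@' + SERVER_NAME with a
    leading 'www.' removed.  With Apache's UseCanonicalName Off (the default),
    SERVER_NAME is whatever Host header the client sent, so an attacker-chosen
    Host becomes the From: address of the password-reset mail."""
    sitename = server_name.lower().split(":")[0]   # drop any :port suffix
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return f"wordpress@{sitename}"


def hardcoded_from_address(_server_name: str) -> str:
    """Equivalent of the wp_mail_from filter posted earlier in the thread:
    the sender no longer depends on the request (placeholder address)."""
    return "some_admin@example.com"


def canonical_host_rewrite(req: Request, canonical: str, scheme: str = "https"):
    """Mirror of the three .htaccess lines: a request whose Host is not exactly
    the canonical hostname is answered with a 301 to the same path on the
    canonical host and never reaches wp-login.php.  Returns (status, location)."""
    if req.host == canonical:                 # RewriteCond %{HTTP_HOST} !=canonical
        return 200, None
    return 301, f"{scheme}://{canonical}/{req.path.lstrip('/')}"   # RewriteRule


def reset_mail_sender(req: Request, canonical: str, rewrite_enabled: bool,
                      from_filter=None):
    """Sender address a lostpassword request would produce, or None when the
    canonical-host rewrite stops the request before WordPress handles it."""
    if rewrite_enabled and canonical_host_rewrite(req, canonical)[0] == 301:
        return None
    return (from_filter or default_from_address)(req.host)


if __name__ == "__main__":
    spoofed = Request("plus.org.au", "/wp-login.php?action=lostpassword")  # Host seen in the thread
    print(reset_mail_sender(spoofed, "www.yourdomain.com", False))        # wordpress@plus.org.au
    print(reset_mail_sender(spoofed, "www.yourdomain.com", True))         # None
```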
So I clicked on the link and changed my PW per the spoof email. Am I in trouble?
Based on my understanding, you should be fine. It should be a valid password reset link in these emails.
You only get in trouble if you happen to reply to the email, thereby delivering the password reset link to the hackers themselves.