How did spammer get usernames and emails

  • ericr23

    (@ericr23)


    Our editors just got emails (previously reported by others) that “Someone has requested a password reset for the following account: http://ourdomain.com/
    Username: “username”.”

    The return address was wordpress@plus.org.au, and there is an X-PHP-Script header: http://www.plus.org.au/news/wp-login.php for 88.99.89.225.

    So how did they get our email addresses and usernames? (And how might we prevent it in the future?)

    The posts on our domain do not include the authors, let alone their emails.

Viewing 15 replies - 16 through 30 (of 33 total)
  • ericr23

    (@ericr23)

    So the domain name is probably spoofed as well.

    So indeed there seems to be no purpose to them.

    By the way, the Wordfence plugin option “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API” appears to have stopped them. https://docs.wordfence.com/en/Wordfence_options#Prevent_discovery_of_usernames_through_.27.3F.2Fauthor.3DN.27_scans
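    One way to see whether those discovery routes are being probed is to look for them in the web server access log. The following is an added example, not code from this thread or from Wordfence; it scans Apache combined-format log lines for the three probe types the option above blocks (/?author=N scans, the oEmbed endpoint and the REST users endpoint) and tallies them per client IP. The log lines and the 203.0.113.7 / 198.51.100.4 addresses are constructed.

```php
<?php
// Added example (not from this thread or Wordfence): flag WordPress username-discovery
// probes in Apache combined-format access logs and count them per client IP.
/** Label one request target as an enumeration probe, or return null for ordinary traffic. */
function classify_enumeration_probe(string $target): ?string {
    $parts = parse_url($target);
    $path  = $parts['path'] ?? '/';
    parse_str($parts['query'] ?? '', $query);
    // /?author=N: WordPress answers with a 301 whose Location header reveals the author slug.
    if (is_string($query['author'] ?? null) && ctype_digit($query['author'])) {
        return 'author-id-scan';
    }
    // REST users listing, as a pretty route or via ?rest_route= on sites without permalinks.
    $rest_route = $query['rest_route'] ?? '';
    if (preg_match('#^/wp-json/wp/v2/users(?:/|$)#', $path)
        || (is_string($rest_route) && strpos($rest_route, '/wp/v2/users') === 0)) {
        return 'rest-users';
    }
    // oEmbed responses carry author_name and author_url for the embedded post.
    if (preg_match('#^/wp-json/oembed/1\.0/embed#', $path)) {
        return 'oembed';
    }
    return null;
}
/** Count probes per client IP: returns [ip => [label => count]], matching lines only. */
function count_enumeration_probes(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        // Combined log format: IP ident user [time] "METHOD TARGET PROTO" status bytes "ref" "ua"
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        $label = classify_enumeration_probe($m[2]);
        if ($label !== null) {
            $hits[$m[1]][$label] = ($hits[$m[1]][$label] ?? 0) + 1;
        }
    }
    return $hits;
}
// Constructed sample lines; both addresses are from documentation ranges, not real clients.
$sample_log = [
    '203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2017:13:55:38 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2017:13:56:01 +0000] "GET /news/some-post/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
];
foreach (count_enumeration_probes($sample_log) as $ip => $labels) {
    echo $ip, ': ', json_encode($labels), PHP_EOL;
}
```

    Only the one scanning address is reported; a single /?author=N hit from a real visitor is normal, so alert on bursts of consecutive IDs from one IP rather than on any single line.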

    Client is now getting the fraudulent password resets from ‘wordpress@mybiznetsite.com’

    I am getting the same thing.

    We’ve seen a few of these… anyone learn more? Are the sites already hacked by the time we see this?

    I’ve seen no sign of hacking or unauthorized access.

    Hi,

    Someone changed my site url to mybiznetsite.com and I also did not see any signs of unauthorized login. After I changed it back, it was changed again 1 day later. Strange thing is that only the site url was changed, nothing else.

    I disabled several plugins (including wordfence) and so far no change has occurred. Maybe some plugins had a security vulnerability (not yet fixed) which allowed this?

    I found someone who figured out what the ‘end game’ of this tactic is.

    https://www.bleepingcomputer.com/news/security/wordpress-zero-day-could-expose-password-reset-emails/

    “If the site admin has enabled an “out-of-office” auto-responder, if the auto-responder includes the original email, then the attacker obtains the password reset email with minimal effort.”

    Basically, they just keep sending those spam password reset emails with spoofed ‘reply-to’ and wait for an auto-response to return a password reset link. Pretty devious. The target sites are not yet hacked, but could be as soon as someone replies or turns on an autoresponder.

    So the issue is over a year old and is being used by malicious actors, and is still not fixed, great.

    Thanks for the link and info @todditron!


    Wow, pretty smart.

    I just installed this plugin and disabled the password reset via email for all our editors:
    https://wordpress.org/plugins/plainview-protect-passwords/

    Clever, simple exploit! As the bleepingcomputer article notes, however, autoreplies generally do not include the original email, so the hacker would still not have the reset link.

    Ah, I didn’t catch that autoresponders do not generally include the original email. Sounds like they are also looking for bounced messages too. Those would be much more rare, and I guess that is why the WP team isn’t as concerned with patching this quickly.

    For the record, I ended up going with a PHP script in functions.php to hardcode the reply-to email:

    // Force a fixed sender address on every email WordPress sends, whatever the request's Host header was
    add_filter( 'wp_mail_from', function( $from_email ) { return 'some_admin@email.com'; } );

    The ‘UseCanonicalName fix’ and ‘WP-SpamShield Plugin fix’ crashed this particular site, which has a huge amount of preexisting custom code and unique server configurations. I don’t think the PHP technique will stop the emails, but it should render them harmless.

    @todditron

    I’m sorry to hear that. When you say “crashed your site”, I’m guessing you mean that you either got a 500 Internal Server Error or a white screen? It’s likely you have a config issue or plugin conflict, as that definitely should not happen. We’ll be happy to help you fix that…Just contact our support team. Take care! 🙂

    – Steven

    @rsm-support ‘UseCanonicalName’ config crashed the site, the WP-SpamShield broke some of the Angular-powered AJAX forms (even with the general form protection disabled).
    From everything I read about the plugin, it seems like a good one and my issue should not reflect badly upon it. We just are working with monstrous Frankenstein-like abomination of a site that we inherited from another developer. My guess is the plugin would work great on any site that vaguely resembled a traditional WordPress site.

    The “vulnerability” that allows the sender to appear as a different domain has apparently been discussed (along with shortcoming of various patches) for a few years: https://core.trac.wordpress.org/ticket/25239

    @todditron,

    We just are working with monstrous Frankenstein-like abomination of a site that we inherited from another developer. My guess is the plugin would work great on any site that vaguely resembled a traditional WordPress site.

    LOL, priceless description. 🙂 I hear you. Definitely have worked on a few of those. No worries…let us know if you ever do need help.

    @ericr23:

    The bottom line in preventing the vulnerability, is to make sure that your site does not allow requests to your site with bad ‘Host’ headers (IP address, secondary domains, etc). If you can’t do it any other way, you can add the following 3 lines to your main site’s .htaccess file. (This is an old trick used for SEO, but it also takes care of this security issue, so it kills two birds with one stone.)

    First, decide what your site’s canonical hostname is, that is, whether you want people to access it via the www or non-www version.

    If your site’s canonical hostname is www.yourdomain.com, the code would look like this:

    
    # Send any request whose Host header is not exactly the canonical hostname to the canonical URL
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !=www.yourdomain.com
    RewriteRule ^/?(.*)$ https://www.yourdomain.com/$1 [R=301,L]
    

    Notes:

    • Place this code near the top of your .htaccess file, before the WordPress code block (the one starting with # BEGIN WordPress).
    • Replace www.yourdomain.com with your site’s preferred (canonical) domain (www vs. non-www).
    • If your site does not use https (SSL/TLS), then replace the “https” with “http”.
    • If your .htaccess already has RewriteEngine On, then you can skip that line, as it only needs to be included once, before the first RewriteCond/RewriteRule set. (Having it twice should not cause errors — it just isn’t necessary, so it’s more efficient to only include it once.)

    That’s all. It’s a pretty easy fix. The best way is to set the UseCanonicalName directive in your Apache config, but if you don’t have access to that (eg on shared hosts), or it isn’t working, this will work in a pinch.

    Hope that helps!

    – Steven
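    The same two measures (refuse requests with a bad Host header, and never let the From: address depend on the request) can be done inside WordPress when you cannot touch Apache or .htaccess. The following is an added example, not code from this thread, from WordPress core or from WP-SpamShield; it is a must-use plugin for wp-content/mu-plugins/ that combines the Host allowlist above with the wp_mail_from pin from @todditron’s post. The hostnames, the sender address and the site name are placeholders you replace with your own.

```php
<?php
// Added example (not from this thread or WordPress core): a must-use plugin that rejects
// requests with an unexpected Host header and pins the sender address of all outgoing mail.
// Hostnames this site legitimately answers to (placeholders; use your canonical names).
const CANONICAL_HOST_ALLOWLIST = ['www.yourdomain.com', 'yourdomain.com'];
/**
 * Normalise a raw Host header (case, trailing dot, :port) and check it against the allowlist.
 * Only an exact match passes, so IP literals and secondary domains are rejected.
 */
function is_allowed_host(string $raw_host, array $allowlist): bool {
    $host = strtolower(trim($raw_host));
    $host = preg_replace('/:\d+$/', '', $host);   // strip a :port suffix
    $host = rtrim($host, '.');                     // strip a trailing dot
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return false;                              // empty, bracketed IPv6, or junk characters
    }
    return in_array($host, $allowlist, true);
}
// 1. Refuse bad Host headers before WordPress builds any URL or email address from the request.
//    Skipped on the CLI (WP-CLI, cron runs), where there is no Host header at all.
if (PHP_SAPI !== 'cli' && !is_allowed_host($_SERVER['HTTP_HOST'] ?? '', CANONICAL_HOST_ALLOWLIST)) {
    http_response_code(400);
    header('Content-Type: text/plain');
    exit("Bad Request: unknown Host header\n");
}
// 2. Belt and braces: the sender of password-reset and other mail is a fixed address,
//    so a spoofed Host header can never end up in the From: line. Placeholders below.
add_filter('wp_mail_from', function (string $from_email): string {
    return 'admin@yourdomain.com';
});
add_filter('wp_mail_from_name', function (string $from_name): string {
    return 'Your Site Name';
});
```

    A quick check after installing it is to request the site with a Host header set to its bare IP address and confirm you get a 400 rather than a normal page; the mail filters can be confirmed by triggering a password reset for a test account and inspecting the From: header of the message.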

    So I clicked on the link and changed my PW per the spoof email. Am I in trouble?
