Support » Plugin: NinjaFirewall (WP Edition) - Advanced Security » Possible false alarm (administrator accounts modified)

  • Hi,
    Just received a “weird” notification from NinjaFirewall claiming that one or more administrator accounts were modified in the database. After having a look at the email, it was pointing at my very own IP address, and no modifications were made on the two admins of the site. Both can log in with their own credentials; no emails or anything were changed.

    What I have done is that I logged in to the server for about two to five minutes before the alert email. Any ideas what could have caused it?

    Thanks.

Viewing 8 replies - 1 through 8 (of 8 total)
  • When this happened to me it was an indication of a Coinhive hack. I found:

    1. an xmr process that was mining on my webserver from the /tmp directory
    2. on one site – modified JS files in wp-includes which injected Coinhive harvesting code on pages – later clued into by ESET Web Security

    I found that the exploit was likely made possible by wp-config.old files which had somehow been duplicated and were visible on some sites, giving database access.

    I doubt this is a false warning.

    Wordfence and NinjaScanner did not find the infected JS files for some reason.

    It is weird that it’s your own address, but that could even be an infection from your personal computer or something. Hard to say; still, I’d recommend checking for vulnerabilities, changing DB passwords afterwards, and doing thorough scans and checks.

    Plugin Author nintechnet (@nintechnet)

    Hi,

    NinjaFirewall takes the data from all admin accounts (that’s the data that was displayed in the email notification), creates a hash and saves it. When you connected to your site, it did the same, compared both hashes and noticed they didn’t match. That does not mean you were hacked, but it’s odd.

    Your IP in the email message means it was you who triggered the alert, as we cannot know the IP that connected to the DB.

    Check the firewall log for suspicious activities. Make sure to have File Check and File Guard enabled too. Just in case.

    Thank you both for the quick replies!

    I surely will have a look at all the things you suggested and try to find the possible infection.

    What I find odd is that nothing really was changed in the database. Nothing visible at least, as all logins, nicenames, passwords and emails are as they were. That’s the reason I thought it would have been a false alarm, but as said, I’ll surely have a close look at possible vulnerabilities and exploits.

    I didn’t find specific database changes; I suspect the hacks returned everything to normal after making changes. Or perhaps I just didn’t find something in the database yet. Still looking…

    It’s worth saying that neither Wordfence’s nor NinjaFirewall/NinjaScanner’s scans or file checks found my hacked .js files – I found them based on a tip I found through Twitter, based on the URL revealed by my personal computer’s antivirus. Even when I identified the JS files, which are part of WP core, had the virus embedded in them and were the source of the Coinhive code on the web page, they were not identified by either scanning software, even though they were supposed to be comparing them to the WP database.
    Overwriting them with the originals removed the malicious Coinhive code from the site.

    Actually that may not be true – I just didn’t notice the changes.

    It appears this log is from the day after the changes were made. Notice the JS files.
    However, there’s also a bunch of others which don’t seem related, so… dunno about that… I don’t believe all of the files below had hack changes in them, but I know that a few of the JS files did.

    [!] /var/www/thelanding/wp-includes/widgets/class-wp-widget-media-image.php
    [!] /var/www/thelanding/wp-includes/widgets/class-wp-widget-text.php
    [!] /var/www/thelanding/wp-includes/class-wp-query.php
    [!] /var/www/thelanding/wp-includes/customize/class-wp-customize-nav-menu-control.php
    [!] /var/www/thelanding/wp-includes/capabilities.php
    [!] /var/www/thelanding/wp-includes/functions.php
    [!] /var/www/thelanding/wp-includes/default-filters.php
    [!] /var/www/thelanding/wp-includes/post.php
    [!] /var/www/thelanding/wp-includes/class-wp-customize-manager.php
    [!] /var/www/thelanding/wp-includes/script-loader.php
    [!] /var/www/thelanding/wp-includes/update.php
    [!] /var/www/thelanding/wp-includes/media-template.php
    [!] /var/www/thelanding/wp-includes/class-wp-customize-nav-menus.php
    [!] /var/www/thelanding/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
    [!] /var/www/thelanding/wp-includes/js/wp-emoji-release.min.js
    [!] /var/www/thelanding/wp-includes/js/codemirror/jshint.js
    [!] /var/www/thelanding/wp-includes/js/wp-emoji-loader.min.js
    [!] /var/www/thelanding/wp-includes/js/mediaelement/wp-mediaelement.min.js
    [!] /var/www/thelanding/wp-includes/js/mediaelement/wp-playlist.js
    [!] /var/www/thelanding/wp-includes/js/mediaelement/wp-playlist.min.js
    [!] /var/www/thelanding/wp-includes/js/mediaelement/wp-mediaelement.js
    [!] /var/www/thelanding/wp-includes/js/customize-selective-refresh.js
    [!] /var/www/thelanding/wp-includes/js/twemoji.min.js
    [!] /var/www/thelanding/wp-includes/js/customize-selective-refresh.min.js
    [!] /var/www/thelanding/wp-includes/js/twemoji.js
    [!] /var/www/thelanding/wp-includes/js/wp-emoji-loader.js
    [!] /var/www/thelanding/wp-includes/js/tinymce/tinymce.min.js
    [!] /var/www/thelanding/wp-includes/js/tinymce/wp-tinymce.js.gz
    [!] /var/www/thelanding/wp-includes/js/media-views.js
    [!] /var/www/thelanding/wp-includes/js/media-views.min.js
    [!] /var/www/thelanding/wp-includes/query.php
    [!] /var/www/thelanding/wp-includes/general-template.php
    [!] /var/www/thelanding/wp-includes/version.php
    [!] /var/www/thelanding/wp-includes/formatting.php
    [!] /var/www/thelanding/wp-includes/css/editor.min.css
    [!] /var/www/thelanding/wp-includes/css/editor.css
    [!] /var/www/thelanding/wp-includes/css/editor-rtl.css
    [!] /var/www/thelanding/wp-includes/css/editor-rtl.min.css
    [!] /var/www/thelanding/wp-includes/wp-db.php
    [!] /var/www/thelanding/wp-includes/ms-functions.php
    [!] /var/www/thelanding/wp-admin/customize.php
    [!] /var/www/thelanding/wp-admin/options.php
    [!] /var/www/thelanding/wp-admin/network/site-new.php
    [!] /var/www/thelanding/wp-admin/network/settings.php
    [!] /var/www/thelanding/wp-admin/options-general.php
    [!] /var/www/thelanding/wp-admin/js/editor.min.js
    [!] /var/www/thelanding/wp-admin/js/widgets.min.js
    [!] /var/www/thelanding/wp-admin/js/editor.js
    [!] /var/www/thelanding/wp-admin/js/updates.min.js
    [!] /var/www/thelanding/wp-admin/js/customize-controls.js
    [!] /var/www/thelanding/wp-admin/js/updates.js
    [!] /var/www/thelanding/wp-admin/js/customize-controls.min.js
    [!] /var/www/thelanding/wp-admin/js/widgets.js
    [!] /var/www/thelanding/wp-admin/includes/plugin-install.php
    [!] /var/www/thelanding/wp-admin/includes/update-core.php
    [!] /var/www/thelanding/wp-admin/about.php
    [!] /var/www/thelanding/wp-admin/css/widgets.min.css
    [!] /var/www/thelanding/wp-admin/css/widgets-rtl.min.css
    [!] /var/www/thelanding/wp-admin/css/widgets.css
    [!] /var/www/thelanding/wp-admin/css/widgets-rtl.css
    [!] /var/www/thelanding/readme.html
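    As an added example (not NinjaFirewall’s own code, and not posted by anyone in this thread), the following Python script shows the baseline-hash check the plugin author describes for admin accounts, and the same idea applied to a file tree, which is what a file-check report like the one above is built from. It goes slightly beyond the thread: besides saying that the hash no longer matches, it reports which admin-account field differed, which is what you need to triage an alert like the one in the first post. The admin rows, paths and file contents are constructed for the demo; SHA-256 and JSON canonicalization are my choices here, not the plugin’s.

```python
"""Baseline-hash integrity check for admin-account rows and core files.

Added example, not NinjaFirewall code. All rows, paths and file contents
below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a blob (assumed algorithm; any strong hash works)."""
    return hashlib.sha256(data).hexdigest()


def canonical_row(row: dict) -> bytes:
    # Stable serialization so column order alone can never cause a mismatch.
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def snapshot(items: dict) -> dict:
    """items: name -> bytes. Returns name -> digest, i.e. the stored baseline."""
    return {name: fingerprint(data) for name, data in items.items()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted 'added', 'removed' and 'modified' names."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(n for n in baseline.keys() & current.keys()
                      if baseline[n] != current[n])
    return {"added": added, "removed": removed, "modified": modified}


def changed_fields(old_row: dict, new_row: dict) -> list:
    """Columns that differ between two versions of one account row."""
    return sorted(k for k in set(old_row) | set(new_row)
                  if old_row.get(k) != new_row.get(k))


# Constructed sample: two administrator rows as a wp_users-style table might hold them.
ADMIN_ROWS_BASELINE = {
    "1": {"user_login": "alice", "user_email": "alice@example.invalid", "user_pass": "$P$Bsample1"},
    "2": {"user_login": "bob", "user_email": "bob@example.invalid", "user_pass": "$P$Bsample2"},
}
# Same rows later; only bob's e-mail has been altered (constructed change).
ADMIN_ROWS_NOW = {
    "1": {"user_login": "alice", "user_email": "alice@example.invalid", "user_pass": "$P$Bsample1"},
    "2": {"user_login": "bob", "user_email": "other@example.invalid", "user_pass": "$P$Bsample2"},
}


def check_admin_accounts(baseline_rows: dict, current_rows: dict):
    """Hash every admin row, compare with the baseline, and explain any mismatch."""
    base = snapshot({uid: canonical_row(r) for uid, r in baseline_rows.items()})
    now = snapshot({uid: canonical_row(r) for uid, r in current_rows.items()})
    diff = compare(base, now)
    details = {uid: changed_fields(baseline_rows[uid], current_rows[uid])
               for uid in diff["modified"]}
    return diff, details


def read_tree(root: str) -> dict:
    """Relative path -> file bytes for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root).replace(os.sep, "/")] = fh.read()
    return out


def demo_file_check() -> list:
    """Constructed mini wp-includes tree; returns report lines in '[!] path' form."""
    with tempfile.TemporaryDirectory() as root:
        js_dir = os.path.join(root, "wp-includes", "js")
        os.makedirs(js_dir)
        with open(os.path.join(js_dir, "twemoji.min.js"), "w") as fh:
            fh.write("/* original core file */")
        with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
            fh.write("<?php $wp_version = '0.0';")
        baseline = snapshot(read_tree(root))
        # Simulate the kind of change reported in the thread: content appended to a core JS file.
        with open(os.path.join(js_dir, "twemoji.min.js"), "a") as fh:
            fh.write("/* appended content */")
        diff = compare(baseline, snapshot(read_tree(root)))
    return ["[!] " + name for name in diff["modified"]]


if __name__ == "__main__":
    diff, details = check_admin_accounts(ADMIN_ROWS_BASELINE, ADMIN_ROWS_NOW)
    print("admin accounts:", diff, details)
    print("\n".join(demo_file_check()))
```

    Two points the script makes concrete: a mismatch only tells you the stored hash differs, so keeping the previous row (not just its digest) lets you name the field that changed instead of guessing; and a file check is only as good as its baseline, so the baseline must be taken from known-good files (a fresh WordPress download) rather than from a tree that may already be modified.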

    @supaiku
    Thank you for your effort on this.

    Now that there are only two log entries (suspicious bots/scanners) in the firewall log on that day before this case, and only my logins after it, I can’t leave the shared host’s vulnerability out of the picture, can I? Well, that kinda would be a relief, to be honest.

    Well, I’ll keep on searching and keep posting if I find a solution. Thanks again.

    That notice clued me into vulnerabilities I found otherwise – with no visible database changes.

    Since I host a number of sites on my own server, I looked into it pretty closely – if you’re hosted on a shared server and you’re not the admin – maybe don’t worry so much about it?

    But still, I’d double check your WP hardening (which should be done anyhow), and in my case I overwrote the hacked files by manually replacing WP via FTP – actually I can’t be exactly sure every single file or remnant is resolved, but between overwriting all those which had changed dates, changing all passwords, hardening, and ongoing monitoring, I feel pretty good.

  • The topic ‘Possible false alarm (administrator accounts modified)’ is closed to new replies.