WordPress.org

Forums

suspicious user names in wp_users (6 posts)

  1. senixon
    Member
    Posted 6 years ago #

    I'm in the process of upgrading to the latest version and have been inspecting the SQL dump that was generated from the backup and after scanning something struck me as odd, I'd like some confirmation from the community as to it's existence and origin. The blog is currently hacked and infected and I want to be extra careful what data I'll be moving over.

    in wp_users I have an instance of a username 'WordPress' that is an administrator, reason I find it suspicious is it also exists in the "staging" version of the blog also the creation timestamps is all zeroes, and does not appear in the User Admin page... any thoughts?

    Also in the users table I keep seeing many users with random user names ie: 'KbhLNmKJCPVDyZAZ'... they appear to be subscribers, but this just looks like something a bot would use to register... does anyone else see these in their database

    Thanks in advance!

    Correction: I'm using version 2.1.3.

  2. whooami
    Member
    Posted 6 years ago #

    ... in wp_users I have an instance of a username 'WordPress' that is an administrator

    I'm using version 2.1.3.

    and your site has been exploited.

    Also in the users table I keep seeing many users with random user names ie: 'KbhLNmKJCPVDyZAZ'...

    those could be registration spammers or not.

    my first response above is the one thats more important.

  3. senixon
    Member
    Posted 6 years ago #

    thanks whooami, I was 99% certain this user wasn't suppose to be there, just thought it may have been some sort of system account or something.

    Anyhow the user is now gone, as well as all the random generated user names.

    Do you know if there is a some sort of database of reported attacks someplace. I'm afraid I may have missed something and it would be nice to check against known issues.

  4. whooami
    Member
    Posted 6 years ago #

    this has been reported, at least on these forums.

    The best advice I can give you is to is to change any and all passwords, including your mysql password.

    then, you need to systematically upgrade your site -- taking care to delete EVERYTHING inside wp-includes/ and wp-admin/ and wp-content/ that is NOT customized.

    the same goes for the root directory of your install (where wp-config.php is)

    Note that i said not customized. That means you dont delete your wp-config.php, or your theme, or your plugins.

    Afrer you have deleted those core unmodified files, you upload fresh ones and go through the upgrade process.

    The reason why you want to delete first is because exploits get hidden in directories, and the all too common practice of overwriting files, not only leaves stray wordpress files around, it doesnt do anything to clean out any files that were placed on the server as a result of a successful exploit. You do NOT want to leave a malicious script on the server to be accessed after youve upgraded.

    So, delete first, the upload new files. When I do paid work, like this, I go directory by directory..

  5. senixon
    Member
    Posted 6 years ago #

    Thanks again for your response, I understand various blogs reporting it, but there is no one place that has all the exploits?

    I guess I'm paranoid like you are and have already changed the passwords to DB and asking the owner of the blog to change all the passwords for all the admins and authors as well.

    I have just learned that there are hidden links peppered in the comments... this blog is not very big so I'll do and export and then a search for anything suspicious in a text editor, then import it back in.

    I already performed the upgrade and deleted all except the wp_content directory and the wp-config.php at the root. I'm going to go through the content directory and check everything in there. There seem to be to many plugin, I'll see about deleting those as well.

  6. whooami
    Member
    Posted 6 years ago #

    guess I'm paranoid like you ...

    its not paranoia that drives me :)

    I understand various blogs reporting it, but there is no one place that has all the exploits?

    Like a database of wordpress exploits? no, and thats a bad idea anyway.

    You can, of course, report this security@wordpress.org but given the version, you can expect any response to be "we already know, thats why were one 2.6.3"

    exploits for 2.1.3 are actually on the WWW for anyone to use. see milw0rm.com and search for wordpress. Some of them only need a quick copy and paste.

Topic Closed

This topic has been closed to new replies.

About this Topic