Unauthorized administrator-level users added by hacker

asaracena
(@asaracena)

9 years, 5 months ago

Yesterday all 9 of our WordPress sites had one or more unauthorized usernames added. We are using version 4.0 and the latest version of WordFence (which is how we knew about the successful login attempts). All of these sites are hosted on GoDaddy.

All newly added users either used no email or copied the email of the authorized user to register. This is supposed to be impossible in WordPress. Most of our sites do not use “admin” as a username and have WordFence options set to immediately block any user who uses an invalid name.

All of these sites were hacked by this address: 62-76-177-235.clodo.ru using these usernames: admin, administrator, root or some version of admin + a number.

On one of the sites malicious code was added to one of the WP core files (wp-includes/category.php) – luckily through WordFence I was alerted and reverted to the original file because today so far there have been 10 attempts to login to this site with the usernames the hacker added (and I deleted) yesterday.

How could this happen? I would like to know if this is a possible WordPress vulnerability or an issue with GoDaddy’s security.

Viewing 4 replies - 1 through 4 (of 4 total)

Matt Knowles
(@aestheticdesign)

9 years, 5 months ago

I haven’t used WordFence, but I highly recommend Rename wp-admin so that you can hide the location of the login screen.

I would take a look at the log files and search for that IP address. That will give you some clues to what they did. If you have FTP log files, check those two.

Are all of the 9 hacked sites on the same server at GoDaddy?

Thread Starter asaracena
(@asaracena)

9 years, 5 months ago

Thanks Matt for your response. I’ve been checking FTP and found a few more issues, mainly on sites we don’t manage any more.

I don’t know if all 9 sites were on the same GoDaddy server but in a WordFence post [https://wordpress.org/support/topic/6-sites-have-added-administrator-level-users-added?replies=3#post-6223976] someone else had the same 62-76-177-235.clodo.ru hacker install a rogue plugin on their site – plugin is called research_plugin_8hfT and had a backdoor script inside.

I’ll check out Rename wp-admin but I don’t think they initially went in through the login screen as they were able to add users without an email or an identical email to the real administrator user.

aimlink
(@aimlink)

8 years, 9 months ago

I have dozens of unauthorized users logged in almost daily. Ther email addresses are bogus. How do I stop them?

Andrew Nevins
(@anevins)

WCLDN 2018 Contributor | Volunteer support

8 years, 9 months ago

Can you create a new thread to discuss that https://wordpress.org/support/forum/how-to-and-troubleshooting#postform

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Unauthorized administrator-level users added by hacker’ is closed to new replies.

Unauthorized administrator-level users added by hacker

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics