Hi markf1,
If this new admin user was not created by you or any other admin user on your website, then I’m afraid I have to tell you that your website was hacked. What you did so far by deleting this user is a good thing, but I recommend following the steps mentioned in the “How to Clean a Hacked WordPress Site using Wordfence” article.
It’s possible that there was a vulnerable/outdated plugin or theme on your website that someone exploited and used to create this user, or that your FTP/Dashboard credentials were compromised, in which case I suggest securing your working environment.
Let me know if you have any further questions,
Thanks.
markf1 (@markf1), Thread Starter:
Hi and thanks for your reply. I was able to pretty conclusively determine that the site owner’s login credentials were hacked. It does not appear, after several different scans including a Wordfence scan, that any malicious code etc. was added. I caught it in time thanks to the Wordfence alert I got. I had done a full offline backup of the site a few days prior to this event (got lucky), so I have that to fall back on.
To recap, an unknown person logged in using the site owner’s credentials. That unknown person changed the site owner’s user email address, created a new admin user account and removed the Wordfence plugin. I got an email that a username I did not recognize had logged into the WordPress dashboard. I checked it out and was able to delete the new user, delete the hacked user, run several site scans, and re-install Wordfence.
@markf1 – there is a plugin named Delete All Comments that was compromised. It has since been removed from the WP repositories, but the mainwall.org domain is associated with the hack. If you still have that plugin installed you need to delete it or you will just get hit again.
@wfalaa – unless you guys manually added that plugin to your detection list, nothing in the code would trigger a WF alert. You might want to do so. There is another fake plugin that gets added, wp-spam-shield-pro, that posts data to mainwall.org, letting the hackers know they’ve infected another site.
-Michael
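The two indicators Michael names (the Delete All Comments plugin, the fake wp-spam-shield-pro plugin, and the mainwall.org domain both point at) can be checked for directly in wp-content/plugins while waiting for a scanner signature. The script below is an added example for this thread, not Wordfence code and not something Michael posted: it walks a plugins directory, reads each plugin's "Plugin Name:" header, and flags a plugin whose slug or header matches either name or whose PHP files mention mainwall.org. The header spelling "WP Spam Shield Pro" for the fake plugin is an assumption (the thread only gives the slug), and the sample plugin tree it builds is constructed for the demo, not real plugin code.

```python
"""Scan a WordPress plugins directory for the indicators named in this thread.

Added example, not Wordfence code. Indicators taken from the thread:
  - a plugin named "Delete All Comments"
  - a plugin directory or header matching "wp-spam-shield-pro"
  - any plugin file that references the domain mainwall.org
"""
import os
import re
import tempfile

SUSPECT_DOMAIN = "mainwall.org"
# Names called out in the thread, normalized (lowercase, punctuation stripped)
# so that both a directory slug and a "Plugin Name:" header match them.
# "wp spam shield pro" as a header spelling is an assumption.
SUSPECT_NAMES = {"delete all comments", "wp spam shield pro"}

REASON_NAME = "suspect plugin name"
REASON_DOMAIN = "references " + SUSPECT_DOMAIN

# WordPress plugin headers are "Plugin Name: <name>" inside a PHP comment block.
HEADER_RE = re.compile(r"^[\s*#/]*Plugin Name:\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE)
DOMAIN_RE = re.compile(re.escape(SUSPECT_DOMAIN), re.IGNORECASE)


def normalize(name):
    """'wp-spam-shield-pro' and 'WP Spam Shield Pro' both become 'wp spam shield pro'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.lower()).split())


def php_files(path):
    """All .php files under a plugin directory, or the file itself for a single-file plugin."""
    if os.path.isfile(path):
        return [path] if path.endswith(".php") else []
    return [os.path.join(root, f)
            for root, _, files in os.walk(path)
            for f in files if f.endswith(".php")]


def scan_plugins(plugins_dir):
    """Return sorted (plugin_entry, reason) pairs for every plugin that matches an indicator."""
    findings = set()
    for entry in os.listdir(plugins_dir):
        if normalize(entry) in SUSPECT_NAMES:
            findings.add((entry, REASON_NAME))
        for f in php_files(os.path.join(plugins_dir, entry)):
            with open(f, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            m = HEADER_RE.search(text)
            if m and normalize(m.group(1)) in SUSPECT_NAMES:
                findings.add((entry, REASON_NAME))
            if DOMAIN_RE.search(text):
                findings.add((entry, REASON_DOMAIN))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample wp-content/plugins tree for the demo (not real plugin code)."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet Anti-Spam\n*/\n",
        "hello.php": "<?php\n/*\n * Plugin Name: Hello Dolly\n */\n",
        "delete-all-comments/delete-all-comments.php":
            "<?php\n/*\nPlugin Name: Delete All Comments\n*/\n",
        "wp-spam-shield-pro/wp-spam-shield-pro.php":
            "<?php\n/*\nPlugin Name: WP Spam Shield Pro\n*/\n$report_url = 'http://mainwall.org/';\n",
    }
    for rel, body in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    # Point this at a real site's wp-content/plugins to check it instead.
    for plugin, reason in scan_plugins(build_sample_tree()):
        print(f"{plugin}: {reason}")
```

Run it against a real site as `scan_plugins("/var/www/html/wp-content/plugins")`; a hit on the domain indicator in a plugin you did not install is the stronger signal, since a slug can be renamed but the reporting endpoint has to stay in the code.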
markf1 (@markf1), Thread Starter:
Michael,
Thank you so much! The site in question did indeed have the Delete All Comments plugin installed. I have removed it.
Thanks again!
Hi Michael,
Thanks for your input. I want to confirm that our team has already added a specific rule to the firewall protecting against the “Delete All Comments” plugin vulnerability. Note that the community version of the firewall rules will include this rule after 30 days; check this link for more information.
Thanks.
@wfalaa I wasn’t actually referring to the firewall, I meant the scan. This infection is already in the wild and the plugin in question was compromised at the end of September, I believe, and I don’t think it was pulled from the repositories until a little over a week ago.
-Michael