Unknown admin account? Is my site hacked?

ekallu
(@ekallu)

5 years, 7 months ago
Hello! Possibly a stupid question…

Short while ago my Wordfence -plugin gave alarm about unknown admin-account, which by Wordfence, was created outside of WordPress. Account name was: “Administrator”, role: admin/superuser, email: “support@wordpress.org”.

Is this some new feature of WordPress, something created by plugins, or is my site hacked? Is this a faux account which pretends to be official WP support profile, so it would appear more reliable?

I deleted the account, but it keeps appearing back. Latest thing I did, is I changed the role of the account to susbcriber (I’m not sure is the name correct, I have finnish language localization). But I mean I changed the role to lowest level role. For now, it has remained like that.

I did run Wordfence scan and some on-line malware scans. None had found any malware or any other suspicious activity. Wordfence didn’t found file changes either.

I also looked uploads-folder, but I didn’t found anything suspicious. And I looked root folder and wp-admin folder, and didn’t see anything that I would straight away find suspicious.

Unknown admin-account is only weird thing. Site is working normally. And I can log in and operate all administrative tasks normally.

Anyone know what this is about.

Thanks.

Kalle

edit: typo.
- This topic was modified 5 years, 7 months ago by ekallu.

Viewing 9 replies - 1 through 9 (of 9 total)

Wurpe Hosting
(@wurpe)

5 years, 7 months ago

Hi, just to confirm, your WordPress username is *not* Administrator, correct?

WordPress or anyone from WordPress.org will never create an account on your WordPress site. Please follow standard procedure for securing your site from a hack which includes changing the password (use a strong and unique password for each account) for your hosting account, database, WordPress, FTP and anything else that may be used to access your site. Make sure to delete the unknown administrator account.

Andrew Nevins
(@anevins)

WCLDN 2018 Contributor | Volunteer support

5 years, 7 months ago

Side note, @quttera, lose the signature (the bit where you say ‘best regards, your name, your company & team’)
Wurpe Hosting
(@wurpe)

5 years, 7 months ago
Hi again, a member from Wordfence was so kind as to provide us (wordpress.org forum volunteers) with an update regarding this type of hack. This type of hack is still being investigated as to what is the cause of it. Make sure if you have Jetpack integrated to change your wordpress.com password. Also, if you’re using the Ultimate Member plugin make sure you have the latest version installed (and probably best to update all other plugins).
- This reply was modified 5 years, 7 months ago by Wurpe Hosting. Reason: Clarification
Moderator Steven Stern (sterndata)
(@sterndata)

Volunteer Forum Moderator

5 years, 7 months ago

That’s a hypothesis, not a fact. Are you using Jetpack’s centralized management feature?

Thread Starter ekallu
(@ekallu)

5 years, 7 months ago

Thank you all for the information.

“Hi, just to confirm, your WordPress username is *not* Administrator, correct?”

No, “administrator” is the faux one.

I don’t have Jetpack or Ultimate Member plugin. Also, all plugins have latest versions installed.

Thread Starter ekallu
(@ekallu)

5 years, 7 months ago

I have WP Security Audit Log -plugin, but log didn’t show any suspicious changes.

Wordfence is showing warning on a plugin file: wp-content/plugins/wp-security-audit-log/readme.txt. Comparison shows that some lines are changed, but I don’t know if it’s relevant. I don’t see any code in that file. It seems to be plain textfile.

Sucuri Sitecheck (free scan) didn’t find anything.

Quttera.com scan results is clean.
Thread Starter ekallu
(@ekallu)

5 years, 7 months ago
Cloacked Link Checker alarms on “Checking for cloaking”. Other tests doesn’t alarm. Cloack test gives: “There is a difference of 532 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that’s trying to hide from browsers but make Google think there’s something else on the page.”

Output is: [ Completely deleted ]
- This reply was modified 5 years, 7 months ago by ekallu.
- This reply was modified 5 years, 7 months ago by Jan Dembowski. Reason: Removed malware code
Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

5 years, 7 months ago

@ekallu Do not post that code here again. It adds zero value and is not for these forums.

Your site was hacked and you need to delouse it starting with these instructions above.

https://wordpress.org/support/topic/unknown-admin-account-is-my-site-hacked/?view=all#post-10649184

Which basically is this.

Please remain calm and give this a good read.

https://codex.wordpress.org/FAQ_My_site_was_hacked

When you have successfully deloused your site then consider giving this a read too.

https://codex.wordpress.org/Hardening_WordPress

Thread Starter ekallu
(@ekallu)

5 years, 7 months ago

Thank you for the information.

Those instructions advice search wp-content with grep -command via SSH, and investigate modified files with find -command. Are those actions necessary, or is it enough to run complete scan with Wordfence? Wordfence will scan file changes. Is there a difference between what WF scan does, and what these command line commands do?

Problem with grep output is, that I don’t understand it enough to tell what is relevant and what is not.