Support » Fixing WordPress » unknown new user in database

  • ktosiex

    (@ktosiex)


    hello,

    help- a new user appeared in my wp page.

    it shows no creation date in database, no login date in wp-admin.

    was it created by some bot and noone logged in yet? or is it some error?

    wordfence shows no malware

    thank you very much in advance

Viewing 4 replies - 1 through 4 (of 4 total)
  • threadi

    (@threadi)

    Where exactly do you see the user? Can you see him in wp-admin under Users? Have you already tried to delete him? Have you installed all pending updates, both for wordpress and plugins and theme?

    Thread Starter ktosiex

    (@ktosiex)

    hello,

    could you please have a look if this is suspicious? sorry if not

    i understand first request was to get licence of a buggy plugin I uninstalled long ago? then got an ok from xmlrpc?

    81.161.229.112 – – [25/Jan/2023:00:38:09 +0000] “GET //wp-includes/ID3/license.txt HTTP/1.1” 200 1361 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
    81.161.229.112 – – [25/Jan/2023:00:38:09 +0000] “GET //feed/ HTTP/1.1” 301 – “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
    81.161.229.112 – – [25/Jan/2023:00:38:10 +0000] “GET //xmlrpc.php?rsd HTTP/1.1” 200 817 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
    81.161.229.112 – – [25/Jan/2023:00:38:11 +0000] “GET //?author=1 HTTP/1.1” 404 41510 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
    81.161.229.112 – – [25/Jan/2023:00:38:11 +0000] “GET //wp-json/wp/v2/users/ HTTP/1.1” 401 151 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
    81.161.229.112 – – [25/Jan/2023:00:38:12 +0000] “GET //wp-json/oembed/1.0/embed?url=https://REMOVED/ HTTP/1.1” 200 2691 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
    81.161.229.112 – – [25/Jan/2023:00:38:13 +0000] “POST //xmlrpc.php HTTP/1.1” 403 10123 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.46

    No, a HTTP status 403 is not an OK but a “Forbidden”. So everything is correct.

    Also correct is the request for the license of ID3, which is part of the WordPress core and has nothing to do with any plugin you use.

    Of course, the order of the requests is strange, but nothing of it has attacked or caused anything with you. Unfortunately, this is the normal madness on the Internet.

    And unfortunately you did not answer my questions, which is why one can hardly help you here.

    Thread Starter ktosiex

    (@ktosiex)

    Hello,

    thank you for the response and sorry for not answering.

    i noticed the user in wp interface, yet in the database it had no creation date but had admin privilages and what I think is curious email address from my domain, which does not exist. i deleted it obvously.

    BR

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.