Support » Plugin: Wordfence Security - Firewall & Malware Scan » WordPress admin username changed to html404

  • Resolved Bodhi

    (@bodhirayo)


    Posting this as a public service alert to the Wordfence community. For the general community I have started a similar thread in the ‘Everything else WordPress’ forum here: wordpress-admin-username-changed-to-html404.

    My client’s admin account was hacked this morning, admin user account name was replaced with ‘html404’

    Iā€™m still in the process of conducting a forensic analysis on the website access logs. Will post findings on the community thread (see above link).

    Website is running a selfhosted version of WordPress, 4.9.2. Running Wordfence version 6.3.22.

    I immediately:
    – logged in and confirmed user html404 appeared in user list.
    – opened the html404 user profile in the profile editor
    – logged user out of all sessions
    – changed the user email and password
    – created another admin profile to replace the hacked profile
    – deleted the hacked profile, attributing all its content to the new
    admin profile

    Thanks and blessings to the Wordfence team for their awesome plugin which alerted me to this issue. You folks rock!!! šŸ’ššŸ˜Š

Viewing 15 replies - 1 through 15 (of 18 total)
  • I should mention that I enabled WF options to ‘scan images, binary, and other files as if they were executable’ and ‘Enable HIGH SENSITIVITY’ and performed scan, results: negative.

    I should also mention this was my first hacked site.

    Following the sage advice provided my @jdembowski (thanks Jan!) I reviewed the excellent WP article here FAQ_My_site_was_hacked and took the recommended preliminary steps to minimize any remaining threats until I log a request with the folks at Wordfence (tomorrow AM when their office opens) to have them perform a comprehensive security review and if necessary, final clean-up.

    Also adding topic tag ‘hacked’ to this thread to make it more visible to the rest of the WordPress community.

    On your site, it appears that you are running a significantly outdated version of WordPress (v2.9.2), so it is very likely you were compromised because of old security vulnerabilities long since fixed in the latest versions.

    Before anything else, you seriously need to upgrade WordPress on your site.

    Dear @bluebearmedia – just curious mate, how did you arrive at the conclusion that the site is running WP 2.9.2? Kind regards, B. šŸ’ššŸ˜Š

    Update – access log shows attacker html404 used their admin user privileges to log in January 18 2018 at 06:01:38 AM, which triggered the alert email from Wordfence. It took them about 2 minutes to install a rogue plugin and invoke its code here: wp-content/plugins/html404/wso25.php, which appears to have included instructions to delete itself after executing (it was gone by the time I looked). I performed a normal WF scan of the website which showed no infection. I then enabled the ‘scan images, binary, and other files as if they were executable’ and ‘Enable HIGH SENSITIVITY scanning’ options in WF and performed another scan. Again same results – no infection present. It appears the attacker had overwritten the existing username using SQL injection some time before the Jan 18 attack. I finally resolved to log a Site Cleaning request and did so yesterday with the support team at Defiant. Chloe at Defiant was very helpful fielding my questions and concerns (Thanks Chloe, you rock!). Looks like one of their analysts has since performed a triage on the website. I’m waiting to hear back about the results from the triage and cleanup effort, and plan to post them on this thread. And I’m looking forward to having a free year of Wordfence Pro to play with on this website. šŸ™‚

    I ran a web site scan (can’t remember which – either security or WordPress) on the site listed in your profile and it indicated the outdated WP version.

    Bodhi

    (@bodhirayo)

    @bluebearmedia – thanks for the heads-up! I just updated the website address in my profile. That old address no longer exists. Regarding the scan, that’s weird. I do have a wordpress blog installed there but it’s running 4.9.2. In any case, the affected site belongs to a client and is at a different location altogether. šŸ™‚

    Bodhi

    (@bodhirayo)

    I am happy to report that the Wordfence security analyst found no evidence of malware on the website. I remain extremely grateful for the Wordfence plugin which alerted me to the security breach, allowing me to quickly remove the offending user profile before further intrusion could occur. šŸ™‚

    Thanks @bodhi for your nice words, we are glad to know that Wordfence helped in cleaning your site, I suggest reading these tips about “Enhancing your WordPress security with Wordfence“.

    Thanks.

    I just had the same problem happen. I noticed that one of my login/upload plugins, WPLR Sync wasn’t working. When I went to login to the site, I couldn’t using my username but was able to using my email address. Once I was in there, I saw that my username had been changed to html404. I did a site backup, then went in and changed the username back in phpmyadmin and found the rogue plugin as well. The Wordfence plugin was also deactivated, I don’t think I did this either.

    Once my login was restored, I changed my password, I am also changing it for my hosting company and I reactivated wordfence.

    Bodhi

    (@bodhirayo)

    @jtrue thanks for chiming in! šŸ™‚ Interesting. Attack seems to be evolving. This thread has a high profile on Google. Perhaps our attacker is eavesdropping here? In any case, to better protect my website clients, I’d like to know more. If you are willing, I’d like to contact you privately. What’s the best way to do this? Your photography website? Facebook?

    Bodhi

    (@bodhirayo)

    @jtrue PS.just PM’d you on FB šŸ™‚

    My site has been hacked as well, but its looks like the bot didnt finish it’s job, as I could still find the 404html plugin installed. I made a copy before deleting it.
    I’ve read the files briefly and I could find that it takes all the info from your sever, files such as sileLock settings, or cPanel settings, and of course wp-admin, among others.
    It has a file to run dos shell commands and the possibility to ‘mass deface’ or ‘mass delete’ all the site.
    But as I could see, the main target is to modify the akismet plugin to create a backdoor to be able to inject adds to the site. They can make profit with a working site with their adds.
    I’m still reading the files, it probably does a lot more than this.

    I want to point out as well that my site didn’t have Wordfence Security plugin installed when it was hacked.

    UGH! Just had an old, rarely used site experience this same hack. NOTE: when I say old I mean an old site, but WordPress and plugins are updated and maintained on a regular basis.

    Noticed that the site was compromised when an email from Wordfence indicated that a new user ‘404html’ had a week password. Since this site had only one user and this wasn’t it, I knew something was up. Had to update the password via the ‘user’ table to this new rogue account, logged into WP, created a new admin, then deleted the rogue account and changed all other passwords and keys related to the site.

    Also found that the ‘plugin’ directory had a new ‘404html’ folder in it, which antivirus software confirmed had some bad stuff in it. Zipped up the folder for future analysis and then deleted it.

    Only other REALLY odd thing I noticed on the site is that the EVERYTHING in the Wordfence folder had a NEW timestamp on it that was really close (as in same date and almost same time) as the ‘404html’ login and directory were setup…? Also close to a timestamp found in a WP table.

    All other sites I have and manage have a ‘Last Modified Date’ of Feb 14 for all Wordfence files/folders, which I’m guessing is when it last Auto-Updated to version 7.0.5 — I’m finding it VERY ODD that this one site had the Wordfence files timestamp modified so close to the rogue user that was setup???

    Anyway, cleared everything to the best of my knowledge, ran scans, all looks good, and now will be monitoring closely. If anyone else comes across this one, please dump any info you find. Going to keep researching this one. Very interested in how they got in?

Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘WordPress admin username changed to html404’ is closed to new replies.