• Yesterday someone registered a new admin user, without any prior login to the dashboard, in these steps:

    First he updated the default role to admin user,
    then reactivated registrations for new users,
    and then he registered a new user.

    I got an email with “a new user registered….”

    Later he redirected the home start URL to: [ deleted ]

    It was not a brute-force attack, because I have a block for this, and in the activity logs my admin user was not logged in.

    I have WordPress version 4.9.10.

    All plugins are updated, and I have only the Ninja Forms and Header and Footer plugins there. I had no FTP access.

    Here is the log:

    1 Tag ago
    19/03/2019
    10:37:33 N/A 86.109.170.200 User Created adminzax
    1 Tag ago
    19/03/2019
    10:37:30 N/A 86.109.170.200 Options Updated users_can_register
    1 Tag ago
    19/03/2019
    10:37:30 N/A 86.109.170.200 Options Updated default_role

    Does anyone have an idea how this injection works? The IP 86.109.170.200 is not mine or from my server; it's from an unknown computer.

    Best regards.
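
The sequence in the log above (registration options changed with no logged-in user, then an account created from the same IP seconds later) can be checked for mechanically. The following is an added example, not part of the original thread: the function names and the five-minute window are hypothetical, and it assumes the second column of each entry is the logged-in user, with `N/A` meaning none.

```python
import re
from datetime import datetime, timedelta

# The three entries quoted in the post, copied here as sample input.
SAMPLE_LOG = """\
1 Tag ago
19/03/2019
10:37:33 N/A 86.109.170.200 User Created adminzax
1 Tag ago
19/03/2019
10:37:30 N/A 86.109.170.200 Options Updated users_can_register
1 Tag ago
19/03/2019
10:37:30 N/A 86.109.170.200 Options Updated default_role
"""

SENSITIVE_OPTIONS = {"users_can_register", "default_role"}
DATE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s*$")
EVENT_RE = re.compile(
    r"^\s*(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(Options Updated|User Created)\s+(\S+)\s*$")

def parse_events(text):
    """Yield (timestamp, user, ip, action, target) from the date/event line pairs."""
    date = None
    for line in text.splitlines():
        if m := DATE_RE.match(line):
            date = m.group(1)
        elif (m := EVENT_RE.match(line)) and date:
            clock, user, ip, action, target = m.groups()
            ts = datetime.strptime(f"{date} {clock}", "%d/%m/%Y %H:%M:%S")
            yield ts, user, ip, action, target

def find_takeovers(text, window=timedelta(minutes=5)):
    """Flag accounts created soon after an unauthenticated change to a registration option."""
    events = sorted(parse_events(text), key=lambda e: e[0])
    alerts = []
    for ts, user, ip, action, target in events:
        if action != "User Created":
            continue
        changed = {opt for t2, u2, ip2, a2, opt in events
                   if a2 == "Options Updated" and opt in SENSITIVE_OPTIONS
                   and u2 == "N/A" and ip2 == ip and timedelta(0) <= ts - t2 <= window}
        if changed:
            alerts.append({"ip": ip, "new_user": target, "options": sorted(changed), "at": ts})
    return alerts

if __name__ == "__main__":
    print(find_takeovers(SAMPLE_LOG))
```

A logged-in administrator changing the same options, or an account created long after the change, produces no alert.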

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Are *all* of your plugins up-to-date?

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to Fixing WordPress, this is not an Everything else WordPress topic.

    I also fixed the title and removed the link to the attacker's site. There is no reason to post their link and your site was compromised. Please delouse your site using the instructions Steven provided you with.

    Hello @xxlescort,

    I also have the same problem: an AdminZax user was added to the site while I have no place of connection on the site, plus he was an administrator, weird, so I switched it to Subscriber. Then the next day, 2 new users in subscriber status. Odd, no?

    So I deleted them today and here I am updating my plugins, themes and WordPress. Among the updates I had Contact Form 7, which potentially had a security hole; did they go through it? I do not know…

    And now I do not know if I have infected files. I have had Wordfence on the site for several months and I have not been alerted by anything. The automatic scan only tells me about plugin, theme and WordPress updates to do.

    Thread Starter E-Support

    (@xxlescort)

    Hi pexys,

    It is an old version of the Easy SMTP plugin.

    Update this and the door is closed.

    I did not have the Easy SMTP plugin personally.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    @pexys, If you need support then per the forum guidelines please start your own topic.

    A lot more people will see your post, and that way you stand a good chance of getting the assistance you want. Despite any similarity in symptoms, your issue is likely to be completely different because of possible differences in physical servers, accounts, hosts, plugins, theme, configurations, etc. Thus one problem, on one setup is not indicative of the functionality and reliability of an application as a whole.

    https://wordpress.org/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too

    https://wordpress.org/support/guidelines/#post-in-the-best-place

    You can do so here:

    https://wordpress.org/support/forum/how-to-and-troubleshooting/#new-post

    I’ll be archiving your post and mine to not spam the original poster and detract from their question.

    Thanks.

  • The topic ‘New Admin user registered from outside’ is closed to new replies.