WordPress hacked – High User ID

  • regnalf

    (@regnalf)


    2 years, 6 months ago

    A WordPress site of mine was hacked twice in the last two days. I am trying to find out where the vulnerability might be.

    WordPress is on version 5.8.1 and I use MySQL server version: 5.6.51-91.0 – Percona Server (GPL), Release 91.0, Revision b59139e

    The attackers manage to create an administrator user and add content to the home page.

    What I noticed, the newly created user has a very high user ID in the database. Currently there are 347 users in the user table, but the newly created user has an ID with 9952! Also the AUTO_INCREMENT value in the database is at this high values.

    To me it doesn’t look like normal WordPress functions are used here to create the user, otherwise it would have to be number 348 normally, am I right?

    Any clue what kind of attack this could be? SQL Injection?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    2 years, 6 months ago

    It sounds like a direct SQL injection where the ID was forced. Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter regnalf

    (@regnalf)

    2 years, 6 months ago

    Thanks for the tips, I’ve already gone through these as well.

    Since the site is still under development, I am using an under construction function of my theme that actually does not allow access to the site without logging in to this under construction page via bypass password or over /wp-admin.

    So there is not much attack surface if you want to try it via input fields. Regarding the Under Construction page, I have already contacted the support of the theme manufacturer.

    I have now also enabled WordFence, which I wanted to do first for the release.

    Furthermore I have read the access logs and found the following interesting lines:

    185.59.157.57	22/Oct/2021:10:22:52 +0200 	POST	/wp-login.php HTTP/1.1	http://dev.sitename.com/wp-login.php?redirect_to=http%3A%2F%2Fdev.sitename.com%2Fwp-admin%2F&reauth=1
185.59.157.57	22/Oct/2021:10:31:20 +0200 	POST	/wp-login.php HTTP/1.1	http://dev.sitename.com/wp-login.php?redirect_to=http%3A%2F%2Fdev.sitename.com%2Fwp-admin%2F&reauth=1
185.59.157.57	22/Oct/2021:10:32:37 +0200 	POST	/wp-login.php HTTP/1.1	http://dev.sitename.com/wp-login.php
185.59.157.57	22/Oct/2021:10:32:44 +0200 	POST	/wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1	http://dev.sitename.com/wp-admin/
185.59.157.57	22/Oct/2021:10:32:44 +0200 	POST	/wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1	http://dev.sitename.com/wp-admin/
185.59.157.57	22/Oct/2021:10:32:44 +0200 	POST	/wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1	http://dev.sitename.com/wp-admin/
185.59.157.57	22/Oct/2021:10:33:00 +0200 	POST	/wp-admin/admin-ajax.php HTTP/1.1	http://dev.sitename.com/wp-admin/post.php?post=105&action=edit

    Could this be a problem related to admin-ajax?

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘WordPress hacked – High User ID’ is closed to new replies.

Tags