admin-ajax.php vulnerability? I got hacked!
Hi all,
My blog (running on WordPress 4.9.8) has very recently been hacked: someone managed to create two new users with administrator roles. I’m currently trying to find out how they got in. This is how the access log looks for the time at which the new user account was generated:
xx - - [08/Nov/2018:13:39:33 +0100] "GET / HTTP/1.1" 200 17229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx - - [08/Nov/2018:13:39:33 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx - - [08/Nov/2018:13:39:34 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx - - [08/Nov/2018:13:39:36 +0100] "POST /wp-login.php?action=register HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx - - [08/Nov/2018:13:39:36 +0100] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 1395 ". com/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
109.234.37.214 - - [08/Nov/2018:13:39:36 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx - - [08/Nov/2018:13:39:37 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
To me this suggests that there must be some kind of vulnerability in admin-ajax.php, as it’s the only file that was accessed prior to confirming the registration. Perhaps someone has an idea what happened?

I’ve already taken measures to secure my blog. Luckily I received an email notification when a new user registered, which made me suspicious – I disabled user registration on my blog. After logging in, I saw 2 new users listed as administrators, whom I immediately removed again. I also secured my blog by configuring basic authentication for wp-login.php and /wp-admin, and additionally blocked any IP address but mine from accessing either of the two pages.
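One way to triage a log like the one above, added here as an example and not part of the original post: parse each Apache combined-format entry, group entries by client address, and report every registration POST that was preceded by admin-ajax.php POSTs from the same client within a short window. The sample lines are constructed to mirror the post's sequence, using documentation IP addresses rather than the real ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    # Apache "combined" line (the layout quoted in the post) -> dict with an aware datetime, or None.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_register_after_ajax(lines, window=timedelta(seconds=10)):
    """Per client IP: POSTs to wp-login.php?action=register preceded within `window`
    by POSTs to admin-ajax.php. Returns (ip, register_time_iso, n_ajax_posts)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["method"] == "POST" and r["path"] == "/wp-login.php?action=register":
                n_ajax = sum(
                    1 for p in recs[:i]
                    if p["method"] == "POST" and p["path"] == "/wp-admin/admin-ajax.php"
                    and r["ts"] - p["ts"] <= window
                )
                if n_ajax:
                    findings.append((ip, r["ts"].isoformat(), n_ajax))
    return findings

# Constructed sample mirroring the sequence in the post (documentation IPs, not real ones).
UA = '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/36.0.1985.143"'
SAMPLE = [
    f'203.0.113.5 - - [08/Nov/2018:13:39:33 +0100] "GET / HTTP/1.1" 200 17229 "-" {UA}',
    f'203.0.113.5 - - [08/Nov/2018:13:39:33 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" {UA}',
    f'203.0.113.5 - - [08/Nov/2018:13:39:34 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" {UA}',
    f'203.0.113.5 - - [08/Nov/2018:13:39:36 +0100] "POST /wp-login.php?action=register HTTP/1.1" 302 5 "-" {UA}',
    f'198.51.100.7 - - [08/Nov/2018:13:40:01 +0100] "GET /wp-login.php?action=register HTTP/1.1" 200 1395 "-" {UA}',
]
```

Running this over the full access log shows which client produced the registration and how many admin-ajax.php calls it made first; the POST bodies (the `action` parameter) are not in the access log, so the next step is to review which plugin or theme registers AJAX handlers for unauthenticated users (`wp_ajax_nopriv_*` hooks) and audit those.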