• The message in the title was provided to me by WordFence on Nov 5. Running a scan, I additionally found a bunch of possibly malicious files throughout my WordPress installation, themes, plugins and content directories.

    Now, this could obviously be regarded as just an attempted and successful attack on my website, followed by a clean-up from my side. But the reason I’m posting is that this is the second time within a month WordFence has made me aware that “An admin user with the username deleted-XXXXXXXX was created outside of WordPress” (the X’s were different the last time), followed by me finding a bunch of suspicious looking files throughout the file system. Both times, a successful login was made through the newly created user according to the log. And further, this time also an unsuccessful login attempt was made at yet another deleted-XXXXXXXX username.

    To me, this seems too much of a pattern to be regarded as a random attack, considering as well that another post on this forum reported a deleted-XXXXXXXX admin user being created some time ago.

    Does anyone have any clue what this could be? Neither newly created admin account had any details connected to it, such as an email address. Some of the suspicious files look completely random, while some look like core WordPress files with random names. It sort of looks like old deleted files showing up on a broken hard drive, or an installation or update gone wrong halfway through.

    I saved all the suspicious files locally before cleaning my site, should they be of any help.

    Any help or advice appreciated!
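An added example, not code from the thread or from Wordfence: an audit of the WordPress users tables for administrator accounts that match what the post describes (an account with no e-mail address, or a username starting with `deleted-`). The rows below are constructed sample data in an in-memory SQLite database, but the table and column names, the `<prefix>capabilities` meta key and the PHP-serialized role array are what WordPress itself writes, so the same query runs against the real MySQL tables. The table prefix is assumed to be `wp_`; on a real site take it from `$table_prefix` in `wp-config.php`.

```python
import re
import sqlite3

# Constructed sample rows standing in for the WordPress wp_users and
# wp_usermeta tables (SQLite here; the column names and the PHP-serialized
# capability format are what WordPress itself writes). Not data from the thread.
SAMPLE_USERS = [
    # (ID, user_login, user_email, user_registered, display_name)
    (1, "siteowner", "owner@example.com", "2021-03-01 10:00:00", "Site Owner"),
    (2, "editor_jane", "jane@example.com", "2022-06-12 08:30:00", "Jane"),
    (3, "deleted-4f9a2c1b", "", "2023-11-05 02:14:33", ""),
]
SAMPLE_USERMETA = [
    # (user_id, meta_key, meta_value); the key is <table_prefix>capabilities
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def load_sample_db():
    """Build an in-memory database with the two tables the audit needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
            user_registered TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        """
    )
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_USERMETA)
    return conn


def is_administrator(serialized_caps):
    """True if the PHP-serialized role array grants the administrator role."""
    return re.search(r's:13:"administrator";b:1;', serialized_caps) is not None


def find_suspicious_admins(conn, table_prefix="wp_"):
    """List administrator accounts that look like the ones in the thread:
    no e-mail address, or a username starting with 'deleted-'.

    table_prefix must come from $table_prefix in wp-config.php, never from
    untrusted input, because it is spliced into the SQL as an identifier."""
    rows = conn.execute(
        f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
        FROM {table_prefix}users AS u
        JOIN {table_prefix}usermeta AS m ON m.user_id = u.ID
        WHERE m.meta_key = ?
        """,
        (table_prefix + "capabilities",),
    ).fetchall()
    findings = []
    for uid, login, email, registered, caps in rows:
        if not is_administrator(caps):
            continue
        reasons = []
        if not email:
            reasons.append("no e-mail address")
        if login.startswith("deleted-"):
            reasons.append("username matches the deleted- pattern")
        if reasons:
            findings.append({"id": uid, "login": login, "registered": registered, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admins(load_sample_db()):
        print(f"user {f['id']} ({f['login']}, registered {f['registered']}): " + "; ".join(f["reasons"]))
```

The `user_registered` timestamp is worth keeping in the output: an account inserted straight into the database, rather than through `wp_insert_user()`, still gets a row there, and its registration time can be lined up against web-server and FTP logs to find what was running at that moment.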

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfpeter (@wfpeter)

    Hi @joaka2316, thanks for your detailed message.

    In the thread you highlight specifically, we looked into the customer’s Wordfence (free) license key, and whilst it was valid, it was never checking in with our servers. As connectivity was an issue, they were having scan failures, so we believe the suspicious user may be linked to malware on their server that was never flagged as no scan ever completed to warn them.

    I’m open to the possibility of a link due to how similar the usernames are, but we’d need to establish if the link is related to a compromise, another plugin, or if indeed Wordfence is missing something (before the user created outside of WordPress comes up) that would need to be investigated further.

    If you believe the previously detected files were linked to a compromise, update your passwords for your hosting control panel, FTP, WordPress admin users, and database if you haven’t already.

    I’ll provide our site-cleaning instructions link, just in case any steps were not already taken, or may help you to rule things in/out: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    I would consider reinstalling all plugins/themes if you haven’t already, but if you also notice that Wordfence > Tools > Diagnostics shows any connectivity issues as it did for the other customer, it might be an idea to send us the diagnostic report to wftest @ wordfence . com from this page.

    Click on “Send Report by Email”. Please add your forum username in each case where indicated and respond here after you have sent them.

    NOTE: It should look as follows: [screenshot of Tools > Diagnostics > Send Report by Email]

    Thanks,
    Peter.

    Thread Starter joaka2316 (@joaka2316)

    I have now sent the diagnostic report.

    PS. I was alerted that yet another deleted-XXXXXXXX admin account had been created on my site a few days ago, followed by a successful log in. No suspicious looking files were found during the scan this time, though.

    Hi, diagnostics sent, please advise how this user was created, as it keeps re-appearing every time I try to remove it and scan for malware etc.

    I have the same problem. I have cleaned everything but the deleted-XXXXXXXX admin account comes back anyway. Can anyone give a clue on how to stop this hack?

    • This reply was modified 1 year, 1 month ago by mistifi.

    It’s obvious your website has been compromised and you’re NOT yet in full control.

    I’ll recommend hardening the website and taking serious measures to secure the website further. A few suggestions:

    • Change all passwords to very secure passwords – cPanel, WordPress users
    • Avoid using common login names
    • Delete the suspicious WordPress users
    • Replace WordPress Core Files (in case they’ve been tampered with). Replacing Core files will NOT affect your website if done properly.
    • Update all Plugins/Themes/WordPress
    • Scan your website for any vulnerabilities
    • Remove any unknown Plugins. Remove outdated and unused Themes/Plugins.
    • Some plugins can monitor file additions to your WordPress site

    I know these items may be high-level, but I hope it helps.

    In my case I even had to clean out hundreds of empty (0-byte) PHP files inserted into my server, using the command line.

    All the best.
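An added example, not code from the thread or from any of the posters: a file-system triage that covers the "replace core files", "remove unknown files" and "hundreds of empty PHP files" points above in one pass. It walks an install root and compares it with a manifest of `{relative path: sha256}` for the core files of the installed version, reporting modified core files, files dropped into `wp-admin/` or `wp-includes/` (or top-level `.php` files other than `wp-config.php`) that the manifest does not know, zero-byte `.php` files anywhere, `.php` files under `wp-content/uploads/`, and core files missing outright. The site tree and manifest it runs on are a constructed fixture built in a temporary directory; on a real site the manifest would be built from a fresh download of the same WordPress version (WP-CLI's `wp core verify-checksums` does this comparison for core without the extra checks).

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, manifest):
    """Walk a WordPress install root and compare it with a manifest of
    {relative path: sha256} for the core files of the installed version.

    Reports modified core files, files dropped into core locations that the
    manifest does not know, zero-byte .php files, .php files under uploads,
    and core files that are missing outright."""
    root = Path(root)
    findings = {k: [] for k in ("modified_core", "unknown_in_core", "empty_php", "php_in_uploads")}
    seen = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        is_php = path.suffix == ".php"
        if rel in manifest:
            if sha256_file(path) != manifest[rel]:
                findings["modified_core"].append(rel)
        elif rel.startswith(CORE_DIRS) or (is_php and "/" not in rel and rel != "wp-config.php"):
            # Anything in wp-admin/ or wp-includes/, or a top-level .php file
            # other than wp-config.php, should be accounted for by the manifest.
            findings["unknown_in_core"].append(rel)
        if is_php and path.stat().st_size == 0:
            findings["empty_php"].append(rel)
        if is_php and rel.startswith("wp-content/uploads/"):
            findings["php_in_uploads"].append(rel)
    findings["missing_core"] = sorted(set(manifest) - seen)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_site():
    """Constructed fixture, not a real site: a few clean files plus the kinds
    of artefacts described in the thread. Returns (root, manifest)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = '6.4';\n",
        "wp-includes/class-wp.php": "<?php class WP {}\n",
        "wp-content/uploads/2023/11/photo.jpg": "not really a jpeg\n",
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
    }
    for rel, body in clean.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    # The manifest is taken from the clean state of the core files only.
    core = ("index.php", "wp-includes/version.php", "wp-includes/class-wp.php")
    manifest = {rel: sha256_file(root / rel) for rel in core}
    # Now introduce the artefacts: a tampered core file, a randomly named file
    # in wp-includes, a PHP file in uploads and a zero-byte PHP file.
    (root / "wp-includes/class-wp.php").write_text("<?php class WP {} /* injected */\n")
    (root / "wp-includes/wp-a8f3k2.php").write_text("<?php /* unknown file */\n")
    (root / "wp-content/uploads/2023/11/image.php").write_text("<?php /* should not be here */\n")
    empty = root / "wp-content/plugins/akismet/x.php"
    empty.parent.mkdir(parents=True, exist_ok=True)
    empty.write_bytes(b"")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_site()
    try:
        for category, paths in triage(root, manifest).items():
            for rel in paths:
                print(f"{category}: {rel}")
    finally:
        shutil.rmtree(root)
```

Run it against a copy of the site taken before cleaning, so that the list of unknown and modified files survives as evidence; the "core files with random names" the original post mentions land in `unknown_in_core` because they sit in a core directory without a manifest entry, whatever their contents look like.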

    I’m having the same problem daily for the last week. Wordfence is active (although once they managed to deactivate it). Passwords changed numerous times. Plugins and theme are up to date. I’m really not sure what else to do.
