Administrator accounts were modified

  • Resolved Wendihihihi

    (@wendihihihi)


    6 years ago

    Hi,

    On different websites I’m getting an email warning that administrator accounts were modified in the database. I’m wondering if these are false positives or if people got in. Below is one example.

    Between 07:45 and 07:49 someone was hammering on one page a couple of 100 times.

    128.199.104.110 - - [19/Nov/2018:07:48:17 -0500] "GET /produk HTTP/1.1" 200 0 "https://www.domain.com/" "Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus Build/OPM1.171019.019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Mobile Safari/537.36"
128.199.104.110 - - [19/Nov/2018:07:48:18 -0500] "GET /produk HTTP/1.1" 200 0 "https://www.domain.com/" "Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus Build/OPM1.171019.019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Mobile Safari/537.36"
128.199.104.110 - - [19/Nov/2018:07:48:22 -0500] "GET /produk HTTP/1.1" 500 199 "https://www.domain.com/" "Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus Build/OPM1.171019.019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Mobile Safari/537.36"
128.199.104.110 - - [19/Nov/2018:07:48:19 -0500] "GET /produk HTTP/1.1" 200 0 "https://www.domain.com/" "Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus Build/OPM1.171019.019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Mobile Safari/537.36"

    At 07:48 I got the “Alert: Database changes detected” email, but I don’t see any changes. I’m 100% sure I didn’t change anything and there are no plugins that could make changes to my admin account.

    In the Firewall log I saw these lines that worry me:

    19/Nov/18 17:40:30  #7642992  HIGH       310  144.76.81.29     GET /wp-admin/setup-config.php - Access to a configuration file - [SERVER:SCRIPT_NAME = /wp-admin/setup-config.php] - domain.com
19/Nov/18 19:48:12  #4861949  INFO         -  0.0.0.0          N/A - - Database changes detected - [administrator account] - www.domain.com
19/Nov/18 19:48:12  #3372061  INFO         -  0.0.0.0          N/A - - Database changes detected - [administrator account] - www.domain.com

    Did people get in using the setup-config.php file?

    I just went to that file and I was blocked by Ninja Firewall so I assume that they didn’t get in. But still, why do I get these “Administrator accounts were modified” emails?

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    If you don’t see any changes in the admin account and its password hasn’t been changed, then it might be a false positive. It’s a bit curious that you are receiving notifications from more than one websites, though.

    I would not worry about the setup-config.php file, the firewall blocks any access to it.

    There’s another similar issue there: https://www.ads-software.com/support/topic/strange-log-warning-after-activation-wp-system-info-plugin/
    I don’t think there’s any bug in NinjaFirewall, the way it monitors the DB is very simple.

    Is this a multi-site installation?

    newclaremont

    (@newclaremont)

    Over the last day or so, I too have been receiving lots of alerts relating to db changes:

    20/Nov/18 09:25:31 #8979296 INFO – 0.0.0.0 N/A – – Database changes detected – [administrator account]

    The alerts show an unidentified Admin account, called “custom”. It’s not visible in WP Admin Users list, so I can’t delete it there, and gives a gmail.com email addy. I can’t see any other worrying changes on the site but the NinjaScanner fails immediately so can’t scan for malware.

    Should I worry? Many thanks.

    newclaremont

    (@newclaremont)

    Just to add that deleting the user “custom” from the db directly, through MyPhP, results in the very quick re-creation of a user with that name. The user’s email addy includes “wpinfo” in it.

    Plugin Author nintechnet

    (@nintechnet)

    Yes, I would worry. There’s a line of code somewhere in your WordPress installation files (or theme or plugin files) that is doing that.

    NinjaScanner fails immediately so can’t scan for malware

    Did you try to change the fork method? Go to “NinjaScanner > Settings > Advanced Users Settings > Scanning process” and select “Fork process using WordPress built-in Ajax Process Execution” instead.

    newclaremont

    (@newclaremont)

    Thanks and damn! Scanner started working and is at 4/9. I’ll wait for the results but may well be in contact with you for some direct help.

    Thread Starter Wendihihihi

    (@wendihihihi)

    “Is this a multi-site installation?”

    No, it’s two different websites but on the same (shared) server. Same CPanel.

    I changed all passwords and scanned with Ninja Scanner but nothing found, so I’m hoping it’s a false positive. I don’t see any new admin.

    So, I have now 3 websites with admin modification emails. Two on one server and the other one completely somewhere else. All different themes. The only plugin they have in common is NinjaFirewall.

    newclaremont

    (@newclaremont)

    When you say you don’t see a new admin, are you looking in the db itself or at Users in WP-admin? My ghost didn’t show up in the latter but was nevertheless in the db of users. (Please forgive me if you know this but you can access the db through phpMyAdmin, selecting the db on the left, looking for the users table, and drilling down to the list of users.)

    Thread Starter Wendihihihi

    (@wendihihihi)

    Yes I checked both. Yes I know about phpMyAdmin lol

    Plugin Author nintechnet

    (@nintechnet)

    @wendihihihi : By default, NinjaFirewall’s notification does not include the password hash. We don’t want to send it over email, for security reason. This is the only monitored data that is not included in the notification.
    You can temporarily edit NinjaFirewall to include it in the notification so that you could see whether the hash was changed between two notifications.
    You can edit the /wp-content/plugins/ninjafirewall/lib/nfw_misc.php script line 488. You will find this code:

    	$message.= 'Admin ID : ' . $adm->ID . "\n";
	$message.= '-user_login : ' . $adm->user_login . "\n";
	$message.= '-user_nicename : ' . $adm->user_nicename . "\n";
	$message.= '-user_email : ' . $adm->user_email . "\n";
	$message.= '-user_registered : ' . $adm->user_registered . "\n";
	$message.= '-display_name : ' . $adm->display_name . "\n\n";

    Right below the first line, you can add this code:

    	// Show the password hash too:
	$message.= '-Password hash: '. $adm->user_pass . "\n";

    So that it look like this:

    	$message.= 'Admin ID : ' . $adm->ID . "\n";

	// Show the password hash too:
	$message.= '-Password hash: '. $adm->user_pass . "\n";

	$message.= '-user_login : ' . $adm->user_login . "\n";
	$message.= '-user_nicename : ' . $adm->user_nicename . "\n";
	$message.= '-user_email : ' . $adm->user_email . "\n";
	$message.= '-user_registered : ' . $adm->user_registered . "\n";
	$message.= '-display_name : ' . $adm->display_name . "\n\n";

    Then you just need to compare two notifications in order to see if there is a difference.

    Thread Starter Wendihihihi

    (@wendihihihi)

    Thank you. That saves some time. I already made a backup of all the password hashes in the databases to compare, but for the moment it’s handy.

    On both account no new activities. I’ll monitor it.

    Thanks for all the help and very good plugin! I really don’t understand why so few websites have installed this plugin.

    Thread Starter Wendihihihi

    (@wendihihihi)

    I didn’t get any new messages any more, so I’m going to put this on resolved.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘Administrator accounts were modified’ is closed to new replies.