am i hacked? user login with ip of admin

  • Resolved mrjanvier

    (@mrjanvier)


    5 years, 7 months ago

    Dear,

    I would like to inform my self if you have any solution for my wordpress site.
    A couple a weeks ago i noticed many spambots where getting true my security messures. I become suspicous when i noticed spam was created as a new group by the admin (me). I clicked on the icon of group admin that created the new spam group and it came back to my profile. So i removed all the created spam/users and started to do some investigation. Looking in the all in one wp security, I noticed under failed login another user with my ip adress. This user had a bizare name (93e60…) During last 2 weeks he/she changed alot his/here username. Im 100 % shure that i’m the only person at home that use the site. There are onley 6 experimental users, while i’m still in the building up and testing fase. It’s remarkable The user with my ip adres has no email adres in the all in one security. Anoter plugin i installed was stop spammers. It confirmed that an author with my ip adress by the name (93e60…) had a good cache in /wp-login.php, again there was no email adres.

    Did someone placed malicious code on my site? How can it be that they use my ip adress? I did a virus scan on my pc. Nothing was found. I contacted my host. They did a malware scan on the site, nothing was found. But the user with my ip is still there. what could cause that?I don’t know what to do.

    I did some expermiment. I deactived all in one wp security. I noticed the plugin stop spammers didn’t register an other username with my ip. I changed my ip adress, after 3 days I activated all in wp security plugin. 1 minit after i activated it, stopspammers and all in one wp security detect an user with name 5fd177543b that used my new ip adress. I’m confused.

    Could you help me with advise what i should do next?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I am sorry to hear your site was hacked. This is something no one ever wants happening to them.

    Please carry out the following steps to completely delete the plugin so that you can install a fresh copy.

    – FTP to your host and delete the plugin’s folder. Although this is normally carried out when you deactivate and delete the plugin as the website administrator.

    – FTP the .htaccess file from your site to your computer and edit and remove all the code between and including the following tags: Make sure you upload the .htaccess file back into the same location you downloaded the file from via FTP.

    # BEGIN All In One WP Security
    # END All In One WP Security

    – Log into phpMyAdmin and locate the database for the website you are working on. Look for any table entry with the following name aiowps and delete those tables. There should be 6 tables associated with this plugin, in addition to the options settings. There will also be other entries for transients and plugin version etc. The following is a list of tables and entries found in the database.

    Note: You might like to check the following URL Remove All In One WP Security Database Tables to learn how to search for the plugins tables in your database.

    | aiowps_events |
    | aiowps_failed_logins |
    | aiowps_global_meta |
    | aiowps_login_activity |
    | aiowps_login_lockdown |
    | aiowps_permanent_block |
    | commentmeta |
    | comments |

    -There are other aiowps settings saved in the WordPress “options” table, under the option name “aio_wp_security_configs”. You should also delete the “aio_wp_security_configs” row in the options table.

    The above steps will delete the plugin completely from your database and allow you to start from scratch. Then please carry out another test to see if that fictitious user is added again to your site.

    Kind regards

    Thread Starter mrjanvier

    (@mrjanvier)

    Hi,

    Thank you for youre advise. I’m gonna follow to steps you recommanded.
    It’s strange that in my wordpress dasboard at the menu users, there is no such user with that name. Somehow all in one wp security register a failed login with user nr 0 with that strange name. The user also always login the 1e time at exact the same moment as me. I’m first gonna deactivate all the plugin, to see off it can come from one of them. If that don’t work, im gonna delete the plugin from database like you suggested.

    What should i do if the user still there?

    again, thanks for you tips, greetings

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    The user also always login the 1e time at exact the same moment as me. I’m first gonna deactivate all the plugin, to see off it can come from one of them. If that don’t work, im gonna delete the plugin from database like you suggested.

    Are you saying the other user is login in at the same time as you? Are both of you using the same IP address or different IP addresses?

    Regards

    • This reply was modified 5 years, 7 months ago by mbrsolution.
    Thread Starter mrjanvier

    (@mrjanvier)

    Hi,

    I did a small investigation and indeed, the other users login the first time at exact the same moment as me. I changed my theme, and i did see the user no more ( i always see them under failed login. Then when i change back to my original (premium paid) theme, there is a user 0 that login exact the same moment as me. I’m confused. Even if i leave my site, that day, i see in the all in one wp sucurity plugin under failed login: the user with my ip. The stop spammers plugin shows a log report where the user with my ip log in at exact the same moment as me. So, could it be that my premium theme synchronise with me at the moment i login? I’m a bit confused.

    Thank you.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, you might want to speak to the premium theme developers about this issue. Let me know what they say.

    Kind regards

    Thread Starter mrjanvier

    (@mrjanvier)

    Hi,

    Thank you for youre help. It’s about 2 months ago that i posted my problem here. Finaly I found an solution. I installed many security plugin even bought some but the problem was still there. Then One day I started to do 2 things. First I removed all the page that where not necessairy for my site. Second what I did was I removed couple plugins that where there but just in deactivation mode. Those 2 combination did the trick. Ore there was a plugin that was doing strange things ore it got confused off all the diffrente page in the background that i didnd’t needed. I easily removed 30 page.

    I hope one day if a person experience the same problem as me that this can guide him to a solution.

    Many greetings
    and BIG THANKS

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I am glad to know that you finally fixed your issue ??

    All the best.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘am i hacked? user login with ip of admin’ is closed to new replies.