• I installed Wordfence a few months ago but in January I noticed that I was no longer getting email updates. When I went on my site, Wordfence was no longer installed and I had 2 new admin users that had been created. My site was riddled with injected code. I cleaned it all and removed the 2 admin users and reinstalled Wordfence.
    A scan of my website shows no issues.
    Last night an admin user logged on with the same name zdemon as in January.
    I checked Wordfence, ran a scan, looked at the live traffic and could see the culprit from Egypt moving through my website. The scan reported “An admin user with the username zdemon was created outside of WordPress.” They then logged in as an admin and added some code to the wp-load.php page.
    I don’t understand how this can be happening as Wordfence is installed and updated?
    I never had any admin accounts created maliciously or code injected until I installed Wordfence as a firewall!!!! I know this because when I ran the Wordfence scan when I first installed it there were no issues. What I’ve experienced is issues ever since I installed it!!!
    Can someone please help me, I want to stop these admin accounts being created.
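As an added example (not from this thread, Wordfence or WordPress), a check a site owner can run to catch exactly the two symptoms above: an administrator account inserted straight into the database, and a modified core file such as wp-load.php. It assumes the default wp_ table prefix and uses constructed sample data in an in-memory SQLite database standing in for MySQL; the query itself is the one you would run against the real database.

```python
import hashlib
import re
import sqlite3

# Query to list administrators. Table prefix "wp_" is assumed. WordPress stores
# roles PHP-serialized in wp_usermeta.meta_value, e.g. a:1:{s:13:"administrator";b:1;}
# An account added by a raw INSERT still shows up here, whatever created it.
ADMIN_QUERY = """
SELECT u.user_login, u.user_registered, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""
ADMIN_ROLE = re.compile(r's:13:"administrator";b:1;')  # role flag set to true

def find_rogue_admins(conn, known_admins):
    """Return (login, registered) for administrators not on the known-good list."""
    rogue = []
    for login, registered, caps in conn.execute(ADMIN_QUERY):
        if ADMIN_ROLE.search(caps) and login not in known_admins:
            rogue.append((login, registered))
    return rogue

def sha256_hex(contents):
    return hashlib.sha256(contents).hexdigest()

def core_file_tampered(contents, known_good_sha256):
    """True when a core file (e.g. wp-load.php) no longer matches a hash taken from a clean copy."""
    return sha256_hex(contents) != known_good_sha256

def build_sample_db():
    """Constructed sample data: one real admin, one editor, one injected admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES (1, 'siteowner', '2017-03-01 10:00:00');
    INSERT INTO wp_users VALUES (2, 'editor1',   '2017-04-01 10:00:00');
    INSERT INTO wp_users VALUES (3, 'zdemon',    '2018-02-10 03:12:44');
    INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("unexpected administrators:", find_rogue_admins(db, {"siteowner"}))
```

Against a live site, run the same SELECT in your host's database tool and compare wp-load.php with the copy in a freshly downloaded WordPress release of the same version.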

Viewing 8 replies - 1 through 8 (of 8 total)
  • “An admin user with the username zdemon was created outside of WordPress.”

    They penetrated the MySQL database, I have seen that. They don’t even need to log into phpMyAdmin, I have seen that as well.
    There are many vectors nowadays to get hacked, one of them is a vulnerable PHP version. See the latest PHP version and compare with your host’s PHP.
    First off, change your database credentials.
    You can change your wp-config.php file permission as well to make it harder to access. Keep in mind, some plugins would stop working, check them out.
    I would say you are a mark already, the best way is to change your environment, meaning to find a better host.

    Hi @slhatton,

    It is possible that an attacker has gained access to your FTP/SSH credentials and can simply access your host directly.

    I would recommend doing a clean install of your host’s operating system (done through your host provider’s website). From there, you can reinstall WordPress, then Wordfence, then any other plugins.

    Dave

    Hi @slhatton

    I’m investigating a very similar issue on another website – an admin user called ‘zdemon’ appeared along with some code added to wp-load.php.

    The site didn’t have Wordfence installed.

    I’d be interested to know, did you have WooCommerce installed? Are you using the web host Tsohost? This is an odd question but does your domain start with the letter ‘S’? I’m trying to figure out how and when this happened, and if the vulnerability was in site code, or a server security breach.

    Best wishes and thanks for any help!

    Josh

    Hi @joshharrison, same environment as you, had the same issue.

    Domain started with a ‘c’ though.

    Have you by any chance tried to remote admin your MySQL db? I opened this up to use Navicat on the database, can’t exactly remember the issue but TSO wasn’t letting Navicat connect (long time ago). So I pulled my IP from the remote access table.

    Swear blind this action of adding/deleting an IP opened up a door to MySQL on TSO as I’m running Wordfence and Sucuri, then a whole host of htaccess rules to stop remote connections on the file system.

    My theory is, remote access to MySQL is disabled by default on the server, adding your IP to remote access switches it on, but there’s no option to turn it off, so in effect removing your IP says to the remote access table let any IP connect.

    Been a good 10 days since I re-added my IP to the table to lock off remote access to just my IP and not seen zdemon since.

    Hope this helps, Aaron

    Hi @aaronjh – I never used remote access on the site in question.

    Ah strange, can’t be certain whether they’ve got bored with my client’s site then or there still is a vulnerability somewhere on the TSO remote access system, as zdemon would have normally shown up by now but they’re nowhere to be seen, along with a suspicious file update in the core.

    The only plugins I’m not 100% on regarding security are the WooCommerce ones, as I keep reasonably up to date with WP plugins and what’s got holes in it via quite a few security sites and podcasts.

    The Woocommerce plugins we use are: Table Rates and PayPal Pro. Like you mentioned about wpload it looks like they’re trying to send the credit card details in the paypal form to an email of theirs.

    Same issue here. Also on Tsohost. I have used remote access, so thanks Aaron – I’ll try that.

    I’m having the exact same issue as this with TSO. What worked for you guys in the end?

  • The topic ‘An admin user with the username zdemon was created outside of WordPress.’ is closed to new replies.