Dear forum users,

    yesterday I looked at my website's (https://www.fitnesswarrior.de/) user list and found a new admin user with the following data:

    Name: updater
    Mail: [email protected]
    Website: https://wordpress.com1

    When I noticed the new user my WordPress Version was 4.5. In the meanwhile I updated to 4.5.1.

    My website's login is secured with Google captcha and limit login attempts, and of course I deleted the first admin user. The actual admin user's got a name with a combination of figures and letters. For published sites and posts I created new user accounts with only publisher rights, so that the admin is not revealed. I also ripped the author tags out of the output HTML code through functions.php.

    So I have no idea how the new admin user got there.
    The first thing I did when I noticed was downgrading the new user's rights to subscriber. After I finished editing, WordPress wanted me to give him a nicename, because it was blank until this time.

    Then I installed WordFence and did a whole scan. The only thing I found was that the readme files of some of my plugins are not up-to-date with the newest version of the plugin. (Does this hack prevent plugins from updating? Maybe that's why the user is called updater?) With “Unmask Parasites” and “https://sitecheck.sucuri.net/scanner/” nothing suspicious was found.

    Now I wanted to look in the database to see when the user was created, and it has exactly the same date and time as my administrator account.

    Is there anybody out there who noticed the same as me?
    What can I do to figure out where this comes from?
    What should I do next?
    Should I change the suspicious users password?
    How can I check that my WordPress has really been updated to 4.5.1 and not only changed its version number?

    Kind regards
    -reeve90
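
One way to answer the last question above (whether the core files really are 4.5.1 rather than just the version string), as an added example that is not from this thread: WordPress publishes per-release MD5 checksums of every core file at api.wordpress.org (the same manifest WP-CLI's `wp core verify-checksums` consults), and the script below compares an install against such a manifest. It uses a constructed install and a constructed manifest of the same shape so it runs offline; `verify_core`, `build_demo` and the file names are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Real manifests come from https://api.wordpress.org/core/checksums/1.0/?version=4.5.1&locale=en_US
# as {"checksums": {"relative/path": "<md5 hex>", ...}}; pass the inner dict to verify_core().

def md5_file(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def verify_core(root, checksums):
    """Return sorted lists of modified files, missing files, and files inside
    wp-admin/ or wp-includes/ that are not in the manifest (core ships no user
    content there, so extras deserve a look)."""
    root = Path(root)
    modified, missing, unexpected = [], [], []
    for rel, expected in checksums.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif md5_file(p) != expected:
            modified.append(rel)
    for sub in ("wp-admin", "wp-includes"):
        base = root / sub
        if base.is_dir():
            for p in base.rglob("*"):
                rel = p.relative_to(root).as_posix()
                if p.is_file() and rel not in checksums:
                    unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}

def build_demo():
    """Constructed install, not real 4.5.1 files: version.php claims 4.5.1, but
    load.php still carries older content and a stray PHP file sits in wp-includes."""
    clean = {
        "wp-includes/version.php": b"<?php\n$wp_version = '4.5.1';\n",
        "wp-includes/load.php": b"<?php // 4.5.1 content\n",
        "wp-admin/admin.php": b"<?php // 4.5.1 content\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    on_disk = dict(clean)
    on_disk["wp-includes/load.php"] = b"<?php // stale 4.5 content\n"
    on_disk["wp-includes/zz-not-core.php"] = b"<?php // dropped in by someone else\n"
    root = Path(tempfile.mkdtemp())
    for rel, data in on_disk.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return str(root), manifest
```

Against a real install, download the manifest for the version you expect and call `verify_core(docroot, manifest["checksums"])`; modified or missing core files and extras under wp-admin/ or wp-includes/ are the places to inspect first.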

Viewing 3 replies - 1 through 3 (of 3 total)
  Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Please remain calm and carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Hi @reeve,

    What plugins do you have on your site? Mind pasting them? Having a good password policy won’t protect against exploits/vulns in the plugins or themes you have.

    We see these injections often and most of the time they always come with hidden backdoors inside your themes or plugins that allow them to come back. So just removing the user might not be enough to be protected moving forward.

    thanks,

    Thread Starter Norman Höhne

    (@reeve)

    Hey Daniel,

    Sure! Some of them are not very clear, so I put a hyperlink in for more understanding. There you go:

    Active ones

    • Antispam Bee
    • Author Archive Disabler
    • BackWPup
    • Broken Link Checker
    • Contact Form 7
    • Crazy Lazy
    • EC Stars Rating
    • Edit Author Slug
    • Endnotes
    • Featured Custom Post Type Widget for Genesis
    • Fluid Video Embeds
    • Genesis Columns Advanced
    • Genesis eNews Extended
    • Genesis Simple Hooks
    • Google Captcha (reCAPTCHA) by BestWebSoft
    • HootProof Like Box
    • Limit Attempts by BestWebSoft
    • Prosodia VGW OS für Zählmarken (VG WORT)
    • Redirection
    • Shariff Wrapper
    • Simple Image Sizes
    • Subscribe To “Double-Opt-In” Comments
    • TinyMCE Advanced
    • upPrev
    • User Role Editor
    • WP-Sweep
    • WP Retina 2x
    • Yoast SEO
    • and last but not least a custom post type I wrote as a plugin

    Inactive ones

    I’m now considering reinstalling the whole system anyway, reinstalling most of the plugins again. What do you think: which ones should I rather omit?

    Yesterday I compared the actual SQL database with a DB from a backup where the suspicious admin user didn’t exist. Except for the tables “user” and “usermeta” I didn’t find anything suspicious.

    That’s why I want to make a new search through the .sql again. Do you have any ideas what to look for?

    Thank you so much

    EDIT

    I’m using the Genesis framework

The topic ‘Hacked – New admin user occured’ is closed to new replies.