Hacker registered user

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

I received an email this morning stating that another person had been granted access to my account and I don’t recognize the name or address. Is there anything different I should do besides read all of the above and try and implement them?

Hi,
I came across the same wp.service.controller.dZYmV new unwanted user + new files on the server (test.php, 404.end.php, end.php, …)

@autori76 have you found the problem and solution ?

Thanks a lot

Hi,

Yes, same problem here. I found a user with Admin status – wp.service.controller.zgcdI

Also, similar .php files with names like ‘case’, ‘air’, ‘student’

Can anyone say how this happens?

Thanks in advance.

Hi – same here – is it safe to delete this user?

Hi,

It’s not just safe to delete this user but it’s absolutely necessary too. Since my above post i have found out that’s it’s an indication that you’ve been hacked and could be sending visitors elsewhere. I think you should go to webmaster tools console and check the security issues section for your site.

Then you could use a tool like WordFence to scan your site fully. See here – https://productforums.google.com/forum/#!msg/webmasters/u_YEfk6UPUM/aV_15l6QEQAJ

Good luck.

We’ve been seeing this with some accounts and it’s typically been that the hackers have the password to an admin level account in your WordPress. This might be due to a password stealing trojan on someone’s local computer. Even Macs

Mine was a brute force attack gaining access to one admin account which in turn created another admin account, wp.service.controller.xxxx. Definitely malware and redirects, because the .htaccess and index.php files had been modified. Also a directory named 4fc2 (the numbers are random), kept appearing in various folders on the site (wp-content/uploads was a favorite).

Recommendation:
-Take site offline
-Remove any suspicious files or directories from uploads and child theme folders
-Reset credentials for FTP, MySQL and all Administrators on your site
-Upload a clean version of WP and any plugins or themes you’re using
-Run a site check at Sucuri or similar to make sure you got it all

I’m having the same issue on Bluehost. What ISPs are you folks on? In fact, it seams to me that all of my shared hosting sites are infected. I’m not sure exactly what these hackers want, or why they are doing it. One thing is for sure though, it’s forcing me to learn how to be a sysadmin. I have about 20 sites on Bluehost, and I’m moving them to Amazon AWS because I’ve decided I have to take total control of my sites. My new plan is to be able to delete and restore every site I own. Very disappointed with Bluehost, but I’m not sure who is at fault! Maybe it’s a fundamental WordPress issue. However, on the sites I’ve migrated to AWS, I haven’t had any problems yet. Maybe I’m just not a target there. If you want to learn how to migrate your site to a cloud environment that you have total control over, email me! [email protected]

• This reply was modified 7 years, 9 months ago by CustomRayGuns.

I have this too, on a site I just installed like…two days ago. Only plugins:

Akismet
iThemes Security
Jetpack
Logonizer
WordFence
WP Supercache
Yoast

So this is fairly nasty to work through, GotMLS.net’s AntiMalware plugin will initially identify a number of potential threat files, but removing these is not sufficient. NB, these files will contain php include statements calling other files or executing other scripts that this hack has injected somewhere(s) deep within your public_html.

Once you do this, Sucuri will also mark the site as clean, and Google’s Webmaster Tools won’t identify any problems, either, but you’re still not fixed.

You’ll need to review your Database. In mine, there were several malicious entries in the “Posts” table, which contained presumably a base64 encoded string that fed something else.

There’s also a rogue sitemap that’s been created, and presumably submitted to google (I think there was a secondary verification .html file in my root, I deleted it before I could really be sure), which causing Google to repetitively crawl *thousands* of URL’s on my domain which have never existed, leading to a CPU spike (this was how my hosting company, SiteGround, initially found the problem).

Finally I noticed the malicious user with no permission/role assigned, when reviewing the DB for further changes.

I’m not out of the woods yet, but finding this malicious user account, removing the malicious DB entries, changing my DB user AND password, changing my WP password, my cpanel password, etc., and cleaning/fixing/deleting all of the files identified by AntiMalware is where I’m at now.

Running additional tests & keeping a very close eye on visits, CPU usage, etc., fingers crossed…

(NB: my account hosted via Siteground)

I just deloused a website for a friend. I found that same type of user registered. He was using “admin” as his login ID, so I created a new ID for him and password, and deleted the admin user.
I’ve installed wordfence and used it to find any files I missed, and set up its firewall.
I’ll go through the DB now, too, I was wondering about that.

@probablepossible my domain has been clean for 2+ weeks now, it is a nasty one to work through but once you get rid of that user account, provided you’ve also removed all of the hacked/injected files and content, you should be in the clear. Good luck!

Just a follow up to CustomRayGuns:
I’ve had a similar issue at Justhost (which is basically a re-brand of bluehost) – so maybe their servers had an outbreak. Or we were just unliucky at the same time…..

I had a bunch of low traffic sites on their shared hosting which all got hit with the same hack and kept re-spawning – As soon as I fixed one site it was re-infected by one of the others.

Justhost support was largely ineffective – mostly wanted to keep upselling me some security package. Even on a call to their tech support I pressed an option to ‘talk to a rep about security’ and was redirected to sales in this external company!
In the end I had to delete !everything! from my hosted account, get them to re-activate the account, then restore and verify each site and database from backups. A nightmare waste of time – but i seem to be back now.

Had same problem for ages. To be exact for 4 months already. Cleaned my sites every 4 days. Total nightmare !
Finally I figured it out.
It doesn’t depend on hosting or on plugins you are using.
Looks like the very first time my websites where hacked via old joomla website. Then they injected tons of files inside (on all websites on sharing account)
They also injected code in WP config, settings and index.php files. Other random files were infected as well. They put fake favicon files, which I was missing in early cleaning stages.
I was looking for solution for ages, but did’t find any proper solution.

I don’t know if my solution is perfect but you can try.

1. Ask you hosting provider to scan your websites for malware and send you infected files list.
2. Try to delete / clean injected files
3. Update wordpress to latest possible version.
4. Update all plugins as well.
5. Check for fake admin users and remove them if present.
6. Install wordfence and do a full scan. Restore injected files and delete all fake files.
7. Install Anti-Malware from GOTMLS.NET and scan all files. Review all files especially php and favicon ones. Delete or clean infected.
8. Leave only one FTP account and change password. Or change for all FTP accounts.
9. Change cpanel password.
10. I made files index.php, settings.php and config.php 444 permission.

Monitor your websites constantly with wordfence. It can tell you when it is hacked. I could not figure out exact date and which website was hacked. But this solution looks like helps a bit.