• Resolved CSNAssistant

    (@csnassistant)


    Hello. I am experiencing a problem that may be due to a possible security breach.

    I noticed that when I went on to my site here, a new button was created linking me to a site hosted in France. My site deals with medical information while the unauthorized site was linking to a French bridal gown store. This was not an ad, but was rather integrated into the site and possibly the code.

    I immediately reset the passwords, notified the users, and downloaded Simple History.

    The next day (today) I see on Simple History that someone tried to log in to the admin account on 141 occasions within the past day.

    My questions:

    1) Is Simple History showing this as a bug or is this an actual person or program?

    2) How can I stop this person/program from doing this and what measures can I take in the United States?

    3) I only saw one thing changed, but how can I run a diagnostic on my site? (I have little knowledge of code, but I am a fast learner.)

    4) Do you have any suggestions as to what I can do to proceed?

    Thank you to everyone who is reading this.

Viewing 11 replies - 1 through 11 (of 11 total)
  • A scan of your site shows no signs of a hack. Have you tried:

    – deactivating all plugins to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s).

    – switching to the default theme to rule out any theme-specific problems.

    – resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.

    Thread Starter CSNAssistant

    (@csnassistant)

    I have tried to switch themes, but have had no success. I will check the plugins now to see if they are the issue. I do have several plugins that are inactive, so I will delete those as well. Until then, should any other precaution or scan be taken on my part?

    I did scan your site using https://sitecheck.sucuri.net/scanner/ which is usually pretty good but you could also try https://www.unmaskparasites.com/

    Have you gone through your site’s list of Users to ensure that everyone on there is known and trusted by you?

    Thread Starter CSNAssistant

    (@csnassistant)

    We have 3 users on our site, which are made up of people that I work in close contact with every day, so I do trust them. The Admin account is not normally used anymore, so it is just an account that we have in case we need it, which happens to also be the account that someone/something is constantly trying to access according to Simple History.

    User admin failed to log in because they entered the wrong password
    1 hour ago by <Unknown or deleted user> Details
    + 141 occasions

    And under Details it says:

    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/23.0.1271.17 Safari/537.11
    HTTP_REFERER:
    REMOTE_ADDR: 193.0.146.118

    Thread Starter CSNAssistant

    (@csnassistant)

    I would like to thank you for taking the time to help me out by the way. There has been no change when I checked the plugins and theme.

    User admin failed to log in because they entered the wrong password
    1 hour ago by <Unknown or deleted user> Details
    + 141 occasions

    Does your main Admin user have the username “admin” by any chance? If so, changing it might ward off many of these potential attacks. See https://www.ads-software.com/extend/plugins/admin-renamer-extended/

    You can also install a plugin that will limit these login attempts and block the offending ip address after x attempts for 24 hours. Just be careful that you don’t lock yourself out. If you are still concerned, it wouldn’t hurt to review these resources:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/

    I would like to thank you for taking the time to help me out by the way.

    No problem. That’s what we are all here for. :)
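    The attempt-limiting advice in the reply above (block an offending IP after x failed attempts for 24 hours) is easy to reason about when written out. The following is an added Python example, not code from this thread or from any WordPress plugin: it replays constructed Simple History-style failed-login entries, using the source IPs posted in this thread as sample values, through a hypothetical lockout policy (5 failures within 10 minutes locks that source for 24 hours) and reports per-IP totals and when each source was first blocked. The line format, field names and thresholds are all assumptions, chosen so the lockout and its expiry can be traced by hand.

```python
"""Replay failed-login events through a per-IP lockout policy (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries, NOT real Simple History output. The IPs are the
# ones posted in the thread; timestamps are invented so that one source trips
# the lockout, one stays below it, and the lock is seen to expire after 24 h.
SAMPLE_LOG = """\
2013-01-15T10:00:01 failed_login user=admin ip=193.0.146.118
2013-01-15T10:00:02 failed_login user=admin ip=193.0.146.118
2013-01-15T10:00:04 failed_login user=admin ip=193.0.146.118
2013-01-15T10:00:05 failed_login user=admin ip=193.0.146.118
2013-01-15T10:00:07 failed_login user=admin ip=193.0.146.118
2013-01-15T10:00:08 failed_login user=admin ip=193.0.146.118
2013-01-15T10:03:10 failed_login user=editor ip=204.152.255.23
2013-01-15T11:30:00 failed_login user=editor ip=204.152.255.23
2013-01-16T10:30:00 failed_login user=admin ip=193.0.146.118
"""


def parse_line(line):
    """Parse one '<iso-time> <event> key=value ...' entry (assumed format)."""
    ts_str, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str), "event": event,
            "user": kv["user"], "ip": kv["ip"]}


class LoginLockout:
    """Lock a source IP after max_attempts failures inside a sliding window."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=10),
                 lock_duration=timedelta(hours=24)):
        self.max_attempts = max_attempts
        self.window = window
        self.lock_duration = lock_duration
        self.failures = defaultdict(deque)   # ip -> recent failure timestamps
        self.locked_until = {}               # ip -> expiry of current lock

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def locked_until_iso(self, ip):
        until = self.locked_until.get(ip)
        return until.isoformat() if until else None

    def record_failure(self, ip, now):
        """Register a failure; return True if the source is (now) locked."""
        if self.is_locked(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        # Drop failures that fell out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lock_duration
            recent.clear()
            return True
        return False


def replay(log_text, policy=None):
    """Feed every failed_login entry to the policy.

    Returns (failures per ip, first lock time per ip, the policy object).
    """
    policy = policy or LoginLockout()
    counts = defaultdict(int)
    first_blocked = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event["event"] != "failed_login":
            continue
        counts[event["ip"]] += 1
        if policy.record_failure(event["ip"], event["ts"]) \
                and event["ip"] not in first_blocked:
            first_blocked[event["ip"]] = event["ts"]
    return dict(counts), first_blocked, policy


if __name__ == "__main__":
    totals, blocked, pol = replay(SAMPLE_LOG)
    for ip, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        state = f"locked at {blocked[ip]}" if ip in blocked else "below threshold"
        print(f"{ip:16} {n:3d} failures  {state}")
```

    Replaying the sample shows 193.0.146.118 locked on its fifth failure at 10:00:07, its sixth attempt rejected while locked, and its attempt the next day at 10:30 accepted for counting again because the 24-hour lock has expired; 204.152.255.23 never trips the threshold because its two failures are more than ten minutes apart. A real limiter would persist this state (the plugin esmi mentions stores it in the database) rather than keep it in memory.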

    Thread Starter CSNAssistant

    (@csnassistant)

    Thank you. I will take the time to review the material. If I no longer get attempted login messages by tomorrow, then I will close this thread.

    One more quick question: when Simple History says:

    REMOTE_ADDR: 193.0.146.118

    Is that the IP Address?

    I think so, yes.

    Thread Starter CSNAssistant

    (@csnassistant)

    Ok. Then based on a quick look through, I found three distinct IP addresses. Perhaps they will be useful to you in any other future troubleshooting.

    204.152.255.23
    67.18.3.37
    193.0.146.118
    EDIT: 97.79.239.135

    Thank you very much and I will reply with an update as soon as I can. If anyone else has any other suggestions or pieces of advice, then I would be appreciative.

    Thread Starter CSNAssistant

    (@csnassistant)

    Update: It worked. I haven’t gotten any more attempts. Thanks a million!

    To those who are reading this sometime in the future, if you have a similar problem with possible hackers, this is what I suggest, based on my own experience and this thread.

    1) Scan your site using https://sitecheck.sucuri.net/scanner/ or https://www.unmaskparasites.com/

    2) Download Simple History, which can show you if there are any more changes or failed login attempts.

    3) Check your themes and plugins to verify that they are not the issue.

    4) Finally (this was my problem), check the admin account. If that is the problem, then delete or rename it.

    Thank you esmi for helping me.

    No problem :)

  • The topic ‘Possible Security Breach’ is closed to new replies.