Security – beeing hacked

  • olissongs

    (@olissongs)


    6 years ago

    i suddendly get a message, that a new user get registered as admin.

    is there a security whole in wordpress? i updated may installation when needed.

    so i am wondering how this hack goes and how i can secure may wordpress installation. i though i had everything done.

    • This topic was modified 6 years ago by Steven Stern (sterndata). Reason: removed email from topic title, moved to "fixing"

    The page I need help with: [log in to see the link]

Viewing 15 replies - 1 through 15 (of 32 total)
  • mzzz

    (@mzzz)

    Same happened to me! I think there must be an unknown vulnerability as I’m also running the latest WordPress version. My server log files suggest that the hackers got in through admin-ajax.php. I removed both users and secured wp-login.php and /wp-admin with basic authentication. Additionally I blocked access to both to all IP addresses but my own. Hopefully this will prevent it from happening again.

    cleancoded

    (@cleancoded)

    There are lots of security options and best practices in place for WordPress.

    First, to address the suspected hacking, please carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    radinou

    (@radinou)

    Hi, same thing with 15 websites i have !
    All have new user get registered as admin

    [moderated]

    Website have wordfence in wordpress 4.9.8. and all differents plugin

    I thinks that its a security breach in wordpress.

    mzzz

    (@mzzz)

    Are you using a GDPR plugin on all of the 15 websites?

    colis

    (@colis)

    Are you using the WP GDPR Compliance plugin?
    Apparently the security issue is related to that plugin. However they released a fix in version 1.4.3.
    Make sure you update the plugin to the latest version.

    radinou

    (@radinou)

    Ho yes i think thats WP GDPR Compliance, the only same plugin in all my website !
    I will make an update in all and see if that fix it.

    Thanks for your help !

    colis

    (@colis)

    Make sure you also delete the fake user ??

    radinou

    (@radinou)

    Yes i update all, then i remove the fake user
    Thanks a lot for your help !

    • This reply was modified 6 years ago by radinou.
    Thread Starter olissongs

    (@olissongs)

    thanks for all recommendations.
    i have the WP GDPR Compliance plugin, but in Version .1.4.3

    @mzzz

    that sounds tha a good solution.
    can you please give more information where and how you made the changes?

    Kris

    (@kriskreativ)

    Thank you for these updates, very helpful. I deactivated the first user, t2trollherten, and t3trollherten popped up. I followed your tips just now and updated the WP GDPR Compliance plugin.

    Have any of you found any issues related to this user creating accounts? Did they do anything in your site besides create an account.

    kirovweb

    (@kirovweb)

    Thank you for these updates, very helpful. I deactivated the first user, t2trollherten, and t3trollherten popped up. I followed your tips just now and updated the WP GDPR Compliance plugin.

    Have any of you found any issues related to this user creating accounts? Did they do anything in your site besides create an account.

    I had the same guy making admin account on 1 of my websites, He made it before 6-7 hours, I found it before 1 hour when he changed his password, then I saw the issue, updated the plugin and removed his 2 accounts.

    I am also interested in this question:

    Have any of you found any issues related to this user creating accounts? Did they do anything in your site besides create an account?

    nickm37

    (@nickm37)

    Here is wordfence info on their blog.
    https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/?utm_source=list&utm_medium=email&utm_campaign=110818&_hsenc=p2ANqtz-8WElFrvxVzEKJkrf1moGbACTWwisqwbqDBaXBGZaKofksGjmcpoa9FLa8ItRVCrmpP6Hk4S5sL2sGP_ltZYHIMxPsmQQ&_hsmi=67358862

    My sites have been hacked too.
    They had a HTTP error 500 code when I visited once I heard about the hack.
    I have now disabled the website. Now to figure out what they did.

    Check Uploads folder to make sure there is nothing in there…

    Cheers

    goenz25

    (@goenz25)

    @nickm37

    I have the same issue- Error Code 500 – i deleted the admin users in the database, deleted the 2 files in the upload folder and refresh the WP GDPR Files in the PluginFolder by replacing with the new files from version 1.4.3.

    Do you have any idea, for solve the problem with the error code ?

    reca26

    (@reca26)

    Hello @ all, –

    I just came across this thread, looking for help as I’m also affected by “t2trollherten”. I have the WP GDPR Compliance plugin installed on ONE WEbsite and this “guy” created a new user with admin rights.
    As a result I can’t view ALL of my websites. I’m always getting this error message:
    Parse error: syntax error, unexpected ‘text’ (T_STRING) in /home/www/wordpress-major-city/wp-includes/class-oembed.php on line 461

    After looking in the class-oembed.php files of 3 of my websites and comparing it with the (original) class-oembed.php-file of a former backup, I found that this user added a huge amount of code on line 461.

    //fotos.bilder-speicher.de/images/image_org/18110906854411.jpg

    To my great amazement this code seems to be added to ALL class-oembed.php files. Even on sites that DON’T USE the WP GDPR Compliance plugin !!!

    reca26

    (@reca26)

    Hello @goenz25

    I’ve read your post with interest.
    Would you be so kind to write a line what kind of uploaads you’ve identified and deleted ? – This would be very great!!

    Kind regards Reca

Viewing 15 replies - 1 through 15 (of 32 total)
  • The topic ‘Security – beeing hacked’ is closed to new replies.

Tags