• Hi:

    I have detected that a user that has not been created in my website has successfully logged in to my blog site.

    The exact message is:

    Login Info:
    Time: November 30, 2014 2:30 am
    Website Info:
    Site:
    IP Address: 107.150.14.26
    Notification:
    User logged in: systemwpadmin

    I have not created that user systemwpadmin.

    I have created only one user account, which I use to manage and update my website from WordPress.

    I have performed the following actions since I have received that message:

    – I have updated 3 WordPress plugins to their latest version. The rest of the installed plugins were already updated.
    – I have two plugins that check for security issues on my blog: Wordfence Scan and Sucuri Security. They reported everything OK: no vulnerabilities, no malware files, no changes in core WordPress files against the originals.
    – I have blocked that IP (107.150.14.26) from accessing the site.
    – I have changed the security keys to invalidate all existing cookies, forcing all users to log in again.
    – I can’t see any post or comment by systemwpadmin until now.

    I appreciate your help:

    – to know how to check if my site is under attack or hacked
    – to know what activities have been committed by systemwpadmin
    – to understand how that user could successfully log in to my website
    – to know what other actions I have to take to prevent that user from accessing my website and to prevent this type of unauthorized access from occurring again.

    Thank you in advance,

    Regards,

    Luis

Viewing 6 replies - 1 through 6 (of 6 total)
  • I would recommend a Linux Malware Detect and FindBot.pl scan & analysis at the command line level by a professional.

    Tim Nash

    (@tnash)

    Spam hunter

    A lot of sites reported seeing this username with a UID of 8888 in the user table about a year ago; it would appear that it was a common part of a payload being used to exploit the timthumb vulnerability.

    Check that the user is not in your database via phpMyAdmin.
    Check that your theme or another plugin is not using timthumb.

    If this is a commercial site, be aware it is almost certainly compromised and should be treated as such.

    You are best off looking to get a professional to help recover the site; if the user logged in and could access the file editor (theme/plugin editor) or media uploader then they may well have planted other nasties in your system. Sucuri and similar might not necessarily detect a file outside of WordPress or sitting in the uploads folder.
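    The two checks in this reply (the rogue account in the users table, and timthumb in a theme or plugin) as an added triage script, not code from the thread or from WordPress. It assumes a standard layout under the site root you pass in, the default `wp_` table prefix, and the UID 8888 and login name mentioned above; it only reports, it changes nothing.

    ```sh
    #!/bin/sh
    # Added triage helper for the checks in the reply above; not code from the
    # thread or from WordPress. Assumes a standard layout under ROOT (wp-content/).
    set -u

    # find_timthumb ROOT: copies of timthumb in themes/plugins (the suspected vector)
    find_timthumb() {
        find "$1/wp-content" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null || true
    }

    # find_php_in_uploads ROOT: PHP files in uploads/, where none belong
    find_php_in_uploads() {
        find "$1/wp-content/uploads" -type f -iname '*.php' 2>/dev/null || true
    }

    # recent_php ROOT DAYS: PHP files modified in the last DAYS days (a modified
    # functions.php or a dropped file shows up here; compare against your own changes)
    recent_php() {
        find "$1" -type f -iname '*.php' -mtime -"$2" 2>/dev/null || true
    }

    # user_check_sql PREFIX LOGIN: query to paste into phpMyAdmin; the reply above
    # notes the rogue account was seen with ID 8888, so both login and ID are checked
    user_check_sql() {
        printf "SELECT ID, user_login, user_email, user_registered FROM %susers WHERE user_login = '%s' OR ID = 8888;\n" "$1" "$2"
    }

    # Usage: sh triage.sh /var/www/html [table-prefix]   (the path is an assumption)
    if [ "${1:-}" ]; then
        root=$1; prefix=${2:-wp_}
        echo "== timthumb copies =="; find_timthumb "$root"
        echo "== PHP under uploads =="; find_php_in_uploads "$root"
        echo "== PHP changed in last 7 days =="; recent_php "$root" 7
        echo "== run in phpMyAdmin =="; user_check_sql "$prefix" systemwpadmin
    fi
    ```

    Anything it lists is a lead to inspect, not proof on its own; a legitimate theme may ship timthumb, and that is exactly the copy to update or remove.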

    Same issue here: 7 hours ago an unknown user logged in from the German IP address 5.175.146.225 as an invalid user named systemwpadmin.

    They compromised the functions.php file in TwentyFourteen theme. Still looking for more damage.

    I was alerted to the problem by WordFence.

    I also found a suspicious file named “index_indesit.php” under the themes directory.

    Tim Nash

    (@tnash)

    Spam hunter

    Hi Bev, if you have any additional questions specific to your circumstances then you should start a new topic. See the forum welcome for more details on how and when to start a topic.

    Unfortunately, as in both of your cases it would appear both files and users are compromised, I can only offer general advice:

    The initial attack vector is most likely another theme or plugin, and most likely using timthumb. Unfortunately at this point it may be quicker and safer to export the data or use a backup and rebuild the site.

    If you don’t choose this route, you need to find the original attack vector and plug it, along with any other nasties they have added. If this is a commercial site then you should probably get someone to assist you.

    My post was intended to help the OP, not ask a new question.

  • The topic ‘Successful login of unauthorized user to my blog site’ is closed to new replies.