• These IPs were able to log into my WP site using blank user names, and with admin rights according to my Succuri Plugin. Here’s what it says ..
    This is from my recent logins report, BTW ..
    ( ) 77.79.40.195 hst-40-195.splius.lt 3 weeks ago
    ( ) 93.103.21.231 93-103-21-231.static.t-2.net 4 weeks ago

    The blank brackets usually indicate the user name.

    BTW, these logins also show up in Wordfence ..

    Lithuania Siauliai, Lithuania logged in successfully as ” “
    IP: 77.79.40.195 [block]
    Hostname: hst-40-195.splius.lt
    26 days 1 hour ago
    Slovenia Kranj, Slovenia logged in successfully as ” “
    IP: 93.103.21.231 [block]
    Hostname: 93-103-21-231.static.t-2.net
    28 days 3 hours ago

    HOW THE HELL DOES A BLANK LOGIN WORK?????????????????? ARGGG!!!!!!! There has to be some back door that they used to sidestep the usual login method.

    First and foremost I would recommend that you go to your user list and see if you have a blank admin user in your accounts.

    Second, I would guess we need to start comparing plugins. When these logins occurred I could not figure out how access was achieved and I reset the site. That required trimming out edits of all the php files on my site (actually there are 2 sites that this happened to but only of them was damaged via atttacking the php files. The IP addresses from the hacks were the same on both sites. There is a name for this attack and it was historically known as generic.029.

    BTW, there ought to be a set of forums specifically for security issues.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter BreezyOhio

    (@breezyohio)

    One more thing .. here is a post of relentless IP attacks on WP sites that are ongoing and I think related to this the actions listed in the previous posts.

    Note that the IPs that constantly attack by trying to login as “admin” are largely on the same network, but not the same IPs as the ones listed above.

    https://www.ads-software.com/support/topic/repeated-attempts-to-log-in-to-admin/page/3?replies=72#post-6632838

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    BTW, there ought to be a set of forums specifically for security issues.

    Security problems really are for “How-To and Troubleshooting” which I’ve moved this topic into.

    These IPs were able to log into my WP site using blank user names, and with admin rights according to my Succuri Plugin. Here’s what it says ..

    It’s a stock answer but it really applies and can help you. Though it is a lot of work.

    You need to start working your way through these resources:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    Hardening WordPress
    https://sitecheck.sucuri.net/scanner/
    https://www.unmaskparasites.com/
    https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

    Thread Starter BreezyOhio

    (@breezyohio)

    Jan, thanks for the reply. This isn’t my first rodeo, and I’ve been to these same sites when my site was hacked in October of 2014. The site was resurected from a very old backup to ensure that it was a clean backup and it was on a new site build by the hosting company. I run Succuri and Wordfence together and both were running when this “no user name” hack got into my site.

    BTW, in addition I do NOT edit my php files and only run common plugins, and not many of those. I also shut down all my FTP connections and deleted any unused themes so I’m pretty vigilant about site security, though I’m sure that I could do more.

    However, this “no user name admin hack” has me very concerned. It had to come from a vulnerability and with the 2 sites that I have .. they share no common plugins or themes .. it kind of suggests that it was done via a WordPress vulnerability.

    I cannot understand the logic of not dedicating a separate forum to hacking methods and site vulnerabilities. Day by day, WP attacks seem to go up.

    BTW, unmaskparasites.com is shutting down.

    Thread Starter BreezyOhio

    (@breezyohio)

    Oh one more critical details I forgot to mention .. around the time of these no user name accesses all my plugins were disabled via a rewrite of the index.php file in the plugins folder. This was a bit clever because it disabled all the automatic security measures I have in place such as Succuri and Wordfence .. both of which are plugins.

    I noticed it right way because I wasn’t getting any reports from either. BTW at that same point all of my php files were rewritten to include hacked code, called the generic.029 attack by Sucurri. That attack is associated with a plugin I have never used on any site. I would guess that the author of that attack found a way to hack a WP site independent of plugin.

    It’s possible that the server your sites are on was compromised – have you checked with the hosting company?

    Thread Starter BreezyOhio

    (@breezyohio)

    Yes, I’ve even pleaded with them to search the hosting box for any of these vulnerabilities, which in the case of the generic.029 attack is pretty easy because of the long identical text it inserts in php files. They had no interest and claimed, of course, that all their servers are constantly monitored and scanned. blah blah blah ..

    That’s one of the many problems you get in trying to decipher an attack and plug holes. As a hosting customer you only get to see part of the story. It also annoys me to no end how a file can be modified without changing the file date. Not much I can do about that stuff though. I’m with a “very good” hosting company.

    It seems to me that the Internet backbone and integrity erodes by the day .. something that only works 98% of the time just isn’t reliable enough to bank on these days .. just reflect on what’s happened to emails .. now many people don’t even read them because they have lost faith in them being anything other than a sales message. Of course most of those are people that cannot/do not manage email security. They are incapable to manage security and just want stuff to happen. Yeah, I want stuff to just happen too .. but that is not the way the Internet is today. Hosting every presence .. website, blog, sales platforms, merchanting, emails .. they all require more time and effort than most people realize.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘There appears to be a serious vulnerability here ..’ is closed to new replies.