Total Administrators Spam

That’s odd that it returned non-admin users, because it uses the WordPress API (get_users() function) to retrieve the list of admin users and it should be reliable. Did you have any database issues lately? Was there someone working on the DB when it occurred?
You can try this script:
1. Save this code to a script named whatever.php.
2. Upload it into the WP root folder, where your wp-config.php script is located.
3. Go to https://your-site/whatever.php and check the results. Reload the page a few times to see if it returns the same results. Do you see anything wrong?
4. Delete the script afterwards.

<?php
header('Content-type: text/plain');
require('wp-config.php');
$adm_users = get_users(
   array( 'role' => 'administrator',
      'fields' => array(
         'ID', 'user_login', 'user_pass', 'user_nicename',
         'user_email', 'user_registered', 'display_name'
      )
   )
);
echo "Total admin users found: ". count( $adm_users ) ."\n\n";
foreach( $adm_users as $adm ) {
   echo "Admin ID : {$adm->ID}\n";
   echo "-user_login : {$adm->user_login}\n";
   echo "-user_nicename : {$adm->user_nicename}\n";
   echo "-user_email : {$adm->user_email}\n";
   echo "-user_registered : {$adm->user_registered}\n";
   echo "-display_name : {$adm->display_name}\n\n";
}
exit;

I have the same issue, but when I log in and look at my user list, everything looks fine.

And each time I get the spam, it’s coming from a different IP address.

• This reply was modified 5 years, 12 months ago by jmdorst.

@jmdorst : Can you run the above script?

I seem to be getting a variation of this. I received two alerts tonight like this.

Alert: Database changes detected

The first one claimed there were 542 changed administrator accounts. It was one long blank list with the titles for the fields but no actual data.

The second alert showed just one account changed – my one and only admin account. I checked my user account and can find no changes but did change my password to be on the safe side.

I looked at my SQL tables and it didn’t show any accounts other than the small handful that exist on my site. And I used the script above for extra measure. It also gave me one admin account, my own.

When I look at Ninjafirewall log it does show it blocked a visitor who was trying to enumerate authors.

HEAD /index.php – User enumeration scan (author archives) – [author=1]
GET /index.php – User enumeration scan (author archives) – [author=1]

Several times over. No idea if there’s any connection.

The user IP listed in the email is mine which is the weird thing. I am logged in but before the alert I had not changed anything, password, etc. for my account. I was updating a widget in my sidebar.

The user IP is from the person that triggered the alert, not the changes. It is not important and can be unreliable. We will remove it in the next version because it is confusing.

Can you try to edit the “wp-content/plugins/ninjafirewall/ninjafirewall.php” script?
1. Open the file and search for add_action('shutdown', 'nf_check_dbdata', 1);.
2. Replace it with add_action('init', 'nf_check_dbdata', 1);.

Then wait and see if you are still receiving false alerts.

Ran the whatever script above. Received normal/expected results.
Still getting paired notification as follows:

1st one:
[x] Total administrators (anywhere from 2 to 150+)
Random IP address
details then show blank entries… in the case of 2 I get
Admin ID :
-user_login :
-user_nicename :
-user_email :
-user_registered :
-display_name :

Admin ID :
-user_login :
-user_nicename :
-user_email :
-user_registered :
-display_name :

2nd notification
I receive a correct number from my current IP address with the information completed equal to what is received in the whatever.php results.

Ideas what is causing this odd occurrence?

I also ran the whatever.php script and the correct admin accounts returned. I applied the change to the ninjafirewall.php file and will post back if the spam emails return.

Thanks

Let’s wait and see: if the change you applied to the ninjafirewall.php solve the problem, it is likely a conflict with another plugin.

Did the change to the plugin. I’ve continued to get the alerts but only just now had time to check back and find out what the fix may be. I will report back whether or not the alerts stop.

The number has grown. I get two emails each time. One indicating my actual admin account has changed and another one telling me that thousands of admin accounts have changed but it’s just one blank entry after another. I’ve looked both ways and there just aren’t any other admin accounts besides mine.

Anyway, will report back.

PS To clarify, I was continuing to get the alerts and have now tried the fix. The way I worded that was not entirely clear. It’s late!

• This reply was modified 5 years, 11 months ago by Mark.

So far, so good. First day I have not received those two messages warning me about admin changes.

Knock on wood!

Do you have any caching plugin or a plugin to optimize your blog? Would you mind to list your active plugins?

Hi, the issue remains. WPROCKET is the only optimization plugin we have on this website.

I think it has to do with caching. Maybe object or DB caching. I’m still trying to find it out but it’s odd that the changes to the ninjafirewall.php script didn’t work for you.
If you have database caching enabled, could you try to flush its cache?

Just received this email on 1 of my sites:

NinjaFirewall has detected that one or more administrator accounts were modified in the database:

****
User IP: 34.233.208.215
Date: December 10, 2018 @ 07:02:18 (UTC -0500)

Total administrators : 522
****

Then this repeated 522 times:

****
Admin ID :
-user_login :
-user_nicename :
-user_email :
-user_registered :
-display_name :
****

When I logged it, everything looked fine.

So far changing that one line of code has fixed this for me.

I am using a caching plugin – LiteSpeed Cache for WordPress

Those alerts were coming when I was active on my site. Every time I add a new post/page/etc. the cache is cleared. Connected to whatever was causing those alerts maybe?

And above is exactly what I was getting. The last one claimed that over a thousand admin had modified accounts and there’s only one admin account.

Mark