• Hi,

    So I noticed a user had registered themselves on a page I run which has registration disabled. The worrying thing? They registered as admin. The options specify a newly registered user would be set to subscriber.

    So I thought we had had a breach. That one account would have had a weak password, or something along those lines. With 5 users, we all changed passwords, and I installed the plugin User Action Log in case it would happen again.

    And so it did. Roughly a month and a half later, the same thing happened again. New user, random name and e-mail, and admin role. UAL shows they weren’t registered by another user (as it does if I register somebody via the admin interface), but rather that they simply registered.

    UAL also shows a period of failed login attempts at a few attempts per day, and 12th to 13th November about 70 attempts. A few days pause in login attempts, and then the user was registered. The user never logged in or did anything except for registering. As admin.

    If MySQL or FTP were breached, it would be baffling that they only registered a user and nothing else. And the passwords used there are 30+ characters, non-words. So a breach seems unlikely, as logs don’t show anybody was logged in to any account prior to the user being registered.

    Is there an exploit? Or how does this happen? The users are probably spam bots, given the nature of their chosen nicknames and mail addresses, but this is completely weird. And worrying if it were to have consequences.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator t-p

    (@t-p)

    – Try using Sucuri online scanner or a plugin to check for exploits and malware:
    https://sitecheck.sucuri.net/scanner/
    https://www.ads-software.com/plugins/search.php?q=scanner

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    From our experience dealing with lots of hacked websites, hackers don’t always exploit the access they have gained immediately, so it wouldn’t be baffling for a hack to have only led to an account being created in the beginning.

    If someone has access to the database they can create new users directly in that, and the user’s creation wouldn’t show up in a logging plugin’s data. The user_registered field in the wp_users table will sometimes provide strong evidence that the user was not created through normal means, if either that field is empty or it has a date and time listed that is obviously incorrect.

    If something were being exploited on the website, say a vulnerability in a plugin, evidence of that should show up in the log of HTTP activity. Have you reviewed that from the time periods when the users were created?
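The two checks the reply suggests, as an added example that is not part of this thread or of any plugin: audit every administrator row in wp_users for an empty, zero or future user_registered value (the fingerprint of a row inserted straight into the database), and pull the access-log lines around each account's creation time for review. It runs against an in-memory SQLite copy of wp_users and wp_usermeta filled with constructed rows and a few constructed Apache-style log lines; the logins, e-mail domains, IP addresses and the "known admin" list are assumptions. Against a live site the same SQL runs on the MySQL connection.

```python
"""Audit WordPress administrator accounts and pull the HTTP log window
around their creation time. Added example; not the forum's own code."""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample rows mirroring wp_users(ID, user_login, user_email,
# user_registered) and wp_usermeta(user_id, meta_key, meta_value).
SAMPLE_USERS = [
    (1, "owner", "owner@example.invalid", "2015-03-10 09:12:44"),
    (2, "editor1", "editor@example.invalid", "2016-01-05 14:02:10"),
    (3, "reader", "reader@example.invalid", "2017-06-21 08:31:00"),
    # Random-looking login, admin role, zero timestamp: a row written to the
    # database directly, not through the registration form.
    (4, "xq7kd2", "xq7kd2@mail.invalid", "0000-00-00 00:00:00"),
    # Admin whose registration date lies in the future at audit time.
    (5, "zz9ab", "zz9ab@mail.invalid", "2099-01-01 00:00:00"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (5, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
# Constructed combined-format access-log lines (assumed IP addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jun/2017:08:29:40 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 -',
    '203.0.113.7 - - [21/Jun/2017:08:31:02 +0000] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 4100',
    '198.51.100.4 - - [21/Jun/2017:13:10:55 +0000] "GET / HTTP/1.1" 200 8700',
]

ADMIN_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def build_sample_db():
    """In-memory SQLite stand-in for the two WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, "
                 "user_email TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, "
                 "meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_META)
    return conn


def find_suspicious_admins(conn, known_admin_logins, now_utc=None):
    """Return [(user_login, reason)] for administrator rows that are not on
    the site owner's known list or carry a registration timestamp no normal
    sign-up could produce (empty, the MySQL zero date, or in the future)."""
    now_str = (now_utc or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
    findings = []
    for _uid, login, _email, registered in conn.execute(ADMIN_SQL):
        reasons = []
        if login not in known_admin_logins:
            reasons.append("administrator not on known list")
        if not registered or registered == "0000-00-00 00:00:00":
            reasons.append("empty or zero user_registered")
        elif registered > now_str:  # ISO-style strings compare chronologically
            reasons.append("user_registered is in the future")
        if reasons:
            findings.append((login, "; ".join(reasons)))
    return findings


LOG_TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def requests_around(log_lines, registered, window_minutes=15):
    """Return log lines whose timestamp falls within +/- window_minutes of a
    wp_users.user_registered value (WordPress stores it in UTC)."""
    centre = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    delta = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_TS_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - centre) <= delta:
            hits.append(line)
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for login, reason in find_suspicious_admins(db, {"owner"}):
        print(f"{login}: {reason}")
    for line in requests_around(SAMPLE_LOG, "2017-06-21 08:31:00"):
        print(line)
```

Rows flagged for a bad timestamp stay flagged even when the login is added to the known list, which is the point: the timestamp is evidence about how the row got there, independent of whether the name looks familiar. For an account created through the normal form the timestamp is trustworthy, so the log window around it is where a plugin exploit would leave its trace.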

  • The topic ‘User registered as admin when registration is disabled’ is closed to new replies.