    Bodhi

    (@bodhirayo)

    Posting this as a public service alert to the Wordfence community. For the general community I have started a similar thread in the ‘Everything else WordPress’ forum here: wordpress-admin-username-changed-to-html404.

    My client’s admin account was hacked this morning; the admin user account name was replaced with ‘html404’.

    I’m still in the process of conducting a forensic analysis on the website access logs. Will post findings on the community thread (see above link).

    Website is running a self-hosted version of WordPress, 4.9.2. Running Wordfence version 6.3.22.

    I immediately:
    – logged in and confirmed user html404 appeared in user list.
    – opened the html404 user profile in the profile editor
    – logged user out of all sessions
    – changed the user email and password
    – created another admin profile to replace the hacked profile
    – deleted the hacked profile, attributing all its content to the new admin profile

    Thanks and blessings to the Wordfence team for their awesome plugin which alerted me to this issue. You folks rock!!!

Viewing 3 replies - 16 through 18 (of 18 total)
  • Looked at some more Wordfence logs and found the following:

    Indonesia Jakarta, Indonesia visited https://<<website>>/wp-login.php
    2/17/2018 4:51:50 AM (15 hours 11 mins ago)
    IP: 114.124.210.13 Hostname: 114.124.210.13
    Browser: Chrome version 0.0 running on Win10
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
    Chrome/64.0.3282.167 Safari/537.

    and right after that the following was in the log:

    United States Medina, United States visited https://<<website>>/?_wfsf=detectProxy
    2/17/2018 4:51:58 AM (15 hours 12 mins ago)
    IP: 69.46.36.20 Hostname: noc4.wordfence.com
    Browser: Chrome version 0.0 running on MacOSX
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko)
    Chrome/21.0.1180.82 Safari/537.1

    No idea what this Wordfence site is, but everything in the Wordfence directory on my site that got hacked got updated according to the file/folder timestamps right around 4:51am. And that’s also around the time when the 404html plugin folder was created and the rogue user got created too.

    Oh well, for now the Indonesia IP has been blocked and will continue to closely monitor the site.

    Another victim here. Admin username was changed to html404. I’m a complete basic user when it comes to websites, but I was able to figure out how to fix everything so far.

    Website is running a self-hosted version of WordPress, 4.9.4. Running Wordfence version 7.

    I got an email from Wordfence today at midnight saying html404 password was weak. I was able to log in and change the password. Then I went to cPanel phpMyAdmin and was able to change the username back. I then changed all the passwords associated with the site.

    Wordfence also detected some malware. It was able to delete the files, but there was one in the web root index.php that it couldn’t delete. Wordfence showed me the modified and unmodified versions of the file. I had to go through cPanel File Manager on the web root directory to find it and restore it to the original version.

    Next I checked my plugins. There was a Simple 301 Redirects plugin that I didn’t install, but it was inactive. I deleted it.

    One other weird thing I noticed was that my Akismet Anti-spam plugin is acting funky. For years it would detect a few hundred spam per month. The past six months it’s detected SIX. I have no idea why. Also, I have two Akismet plugins now (not sure there were always two). One is just Akismet and one is Akismet Anti-spam. Only one can be active at a time. If I try to activate the inactive one, I get a fatal error message. Not sure if this has anything to do with anything, but it’s weird.

    A few months ago there were some website getting hacked by suryana or some name like that. I also had that happen, but I was able to easily delete the user account they created and had no other problems that I know of.

    mwhyo

    (@markwmarkwphotocom)

    Just got hacked myself with the same thing and in the process of cleaning everything up. ****If you have two Akismet Anti-spam plugins, one of them is the hack!!!!**** Akismet should be ver. 4.x; the hack one was showing version 2.x. I further confirmed this on my plugin folder and had one Akismet folder (the correct one). The html404 folder in the plugins folder is masking itself as Akismet in WordPress. I confirmed this by looking at the php files. I deleted it and now only have one Akismet. The plugin is the one that is creating all the backdoor access to the rest of your site. It has modified/created htaccess files, as well as modified some core WordPress files. I had files all over my site that were added or changed. It’s a hassle but now putting more security steps on my site.

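A defender-side check for the lookalike plugin described above, added here as an example and not code from this thread or from Wordfence. It assumes a standard wp-content/plugins layout and builds a constructed sample directory (the folder names, file names and version numbers in the sample are invented for the demo); run it against a real plugins folder by passing that path to inventory_plugins().

```python
import os
import re
import tempfile
from collections import defaultdict

# WordPress reads "Plugin Name:" / "Version:" from a comment block at the top of a
# top-level .php file in each plugin folder and shows those values in the admin
# plugin list instead of the folder name, which is how a rogue folder can pose as Akismet.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def read_plugin_header(path):
    """Return {'Plugin Name': ..., 'Version': ...} for one .php file, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fields = dict(HEADER_RE.findall(fh.read(8192)))
    return fields if "Plugin Name" in fields else None

def inventory_plugins(plugins_dir):
    """Map each plugin folder to the header WordPress would display for it."""
    found = {}
    for folder in sorted(os.listdir(plugins_dir)):
        folder_path = os.path.join(plugins_dir, folder)
        if not os.path.isdir(folder_path):
            continue
        for name in sorted(os.listdir(folder_path)):
            if name.endswith(".php"):
                hdr = read_plugin_header(os.path.join(folder_path, name))
                if hdr:
                    found[folder] = hdr
                    break
    return found

def find_lookalikes(inventory):
    """Group folders whose displayed name starts with the same word ('Akismet' and
    'Akismet Anti-Spam' both key on 'akismet'); two folders in one group means one
    of them is not what it claims to be. Returns {word: {folder: version}}."""
    groups = defaultdict(dict)
    for folder, hdr in inventory.items():
        groups[hdr["Plugin Name"].split()[0].lower()][folder] = hdr.get("Version", "?")
    return {k: v for k, v in groups.items() if len(v) > 1}

def build_sample_plugins_dir():
    """Constructed sample (hypothetical files and versions): a genuine-looking
    akismet folder, a rogue html404 folder claiming to be Akismet, and a bystander."""
    root = tempfile.mkdtemp()
    samples = {"akismet/akismet.php": ("Akismet Anti-Spam", "4.0"),
               "html404/akismet.php": ("Akismet", "2.0"),
               "hello-dolly/hello.php": ("Hello Dolly", "1.6")}
    for rel, (pname, ver) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {pname}\nVersion: {ver}\n*/\n")
    return root
```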