Forum Replies Created

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter cgw

    (@cgw)

    Thank you for getting back to me! I think I have found a work-around until I have more time to investigate as our club website is in constant heavy use during Covid-19 for weekly zoom meetings and photo competitions.

    The work-around is to use the Bulk Edit Options for the Radio Button field where it looks as though I have been able to add additional options once again. I’ll be testing it throughout the day.

    Many thanks for your response, and thanks for a very excellent plug-in.
    Best wishes,
    Chris

    Thread Starter cgw

    (@cgw)

    Many thanks for the update, and best regards.

    Thread Starter cgw

    (@cgw)

    Rick,

    Many thanks for your info – very much appreciated. Yes, like you, I find this problem very disheartening but I am hoping that with enough information, we will discover where the vulnerability lies. I’ll check my own site for wp-functions.

    Very sorry to hear of yet another attack. It might help if you can give a few further details. In my case, my attack last July was from a Russian-based IP. My web host is Justhost.

    One problem is that every new user that you now add will have an ID 88889, 88890, 88891, etc which for some reason makes me very nervous and I don’t know how to reset the database so that it continues as before. Does anyone know if the user id of “88888” is significant in any way? (e.g. is there a limit within WordPress for the maximum number of users?)

    I’m still very puzzled what the attack achieved and other than new users having IDs greater than 88888, I can find no lasting damage to my files or database.

    My interest in this stems from exactly the same login by a user id 88888 and name systemwpadmin 5 months ago (July). Details are on the forum thread “Unknown user “systemwpadmin” “: thanks to itpixie for alerting me to your new thread which I will watch with keen interest. As far as I know, only two other people have had similar problems so it does not appear to be widespread at present.

    For information,

    1) My web site definitely does not have any timthumb according to the timthumb scanner plugin.

    2) The only other time the log-in occurred was 11th November and my web host confirmed there had been a problem on another account on the shared server.

    3) In July, I think I did initially find a user 88888 in the database but next time I looked, it wasn’t there: I can’t be 100% certain because I was still in the throes of recovering from a major hack the previous month when I had to totally rebuild the site files and database.

    As far as I can ascertain, no damage was done to my files or database on either occasion but of course it is not easy to prove no damage was done, or won’t happen again. It’s all so disheartening. I’ve been through the “hardening_wordpress” recommendations even though they stretch my understanding and knowledge. If it is a server-related issue, then I just don’t have the skill to investigate but I am fairly certain that my web-host does have everything up to date.

    Hope this background helps. Best regards to all.

    Thread Starter cgw

    (@cgw)

    … and just checked with Timthumb does not exist on my server

    Thread Starter cgw

    (@cgw)

    To mow_bell and itpixie

    Thanks for your posts. Yes, my mystery user had id of 88888. Need to look at itpixie’s thoughts about Timthumb but don’t think it applies to my site (but will double check). This definitely needs to be sorted!

    Could you please both confirm whether or not you use Artisteer as I would like to eliminate that so we can concentrate on the core which is where I think the problem lies. It would also be good to know which host you use in case that is a common factor.

    Thread Starter cgw

    (@cgw)

    And even more creepy – my site has just been accessed by systemwpadmin just one hour ago with user id 88888. I haven’t had time to investigate yet.

    Need to check database – last time this happened I think I found systemwpadmin as a user. Will try to take a look later today.

    As you have a clean install, did you have any plug-ins running? I originally wondered if it was one of my plug-ins that had a vulnerability. The theme I’m using was created with Artisteer.

    Thread Starter cgw

    (@cgw)

    Many thanks, I’ll try to learn how to do this!

    Regards,

    Chris

    Thread Starter cgw

    (@cgw)

    Sorry, I should have given more details!

    I’m using potd in the home page of https://shaftesburycameraclub.org.uk (i.e. not a post or widget).

    I’ve only just noticed it but think it is only the last update that leaves the text hard up against the photo. I try to keep right up to date with your updates but last week I was away so I may have jumped an update.

    Regards,

    Chris

    Thread Starter cgw

    (@cgw)

    Thanks.

    Sucuri and several other scanners show nothing but I have found a hidden post with author id of 88888 in the database which disappeared as soon as I tried to investigate. I also managed to confirm that the log-in was at administrator level. Very worrying that they were able to log straight in without any failed attempts.

    Another recent report I found using the same user name managed to delete template files, so I have to assume as I have a pretty hardened installation that there is a weakness somewhere either in the core or a plugin (which include several security ones!)

    I’ll leave everything alone for a few days to see if there are any other reports that might throw any more light on what’s happening. There’s certainly no point rebuilding or continuing with the website without having some clue how to stop it happening again.

    Many thanks for your suggestions. Even if we can’t solve it now, this thread might help someone else in the future.

    Thread Starter cgw

    (@cgw)

    ‘fraid I’ve been already there, and done it all after the hack two months ago.

    What I’m seeking is suggestions on how to find out if the site is now compromised, and how to track down what the vulnerability was likely to be.

    Suggestions as to how to proceed please!

    Thread Starter cgw

    (@cgw)

    Just investigating a bit more as the size of this plugin is stopping my wordpress backups running…

    I have just downloaded the plug-in direct from the repository, version 4.5.6, and I have found around 7 extra copies of most files in the following directories:
    /4.5.0 (4MBytes)
    /4.5.3 (8MB)
    /4.5.4 (16MB)

    These directories are alongside the expected /images, /langs, /theme, /watermarks and the wppa-***.php files.

    I assume it’s safe just to delete these folders, which brings the total size of the plug-in files back to around 4MB.

    Chris

    Thread Starter cgw

    (@cgw)

    ps. I’m referring to Nextgen Gallery Version 1.8.1 with WP 3.1.4. The Slideshow works fine on other pages or when the post is viewed via the archive! Not to be able to use it on the Home page (the default location for posts) seems a major shortcoming, so I assume it must be something I’ve overlooked!
