chaplaindoug

THE ANSWER.

In MySQL, I executed the command:

UPDATE databasename.wp_users SET user_pass=MD5(‘plaintextpassword’ WHERE ID=’userid’;

The MD5 encrypted the plain text password the way it wants passwords. This worked for me.

I see now how an editor can attribute a post to whomever they desire. It looks like this had to be a person logging in and doing this (versus a program or entity) as they would have to take the manual step to attribute the post NOT to themselves but to another user. Am I correct in this analysis? Or is there a way for a program or entity to login and make a post attributed to someone else?

CAUGHT MY HACKER TONIGHT! Have a question.

I spent time “cleaning” up our web site trying to remove the “hack” and prevent future hacks. I then monitored the site to see if any more bogus posts came in. NOTHING for two days. Then randomly checking tonight I caught the hacker logged in under another login (one that was set up at the request of my boss to allow a company that wants to take over my job to “evaluate” the web site). Whether this hacker was from that company or was someone who figured out their password (which could have been the case as it was not too complex), I do not know or may never know. HOWEVER, I noticed something that puzzles me:

1. There was a bogus post in edit mode (I saw that it was locked and being edited by the login).
2. It showed that the bogus post was locked by the login in question (it was not the administrative login), but showed the author to be “administrator.”
3. The login in question was only given “editor” role.
4. So how could this person or entity make their post appear to have come from “administrator” rather than themselves???

Lee:

“You might or might not already have your own version of something like either of these in that folder to block malicious php activity:”

Where in the plugins folder would I place these and in what file name?

Thanks Lee. I do not have the post by email set up at all. So that was not a vulnerability. But now I know where to find it. Thank you for helping me.

P.S. Went a night without spam “administrator” posts after I followed some of the tips given.

1. Changed login password to cryptic.
2. Changed MySQL passwords and username to cryptic.
3. Deleted and rebuilt my plugins folder.

It was after item 3 that they stopped coming in. But not holding my breathe. Will continue to monitor and report.

Lee:

Thank you for replying. My site is not FTP accessible. The site is updated (as far as the root directories) securely from within our secure network. I have never used “cPanel” and do not know what it is.

Finally, I have never used “Post via E-Mail.” However, where in my self-hosted site would I find if this is set up or functional?

Thanks again if you can answer the above.

My problem still remains the same. I am getting about 25 bogus posts (posting as administrator) every night. These are POSTS not comments. All the pages on my site are displaying correctly. There are no redirects, etc., Just the bogus posts. I have changed the administrator login password and the username and password for the MySQL database. But the posts are still showing up.

I appreciate those who are posting here to help. I have looked at some of the links, and they are verbose and do not address my issue. Does anyone reading this have a suggestion for how bogus administrator posts are still happening, even after the username and password changes I have made? This has to ring a bell for someone.

Thanks for any further help.

Thank you Jan. I will work my way through the links you gave.

Was able to make the credential changes using MySQL Workbench (Windows Server 2008 R2 with PhP platform). Not sure what 0400 means on permissions. But only SYSTEM, and Administrators (Windows users) have read/write. Let’s see how she goes tonight. The culprit hits overnight (probably in China or somewhere else in the daylight at that time).

A note on the credentials, WordPress I think creates a default user name wordpressuser, which I should not have used. And indeed the password was old and easier to guess perhaps. The username is now changed and more difficult, and the password is much longer and more cryptic. If this nips it in the bud, you get a gold star Lee. God bless.

Great Lee. I understand the instructions and will implement and report back. Thank you so much for responding with a simple procedure. God bless.

Okay. But here is some clarification:

I am self-hosted on my site. I am the administrator.

I am getting posts (not comments) about “ugg boots” and “nike,” etc. They are posting as “administrator.” I cleaned out all the posts and changed the administrator password. But I still keep getting posts every night (about 25 of them per night). I also notice my tags have tags added from these posts. No pages are being added, nor can I find any pages being modified. it appears to just be posts.

How can this be happening and how can I shut it off?

I am reposting this with a different title more specific. Thanks.

There were 5 new spam posts this morning. What can I do to shut off the intrusion?

Clayton: I ran all the tests in the links you gave and they came back clean.

By the way Clayton, I did not find any pages changed or any pages added. I did not find any redirects, and checked the root directory and found no changed files. All I found amiss (so far) was 400+ spam posts (that said administrator was the author), for “ugg boots” and “nike.” I deleted all these posts and changed the administrator password. I have not seen any new posts since. What do you think?