New Admin user registered from outside

E-Support
(@xxlescort)

6 years, 10 months ago
Yesterday someone registered a new admin user, without any login before in dashboard in this steps:

at first he updated the default role to admin user
then re activate the registriations for new users.
and then he register a new user.

i got and email with “a new user registered….”

later he redirect the home start url to: [ deleted ]

it not was a bruteforce attac, because i have a block for this, and in activity logs my admin user dont was login.

i have the wordpress version WordPress 4.9.10

all plugins are updates, and i have only ninjaform and header and footer plugin there. i had no ftp accesss.

here are the log:
—
1 Tag ago
19/03/2019
10:37:33 N/A 86.109.170.200 User Created adminzax
1 Tag ago
19/03/2019
10:37:30 N/A 86.109.170.200 Options Updated users_can_register
1 Tag ago
19/03/2019
10:37:30 N/A 86.109.170.200 Options Updated default_role
—

Does anyone have a idea, how this inject works? the ip: 86.109.170.200 is not mine or from my server, its from a unknown computer.

best regards.
- This topic was modified 6 years, 10 months ago by Jan Dembowski.
- This topic was modified 6 years, 10 months ago by Jan Dembowski.

Viewing 6 replies - 1 through 6 (of 6 total)

Moderator Steven Stern (sterndata)
(@sterndata)

Volunteer Forum Moderator

6 years, 10 months ago

Are *all* of your plugins up-to-date?

Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

6 years, 10 months ago

Moved to Fixing WordPress, this is not an Everything else WordPress topic.

I also fixed the title and removed the link to the attackers site. There is no reason to post their link and your site was compromised. Please delouse your site using the instructions Steven provided you with.

pexys
(@pexys)

6 years, 6 months ago

Hello @xxlescort,

I also have the same problem, an AdminZax user added to the site while I have no place of connection on the site, plus he was an administrator, weird, so I passed it in Subscriber. Then the next day, 2 new users in subscriber status. Odd no?

So I deleted them today and here I update my plugins, themes and WordPress. I had in the Contact Form 7 updates that potentially had a security hole, did they go through it? I do not know…

And now I do not know if I have infected files, I have Wordfence on the site for several months and I have not been alerted by anything. The automatic scan tells me only plugins and themes and WordPress updates to do.

Thread Starter E-Support
(@xxlescort)

6 years, 6 months ago

hi pexys

it is a old version from easy smtp plugin

update this and the door is close

pexys
(@pexys)

6 years, 6 months ago

I did not have the Easy SMTP plugin personally.

Moderator Steven Stern (sterndata)
(@sterndata)

Volunteer Forum Moderator

6 years, 6 months ago

@pexys, If you need support then per the forum guidelines please start your own topic.

A lot more people will see your post, and that way you stand a good chance of getting the assistance you want. Despite any similarity in symptoms, your issue is likely to be completely different because of possible differences in physical servers, accounts, hosts, plugins, theme, configurations, etc. Thus one problem, on one setup is not indicative of the functionality and reliability of an application as a whole.

https://wordpress.org/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too

https://wordpress.org/support/guidelines/#post-in-the-best-place

You can do so here:

https://wordpress.org/support/forum/how-to-and-troubleshooting/#new-post

I’ll be archiving your post and mine to not spam the original poster and detract from their question.

Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘New Admin user registered from outside’ is closed to new replies.

New Admin user registered from outside

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics