The only thing you somehow didn’t mention in your list is that you also adjusted the access data to the hosting in this context. Have you done that? Hacked FTP access can also end badly.
Yes, changing all the FTP logins was one of the first things I did. Just neglected to mention it.
If these are all the websites you maintain, it could also be a virus on your computer that read the access data you kept.
That’s the tricky part. My computer has been acting weird the last couple of weeks (internet disconnects randomly, resources are running super hot, etc.) so I think there might be something going on there.
At the same time, it doesn’t feel right. If they had that kind of access, they could just change all the passwords and lock us out entirely. Why go to the trouble of creating new admin accounts outside of the WP interface if you have the keys to the kingdom?
If you have already clarified this, my further recommendation would be a more detailed analysis of log files – both from the web and from FTP and possibly other ways in which one can log on to the hostings. If you can limit a hack to a specific time, the search should be easier.
I’ve only done server log analysis a couple of times in the past, and it’s a little out of my pay grade, but that’s what I’m trying now.
I have the exact time that they created one of the admin accounts on one of the sites (Oct 13, 2023, 10:53 AM PST), and I’m currently going through the log files to see if anything matches up. I think that “2605:6440:3000:3000:b3be:11f7:915b:21c2” entry is the one:
78.128.1.190 - [13/Oct/2023:17:52:58 +0000] "POST /wp-cron.php?doing_wp_cron=1697219577.7858800888061523437500" 200 0 - 7875 9950 0.373 8388608 69.62% 10.71% "/wp-cron.php?doing_wp_cron=1697219577.7858800888061523437500"
2605:6440:3000:3000:b3be:11f7:915b:21c2 - [13/Oct/2023:17:53:01 +0000] "GET /wp-admin/admin-ajax.php?action=wp_service_worker" 200 0 - 7875 9950 1.114 16777216 41.30% 6.28% "/wp-admin/admin-ajax.php?action=wp_service_worker"
2600:1700:4c40:4730:e936:d9bc:d795:452 - [13/Oct/2023:17:53:02 +0000] "GET /index.php" 200 0 - 7875 9950 0.129 2097152 7.78% 7.78% "/who-is-responsible-for-roof-repairs-in-a-townhouse/"
2600:1700:4c40:4730:e936:d9bc:d795:452 - [13/Oct/2023:17:53:03 +0000] "GET /index.php" 200 0 - 7875 9950 0.928 12582912 36.64% 6.47% "/wp-json/wp/v2/web-app-manifest"
2600:1700:4c40:4730:e936:d9bc:d795:452 - [13/Oct/2023:17:53:09 +0000] "GET /index.php" 200 0 - 7875 9995 0.517 25165824 56.10% 25.15% "/wp.serviceworker"
2605:6440:3000:3000:b3be:11f7:915b:21c2 - [13/Oct/2023:17:53:09 +0000] "POST /wp-admin/user-new.php" 302 282 - 7875 9993 1.848 35651584 24.89% 7.57% "/wp-admin/user-new.php"
2600:1700:4c40:4730:e936:d9bc:d795:452 - [13/Oct/2023:17:53:10 +0000] "GET /index.php?wp_error_template=offline" 200 0 - 7875 9995 0.372 12582912 69.97% 21.53% "/?wp_error_template=offline"
2605:6440:3000:3000:b3be:11f7:915b:21c2 - [13/Oct/2023:17:53:11 +0000] "GET /wp-admin/users.php?update=add&id=4" 200 0 - 7875 9993 0.918 14680064 52.32% 8.72% "/wp-admin/users.php?update=add&id=4"
2600:1700:4c40:4730:e936:d9bc:d795:452 - [13/Oct/2023:17:53:11 +0000] "GET /index.php?wp_error_template=500" 200 0 - 7875 9995 0.743 8388608 44.39% 5.38% "/?wp_error_template=500"
2605:6440:3000:3000:b3be:11f7:915b:21c2 - [13/Oct/2023:17:53:14 +0000] "GET /wp-admin/admin-ajax.php?action=wp_service_worker" 200 0 - 7875 9995 0.433 16777216 78.59% 20.80% "/wp-admin/admin-ajax.php?action=wp_service_worker"
5.161.201.176 - [13/Oct/2023:17:53:56 +0000] "POST /wp-load.php?1ce755=8030" 200 1800 - 7875 10058 0.130 10485760 46.28% 30.85% "/wp-load.php?1ce755=8030"
178.128.1.190 - [13/Oct/2023:17:54:02 +0000] "POST /wp-cron.php?doing_wp_cron=1697219642.6214499473571777343750" 200 0 - 7875 10067 0.621 23068672 51.53% 16.10% "/wp-cron.php?doing_wp_cron=1697219642.6214499473571777343750"
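A worked version of the correlation being done by hand above, added here as an example and not part of the thread: it parses the access-log layout shown in the excerpt, keeps only entries within a few minutes of the known account-creation time, groups the admin-side writes (user-new.php, users.php?update=add) and the odd POST to wp-load.php by source address, and then pulls the full timeline of any address that surfaces. The sample lines are constructed in the same layout as the excerpt using documentation address ranges; the regex, the field names, the list of sensitive paths and the five-minute window are my assumptions, not anything from the thread or from WordPress itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Field layout assumed from the excerpt in the thread:
#   <client address> - [<timestamp>] "<METHOD> <path>" <status> <bytes> - ... "<path again>"
# Only the leading fields are needed for correlation; the trailing ones are ignored.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

# Request paths that represent an administrative write or an unusual entry point.
# wp-cron POSTs are skipped separately: they are the site's own scheduler, not a person.
SENSITIVE_PATHS = [
    re.compile(r'^/wp-admin/user-new\.php'),           # form that creates a user
    re.compile(r'^/wp-admin/users\.php\?update=add'),  # page shown right after creation
    re.compile(r'^/wp-load\.php\?'),                   # a POST here with a random query is not browser traffic
]

# Constructed sample in the same layout as the excerpt; addresses are RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - [13/Oct/2023:17:52:58 +0000] "POST /wp-cron.php?doing_wp_cron=1697219577.7858800888061523437500" 200 0 - 7875 9950 0.373 8388608 69.62% 10.71% "/wp-cron.php?doing_wp_cron=1697219577.7858800888061523437500"
2001:db8:1::a - [13/Oct/2023:17:53:01 +0000] "GET /wp-admin/admin-ajax.php?action=wp_service_worker" 200 0 - 7875 9950 1.114 16777216 41.30% 6.28% "/wp-admin/admin-ajax.php?action=wp_service_worker"
2001:db8:2::b - [13/Oct/2023:17:53:02 +0000] "GET /index.php" 200 0 - 7875 9950 0.129 2097152 7.78% 7.78% "/some-post/"
2001:db8:1::a - [13/Oct/2023:17:53:09 +0000] "POST /wp-admin/user-new.php" 302 282 - 7875 9993 1.848 35651584 24.89% 7.57% "/wp-admin/user-new.php"
2001:db8:1::a - [13/Oct/2023:17:53:11 +0000] "GET /wp-admin/users.php?update=add&id=4" 200 0 - 7875 9993 0.918 14680064 52.32% 8.72% "/wp-admin/users.php?update=add&id=4"
203.0.113.20 - [13/Oct/2023:17:53:56 +0000] "POST /wp-load.php?1ce755=8030" 200 1800 - 7875 10058 0.130 10485760 46.28% 30.85% "/wp-load.php?1ce755=8030"
2001:db8:1::a - [13/Oct/2023:19:30:00 +0000] "GET /wp-admin/user-new.php" 200 0 - 7875 9993 0.500 1000000 1.00% 1.00% "/wp-admin/user-new.php"
"""

# 10:53 AM Pacific on 13 Oct 2023 is 17:53 UTC (Pacific is UTC-7 in October); logs are in UTC.
ACCOUNT_CREATED_UTC = datetime(2023, 10, 13, 17, 53, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'addr': m.group('addr'), 'ts': ts, 'method': m.group('method'),
            'path': m.group('path'), 'status': int(m.group('status'))}


def events_in_window(lines, center, minutes=5):
    """Parsed entries whose timestamp lies within +/- `minutes` of `center`."""
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    events = (parse_line(l) for l in lines)
    return [e for e in events if e is not None and lo <= e['ts'] <= hi]


def suspicious_by_addr(events):
    """Group admin-side writes and odd entry points by the address that made them."""
    grouped = defaultdict(list)
    for e in events:
        if e['path'].startswith('/wp-cron.php'):
            continue
        if any(p.search(e['path']) for p in SENSITIVE_PATHS):
            grouped[e['addr']].append((e['ts'].strftime('%H:%M:%S'), e['method'], e['path'], e['status']))
    return dict(grouped)


def address_timeline(lines, addr):
    """Every request from one address across the whole log, oldest first (shows when it first appeared)."""
    hits = [e for e in (parse_line(l) for l in lines) if e is not None and e['addr'] == addr]
    return sorted(((e['ts'], e['method'], e['path']) for e in hits), key=lambda t: t[0])


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for addr, reqs in suspicious_by_addr(events_in_window(lines, ACCOUNT_CREATED_UTC)).items():
        print(addr)
        for r in reqs:
            print('   ', *r)
        # Pivot: everything else that address did, starting with its first appearance in the log.
        first = address_timeline(lines, addr)[0]
        print('    first seen:', first[0].isoformat(), first[1], first[2])
```

The excerpt carries no user-agent or referrer field, so the source address plus the timestamp is the only reliable pivot; once an address falls out of the window, feed it to `address_timeline` to see how it first reached the site, and look for the same address in the FTP/SFTP and control-panel logs the earlier reply mentioned. Run against a real log file, replace `SAMPLE_LOG.splitlines()` with the file's lines and set `ACCOUNT_CREATED_UTC` from the account's creation time converted to UTC.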