• Hi, I have a lot of sites with Wordfence and a user keeps signing in with the name wp_update-xxxxxxx and admin privileges (the X are numbers that vary).

    I have deleted it but it keeps coming back; when I scan with Wordfence it doesn't return anything…

Viewing 15 replies - 1 through 15 (of 51 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @eduardobartelle, thanks for getting in touch.

    Are you experiencing the exact same username format coming up on multiple sites? If these users keep showing up even after deletion, it’s possible that there’s some obfuscated code or another file present that’s regenerating them. If multiple sites are seeing the same thing, this could point to a specific plugin present.

    A more thorough site-cleaning process may be required, but I recommend first changing the passwords for all the key attack vectors, such as your hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    Could you send us a diagnostic report from at least 2 affected sites? Send it to wftest @ wordfence . com so we can take a look at the configuration. Use the link at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username in each case where indicated and respond here after you have sent them.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks,
    Peter.

    I’m having a very similar issue. I have both Sucuri and Wordfence installed.

    This is the report from Sucuri:

    Event: Post Update
    Website: https://coventrysoap.co.za
    IP Address: 51.68.215.97
    Reverse IP: vps-30b425d9.vps.ovh.net
    Date/Time: November 4, 2023 7:49 pm
    User: wp_update-1699123160 (wp_update-1699123160)

    Message: Post status has been changed; details: ID: 810,Old status: new,New status: auto-draft,Title: Auto Draft

    I’ve deleted the user (which had admin privileges), but this has happened several times.

    ~ Dave Coventry
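The alert above names the account `wp_update-1699123160`. The following is an added example, not code from the thread, Wordfence or Sucuri: a small set of shell helpers for finding accounts of that shape across many sites. It assumes the ten digits are Unix epoch seconds written at account creation (a reading of the name, not something the thread confirms) and that the input is the CSV that `wp user list --role=administrator --fields=user_login,user_registered --format=csv` produces; the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for wp_update-<digits>
# administrator accounts.
# Assumptions (constructed): input is CSV "user_login,user_registered" as
# emitted by wp-cli, and the ten digits are epoch seconds at creation time.

# Constructed sample export: one long-standing admin, two suspicious accounts.
SAMPLE_ADMINS='user_login,user_registered
dave,2019-03-12 09:14:02
wp_update-1699123160,2023-11-04 18:39:20
wp_update-1699209876,2023-11-05 18:44:36'

# Read CSV on stdin; print each login that is exactly "wp_update-" plus ten
# digits. Anchoring both ends keeps legitimate names with hyphens from matching.
flag_rogue_admins() {
    while IFS=, read -r login _registered; do
        [ "$login" = "user_login" ] && continue      # skip the CSV header
        if printf '%s\n' "$login" | grep -Eq '^wp_update-[0-9]{10}$'; then
            echo "$login"
        fi
    done
    return 0
}

# Print the embedded digits for a matching login, nothing otherwise.
epoch_from_login() {
    printf '%s\n' "$1" | sed -n 's/^wp_update-\([0-9]\{10\}\)$/\1/p'
}

# Whole days between the embedded epoch and now. Compare it with the account's
# user_registered value: agreement supports the "timestamp at creation" reading
# and dates the first use of the foothold.
age_days() {
    now=$(date +%s)
    echo $(( (now - $1) / 86400 ))
}

# Number of suspicious admins in the constructed sample. On a real host, pipe
# each site's wp-cli export through flag_rogue_admins instead.
rogue_count() {
    printf '%s\n' "$SAMPLE_ADMINS" | flag_rogue_admins | wc -l | tr -d ' '
}

rogue_count
```

Deleting the accounts only removes the symptom, as the thread shows; the value of the list is in comparing the embedded timestamps and `user_registered` dates against the login and file-modification history of each site to find when the first compromise happened.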

    Hello @dgcov , did you find the solution? I am currently encountering the same type of malware.

    Hi, I am experiencing the same issue… and took my sites off the web meanwhile. From de-obfuscating a few files, I can tell that the attackers can include and run (include()) files that are uploaded somewhere in a web form. Further, they can execute arbitrary code (eval()) that is contained in a form’s post or in cookies divided by a hashtag ‘#’.

    If you have those users in your system, look for suspicious PHP files, e.g. in your WordPress’s root directory. Names look like ha2q4l7f.php. Further, files like wp-config.php might include additional files with very suspicious paths deep inside your WordPress directory tree.

    Good luck!
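The indicators in the post above (random eight-character PHP names in the web root, wp-config.php including files from odd paths, PHP that passes request or cookie data to eval()) translate directly into file-system checks. The script below is an added example, not code from the thread or from any of the plugins mentioned. It builds a constructed miniature install so it runs offline; the file names are the ones quoted in the thread, the contents are harmless placeholder comments, and the "no dotfiles under wp-includes" heuristic is an assumption about a stock install.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the indicators described
# above. make_sample_tree builds a constructed install; point the check
# functions at a real document root for triage.

make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes/blocks/pullquote" "$root/wp-content/plugins"
    # A stock wp-config.php ends by loading wp-settings.php; here one extra
    # include of a hidden .ccss file deep in wp-includes has been appended.
    printf '<?php\nrequire_once ABSPATH . "wp-settings.php";\n' > "$root/wp-config.php"
    printf 'include_once ABSPATH . "wp-includes/blocks/pullquote/.9c53ce5f.ccss";\n' >> "$root/wp-config.php"
    printf 'constructed placeholder, not a real payload\n' > "$root/wp-includes/blocks/pullquote/.9c53ce5f.ccss"
    # Random 8-character name in the web root; the content is only a marker
    # comment carrying the tokens a scanner would look for.
    printf '<?php // constructed marker: eval(explode("#", $_COOKIE[...]))\n' > "$root/ha2q4l7f.php"
    printf '<?php // legitimate front controller\n' > "$root/index.php"
    # Reads a cookie but has no dynamic code execution: must not be flagged.
    printf '<?php // plugin code that only reads a cookie\n$c = $_COOKIE["a"];\n' > "$root/wp-content/plugins/ok.php"
    echo "$root"
}

# 1. Files directly in the web root named with exactly 8 lowercase
#    alphanumerics. Core files there (index.php, xmlrpc.php, wp-*.php) never fit;
#    review anything your host adds before trusting an empty result.
find_random_named_php() {
    find "$1" -maxdepth 1 -type f -name '*.php' | grep -E '/[a-z0-9]{8}\.php$' || true
}

# 2. Every include/require line in wp-config.php other than the stock
#    wp-settings.php load, with its line number.
find_config_includes() {
    grep -En '(include|require)(_once)?' "$1/wp-config.php" | grep -v 'wp-settings\.php' || true
}

# 3. PHP files that reference request or cookie superglobals AND call eval().
find_eval_of_request() {
    grep -rlE '\$_(COOKIE|POST|GET|REQUEST)' --include='*.php' "$1" | while IFS= read -r f; do
        grep -qE 'eval[[:space:]]*\(' "$f" && echo "$f"
    done
    return 0
}

# 4. Dotfiles anywhere under wp-includes (assumption: a stock install has none).
find_hidden_in_includes() {
    find "$1/wp-includes" -type f -name '.*'
}

# Stand-alone run against the constructed tree.
ROOT=$(make_sample_tree)
echo "random names:";  find_random_named_php "$ROOT"
echo "config includes:"; find_config_includes "$ROOT"
echo "eval of request:"; find_eval_of_request "$ROOT"
echo "hidden in wp-includes:"; find_hidden_in_includes "$ROOT"
rm -rf "$ROOT"
```

Each check is a heuristic and will produce some false positives on a customised install; the useful signal is a file that trips more than one of them, or that sits at a path no plugin or theme should write to.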

    Good morning @markuzzi,

    Thanks for your feedback. Did you find the cause of this hack? A specific plugin or software/code editor?
    Did the problem return after you cleaned it?
    Did you only go through the Wordfence scan?

    Thanks for your help.

    I am not using Wordfence at all. My provider found the “virus” in a routine scan. I am still looking for the cause and did not yet redeploy anything.

    Ok thank you, I’m looking on my side too, I’m interested in your investigations if you find anything.

    By any chance, do you use the plugins: Light start – maintenance mode or All in one wp security? What about the Nova code editor? Currently these are the common points on my two affected sites.

    No, I have none of these plugins installed. I thought it might be wp-courseware.

    Do you have a file like wp-includes/blocks/pullquote/.9c53ce5f.ccss? This contains lots of binary code that was included in wp-config.php. This is what I will investigate next.

    Thread Starter eduardobartelle

    (@eduardobartelle)

    Hello everyone, I wanted to share the solution I found for dealing with a malware issue on my server. I used Imunify 360 to conduct server-level scans and scheduled them to run at 3 am.

    Upon inspection, I discovered that a significant number of files were infected, making it challenging for the initial full scan to detect every compromised file. However, after running scheduled scans for a week, Imunify 360 effectively removed the malware.

    One notable observation was the creation of a theme file during the infection. I recommend checking your WordPress themes folder for any suspiciously named directories.

    I’m confident in the malware removal because the user responsible for repeated unsuccessful login attempts is now unable to access the system. My suspicion is that the malware inserted code in certain files, triggering a function to create a user. This user would then attempt to sign in, spreading the infection to other files.

    I don’t have wp-includes/blocks/pullquote/.9c53ce5f.ccss

    Thread Starter eduardobartelle

    (@eduardobartelle)

    Yes, the malware creates some CSS files with strange names; Imunify identified those as a virus and deleted them.

    Do you use Elementor?

    Have you found the entry point for the virus?

    For my part, the wp-includes/pluggable.php file has also been modified.

    Thread Starter eduardobartelle

    (@eduardobartelle)

    I use Divi Builder.

    On October 23rd, someone discovered my password and accessed one of my sites. Since I have several sites in the same cPanel, they managed to infect every site in that account.

    I discovered this by reviewing the login activities on my sites. It seems that after gaining access, the attacker possibly opened a backdoor to continually reinfect my sites, as the files kept reappearing despite my efforts.

    To address this issue, I took the following steps:

    1. Isolated each website in its own cPanel.
    2. Ran numerous scans and removed infected files.
    3. Monitored the files and conducted daily rescans to ensure the complete removal of malware.

    I learned that merely discovering and deleting one infected file wasn’t sufficient, as there was a high likelihood of another one being infected and recreating the deleted file.

    One of the changes I observed is that the wp-settings.php mode changed from 644 to 755.

    Also, regarding the pluggable.php, did it change to include something about a wpsdt4_license_key?
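The procedure above (isolate, clean, then monitor with daily rescans) and the two concrete changes reported in this thread (pluggable.php modified, wp-settings.php mode changed from 644 to 755) can be covered by a baseline-and-compare check. The script below is an added example, not code from the thread or from Imunify 360. For core files, `wp core verify-checksums` compares against the hashes WordPress.org publishes; a local baseline as shown here also covers themes and plugins and records file modes. It assumes GNU coreutils (`sha256sum`, `stat -c`); the sample install, its contents and the expected mode 644 are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): record a baseline of hash and mode for
# every PHP file, then report content changes, mode changes, new and missing
# files on each daily run. Assumes GNU coreutils. Sample install is constructed.

make_sample_install() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/themes/twentytwentythree"
    printf '<?php // core bootstrap\n' > "$root/wp-settings.php"
    printf '<?php // core pluggable functions\n' > "$root/wp-includes/pluggable.php"
    printf '<?php // theme functions\n' > "$root/wp-content/themes/twentytwentythree/functions.php"
    find "$root" -type f -exec chmod 644 {} +      # the mode a clean install is assumed to have
    echo "$root"
}

# Write "sha256 mode path" for each PHP file under install $1 into baseline $2.
# Keep the baseline outside the web root so an intruder cannot rewrite it.
take_baseline() {
    ( cd "$1" && find . -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%a' "$f")" "$f"
    done ) > "$2"
}

# Compare install $1 against baseline $2. One line per deviation:
#   MODIFIED path | MODE path old new | MISSING path | NEW path
compare_baseline() {
    root=$1; base=$2
    while read -r hash mode f; do
        if [ ! -f "$root/$f" ]; then echo "MISSING $f"; continue; fi
        cur_hash=$(cd "$root" && sha256sum "$f" | cut -d' ' -f1)
        cur_mode=$(cd "$root" && stat -c '%a' "$f")
        [ "$cur_hash" = "$hash" ] || echo "MODIFIED $f"
        [ "$cur_mode" = "$mode" ] || echo "MODE $f $mode $cur_mode"
    done < "$base"
    # Files present now that the baseline never saw (the recreated droppers).
    ( cd "$root" && find . -type f -name '*.php' ) | while IFS= read -r f; do
        cut -d' ' -f3- "$base" | grep -qxF "$f" || echo "NEW $f"
    done
    return 0
}

# Constructed tampering mirroring the thread: append to pluggable.php, loosen
# wp-settings.php to 755, drop a new file into an oddly named theme directory.
simulate_tamper() {
    printf '// appended\n' >> "$1/wp-includes/pluggable.php"
    chmod 755 "$1/wp-settings.php"
    mkdir -p "$1/wp-content/themes/x7k2q9pz"
    printf '<?php\n' > "$1/wp-content/themes/x7k2q9pz/index.php"
}

# Stand-alone run: clean baseline, tamper, compare.
ROOT=$(make_sample_install)
take_baseline "$ROOT" "$ROOT.baseline"
simulate_tamper "$ROOT"
compare_baseline "$ROOT" "$ROOT.baseline"
rm -rf "$ROOT" "$ROOT.baseline"
```

Run the compare from cron on each isolated account and page on any non-empty output. A `MODIFIED` line on a core file such as pluggable.php, or a `MODE` line on a file that should never be executable, is the early signal the thread's author only obtained after a week of repeated scans; the baseline must be retaken only after a change you made yourself.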
