• Has anyone else seen this happening? Someone from Germany is logging in to a WordPress site by creating a username Backup?

    It is a brute-force attack, but any idea how this is happening?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Geoffrey Shilling

    (@geoffreyshilling)

    Volunteer Moderator

    I just recently came across a “backup” user on a site. Open up any file with a .php extension, such as index.php. Do you have what looks like a bunch of random characters at the top of the file? In the case I saw, every .php file had some code inserted.
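
Added example, not part of the thread or written by any poster: a Python sketch of the check described in the reply above, walking a site directory and reporting `.php` files whose first lines contain a long unbroken run of characters. The function names and the `HEAD_LINES` and `MIN_RUN` thresholds are assumptions chosen for illustration; a hit is a prompt to open the file and compare it with a clean copy, not proof of compromise.

```python
import os
import re
import sys

HEAD_LINES = 5   # assumption: inserted code sits in the first few lines
MIN_RUN = 120    # assumption: an unbroken run this long is not hand-written PHP
RUN_RE = re.compile(r"\S{%d,}" % MIN_RUN)


def check_head(text):
    """Return (line_no, run_length) for the longest whitespace-free run found
    in the first HEAD_LINES lines, or None if the head looks normal."""
    worst = None
    for no, line in enumerate(text.splitlines()[:HEAD_LINES], start=1):
        for m in RUN_RE.finditer(line):
            n = len(m.group())
            if worst is None or n > worst[1]:
                worst = (no, n)
    return worst


def scan_tree(root):
    """Walk root and return {relative_path: (line_no, run_length)} for every
    .php file whose head contains a long unbroken run of characters."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(65536)  # the top of the file is enough
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hit = check_head(head)
            if hit:
                hits[os.path.relpath(path, root)] = hit
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, (no, n) in sorted(scan_tree(root).items()):
        print(f"{rel}: line {no} has a {n}-character unbroken run")
```
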

    Thread Starter EasywebIreland

    (@easywebireland)

    You are right, but I got him before he could go any further because I had Wordfence installed, which gave me a notification. Did you have the same IP that had created the backup user?

    —-
    Please see the details from Wordfence:
    A user with username “backup” who has administrator access signed in to your WordPress site.
    User IP: 151.236.15.143
    User hostname: 143-15-236-151.static.edis.at
    User location: Germany

    ——

    Geoffrey Shilling

    (@geoffreyshilling)

    Volunteer Moderator

    Unfortunately, this wasn’t a site I manage, just one I was helping with and I was not able to tell where the access came from; there was no security plugin installed.

    The issue I saw was likely due to file permissions that were too open for everybody.

    Same here. Multiple sites with this same user “backup” w/ admin privileges, same IP in Germany. Not seeing any random code in PHP files. One strange thing is being unable to update plugins or themes, or re-install WP (running 4.4). Getting permissions errors.

    Anyone else affected? I’ve deleted the user on all sites but wondering what vulnerabilities may have been inserted.

    I have one as well. Happened at 8:02am GMT:

    A user with username “backup” who has administrator access signed in to your WordPress site.
    User IP: 151.236.15.143
    User hostname: 143-15-236-151.static.edis.at
    User location: Germany

    I have deleted the user and no .php files have been changed.

    Running Wordfence and Divi theme. This is a hidden, non-search-indexed website. I have no idea how it was discovered or how this was created. All plugins and themes are up to date, as is WordPress itself. No idea if this is an attack or a plugin feature…

    FYI: User “backup” just tried to log in again from IP 178.162.193.233 (Germany). Thanks to Wordfence for detecting and blocking.

  • The topic ‘Forcefully logging in’ is closed to new replies.