New User created | Blog got hacked

This is likely due to a problem with a particular plugin. See https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

Thank you.

However I haven’t updated the site in nearly a month and also didn’t installed any new plugins. So I’m not really sure how a plugin can cause this problem :/

• This reply was modified 6 years ago by jeanneer.
• This reply was modified 6 years ago by jeanneer.

if you were using that plugin, you were vulnerable.

Hi,

We have had the same thing happen to us today. I noticed two new users ‘t2trollherten’ & ‘t3trollherten’ created accounts a few hours ago. I was suspicious but thought “People have weird email addresses these days” and put no pass on it as we have good security measures in place. A few minutes ago we received an email stating that one of the above users updated their passwords. This made me more suspicious, which lead me to then search the username to find this post.

We have deleted both users, the GDPR Compliance plugin and are now following Stevens advice above.

I will keep you posted on the outcome

Thanks for creating this post and thanks for the advice Steven!

Robert

Hi,

I have the same issue with being hacked via t2trollherten who created a user account then changed their password even though new users were disabled. I did have the GDPR plugin installed. My site is totally messed up now and when I navigate to my page and admin login I can the below

Parse error: syntax error, unexpected ‘text’ (T_STRING) in /mounted-storage/home5/sub033/sc87784-VPMR/dirtyvortex.net/wp-includes/class-oembed.php on line 461

I’ve locked my site via web host control panel and checked the folder name of the site on the server. How can I go about resolving this hack? Is it even possible?

We’ve cleaned up a few sites today, same users being used. They are also injecting a backdoor/file into the uploads folder.

Check the databases for hidden admin users which do not show up in the WP admin.

The WP GDPR compliance plugin is the cause.

which file is being injected into the uploads folder? i can’t access my site at all after this hack How do i get it back? I can’t access my admin panel at all.

OK, I seemed to have resolved the hack by replacing all files that the hacker messed around with and removing the new user they managed to create via my hosting control panel. Site is back up and running.

We have just found the same hack by “t2trollherten” has happened to us. We have deleted the user, checked to see any files were recently modified on the server (they were not) and deleted the vulnerable plugins (GDPR Compliance & Contact Form 7).

Feeling understandably concerned now, how thoroughly need we clean our site? Is a fresh install of WordPress & restore from backup necessary?

Stress ??

Elido, yes. Once a site has been hacked, don’t trust it.

Steven, thank you so much for your advice it’s much appreciated.

We are quite new to WordPress and we’ve been using the Updraft plugin to backup our site daily. I see an option in Updraft to “Restore” from one of our backups, will this suffice or will we have to delete WordPress first and do a fresh install?

If a full deletion is required, how would we then go about restoring from one of our backups?

Apologies for the plethora of vague questions!

Same here they created a new user with admin permissions. Checked apache log files and it Looks like a bot issued some HTTP requests to attempt registration.

POST /wp-login.php?action=register HTTP/1.1″ 302 377 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36”

“GET /wp-login.php?checkemail=registered HTTP/1.1” 200 14713 “SITENAME”/wp-login.php?action=register” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36”

The user was deleted and we updated the WP-GDPR plugin. File system checked for modifications, all clear. Then surprise surprise a few hours later an attempt by the hacker to log in using the previously created user login details.

This attempt failed. It seems the bot exploits the vulnerability in the plugin and creates a user account ready for the user to come along later and change or add malicious files.

@elldo, if you have a question about how to use Updraft, please post a qeustion in their sub-forum.

All — this thread is getting overloaded. Good info here, but I don’t think we need too many more “me, too” posts so I’m going to close it.