This happened on my WP 1.5 install that gets hit with spam.
I have other WP 1.5 and 1.2 installs that do not get hit with spam.
Just to be clear about it.
I do know I’ve seen the “someone has asked to reset …” email before, when working with a WP 1.2 install, I think. Whatever though, it’s just that it wasn’t me doing the password changing, and all I got were the 7 emails that I referenced above.
The IP of the ‘thing’ logged as a RIPE Moscow RU owned IP when looked up at ARIN whois and then searching the RIPE db there.
—–
I just checked my site and when you load wp-login.php it does provide a link to click if you have lost your password. That form then requires one to enter the User Name and the Email Address of the User to have it sent.
The User Name and the Email Address must match the internal records.
So how is someone outside then going in and entering ‘admin’ as user, as is easy to do if you know WP of course, and then getting any email sent to me, as I don’t have my email address listed on my WP sites? Sure they might be able to find it elsewhere online, but that’d take work.
What I did: I tried to log in as a real user on my blog, not admin but an old user I had from importing wrong before. Logging in with that USER NAME and a wrong password brought up the screen that let me access the “lost password” form. [Actually that link is available on the wp-login.php page too.]
When I input a wrong email address into that form I got this:
Sorry, that user does not seem to exist in our database. Perhaps you have the wrong username or e-mail address? Try again.
So inputting a wrong USER NAME or PASSWORD or EMAIL ADDRESS gives that same message.
How did 7 emails, 5 that were actual new passwords generated and two that were “password changed”, get sent?
Here’s the WP Message and the EMAIL I actually just got from my site when I input for a lost password:
admin
and my real email address
I got this result:
The e-mail was sent successfully to admin's e-mail address.
Click here to login!
and THIS EMAIL:
subj: Password Reset
Someone has asked to reset a password for the login this site
Login: admin
To reset your password visit the following address, otherwise just ignore this email and nothing will happen.
(I didn’t include the text of the links.)
—–
So it works right. Someone fiddled then to do something different on my site. Here’s the actual body and subj of the two kinds of emails that I had upon waking this morning:
—————————–
subj: Your New Password
Login: admin
Password: 822294e
—–
——————————-
subj: Password Lost/Changed
Password Lost and Changed for user: admin
——————————–
The first one of the two above I got 5 of, with different passwords generated.
The second of the two above I got 2 of.
All were very very plain and blah looking, compared to the email I do get if I truly myself do the work to get a new password.
So I generated a new password to be sent to me, then went to login and logged in with my regular old password, no problem. I was in fine.
So I’m not comfortable about this at all suddenly. Did someone somehow get into my site? Or not, or what?
I mean, how could they get my password changed and me not get a real email, they bypassed the real system somehow, did something odd, something … I can’t put my finger on it, my brain is a bit fuzzy … I’m coming down with a virus and so this isn’t my best day to be confronted with this.
I did search this forum as best I could before posting this original thread, but couldn’t come up with anything, as it’s hard to put it into words … sigh.
It’s then like this. I got the emails of weirdom this morning. Went to my site, and couldn’t log in.
So I fixed my password in phpmyadmin, and could get in, noticing nothing “wrong” in my WP install, so far.
That bugs me. I couldn’t replicate that … so something weird happened, the person used something somehow to do something and it’s really bothering me more now that I’ve written all of this.
I have several sites, all on one server. Only this ONE BLOG is affected with spam and now this weirdo thing. Urg!