• I’m in the process of upgrading to the latest version and have been inspecting the SQL dump that was generated from the backup. After scanning it, something struck me as odd, and I’d like some confirmation from the community as to its existence and origin. The blog is currently hacked and infected, and I want to be extra careful about what data I’ll be moving over.

    In wp_users I have an instance of a username ‘WordPress’ that is an administrator. The reason I find it suspicious is that it also exists in the “staging” version of the blog, the creation timestamp is all zeroes, and it does not appear in the User Admin page… any thoughts?

    Also in the users table I keep seeing many users with random user names, e.g. ‘KbhLNmKJCPVDyZAZ’… they appear to be subscribers, but this just looks like something a bot would use to register… does anyone else see these in their database?

    Thanks in advance!

    Correction: I’m using version 2.1.3.
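The two signals the poster describes (an administrator with an all-zero user_registered value, and bot-looking logins) can be pulled out of the dump mechanically rather than by eye. The script below is an added example, not code from the thread: it parses single-row INSERT statements for the 2.x wp_users and wp_usermeta tables, joins the role stored in the wp_capabilities meta row, and lists every account with something worth a second look. The dump text, hashes, addresses and dates are constructed for the example; the random-login heuristic is a rule of thumb, not a WordPress definition.

```python
import re

# Constructed sample: INSERT statements shaped like a mysqldump of the 2.x
# wp_users and wp_usermeta tables (one tuple per INSERT, as produced with
# --skip-extended-insert). Hashes, addresses and dates are made up.
SAMPLE_DUMP = r"""
INSERT INTO `wp_users` VALUES (1,'admin','fakehash1','admin','admin@example.com','http://example.com','2007-05-01 10:22:31','',0,'admin');
INSERT INTO `wp_users` VALUES (2,'WordPress','fakehash2','wordpress','','','0000-00-00 00:00:00','',0,'WordPress');
INSERT INTO `wp_users` VALUES (3,'KbhLNmKJCPVDyZAZ','fakehash3','kbhlnmkjcpvdyzaz','x@mail.example','','2008-10-03 04:11:09','',0,'KbhLNmKJCPVDyZAZ');
INSERT INTO `wp_users` VALUES (4,'jane','fakehash4','jane','jane@example.com','','2007-06-12 09:00:00','',0,'Jane O\'Neil');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (2,2,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (3,3,'wp_capabilities','a:1:{s:10:"subscriber";b:1;}');
INSERT INTO `wp_usermeta` VALUES (4,4,'wp_capabilities','a:1:{s:6:"author";b:1;}');
"""

# Column order of wp_users in the WordPress 2.x schema.
USERS_COLS = ['ID', 'user_login', 'user_pass', 'user_nicename', 'user_email',
              'user_url', 'user_registered', 'user_activation_key',
              'user_status', 'display_name']

INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`? VALUES \((.*)\);$")


def parse_tuple(s):
    """Split one mysqldump VALUES tuple into Python values.

    Handles single-quoted strings with backslash escapes (the escaped
    character is taken literally, which is right for \\' and \\\\) and bare
    integers; any other token is kept as raw text.
    """
    vals, i, n = [], 0, len(s)
    while i < n:
        c = s[i]
        if c in ' ,':
            i += 1
        elif c == "'":
            i += 1
            buf = []
            while i < n and s[i] != "'":
                if s[i] == '\\' and i + 1 < n:   # escaped character
                    i += 1
                buf.append(s[i])
                i += 1
            i += 1                               # skip the closing quote
            vals.append(''.join(buf))
        else:
            j = s.find(',', i)
            j = n if j < 0 else j
            tok = s[i:j].strip()
            vals.append(int(tok) if re.fullmatch(r'-?\d+', tok) else tok)
            i = j
    return vals


def load_rows(dump):
    """Group the tuples of every single-row INSERT in the dump by table name."""
    rows = {}
    for line in dump.splitlines():
        m = INSERT_RE.match(line.strip())
        if m:
            rows.setdefault(m.group(1), []).append(parse_tuple(m.group(2)))
    return rows


def looks_random(login):
    """Heuristic for bot-generated logins such as 'KbhLNmKJCPVDyZAZ':
    long, letters only, few vowels and many upper/lower case flips."""
    if len(login) < 10 or not login.isalpha():
        return False
    vowel_ratio = sum(ch in 'aeiouAEIOU' for ch in login) / len(login)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(login, login[1:]))
    return vowel_ratio < 0.25 and flips >= 3


def audit(dump):
    """Return {user_login: [reasons]} for every account worth a second look."""
    rows = load_rows(dump)
    users = [dict(zip(USERS_COLS, r)) for r in rows.get('wp_users', [])]
    roles = {}
    for _umeta_id, user_id, key, value in rows.get('wp_usermeta', []):
        if key.endswith('_capabilities'):     # wp_capabilities, or another table prefix
            roles[user_id] = value
    findings = {}
    for u in users:
        role = roles.get(u['ID'], '')
        reasons = []
        if 'administrator' in role:
            reasons.append('administrator')
        if u['user_registered'].startswith('0000-00-00'):
            reasons.append('zero registration timestamp')
        if not u['user_email']:
            reasons.append('empty e-mail')
        if not role:
            reasons.append('no capabilities row in wp_usermeta')
        if looks_random(u['user_login']):
            reasons.append('random-looking login')
        if reasons:
            findings[u['user_login']] = reasons
    return findings


if __name__ == '__main__':
    for login, reasons in audit(SAMPLE_DUMP).items():
        print(f"{login:20} {', '.join(reasons)}")
```

Every administrator is listed, including legitimate ones, because the point of the pass is to produce the full set of accounts that can do damage; the extra reasons attached to the ‘WordPress’ row are what single it out. Dumps written with extended INSERTs (several tuples per statement) would need the regex loosened before this parser sees them.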

Viewing 5 replies - 1 through 5 (of 5 total)
  • … in wp_users I have an instance of a username ‘WordPress’ that is an administrator

    I’m using version 2.1.3.

    and your site has been exploited.

    Also in the users table I keep seeing many users with random user names ie: ‘KbhLNmKJCPVDyZAZ’…

    those could be registration spammers or not.

    My first response above is the one that’s more important.

    Thread Starter senixon

    (@senixon)

    Thanks, whooami. I was 99% certain this user wasn’t supposed to be there; I just thought it may have been some sort of system account or something.

    Anyhow the user is now gone, as well as all the random generated user names.

    Do you know if there is some sort of database of reported attacks someplace? I’m afraid I may have missed something, and it would be nice to check against known issues.

    this has been reported, at least on these forums.

    The best advice I can give you is to change any and all passwords, including your MySQL password.

    then, you need to systematically upgrade your site — taking care to delete EVERYTHING inside wp-includes/ and wp-admin/ and wp-content/ that is NOT customized.

    the same goes for the root directory of your install (where wp-config.php is)

    Note that I said not customized. That means you don’t delete your wp-config.php, or your theme, or your plugins.

    After you have deleted those unmodified core files, you upload fresh ones and go through the upgrade process.

    The reason why you want to delete first is because exploits get hidden in directories, and the all-too-common practice of overwriting files not only leaves stray WordPress files around, it doesn’t do anything to clean out any files that were placed on the server as a result of a successful exploit. You do NOT want to leave a malicious script on the server to be accessed after you’ve upgraded.

    So, delete first, then upload new files. When I do paid work like this, I go directory by directory.
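The delete-then-upload procedure above works because a pristine release is the reference: anything in wp-admin/ or wp-includes/ that the release does not ship, or that no longer matches it byte for byte, is what overwriting would have left behind. The script below is an added example, not code from the thread, that does that comparison before you delete, so you know which files to look at (and keep copies of, for later analysis). It skips wp-content/ and wp-config.php, which are expected to be customized and need review by hand. The two directory trees it builds are constructed stand-ins for an unpacked release and a live install; the file names and contents are made up.

```python
import filecmp
import os
import tempfile

# Paths that are expected to differ from the release and must be reviewed by
# hand instead of compared byte for byte.
SKIP_DIRS = {'wp-content'}
SKIP_FILES = {'wp-config.php'}


def audit_tree(pristine, installed):
    """Compare a live install against a pristine unpack of the same release.

    Returns a list of (status, relative_path), sorted by path, where status is
    'EXTRA' (the release does not ship this file) or 'MODIFIED' (contents differ).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(installed):
        rel_dir = os.path.relpath(dirpath, installed)
        if rel_dir == '.':
            rel_dir = ''
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if not rel_dir and name in SKIP_FILES:
                continue
            rel = os.path.join(rel_dir, name)
            reference = os.path.join(pristine, rel)
            if not os.path.isfile(reference):
                findings.append(('EXTRA', rel))
            elif not filecmp.cmp(reference, os.path.join(installed, rel), shallow=False):
                findings.append(('MODIFIED', rel))
    return sorted(findings, key=lambda f: f[1])


def _write(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w') as fh:
        fh.write(body)


def build_sample():
    """Construct two tiny trees standing in for a release tarball and a live
    install (file names and contents are made up for this example)."""
    work = tempfile.mkdtemp()
    pristine = os.path.join(work, 'pristine')
    installed = os.path.join(work, 'installed')
    core = {
        'index.php': '<?php // front controller\n',
        'wp-admin/index.php': '<?php // dashboard\n',
        'wp-includes/functions.php': '<?php // core helpers\n',
    }
    for root in (pristine, installed):
        for rel, body in core.items():
            _write(os.path.join(root, rel), body)
    # Present only on the live install: two legitimate customizations that the
    # audit must skip, one planted file and one tampered core file.
    _write(os.path.join(installed, 'wp-config.php'), '<?php // site-specific settings\n')
    _write(os.path.join(installed, 'wp-content', 'plugins', 'hello.php'), '<?php // a plugin\n')
    _write(os.path.join(installed, 'wp-includes', 'planted.php'), '<?php /* not in any release */\n')
    with open(os.path.join(installed, 'wp-includes', 'functions.php'), 'a') as fh:
        fh.write('// a line the release does not have\n')
    return pristine, installed


if __name__ == '__main__':
    for status, path in audit_tree(*build_sample()):
        print(f'{status:9}{path}')
```

The pristine tree must be the same release as the one installed, otherwise every file that legitimately changed between versions shows up as MODIFIED. Run it against a copy of the site taken before the cleanup, not after, so the findings are still there to examine.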

    Thread Starter senixon

    (@senixon)

    Thanks again for your response. I understand various blogs are reporting it, but is there no one place that has all the exploits?

    I guess I’m paranoid like you are; I have already changed the passwords to the DB and am asking the owner of the blog to change all the passwords for all the admins and authors as well.

    I have just learned that there are hidden links peppered in the comments… this blog is not very big, so I’ll do an export and then search for anything suspicious in a text editor, then import it back in.

    I already performed the upgrade and deleted all except the wp-content directory and the wp-config.php at the root. I’m going to go through the content directory and check everything in there. There seem to be too many plugins; I’ll see about deleting those as well.
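Searching an export by hand works for a small blog, but hidden links are usually wrapped in markup that makes them invisible to readers (display:none, visibility:hidden, a zero font size, or an element pushed off screen), and that markup is easier to match than the links themselves. The script below is an added example, not code from the thread: it walks a WXR export, the XML the WordPress exporter produces, and reports every anchor inside such an element in a post body or comment. The export snippet and URLs are constructed for the example, and the CSS patterns are a starting list, not a complete one.

```python
import re
import xml.etree.ElementTree as ET

# XML namespaces used by the WordPress WXR export format.
NS = {
    'wp': 'http://wordpress.org/export/1.0/',
    'content': 'http://purl.org/rss/1.0/modules/content/',
}

# Constructed sample export: a clean comment, a comment with links wrapped in
# a display:none block, and a post body with an off-screen link. URLs are made up.
SAMPLE_WXR = """<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.0/">
<channel>
<item>
  <title>Hello world</title>
  <wp:post_id>1</wp:post_id>
  <content:encoded><![CDATA[<p>Welcome to the blog.</p>]]></content:encoded>
  <wp:comment>
    <wp:comment_id>1</wp:comment_id>
    <wp:comment_author>Jane</wp:comment_author>
    <wp:comment_content><![CDATA[Nice post, see <a href="http://example.org/">my site</a>.]]></wp:comment_content>
  </wp:comment>
  <wp:comment>
    <wp:comment_id>2</wp:comment_id>
    <wp:comment_author>guest</wp:comment_author>
    <wp:comment_content><![CDATA[Thanks!<div style="display:none"><a href="http://spam.example/pills">pills</a> <a href="http://spam.example/loans">loans</a></div>]]></wp:comment_content>
  </wp:comment>
</item>
<item>
  <title>Second post</title>
  <wp:post_id>2</wp:post_id>
  <content:encoded><![CDATA[<p>Text.</p><a style="position:absolute;left:-9999px" href="http://spam.example/x">x</a>]]></content:encoded>
</item>
</channel>
</rss>
"""

# CSS fragments that make an element invisible or push it off screen.
HIDDEN_CSS = (r'display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.?\d)'
              r'|(?:left|top|text-indent)\s*:\s*-\d{3,}')
# An opening tag whose style attribute contains one of those fragments.
HIDDEN_TAG = re.compile(
    r'<(\w+)\b[^>]*\bstyle\s*=\s*["\'][^"\']*(?:' + HIDDEN_CSS + r')[^"\']*["\'][^>]*>',
    re.I)
ANCHOR = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']?([^"\'\s>]+)', re.I)


def hidden_links(html):
    """Return the hrefs of anchors that sit inside (or are) a hidden element.

    Nested or unbalanced markup is not tracked: the hidden region is taken to
    run from the opening tag to the next closing tag of the same name.
    """
    found = []
    for m in HIDDEN_TAG.finditer(html):
        closing = re.compile(r'</' + m.group(1) + r'\s*>', re.I).search(html, m.end())
        region = html[m.start():closing.end() if closing else len(html)]
        found.extend(ANCHOR.findall(region))
    return found


def scan_export(xml_text):
    """Walk every post body and comment in a WXR export and return a
    (kind, id, href) triple for each hidden link found."""
    findings = []
    for item in ET.fromstring(xml_text).iter('item'):
        post_id = item.findtext('wp:post_id', namespaces=NS)
        for href in hidden_links(item.findtext('content:encoded', '', NS)):
            findings.append(('post', post_id, href))
        for comment in item.findall('wp:comment', NS):
            cid = comment.findtext('wp:comment_id', namespaces=NS)
            for href in hidden_links(comment.findtext('wp:comment_content', '', NS)):
                findings.append(('comment', cid, href))
    return findings


if __name__ == '__main__':
    for kind, ident, href in scan_export(SAMPLE_WXR):
        print(f"{kind} {ident}: hidden link to {href}")
```

The post and comment IDs it prints are the ones to delete or edit in the database; for a larger site the same routine can run over the dump of wp_comments and wp_posts instead of an export. A hit list of link domains is also worth keeping, since the same hosts tend to reappear in any content the cleanup missed.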

    guess I’m paranoid like you …

    It’s not paranoia that drives me ??

    I understand various blogs reporting it, but there is no one place that has all the exploits?

    Like a database of WordPress exploits? No, and that’s a bad idea anyway.

    You can, of course, report this to [email protected], but given the version, you can expect any response to be “we already know, that’s why we’re on 2.6.3”.

    exploits for 2.1.3 are actually on the WWW for anyone to use. see milw0rm.com and search for wordpress. Some of them only need a quick copy and paste.

  • The topic ‘suspicious user names in wp_users’ is closed to new replies.