• Hello,
    On Sept 20, 2016 Wordfence reported via email that two of my WordPress sites had an unauthorized login with administrator access, as shown below:

    Tuesday 20th of September 2016 at 10:26:53 PM
    A user with username “xxxxxx” who has administrator access signed in to your WordPress site.
    User IP: 173.227.74.5
    User hostname: 173.227.74.5
    User location: Austin, United States

    Tuesday 20th of September 2016 at 10:32:57 PM
    A user with username “xxxxxx” who has administrator access signed in to your WordPress site.
    User IP: 173.227.74.5
    User hostname: 173.227.74.5
    User location: Austin, United States

    I am confused with this situation. Did someone hack my site? If so, I am really confused with how they did this. The username Wordfence reported was correct. Both passwords were strong random passwords, with one password being 12 characters (numbers/upper & lower case letters), and the other being 16 characters (numbers/upper & lower case letters/symbols). I have been using Wordfence for over a year, and the options I have configured @ Wordfence > Options > Login Security Options are what I would call strict (lockout after 6 login failures over a 5 minute period, and w/ a 2 hr lockout time). How does someone crack my 12 & 16 character passwords on two of my sites, 6 minutes apart from each other, with the above Wordfence settings?

    Below are the access log entries as captured by my host's Raw Access Logs for both of the sites referenced above:

    173.227.74.5 - - [20/Sep/2016:22:26:54 -0500] GET /wp-admin/ HTTP/1.1 200 21272 https://site.com/wp-login.php?redirect_to=http%3A%2F%2Fsite.com%2Fwp-admin%2F&reauth=1 Mozilla/5.0 (X11; Linux i686; rv:34.0; LojKmdU8218L7HlVU0GNgnnIjYNS5ifiOZTgox/lBTk=) Gecko/20100101 Firefox/34.0

    173.227.74.5 - - [20/Sep/2016:22:32:58 -0500] GET /wp-admin/ HTTP/1.1 200 20009 https://site.com/wp-login.php?redirect_to=http%3A%2F%2Fsite.com%2Fwp-admin%2F&reauth=1 Mozilla/5.0 (X11; Linux i686; rv:34.0; LojKmdU8218L7HlVU0GNgnnIjYNS5ifiOZTgox/lBTk=) Gecko/20100101 Firefox/34.0

    I discovered this the next morning about 12 hours later, and I changed the security keys/salts and passwords. I also ran a Wordfence Scan and found nothing. I have not found any unusual or malicious activity. There are 3 sites on this hosting account, and only the two above show the unauthorized access. I am the only one with access to my passwords, and my computer is using the latest version of ESET antivirus.

    I should also note that I have isolated all the activity from this IP address in both of my sites' Raw Access Logs. I would be more than willing to send this information to you for review.

    Thanks for your help,
    Clint

    • This topic was modified 8 years, 5 months ago by cwdv.
  • Hi cwdv,

    Did you find anything out about what happened? Has it happened again? Can you tell if anything changed on your site? Did they add any additional users?

    Even if you have all your themes, plugins, and core updated, it is still possible for a hacker to find a weakness somewhere. One of the most common attacks is an XSS (cross site scripting). So if this was a hacker, it does not mean they guessed/brute forced your password. There are other ways to gain administrator privileges or access to your account. Changing your salts was a good idea and may have been what needed to happen to mitigate the threat if it was cookie/session based. Plugins are typically the culprits. So make sure you have them updated and delete any unused/unneeded.

    Reference: https://www.wordfence.com/learn/how-to-prevent-cross-site-scripting-attacks/

    • This reply was modified 8 years, 5 months ago by wflandon.
  • Thread Starter cwdv (@cwdv)

    Hello,
    No, I have not found anything else out, and it has not happened again. I have not noticed anything that has changed with my sites, and no additional users were added. I even checked the database for additional users and found none.

    Below are the logs prior to the actual successful login:
    GET /wp-admin HTTP/1.1 301 237
    GET /wp-admin/ HTTP/1.1 302 20
    GET /wp-login.php?redirect_to=http%3A%2F%2Fsite.com%2Fwp-admin%2F&reauth=1 HTTP/1.1 200 1708
    GET /wp-content/plugins/jetpack/css/jetpack.css?ver=4.3.1 HTTP/1.1 200 10401
    GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=????? HTTP/1.1 200 40848
    GET /wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=????? HTTP/1.1 200 38643
    GET /wp-admin/images/wordpress-logo.svg?ver=20131107 HTTP/1.1 200 1521
    GET /favicon.ico HTTP/1.1 200 -
    POST /wp-login.php HTTP/1.1 302 20
    GET /wp-admin/ HTTP/1.1 200 21272

    Is there any type of security risk posting the above logs? I removed my site url and replaced what appears to be a 32 character hash output with ????? in two different locations.

    I should note that I have been having discussions with the plugin “Jetpack by WordPress.com” support staff, via email, regarding some problems after their latest update. The 4th request in the log is to the plugin “Jetpack”. Can Jetpack support staff log in to my site and cause this unauthorized login?
    Thanks again for your help,
    Clint
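The sequence quoted above (GET /wp-login.php, one POST /wp-login.php answered with 302, then GET /wp-admin/ 200, with no failed POSTs in between) is what a first-attempt successful login looks like in a raw access log. As an added example that is not part of the thread, the Python script below walks cPanel-style raw access log lines and reports, per source IP, how many login POSTs failed before the one that succeeded; a success with zero prior failures is consistent with a known password or reused session rather than a brute-force attempt, which is the distinction wflandon's reply draws. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Shape of the cPanel "Raw Access Log" lines quoted in the thread; the request
# may or may not be wrapped in quotes depending on how the log was copied.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "?(?P<method>[A-Z]+) '
    r'(?P<path>\S+) HTTP/[\d.]+"? (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), m.group("ts"), m.group("method"), path, int(m.group("status"))

def analyze(lines):
    """Per source IP: count POST /wp-login.php answered with 200 (WordPress
    re-renders the form on a bad password) before a POST answered with 302
    that is followed by GET /wp-admin/ 200, i.e. a completed admin login."""
    failures = defaultdict(int)
    pending = {}          # ip -> timestamp of the 302 on POST /wp-login.php
    result = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[0] in result:
            continue      # unparsable line, or IP already reported
        ip, ts, method, path, status = rec
        if method == "POST" and path == "/wp-login.php":
            if status == 200:
                failures[ip] += 1
            elif status == 302:
                pending[ip] = ts
        elif method == "GET" and path == "/wp-admin/" and status == 200 and ip in pending:
            result[ip] = {"login_ts": pending.pop(ip),
                          "failed_attempts_before": failures[ip],
                          "first_try": failures[ip] == 0}
    return result

# Constructed sample (documentation-range IPs): one IP that logs in on the
# first try, as in the thread, and one that fails twice before succeeding.
SAMPLE = """\
203.0.113.5 - - [20/Sep/2016:22:26:40 -0500] GET /wp-login.php?redirect_to=http%3A%2F%2Fsite.com%2Fwp-admin%2F&reauth=1 HTTP/1.1 200 1708
203.0.113.5 - - [20/Sep/2016:22:26:53 -0500] POST /wp-login.php HTTP/1.1 302 20
203.0.113.5 - - [20/Sep/2016:22:26:54 -0500] GET /wp-admin/ HTTP/1.1 200 21272
198.51.100.7 - - [21/Sep/2016:09:00:01 -0500] POST /wp-login.php HTTP/1.1 200 3200
198.51.100.7 - - [21/Sep/2016:09:00:09 -0500] POST /wp-login.php HTTP/1.1 200 3200
198.51.100.7 - - [21/Sep/2016:09:00:20 -0500] POST /wp-login.php HTTP/1.1 302 20
198.51.100.7 - - [21/Sep/2016:09:00:21 -0500] GET /wp-admin/ HTTP/1.1 200 21272
""".splitlines()

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE).items():
        print(ip, info)
```

Run it against your own raw access log with `analyze(open("access_log").read().splitlines())`; IPs reported with `first_try` set and that you do not recognise deserve the same follow-up the thread describes (rotate passwords and salts, review users in the database).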

  • The topic ‘Unauthorized Login with Administrator Access’ is closed to new replies.