• Resolved wesleypeace

    (@wesleypeace)


    Over the past 2 months I’ve noticed new subscribers being created on one of my websites. The ability to create subscribers is disabled, but these appear to be created by the system from a part of the world that has no need to access this website.

    The latest account creation shows a number of sessions with what appears to be programmatic creation of user account information, but there are references to WordFence in the diagnostics I’m getting from WP Security Audit Log. Custom fields are being created:

    Changed the value of a custom field in the user profile yolalo1
    Custom field: wfls-last-login
    Previous value: 1588594526
    New value: 1588594533
    Role: subscriber
    First name: NULL
    Last name: NULL
    User profile page

    I’m at a loss as to what is creating these users, how to diagnose further or how to prevent the creation. WordFence is not even showing the attempts.

Viewing 12 replies - 1 through 12 (of 12 total)
  • We experienced the exact same thing yesterday as you Tobo on the exact same pieces of software minus Wordfence.

    Not sure if it is related.
    Contacting support…

    https://uaelementor.com/changelog/

    Version 1.24.2
    4 May 2020

    Security Improvement : Since this release contains a security fix, please update UAE to the version 1.24.2 as soon as possible.

    It is very dangerous. A sign that says your WordPress website has been hacked: if the registration on your site is closed and you notice the registration of a new user in WordPress, your website is most likely hacked.

    Armando

    (@kmzerowebmarketing)

    Same thing for me, same software: Astra Theme with Elementor and Premium Addons for Elementor + Ultimate Addons for Elementor, no Wordfence.

    • This reply was modified 4 years, 10 months ago by Armando.

    Did you install any nulled plugins or themes? Check the Wordfence scan for any viruses and backdoors.
    I think you have to scan the whole website if you love your website:

    1. First delete those users.
    2. Change your WordPress password, hosting password, and database password.
    3. Export all of your data with the tools in WordPress (you have to check that the file you get after export is clean).
    4. Go to your host panel; if it is cPanel, click “Settings” in the top right of the File Manager. Check the box titled “Show Hidden Files (dotfiles)” and click Save. Try to scan the whole website and check all of your WordPress folders for any suspicious code and files, like .ico or PHP files with weird names (ggh34553.php) and any type of virus formats; delete all of them.
    5. If you can’t check the code and files, first get a backup, then ask your hosting to delete every file you have except wp-content and the database (if you are sure your database is not infected).
    6. Change the wp-content name to wp-content1.
    7. Install WordPress again, then go to wp-content1/uploads and delete any files except your picture folders (their names are like 2017, 2018, 2019, 2020; save them!). Then check inside all of your picture folders and delete all files that do not have an image format, for sure.
    8. When you make sure the picture folders are cleared of any weird files, go back and copy the uploads folder to wp-content in your new WordPress installation, then go to your WordPress panel and import the data. Your website is clean now! I hope this helps you.

    Had this happen to 2 of my sites yesterday.

    Elementor + Astra + Ultimate Addons + Wordfence.

    yolalo1 was the user too. They uploaded a few code files and a txt file to the media.

    Also noticed a “wp-xmlrpc.php” file in my site files that was able to get a whole ton of info.

    @miosam881 anything from UAE?

    Tobo

    (@infonetzlichtcom)

    At my side nothing was uploaded or changed. Only the user was added.

    Exactly the same plugins… Exactly the same situation. Elementor + Astra + Ultimate Addons + Wordfence. yolalo1 user. He/she uploaded a few files into the upload/elementor/-1 folder: .json file php and .pw
    WHOEVER STILL HAS THESE FILES, COULD YOU PLEASE LET ME KNOW THE CONTENTS or send them over to me? I deleted them as soon as I found them in my media folder. And I can’t find them in my backup… My programmer asked for files to analyze…
    I’m wondering if they used it to modify something or if I’m actually hacked right now. I do not see anything changed on my website yet, but just to be safe.

    • This reply was modified 4 years, 10 months ago by pycckuu4ejl.

    Hello guys,

    I’m Sujay from the Brainstorm Force team that makes Ultimate Addons for Elementor plugin.

    We’re so sorry for the trouble. We take security very seriously. Any bugs we encounter are patched as soon as we find them. We also transparently get in touch with our customers, let them know about the security fix, and advise to update their websites as soon as they can. When we discovered the bug, we patched it in 4 hours, released the update, and notified all our customers via email.

    The bug we have patched, allowed people to register as a “subscriber” level user on your website. Users with the subscriber user role cannot write posts, view comments, or do anything at all inside your WordPress admin area.

    If you have noticed extra files in uploads folder in an Elementor folder called custom-icons, this must be due to another bug that we have noticed in Elementor Pro’s custom icons module. We have already shared it with the Elementor team and they are working on the patch.

    If your site was hacked, here is what you can do:

    1. Update all plugins and themes. Make sure Ultimate Addons for Elementor is version 1.24.2 or greater.
    2. Delete any unwanted “subscriber” level users on your site (caused by the bug in our plugin)
    3. Delete unwanted files within the /wp-content/uploads/elementor/custom-icons (caused by a bug in Elementor Pro which we have reported to them)
    4. Delete any other unwanted files you might notice such as wp-xmlrpc.php in the root installation of WordPress (caused by a bug in Elementor Pro which we have reported to them)
    5. Scan your site with security plugins such as WordFence to make sure there are no extra unwanted malicious files on your server.
    6. If you use WooCommerce or any other plugin where user accounts are created on your site; and if you use Elementor Pro – please be aware the bug is in the Elementor Pro plugin. It allows any registered user on your website to upload files in the /wp-content/uploads/elementor/custom-icons directory. We have already reported it to their team.

    If you need any further help, please feel free to get in touch through our website. We will be happy to help: https://uaelementor.com/contact/
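
Added example, not part of any post in this thread and not code from the plugins discussed: a read-only shell check for the filesystem artifacts the replies above name (a `wp-xmlrpc.php` in the installation root, script files under uploads, files in `elementor/custom-icons`). The function names, output labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Read-only triage: lists candidates for manual review, deletes nothing.
audit_wp_root() {
    root=$1
    uploads="$root/wp-content/uploads"

    # Core's XML-RPC endpoint is xmlrpc.php; wp-xmlrpc.php is the stray
    # file posters found in the installation root.
    if [ -f "$root/wp-xmlrpc.php" ]; then
        echo "ROOT_FILE wp-xmlrpc.php"
    fi

    # Script-like files anywhere under uploads (posters reported php and
    # .pw files beside a .json file). Media folders should hold none.
    if [ -d "$uploads" ]; then
        ( cd "$uploads" && find . -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.pw' \) \
            | sort | sed 's|^\./|UPLOAD_SCRIPT |' )
    fi

    # Every file under elementor/custom-icons, which the vendor reply
    # names as the directory the upload bug writes to.
    if [ -d "$uploads/elementor/custom-icons" ]; then
        ( cd "$uploads/elementor/custom-icons" && find . -type f \
            | sort | sed 's|^\./|CUSTOM_ICONS |' )
    fi
    return 0
}

# Constructed sample tree (not real site data) so the check runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads/2020/05" \
             "$t/wp-content/uploads/elementor/custom-icons/x"
    : > "$t/xmlrpc.php"        # legitimate core file, must not be flagged
    : > "$t/wp-xmlrpc.php"
    : > "$t/wp-content/uploads/2020/05/logo.png"
    : > "$t/wp-content/uploads/2020/05/ggh34553.php"
    : > "$t/wp-content/uploads/elementor/custom-icons/x/a.json"
    : > "$t/wp-content/uploads/elementor/custom-icons/x/b.PHP"
    echo "$t"
}

# Usage: sh audit.sh /path/to/wordpress   (no argument: run on the sample)
if [ $# -gt 0 ]; then
    audit_wp_root "$1"
else
    demo=$(make_sample_tree); audit_wp_root "$demo"; rm -rf "$demo"
fi
```

Unwanted accounts live in the database rather than on disk; with WP-CLI installed, `wp user list --role=subscriber` lists them for review.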

    Tobo

    (@infonetzlichtcom)

    Hi there,

    No files were uploaded at my sites because they didn’t have the folder and I hardened security regarding uploading files.

    @BSF please inform all customers about the exact problem that you posted here, because between updating the plugin and the hacker using the bug there were only a couple of hours. I think many people could be affected…

    Armando

    (@kmzerowebmarketing)

    At my side nothing was uploaded or changed. Only the user was added. Also no problems found with the Wordfence scan.

    Hey @brainstormforce,

    Thanks for chiming in, and the transparency. These things happen, and we appreciate the patch. I’ve also shared this thread with the Wordfence Team. If they have any further questions or input I’ll update you here.

    If anyone has any other questions that I can help with, please let me know.

    Thanks,

    Gerroald

  • The topic ‘Unknown new subscriber’ is closed to new replies.