• eduardobartelle

    (@eduardobartelle)


    Hi, I have a lot of sites with Wordfence and a user keeps signing in with the name wp_update-xxxxxxx and admin privileges (the X's are numbers that vary).

    I have deleted it but it keeps coming back; when I scan with Wordfence it doesn't return anything…


Viewing 15 replies - 16 through 30 (of 50 total)
  • I’m currently looking at a reddit thread dedicated to the subject. Do you have an old version of ACF installed on your site?

    Another thing, what consequences did this have on your sites? Just inaccessibility? Data theft?

    I discovered these issues tonight on my two sites, in the same hosting space, in subfolders (one for production, one for test). A new user as admin. Yesterday I received a mail that another editor user had changed their password. But that wasn't so. Then my admin password was changed. I logged in with the second admin and changed all the passwords again. Someone had set an application password for third parties on my user; I deleted it. I connected with FileZilla and discovered some dirty files: a new theme with a PHP file that duplicates files, some new folders, dirty files. I made a backup of the database and compared it with the last 2 backups: nothing dirty inside. I compared the files with a backup and cleaned everything (or I think I cleaned everything). I changed all the passwords: WordPress, cPanel, email, databases.
    Today this surprise: a new strange admin on 2 sites. I connected with FileZilla again and the whole space, the system folders too, was dirty. In some links (I have read a lot today… it's a big issue now) they say that the web server is probably infected, not only me. I wrote to the provider (no emergency services… damn) to ask for a check.
    Any other advice is appreciated. Thanks.

    Hello, what plugins and themes are installed?

    I am facing the same issue again. I had the same problem months ago, and it was fixed with the new release of WordPress version 6.4.2. However, now I am encountering the same problem again.

    phil1352

    (@phil1352)

    I am also a victim of the hack with the identifier CVE-2023-6875 [Post SMTP authorization bypass]

    All WordPress websites as well as static pages on one of my servers were affected. I have since moved most of the websites to a new server using backups from before the hack. I have also updated all plugins including Post SMTP, as the vulnerability should be fixed from version 2.8.8 (I am using 2.8.11) -> https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/

    However, I had to move a single page without a backup and cleaned it up manually beforehand. I installed a fresh WP, copied the Theme folder and restored the database. This went well for about a week until the first obfuscated files reappeared. I have already verified the checksums of the core files using wp-cli and also had Sucuri scan the WordPress instances for malware – everything went smoothly. Has anyone already found a permanent solution to this or any idea what mechanism is used to recreate the files and inject code into existing index.php files?

    I am grateful for any input!

    I tried to manually remove the obviously malicious code injected into regular files and the obfuscated files as a whole, checked the core WP files with wp-cli checksums, and scanned with Sucuri for malware.

    I listed every change made in the past days with: find . -mtime -2 -ls and went through that list.
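
    The file-side checks described in the two posts above (recently modified files, obfuscated PHP, stray index.php files in odd folders, core checksum verification with WP-CLI), plus the rogue-admin and application-password symptoms reported earlier in the thread, collected into one triage script. This is an added example, not code from the thread or from Wordfence, Sucuri, Imunify360 or WP-CLI; the sample tree it builds is constructed, and the path exclusions are assumptions about a standard WordPress layout.

```sh
#!/bin/sh
# Added triage script for the symptoms described in this thread; not code
# from the thread or from Wordfence, Sucuri, Imunify360 or WP-CLI.
# Each check takes the WordPress docroot as $1 so it can be run against a
# constructed sample tree as well as a live site. The path exclusions are
# assumptions about a standard WordPress layout.

# PHP files modified in the last N days (default 2): the poster's
# `find . -mtime -2 -ls`, narrowed to PHP so the list stays reviewable.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-2}" | sort
}

# PHP files containing primitives typical of injected, obfuscated code.
# A hit is a lead, not a verdict: some legitimate plugins call
# base64_decode(), so diff each hit against a clean copy before deleting.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|create_function\(' \
        {} + | sort
}

# index.php files larger than the ~30-byte "Silence is golden" stub core
# ships in most wp-content directories, outside the places where a real
# index.php is expected (docroot, wp-admin, wp-includes, theme roots).
stray_index() {
    find "$1" -type f -name 'index.php' -size +100c \
        ! -path "$1/index.php" \
        ! -path "$1/wp-admin/*" \
        ! -path "$1/wp-includes/*" \
        ! -path "$1/wp-content/themes/*/index.php" | sort
}

# Checks that need a live install and WP-CLI: core checksum verification,
# the administrator list (compare user_registered against your timeline),
# and each admin's application passwords, which one poster found planted.
# Skipped when `wp` is not installed.
core_and_users() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found; skipping live checks" >&2; return 0; }
    wp core verify-checksums --path="$1"
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --path="$1"
    for id in $(wp user list --role=administrator --field=ID --path="$1"); do
        echo "# application passwords for user $id"
        wp user application-password list "$id" --path="$1"
    done
}

# Constructed sample tree for a dry run (not a real infection): a clean
# plugin file, one file using eval(base64_decode()), an oversized index.php
# dropped into uploads, and the legitimate core stub.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/acme" "$root/wp-content/uploads/2024/01" "$root/wp-admin"
    printf '<?php\n// Silence is golden.\n' > "$root/wp-content/plugins/index.php"
    printf '<?php\nfunction acme_init() { return true; }\n' > "$root/wp-content/plugins/acme/acme.php"
    printf '<?php\n$c = "ZWNobyAxOw=="; eval(base64_decode($c));\n' > "$root/wp-content/plugins/acme/class-cache.php"
    printf '<?php\n/* constructed stand-in for a dropped file: %s */\n' "$(printf '%0200d' 0)" > "$root/wp-content/uploads/2024/01/index.php"
    printf '<?php\n// Silence is golden.\n' > "$root/wp-admin/index.php"
    echo "$root"
}

# Usage: sh wp-triage.sh /var/www/html [days]
if [ -n "${1:-}" ]; then
    echo "# PHP files modified in the last ${2:-2} day(s)"; recent_php "$1" "${2:-2}"
    echo "# PHP files with obfuscation primitives";        suspicious_php "$1"
    echo "# Oversized index.php in unexpected places";     stray_index "$1"
    core_and_users "$1"
fi
```

    Run it against a docroot and read the three lists together: a file that is both recently modified and matches an obfuscation primitive, or an oversized index.php under uploads, is where to start. Copying a theme folder from the infected site, as the earlier reply warns, carries anything these lists would have flagged straight into the new install, so run the same checks on whatever you restore.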

    Thread Starter eduardobartelle

    (@eduardobartelle)

    @phil1352,

    It’s likely that the issue occurred because your theme folder got infected and you copied it to your new site.

    In my case, I discovered a solution by purchasing a plugin that conducts scans continuously, ensuring the verification of all files. This is crucial because this virus implants backdoors in theme files, creates index.php files in various folders, and infects numerous files.

    It was a pain but my site has been running smoothly for the past two months after implementing this solution.

    phil1352

    (@phil1352)

    @eduardobartelle
    Thanks for the quick reply!

    May I ask what plugin you used to clear the files?
    I'm currently using Sucuri in its free version. While it scans for malware and alerts me when the obfuscated files get created, it doesn't remove them.

    vcr38

    (@vcr38)

    Hello, do you have the list of themes / plugins you use? We obviously all have a flaw in common but it would be nice to find it.

    phil1352

    (@phil1352)

    @vcr38

    The initial vulnerability seems to be an older version of Post SMTP.
    There was an authorization bypass that is fixed in version 2.2.8 and up.

    But the infection is already done, so I'm struggling with the cleanup of the aftermath.

    Since I'm running multiple websites for different use cases, I'm also using various plugins, but here is a list of the plugins all my sites have in common:
    – Contact Form 7
    – Flamingo (for CF7)
    – Post SMTP
    – YOAST

    For the themes I mainly use custom-built themes or the Divi page builder.

    vcr38

    (@vcr38)

    Ok thank you, the only one I obviously have in common is Contact Form 7. When were you hacked? For me it was between December 23 and 25, 2023.

    Thread Starter eduardobartelle

    (@eduardobartelle)

    @phil1352,

    I used Imunify360. I have the paid version, but they give you 7 days free to run scans.

    I recommend you install it and keep running scans all the time during the 7 days; it will for sure detect and delete the problem.

    In my case it didn't detect ALL the files in the first scan, but if you keep doing it, it will probably solve your problem; I mean, it worked for me.

    If the problem still persists you can buy the plugin and contact their support team; they will take care of things for you from there.

    phil1352

    (@phil1352)

    I have a daily backup mechanism up and running, so I can track it down to the 13th of January. All backups before that seem to be clean.
    The Post SMTP authorization bypass was published at the beginning of January as far as I know. So you don't use Post SMTP at all @vcr38?

    vcr38

    (@vcr38)

    Absolutely not, but I still got infected.

    vcr38

    (@vcr38)

    Another question: have you used the Advanced Custom Fields Pro or Free plugin, but in an older version?

    uhuge

    (@uhuge)

    Contact Form 7

    This seems quite a useful hint. We've got the same symptoms, where an admin account got created, likely via the code in

    > wp-includes/pluggable.php file has also been modified

    My suspicion is that the plugin is ill-intentioned, made to be confused with Contact Form 7 Connector from another author, but perhaps I am wrong and it was just an honest mistake that introduced a vulnerability.
