brackenbury

I had an issue with someone unknown creating an admin user.

WordPress 3.5.0 I have multiple domains several of which run WordPress, all hosted within the one rented space. This morning I got an e-mail saying:
>> New user registration on your site Meldrew:
>>Username: Lmbbin96
>>E-mail: redacted

I locked down that domain using htaccess and looked to see what had been changed. Database had new user with admin privileges. Also to my surprise the site is now set to allow anyone to register and get admin privileges when they do. I am absolutely sure I did not set these so either this was part of a hack or it came as a WordPress default (unlikely).

Suspicious stuff in .htaccess either put there by WordPress or a hack or our hosting tech support?:

#RewriteEngine On
#RewriteBase /
# Allow applications in cgi-bin directory
#RewriteRule ^(cgi-bin)(/)?$ $1/header.php [R=301,L]
#RewriteRule ^cgi-bin/$ - [F]
#RewriteRule ^cgi-bin/. - [L]
#RewriteRule . - [G]
# BEGIN WordPress
# END WordPress

There is no cgi-bin directory in the root of this domain.
Apart from that no obvious new or modified files.

The WordPress install was over top of old one to get the latest version and was unused – just a backup install of an old weblog.

If the intruder could add or modify files on this site s/he could write code to get at sensitive info for all my sites stored above /public_html.

Any suggestions about how the intruder could have got in? Or how “anyone can register” and “as administrator” could have been set? And whether the .htaccess code is suspicious or not?

Appreciated. …Ian.