
Hacked: Strange WP Admin Login. What do I do?

Discussion in 'BlackHat Lounge' started by matrix79, Oct 24, 2016.

  1. matrix79

    matrix79 Junior Member

    Joined:
    Jan 20, 2013
    Messages:
    123
    Likes Received:
    27
    Hey everyone,

    Wordfence alerted me that there was an admin login to my WordPress site with a username I didn't create from another country. It was only one hour ago. When I look at the site, things look normal. I am also able to log in with my own admin and everything looks normal in my dashboard as well. Also, I don't see their admin username (the one they used to log in to my site) in the list of users.

    What do I do now?

    Thanks!
     
  2. Abhi Abhi

    Abhi Abhi Newbie

    Joined:
    Oct 6, 2016
    Messages:
    14
    Likes Received:
    0
    Gender:
    Male
    Maybe he is one of your registered users? Logging in doesn't matter, but what privileges you gave him matters; if he is a normal registered user then it won't affect your site.
     
  3. matrix79

    matrix79 Junior Member

    Joined:
    Jan 20, 2013
    Messages:
    123
    Likes Received:
    27
    No, that was an admin login. Also I didn't have any other users than me on that site.

    I have an update though: Although their username didn't appear in my dashboard, I found it and their email in my PHPMyadmin database. They created that user yesterday. Also there is one thing I can see they did: They deleted my Wordfence plugin.

    Needless to say, I deleted their user via database, changed my admin password and installed back Wordfence. But what else do I have to do? I can't believe all they did is to delete Wordfence. Also I don't know through which door they entered in the first place.

    Any suggestions?
     
  4. Heisenberg

    Heisenberg Jr. VIP Jr. VIP

    Joined:
    Sep 11, 2014
    Messages:
    720
    Likes Received:
    375
    Occupation:
    Freelancer
    Location:
    Croatia
    Are you using any nulled plugin/theme? If so, it might be a backdoor.
     
    • Thanks Thanks x 1
  5. Sristy

    Sristy Jr. VIP Jr. VIP Premium Member

    Joined:
    Aug 17, 2010
    Messages:
    1,841
    Likes Received:
    491
    Gender:
    Female
    Location:
    In My Blog Network
    Yes, the backdoor has to be from a theme/plugin. If they deleted Wordfence only, it is just so that next time they log in you don't get alerted and they can do whatever they want to. How do you know they didn't do anything? What if they have added a script or code to redirect some part of your traffic to one of their own?
     
    • Thanks Thanks x 1
  6. Purush

    Purush Senior Member

    Joined:
    Jul 12, 2016
    Messages:
    1,163
    Likes Received:
    188
    Gender:
    Male
    Quite strange. Following for an answer.
     
    • Thanks Thanks x 1
  7. PHPInjected

    PHPInjected Elite Member

    Joined:
    Apr 25, 2014
    Messages:
    2,148
    Likes Received:
    1,918
    Occupation:
    100% Unique Content Writer
    Location:
    Overriding Methods
    I'm thinking they got in through a plugin or nulled plugin/theme. The uploads folder too. Perhaps you should try scanning your WordPress installation with Sucuri. It's a malware scanner.
     
    • Thanks Thanks x 1
  8. Juneja

    Juneja Elite Member

    Joined:
    Jun 12, 2016
    Messages:
    1,644
    Likes Received:
    245
    Location:
    Internet
    Are you using some nulled theme or plugin?
     
    • Thanks Thanks x 1
  9. JustUs

    JustUs Power Member

    Joined:
    May 6, 2012
    Messages:
    626
    Likes Received:
    588
    Delete the present installation, reinstall from backup, change the admin name and password from the default, then install SQL injection protection in .htaccess.

    Code:
    # Chinese networks
    deny from 42.120.0.0/15
    deny from 180.76.5.0/24
    deny from 180.76.6.0/24
    deny from 182.112.0.0/12
    deny from 202.105.0.0/16
    deny from 101.224.0.0/13
    deny from 74.52.0.0/14
    # IPTelligent
    deny from 96.47.224.0/23
    deny from 110.85.124.0/24
    #IPIntelligent
    deny from 173.44.32.0/19
    deny from 178.151.216.0/24
    # Repeated hack attempt
    deny from 37.221.160.0/21
    # ahrefs
    deny from 173.199.115.104
    deny from 173.199.115.105
    deny from 173.199.115.106
    deny from 173.199.115.107
    deny from 173.199.115.108
    deny from 173.199.115.109
    deny from 173.199.115.110
    deny from 173.199.115.111
    ## Chinese Spammers
    deny from 14.144.0.0/12
    deny from 60.166.0.0/15
    deny from 60.168.0.0/13
    deny from 27.153.128.0/17
    deny from 202.46.32.0/19
    deny from 58.240.0.0/15
    deny from 110.80.0.0/13
    # Romainian Porn links
    deny from 89.42.38.0/23
    
    ## Can be commented out if causes errors
    Options +FollowSymLinks
    
    ## Mod_rewrite in use.
    
    RewriteEngine On
    
    ## change non www to www
    RewriteCond %{HTTP_HOST} ^somesite\.tld$ [NC]
    RewriteRule ^(.*)$ http://www.somesite.tld/$1 [R=301,L]
    
    ## BLOCK BAD BOTS
    #RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC,OR]
    ## [NC,OR] added: without OR this first condition was ANDed with the
    ## rest of the list, so only an AhrefsBot that also matched another
    ## pattern was ever blocked.
    RewriteCond %{HTTP_USER_AGENT} .*AhrefsBot.* [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
    #RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
    RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetZIP [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Nutch [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Octopus [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} panscient.com [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^pavuk [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} PECL::HTTP [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^PeoplePal [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} PHPCrawl [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} PleaseCrawl [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^psbot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^RealDownload [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^ReGet [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Rippers\ 0 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} SBIder [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^SeaMonkey$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^sitecheck\.internetseer\.com [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Snoopy [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Steeler [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^SuperBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Surfbot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Toata\ dragostea\ mea\ pentru\ diavola [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^TurnitinBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*TurnitinBot.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} URI::Fetch [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} urllib [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} User-Agent [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Web\ Sucker [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} webalta [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebAuto [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} WebCollage [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebCopier [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebFetch [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebReaper [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebSauger [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebStripper [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebZIP [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Wells\ Search\ II [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} WEP\ Search [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Wget [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Widow [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WWW-Mechanize [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} zermelo [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus\.*Webster [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ZyBorg [NC]
    ## plain hyphen as the substitution, not the en dash the post pasted
    RewriteRule ^(.*)$ - [F,L]
    
    ## Prevent hot Linking
    ## Section commented out 9-19-2012
    #RewriteCond %{HTTP_REFERER} !^$
    ## Original
    #RewriteCond %{HTTP_REFERER} !^http://(www.)?somesite.nl/.*$ [NC]
    #RewriteRule \.(gif|jpe?g|png|html)$ - [F]
    ## ADDED
    #RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?somesite.tld [NC]
    #RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?somesiteothersite.tld [NC]
    #RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?somesiteothersite.tld [NC]
    #RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
    #RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
    
    #Next Two Lines deny Googlebot
    #RewriteCond %{HTTP_USER_AGENT} Googlebot
    #RewriteRule ^.*$ "http\:\/\/somesite\.tld" [R=301,L]
    
    ## redirect blog to /blog
    ## NOTE: %{HTTP_HOST} only ever holds the host name, so a pattern that
    ## includes a path ("www.somesite/blog/") can never match and this rule
    ## is dead as written; match the host alone and test the path with
    ## %{REQUEST_URI} instead.
    RewriteCond %{HTTP_HOST} www.somesite/blog/
    RewriteCond %{REQUEST_URI} !^/blog
    RewriteRule ^(.*)$ blog/$1 [L]
    
    ## redirect Forum to /Forum (same problem as the block above)
    RewriteCond %{HTTP_HOST} www.somesite.tld/forum/
    RewriteCond %{REQUEST_URI} !^/Forum
    RewriteRule ^(.*)$ Forum/$1 [L]
    
    ## Begin - Rewrite rules to block out some common exploits.
    # If you experience problems on your site block out the operations listed below
    # This attempts to block the most common type of exploit `attempts` to Joomla!
    #
    # Block out any script trying to base64_encode data within the URL.
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    # Block out any script that includes a <script> tag in URL.
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL.
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL.
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Return 403 Forbidden header and show the content of the root homepage
    RewriteRule .* index.php [F]
    #
    ## End - Rewrite rules to block out some common exploits.
    
    ## Begin - Custom redirects
    #
    # If you need to redirect some pages, or set a canonical non-www to
    # www redirect (or vice versa), place that code here. Ensure those
    # redirects use the correct RewriteRule syntax and the [R=301,L] flags.
    #
    ## End - Custom redirects
    
    ##
    # Uncomment following line if your webservers URL
    # is not directly related to physical file paths.
    # Update Your Joomla! Directory (just / for root).
    ##
    
    # RewriteBase /
    
    #
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    #
    # If the requested path and file is not /index.php and the request
    # has not already been internally rewritten to the index.php script
    RewriteCond %{REQUEST_URI} !^/index\.php
    # and the request is for something within the component folder,
    # or for the site root, or for an extensionless URL, or the
    # requested URL ends with one of the listed extensions
    RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
    # and the requested path and file does not directly match a physical file
    RewriteCond %{REQUEST_FILENAME} !-f
    # and the requested path and file does not directly match a physical folder
    RewriteCond %{REQUEST_FILENAME} !-d
    # internally rewrite the request to the index.php script
    RewriteRule .* index.php [L]
    #
    
    Options -Indexes
    ### Prevent wget, curl, and email harvesting
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(libwww|libwww-perl|curl|wget|python|nikto|scan).* [NC]
    RewriteRule ^(.*)$ - [F,L]
    ### END Prevent wget, curl, and email harvesting
    
    <files .htaccess>
    Order allow,deny
    Deny from all
    </files>
    
    ### Not sure about these yet 11/16/2012 ###
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    
    <files README.txt>
    Order allow,deny
    Deny from all
    </files>
    
    <files configuration.php-bak>
    Order allow,deny
    Deny from all
    </files>
    
    <files web.config.txt>
    Order allow,deny
    Deny from all
    </files>
    
    <files htaccess.txt>
    Order allow,deny
    Deny from all
    </files>
    
    <files readme.txt>
    Order allow,deny
    Deny from all
    </files>
    
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    ### END NOT SURE ###
    
    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>
    ErrorDocument 404 http://somesite.tld/error/404.php
    
    ## DENY UNWANTED BOTS AND KNOWN HACKER IPS ##
    ### hostile scanning ahrefs
    ## ahrefs.com
    ### end ahrefs.com
    ### Baidu crawler
    ## hostile scanning
    ### Joe Ellis botnets
    ## all calpop servers
    ## liveperson.net
    ## joe ellis IP cidr range @ NETBLK-THEPLANET-BLK
    ## end joe ellis botnets
    ##successful hack IPs
    ## end successful hack IPs
    # National advertising
    #deny from 91.205.234.0/16
    ## russian crawler
    #deny from 77.0.0.0/8
    ## END DENY  ################################
    AddHandler application/x-httpd-php53 .php .php5 .php4 .php3
    
    deny from 208.73.210.128
    deny from 23.21.250.45
    deny from 50.28.23.235
    deny from 61.18.62.46
    deny from 64.27.0.0/19
    deny from 64.27.29.28
    deny from 67.227.159.10
    deny from 88.80.11.71
    deny from 208.73.210.125
    deny from 207.44.192.64
    deny from 204.13.160.52
    deny from 204.13.160.53
    deny from 204.13.162.11
    deny from 204.13.162.127
    deny from 204.13.161.177
    deny from 208.73.210.52
    deny from 208.89.12.169
    deny from 74.52.0.0/14
    deny from 178.137.83.41
    deny from 178.137.92.57
    deny from 178.137.160.68
    deny from 178.137.165.172
    deny from 193.41.60.108
    deny from 180.76.5.0/24
    deny from 180.76.6.0/24
    RewriteCond %{HTTP_HOST} ^somesite\.biz$ [OR]
    RewriteCond %{HTTP_HOST} ^www\.somesite\.biz$
    RewriteRule ^/?$ "http\:\/\/www\.somesite\.tld\/Parked\/index\.htm" [R=301,L]
    ## The next line arrived truncated in the post; a bare fragment is a
    ## syntax error that takes the whole site down with a 500, so it is
    ## commented out rather than guessed at.
    #ga\.biz$ [OR]
    RewriteCond %{HTTP_HOST} ^www\.somesite\.biz$
    RewriteRule ^/?$ "http\:\/\/www\.somesite\.nl\/Parked\/index\.htm" [R=301,L]
    
    #AuthType Basic
    #AuthName "admin"
    #AuthUserFile "/home/somesi/.htpasswds/public_html/passwd"
    #require valid-user
    
    
    
    
     
    • Thanks Thanks x 2
    Last edited: Oct 24, 2016
  10. Vapys

    Vapys Regular Member

    Joined:
    Aug 17, 2016
    Messages:
    433
    Likes Received:
    227
    Do as JustUs mentioned and install the Sucuri WP plugin as well. You can use both with no problem; just add your own IP to the whitelist so you don't lock yourself out.
     
    • Thanks Thanks x 1
  11. matrix79

    matrix79 Junior Member

    Joined:
    Jan 20, 2013
    Messages:
    123
    Likes Received:
    27
    Thanks everyone! All my plugins are updated and for theme I am using Genesis Epik. I do use one old plugin because I have to. It's called .html on pages. I also used "Delete All Comments" plugin that was recently updated and I realized it lost its functionality after the latest update. I cannot be sure though. I just got rid of it.

    Wordfence scan only showed two readme.txt files were modified. It cannot be it, can it? I mean you can't be hacked with a readme.txt file, can you?

    I will go install Sucuri as well and implement other suggestions.

    The site behaves as usual. No weird ads. No redirects. At least I don't see anything like it. Thanks again.
     
  12. sunbros

    sunbros Regular Member

    Joined:
    Apr 14, 2010
    Messages:
    379
    Likes Received:
    125
    You can also install a two-step authentication plugin.

     
    • Thanks Thanks x 1
  13. JustUs

    JustUs Power Member

    Joined:
    May 6, 2012
    Messages:
    626
    Likes Received:
    588
    You probably do not want to do that, in spite of the hoopla behind it. The Podesta emails were gotten through knowing the telephone number of Podesta, contacting and social engineering the telco, and taking over the email.
     
    • Thanks Thanks x 1
  14. bzy39

    bzy39 Regular Member

    Joined:
    Jan 15, 2009
    Messages:
    439
    Likes Received:
    241
    Maybe it was just a login attempt, someone trying to brute force by guessing the admin username. It happens on multiple of my sites too.
     
  15. youtalkmedia

    youtalkmedia Senior Member

    Joined:
    Dec 5, 2011
    Messages:
    850
    Likes Received:
    382
    Occupation:
    Web Developer
    Location:
    Toronto
    Check your plugins/themes for any new code added. Had something similar happen to a client's WordPress; they installed a backdoor into one of the plugins that they could use to log in without a trace.
     
    • Thanks Thanks x 1
  16. matrix79

    matrix79 Junior Member

    Joined:
    Jan 20, 2013
    Messages:
    123
    Likes Received:
    27
    In my cPanel I discovered a newly modified (and probably newly created directory) called login-protect-ninja. It appears to be a plugin, but

    1. I never installed it.
    2. It doesn't appear in my normal WP dashboard, only in cPanel.

    Got rid of it.
     
  17. mazilla

    mazilla Newbie

    Joined:
    Apr 22, 2016
    Messages:
    25
    Likes Received:
    4
    I advise you to check every file once again, because the hacker could have created 2 or 3 backdoors (new files, or just some suspicious PHP code, for example).
     
    • Thanks Thanks x 1
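The file-level checks youtalkmedia and mazilla suggest, plus matrix79's own find (a plugin directory present on disk but never shown in the dashboard), as one triage script written for this thread rather than taken from it or from any WordPress or Wordfence tool. The plugin allowlist, the suspicious-code patterns and the temporary sample tree are constructed; `since_epoch` is the time of the Wordfence alert, and a hit is a lead to read, not a verdict.

```python
"""Triage a WordPress tree for leftovers of an admin-account takeover."""
import os, re, tempfile

# Constructs a practitioner looks for in a hand-dropped PHP backdoor
SUSPICIOUS = re.compile(
    rb"(eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\()", re.I)
PHP_EXT = (".php", ".phtml", ".php5")


def triage(root, known_plugins, since_epoch):
    """Scan a WordPress tree; return {category: sorted relative paths}."""
    found = {"php_in_uploads": [], "unknown_plugin_dir": [],
             "modified_since": [], "suspicious_code": []}
    # Plugin directories on disk that the owner never installed
    plugins = os.path.join(root, "wp-content", "plugins")
    if os.path.isdir(plugins):
        for name in sorted(os.listdir(plugins)):
            if os.path.isdir(os.path.join(plugins, name)) and name not in known_plugins:
                found["unknown_plugin_dir"].append("wp-content/plugins/" + name)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Anything touched since the alert deserves a look
            if os.path.getmtime(path) >= since_epoch:
                found["modified_since"].append(rel)
            if not fn.lower().endswith(PHP_EXT):
                continue
            # uploads/ should hold media, never executable PHP
            if rel.startswith("wp-content/uploads/"):
                found["php_in_uploads"].append(rel)
            with open(path, "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    found["suspicious_code"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree():
    """Constructed sample tree (not real site data): a clean plugin, the
    rogue login-protect-ninja directory and a PHP file inside uploads."""
    root = tempfile.mkdtemp()
    old = 1400000000  # mtime well before the incident
    samples = {
        "wp-content/plugins/wordfence/wordfence.php": (b"<?php // clean\n", old),
        "wp-content/plugins/login-protect-ninja/lpn.php":
            (b"<?php eval(base64_decode('cGxhY2Vob2xkZXI='));\n", None),
        "wp-content/uploads/2016/10/image.php": (b"<?php echo 'dropped';\n", None),
        "wp-includes/version.php": (b"<?php $wp_version = '4.6';\n", old),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        if mtime is not None:  # None leaves the file "just modified"
            os.utime(path, (mtime, mtime))
    return root
```

`triage(build_sample_tree(), {"wordfence"}, 1477267200)` flags the rogue plugin directory, its eval/base64 payload, and the PHP file in uploads; on a live site pass the document root, the plugins you actually installed, and the alert time.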
  18. tb303

    tb303 Senior Member

    Joined:
    Dec 18, 2011
    Messages:
    851
    Likes Received:
    539
    You say you changed your admin password? Did you also change the SQL database password?

    Also try using screaming frog or something to crawl your site and list all external links.

    If you are on a static IP then use an .htaccess rule to limit /wp-admin to just your own IP (no good if your IP is dynamic though).
     
    • Thanks Thanks x 1
  19. islandman1010

    islandman1010 Elite Member

    Joined:
    May 10, 2008
    Messages:
    1,761
    Likes Received:
    273
    Also use one of the plugins that lets you rename your login page to a custom name instead of the default wp-login page.
     
    • Thanks Thanks x 1
  20. umerjutt00

    umerjutt00 Jr. VIP Jr. VIP

    Joined:
    Oct 28, 2011
    Messages:
    3,909
    Likes Received:
    2,170
    Occupation:
    Ninja
    • Thanks Thanks x 1