

WordPress Hack Creating Administrator Accounts with Blank Username




Posted by crucesignati, 10-01-2014, 01:30 PM
Noticed three sites I host this week get hit with some sort of hack that creates new administrator accounts with blank usernames. All sites are WP v3.9x. It must be some type of DB script because the UI in WordPress will not allow you to create an account without a username. I found out because I use WordFence security plugin and it sends me an email anytime an administrator logs in - including their IP address - which I banned immediately. I've also noticed account lock-outs on these and other sites I host due to someone/something attempting to log in with phony username of "admin". This is more of an FYI - I'm monitoring but haven't noticed any file corruption or other aberrant behavior. But if you've encountered similar, please advise.

Posted by mrgeekchris, 10-01-2014, 01:43 PM
I work with WordPress a lot and I don't think I've ever heard of this happening. Do you have any further screenshots or database code? Just keep it brief.

Posted by crucesignati, 10-01-2014, 02:30 PM
Unfortunately, I did not take screenshots of the user page which displayed the blank usernames. But here is a screenshot of the email I received from WordFence: http://imgur.com/7MYeOoU WHOIS indicates the IP is Slovenian, so... I use WP quite a bit too and agree, it's unusual. All sites affected are on the same VPS, so it could be a security exploit unique to that server.

Posted by Kailash12, 10-02-2014, 04:54 AM
Did you check the Apache access logs for those websites for that particular IP address? You should probably get more information on which pages are being accessed by the visitor to register a blank admin user.

Posted by DewlanceHosting, 10-02-2014, 05:57 AM
Is your WordPress theme 100% clean? Also, don't forget to remove unused old theme and plugin files.

Posted by crucesignati, 10-02-2014, 01:48 PM
Please forgive the length of this reply. Kailash - thank you. I did just that. The access log for that site shows:

93.103.21.231 - - [29/Sep/2014:20:41:47 -0400] "POST /wp-login.php HTTP/1.0" 302 1192 "http://MYDOMAIN.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
93.103.21.231 - - [29/Sep/2014:21:45:19 -0400] "POST /wp-login.php HTTP/1.0" 302 1192 "http://MYDOMAIN.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
93.103.21.231 - - [29/Sep/2014:21:45:21 -0400] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 53041 "http://MYDOMAIN.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
93.103.21.231 - - [29/Sep/2014:23:52:18 -0400] "POST /license.php?cookie=1 HTTP/1.0" 200 153 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

It appears it may be impersonating Googlebot? Also, I found license.php in the root of the site. Perhaps base64? http://imgur.com/H8USNid I'm not aware of any valid license.php file being standard with WP or Plesk.

The Wordfence scan of the site shows this:

[Sep 30 05:25:29:1412069129.615075:2:info] Examining URLs found in posts we scanned for dangerous websites
[Sep 30 05:25:29:1412069129.568447:2:info] Adding issue: This file may contain malicious executable code: /wp-admin/includes/inc/freesans.fr.php
[Sep 30 05:25:29:1412069129.565983:2:info] Adding issue: This file may contain malicious executable code: /wp-includes/class-wp-sample.php
[Sep 30 05:25:29:1412069129.563416:2:info] Adding issue: This file may contain malicious executable code: wp-content/plugins/advanced-post-types-order/include/licence.php
[Sep 30 05:25:29:1412069129.560370:2:info] Adding issue: This file may contain malicious executable code: /wp-content/languages/themes/manage.php

I have backups and will revert the affected sites tonight. But I wanted to pass this along in case anyone has any additional insights into the source of the problem. Also, perhaps someone seeing similar behavior will have this for reference too. Cheers - and thank you!
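As an added example (not part of the thread or of WordFence), a small Python script that does what Kailash12 suggested: it reads Apache combined-format access-log lines and flags the request pattern shown above. The sample lines are constructed, with placeholder IPs and domain, and the two heuristics (a wp-login.php POST answered with a 302, which is how WordPress redirects a successful login, followed by the plugin upload page; and a crawler user agent sending POSTs to a PHP file) are review triggers, not proof of compromise.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the entries quoted in the thread.
# IPs, timestamps and the domain are placeholders, not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2014:20:41:47 -0400] "POST /wp-login.php HTTP/1.0" 302 1192 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Chrome/1.0.154.53"
203.0.113.7 - - [29/Sep/2014:21:45:21 -0400] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 53041 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Chrome/1.0.154.53"
203.0.113.7 - - [29/Sep/2014:23:52:18 -0400] "POST /license.php?cookie=1 HTTP/1.0" 200 153 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.9 - - [29/Sep/2014:23:55:00 -0400] "GET /2014/09/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Map each client IP to the list of review triggers its requests matched."""
    findings = defaultdict(list)
    logged_in = set()  # IPs whose POST to wp-login.php was answered with a 302 (login accepted)
    for line in log_text.splitlines():
        r = parse(line)
        if not r:
            continue
        path = r["path"].split("?")[0]
        if r["method"] == "POST" and path == "/wp-login.php" and r["status"] == "302":
            logged_in.add(r["ip"])
        # Same IP then opens the plugin upload page: a normal admin action, but worth
        # a look when the login came from an address you do not recognise.
        if r["ip"] in logged_in and path == "/wp-admin/plugin-install.php" and "tab=upload" in r["path"]:
            findings[r["ip"]].append("login then plugin upload page")
        # Crawlers fetch pages; a crawler UA posting to a PHP file is worth verifying.
        if "Googlebot" in r["ua"] and r["method"] == "POST":
            findings[r["ip"]].append("Googlebot UA sending POST to " + path)
    return dict(findings)
```

Feed it a real log with `find_suspicious(open("access_log").read())` and compare the flagged IPs against the login-alert emails from the plugin.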

Posted by crucesignati, 10-02-2014, 02:25 PM
Update: This issue appears to be related to this. A lot of common symptoms in post and comments sections too. http://blog.sucuri.net/2014/07/malwa...ess-sites.html

Posted by RRWH, 10-02-2014, 07:37 PM
Ah, so an old version of a plugin that was announced to be vulnerable a couple of months ago... Sorry, but if you don't keep up with the security of your site, including the core, themes and all plugins installed (even inactive ones), then you only have yourself to blame. Yes, the best thing you can do is to restore from a clean backup and then update everything.

Posted by thewebexpert, 10-03-2014, 06:40 PM
Google the mod_security rules for wp-login. Regardless of the plugins you install, if someone is trying to brute force any of your clients, it will be blocked at the firewall. Perfect!

Posted by VisakhBC, 10-04-2014, 02:24 AM
As @thewebexpert said, deploy a Web Application Firewall like mod_security. Free rules for mod_security are available from waf.comodo.com. If you are using a cPanel server, they even have a cPanel plugin for the Comodo rules. It may not always be possible to be on top of evolving security threats. The best defense is to block common methods of attack using a WAF.

Posted by thewebexpert, 10-04-2014, 08:44 AM
Wow, I have never seen the Comodo WAF stuff, it is amazing, and even better, it does more than just the wp-admin rule I found; this does Joomla as well. I think WAF should be pinned; why is it not as commonplace as CSF?

Posted by VisakhBC, 10-04-2014, 09:20 AM
In my experience more than 99% of hacks can be prevented through a well-configured WAF (with commercial WAF rules). With free rules like the Comodo WAF, you can get well above 95% malware protection. And you are right, this should be more widely known than it is now. It will make life better for a lot of web hosts.

Posted by thewebexpert, 10-04-2014, 09:25 PM
I just installed it on 3 servers tonight. The install was really good. It does not have brute force attack protection on by default, so OP, if you are going to use the Comodo stuff, you need to go in and turn on brute force protection after installing the latest update. I tested it and it worked great.

Posted by VisakhBC, 10-06-2014, 02:46 AM
Great to know that it's working well for you. Godspeed!

Posted by Brijesh-soft, 10-08-2014, 09:48 AM
Hi, did you check if the user with "no username" actually exists in the WordPress database users table?
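As an added example (not from the thread), a Python check for the question above: which rows in the users table carry the administrator role, and which of those have an empty login. It uses an in-memory SQLite stand-in for the MySQL wp_users and wp_usermeta tables (table prefix "wp_" assumed), with constructed rows; the role is stored the way WordPress stores it, as a PHP-serialised array in the wp_capabilities meta value.

```python
import sqlite3


def build_sample_db():
    """Constructed stand-in for wp_users / wp_usermeta; row 3 is a blank-login admin."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'owner',   'owner@example.com', '2013-01-05 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor1', 'ed@example.com',    '2013-06-01 09:00:00');
        INSERT INTO wp_users VALUES (3, '',        'x@example.net',     '2014-09-29 20:41:50');
        -- wp_capabilities holds a PHP-serialised array: a:1:{s:13:"administrator";b:1;}
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return db


# Same query works against MySQL once the prefix matches the site's $table_prefix.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID;
"""


def list_admins(db):
    """All rows whose capabilities include the administrator role."""
    return db.execute(ADMIN_QUERY).fetchall()


def blank_login_admins(db):
    """Admin rows with an empty or whitespace-only login: the WP UI never creates these."""
    return [row for row in list_admins(db) if row[1].strip() == ""]
```

The user_registered column of any row found this way gives a timestamp to line up against the access log.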


