[Hacking] Wordpress Usernames Constantly Changing to Hacker Nicknames

GunterGunter Member
edited December 2013 in Help

I'm on BlueVM shared hosting, and I feel like this might be an error on BlueVM's side so I'm not totally sure. It's occurring for both me and my reseller clients.

But I'm a bit confused about how to remedy this issue. Every time I create a new user to replace "bu", the usernames change back to "bu" within 24 hours.

I'm not totally sure if it's a plugin that's doing it; is there any way of ensuring it isn't BlueVM's fault or a plugin?


Comments

  • @darknyan said:
    I'm not totally sure if it's a plugin that's doing it; is there any way of ensuring it isn't BlueVM's fault or a plugin?

    Disable all plugins and check?

  • Have you sent in a support ticket?

  • @darknyan said:
    It took me a few days to update to Wordpress 3.8

    I'm not saying 3.7.x was insecure. 98+% of the time it's due to a bad plugin, theme, permissions, insecure password, etc.

  • More often than not it's the plugins you're using rather than the core WordPress files.

    Try running a sandbox site or two and test them out for security before you re-build your main site.

  • I reinstalled my main website. I'll wait and see if it benefits me.

    Thank you for your help, especially you @Grainga for linking me.

  • GunterGunter Member
    edited December 2013

    I was hacked again today with the username: Sjsalim

    Sjsalim is the name of a script kiddie who has uploaded numerous hacking tutorials on YouTube.

    The only plugins I have (including inactive) are: Akismet, WordPress Importer, All In One SEO Pack, Jetpack, and jsDelivr. All of them are trusted plugins.

    I have only 1 theme apart from the included WordPress themes, and it's entirely different from the original theme I had.

    I have a feeling that BlueVM is leaving some kind of hole open, is that likely?

  • BlueVMBlueVM Member
    edited December 2013

    That'd be highly unlikely or else we'd have 6,000+ reports of "my website was hacked"...

    Also our main website is hosted on the exact same setup (e.g. template clone) as all of our shared nodes.

    We have CSF, weekly system scans, abuse detection, SuPHP and many other security measures in place... more than most companies bother to set up. I'd suggest having us terminate your account and recreate it and see if that solves your problem.

  • @BlueVM said:
    That'd be highly unlikely or else we'd have 6,000+ reports of "my website was hacked"...

    Also our main website is hosted on the exact same setup (e.g. template clone) as all of our shared nodes.

    I'm looking through his YouTube trying to figure out how he did it.

  • BlueVM said: I'd suggest having us terminate your account and recreate it and see if that solves your problem.

    That's really kind of you :)
    I'll back up my customer and we're set to go.

  • @darknyan - I'll need you to PM me your ticket number though... I recall answering one ticket this morning about a wordpress site issue, but I don't recall the number unfortunately.

  • GunterGunter Member
    edited December 2013

    @BlueVM said:
    darknyan - I'll need you to PM me your ticket number though... I recall answering one ticket this morning about a wordpress site issue, but I don't recall the number unfortunately.

    Done and Done.

    Are you willing to tell us the nature of the ticket you mentioned?

  • @darknyan - It appears your ticket was in fact the ticket I was talking about... it also appears I read it, but did not respond, I wanted to check a few things first.

  • @darknyan - I recreated your account. I HIGHLY suggest you attempt to run the wordpress install with no plugins for a few days and see how it goes.

    Also I just checked and on your server there are 143 WordPress installs via Softaculous. I did a random viewing of 10 of them just to see if they'd been hacked, but they appear fine.

  • RalliasRallias Member
    edited December 2013

    To me it looks like a site called narviaexperiment.com has a shell on it. Was it hacked and not scrubbed?

  • Look at the plugin -- http://wordpress.org/plugins/wordfence/

    • Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.

    • Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
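The first Wordfence bullet above, core files checked against a known-good checksum manifest, is a check you can also run yourself without a plugin. The script below is an added example written for this thread; it is not Wordfence's code and not from anyone posting here. The install tree and the manifest are constructed inline (the manifest uses the `{"checksums": {path: md5}}` shape of the WordPress.org core checksums API, which is what `wp core verify-checksums` consults), and the file names and contents are stand-ins for the demo.

```python
"""Verify WordPress core files against a checksum manifest (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Files every site customises; they are never in the core manifest and are not suspicious.
LOCAL_FILES = {"wp-config.php", ".htaccess"}
# Top-level directories outside the core manifest (plugins, themes, uploads).
EXCLUDED_TOP_DIRS = {"wp-content"}


@dataclass
class IntegrityReport:
    modified: list = field(default_factory=list)    # present but hash differs
    missing: list = field(default_factory=list)     # in manifest, not on disk
    unexpected: list = field(default_factory=list)  # on disk, not in manifest

    @property
    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def md5_of(path: str) -> str:
    """MD5 is what the WordPress.org manifest publishes, so that is what we compare."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_core(root: str, manifest: dict) -> IntegrityReport:
    """Compare the install under root with manifest['checksums'] ({relpath: md5})."""
    expected = manifest["checksums"]
    report = IntegrityReport()
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report.missing.append(rel)
        elif md5_of(full) != digest:
            report.modified.append(rel)
    # Second pass: anything on disk that core does not account for. Dropped
    # files in wp-admin/ or wp-includes/ are a classic hiding place for webshells.
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        if rel_dir == "":
            dirnames[:] = [d for d in dirnames if d not in EXCLUDED_TOP_DIRS]
        for name in filenames:
            rel = os.path.join(rel_dir, name).replace(os.sep, "/")
            if rel not in expected and rel not in LOCAL_FILES:
                report.unexpected.append(rel)
    report.unexpected.sort()
    return report


# --- constructed demo: a tiny "install" plus the manifest it should match ---
ORIGINAL_FILES = {
    "wp-login.php": b"<?php // constructed stand-in for the real wp-login.php\n",
    "wp-includes/version.php": b"<?php $wp_version = '3.8';\n",
    "wp-admin/admin.php": b"<?php // constructed stand-in for wp-admin/admin.php\n",
}
DEMO_MANIFEST = {"checksums": {p: hashlib.md5(c).hexdigest() for p, c in ORIGINAL_FILES.items()}}


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def build_demo_install(root: str) -> None:
    """Lay down an install with one tampered core file, one missing core file,
    one file core does not know about, and the legitimate local/plugin files."""
    _write(root, "wp-login.php", ORIGINAL_FILES["wp-login.php"])
    _write(root, "wp-includes/version.php", b"<?php $wp_version = '3.8'; // tampered\n")
    # wp-admin/admin.php is deliberately not written (missing)
    _write(root, "wp-includes/extra-unknown.php", b"<?php // not part of core\n")
    _write(root, "wp-config.php", b"<?php // site-specific, expected to differ\n")
    _write(root, "wp-content/plugins/akismet/akismet.php", b"<?php // plugin, out of scope\n")


def run_demo() -> IntegrityReport:
    with tempfile.TemporaryDirectory() as root:
        build_demo_install(root)
        return verify_core(root, DEMO_MANIFEST)


if __name__ == "__main__":
    r = run_demo()
    for label, items in (("modified", r.modified), ("missing", r.missing), ("unexpected", r.unexpected)):
        for rel in items:
            print(f"{label}: {rel}")
    print("clean" if r.clean else "integrity check FAILED")
```

The check deliberately ignores wp-content: plugins, themes and uploads are not covered by the core manifest, so they need their own baselines (a hash list taken right after a clean install is the simplest). A "modified" or "unexpected" hit under wp-admin/ or wp-includes/ is the thing to look at first when accounts keep changing and no plugin is enabled.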

  • GunterGunter Member
    edited December 2013

    @BlueVM said:
    darknyan - I recreated your account. I HIGHLY suggest you attempt to run the wordpress install with no plugins for a few days and see how it goes.

    Also I just checked and on your server there are 143 WordPress installs via Softaculous. I did a random viewing of 10 of them just to see if they'd been hacked, but they appear fine.

    The websites were not defaced at all.

    The usernames and passwords constantly kept changing.

    I will be running the website without any plugins for a couple of days.
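The symptom described here, wp_users rows changing underneath the site owner, is something a baseline-and-diff check can flag within minutes rather than being noticed a day later. The script below is an added example, not from the thread and not BlueVM's tooling; it builds wp_users and wp_usermeta in an in-memory SQLite database with constructed rows (logins, e-mails and password hashes are placeholders), reproduces the renamed-login and replaced-password symptom, and reports exactly what changed, including any account newly holding the administrator role. Against a real site the same two queries would run over MySQL, and the baseline should be stored somewhere the web server user cannot write.

```python
"""Detect unexpected changes to WordPress user accounts (added example)."""
import sqlite3

PREFIX = "wp_"  # WordPress table prefix; "wp_" is the installer default


def snapshot(conn, prefix=PREFIX):
    """Return {ID: {login, pass, email, is_admin}} for every user in {prefix}users."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_pass, u.user_email,
               COALESCE(m.meta_value, '') AS caps
          FROM {prefix}users u
     LEFT JOIN {prefix}usermeta m
            ON m.user_id = u.ID AND m.meta_key = '{prefix}capabilities'
      ORDER BY u.ID
    """
    users = {}
    for uid, login, pw_hash, email, caps in conn.execute(sql):
        users[uid] = {
            "login": login,
            "pass": pw_hash,
            "email": email,
            # wp_capabilities holds a PHP-serialized array such as
            # a:1:{s:13:"administrator";b:1;}; a substring test is enough here
            "is_admin": '"administrator"' in caps,
        }
    return users


def diff_snapshots(before, after):
    """List human-readable alerts for every account change between two snapshots."""
    alerts = []
    for uid, now in after.items():
        old = before.get(uid)
        if old is None:
            role = " (ADMINISTRATOR)" if now["is_admin"] else ""
            alerts.append(f"new user ID {uid}: {now['login']!r}{role}")
            continue
        if old["login"] != now["login"]:
            alerts.append(f"ID {uid}: login renamed {old['login']!r} -> {now['login']!r}")
        if old["pass"] != now["pass"]:
            alerts.append(f"ID {uid}: password hash replaced for {now['login']!r}")
        if old["email"] != now["email"]:
            alerts.append(f"ID {uid}: e-mail changed {old['email']!r} -> {now['email']!r}")
        if now["is_admin"] and not old["is_admin"]:
            alerts.append(f"ID {uid}: {now['login']!r} was granted administrator")
    for uid in sorted(before.keys() - after.keys()):
        alerts.append(f"ID {uid}: user {before[uid]['login']!r} deleted")
    return alerts


def build_demo_db():
    """In-memory stand-in for the two tables, populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {PREFIX}users (ID INTEGER PRIMARY KEY, user_login TEXT,
                                    user_pass TEXT, user_email TEXT);
        CREATE TABLE {PREFIX}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                       meta_key TEXT, meta_value TEXT);
        INSERT INTO {PREFIX}users VALUES
            (1, 'gunter', '$P$Bconstructedhash0001', 'owner@example.com'),
            (2, 'editor', '$P$Bconstructedhash0002', 'editor@example.com');
        INSERT INTO {PREFIX}usermeta VALUES
            (1, 1, '{PREFIX}capabilities', 'a:1:{{s:13:"administrator";b:1;}}'),
            (2, 2, '{PREFIX}capabilities', 'a:1:{{s:6:"editor";b:1;}}');
    """)
    return conn


def simulate_incident(conn):
    """Reproduce the symptom from the thread with constructed changes: the admin
    login is renamed, its password hash replaced, and an extra administrator appears."""
    conn.executescript(f"""
        UPDATE {PREFIX}users SET user_login = 'bu',
               user_pass = '$P$Bconstructedhash9999' WHERE ID = 1;
        INSERT INTO {PREFIX}users VALUES
            (3, 'extra_admin', '$P$Bconstructedhash0003', 'nobody@example.invalid');
        INSERT INTO {PREFIX}usermeta VALUES
            (3, 3, '{PREFIX}capabilities', 'a:1:{{s:13:"administrator";b:1;}}');
    """)


def run_demo():
    conn = build_demo_db()
    baseline = snapshot(conn)   # taken right after a clean install or reset
    simulate_incident(conn)
    return diff_snapshots(baseline, snapshot(conn))


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

Run from cron every few minutes with the baseline refreshed only after a deliberate, logged change; a rename of the administrator login or a fresh administrator row is then an alert with a timestamp, which narrows down which access log window and which process (PHP under SuPHP, a direct MySQL client, or a cPanel/phpMyAdmin session) to look at.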

  • @darknyan - I understand that; I checked their wp_user tables.

  • @BlueVM said:
    darknyan - I understand that; I checked their wp_user tables.

    Then odds are I'm just the only one.

  • GunterGunter Member
    edited December 2013

    Once again, both my websites have been hacked.

    This time the only plugin I had enabled was Akismet. The theme and plugin aren't to blame; at this point I'm entirely confused about what to do.

    By this point, I'm convinced that BlueVM is doing something wrong or forgot to update MySQL. Sadly I have no conclusive proof.

    BlueVM, is there any way whatsoever this could be related to your web hosting service? I'm not inclined to blame you, but I'm pretty much lost as to what I did wrong.

    Not trying to ruin your reputation, just trying to get to the bottom of this.

    Hell, maybe I should just ask him how he did it.

  • Are the FrontPage extensions or WebDAV turned off?

  • @darknyan did you install your WP directly from the WordPress site, or did you upload the WP from your PC?

    In case you uploaded from your PC, there is a fat chance that the copy from your PC is infected with a backdoor.

  • wychwych Member
    edited December 2013

    Are you using the default theme?

    Do you use any security plugins to prevent brute force attacks?

  • @vRozenSch00n said:
    darknyan did you install your WP directly from the WordPress site, or did you upload the WP from your PC?

    In case you uploaded from your PC, there is a fat chance that the copy from your PC is infected with a backdoor.

    I used Softaculous.

    ErawanArifNugroho said: Are the FrontPage extensions or WebDAV turned off?

    Frontpage is not installed and I don't think WebDav would be an attack vector in this case.

  • Are you using the default theme?

    One of the websites was using the default theme (no plugin but Akismet) and another was using Hum.

    I don't think the theme has any significance in this case.

  • darknyan said: I used Softaculous.

    After installing from Softaculous, did you directly update your WP?

  • GunterGunter Member
    edited December 2013

    @vRozenSch00n said:
    After installing from Softaculous, did you directly update your WP?

    Softaculous directly installs the latest version of WordPress, which is 3.8.

    There was no prompt to update WordPress.

    When logged in, it informs me that I have the latest version, and:

    "Last checked on December 16, 2013 at 11:53 pm."

  • If it was something from our system the other ~100 WP installs would all be infected.

  • RalliasRallias Member
    edited December 2013

    To be honest, I've not seen ANYTHING to indicate potential compromise on BlueVM's end. And trust me when I say that I've looked hard for such evidence.

    On the other hand, narvinainvestment.com is on DimeNOC servers, so I'm thinking they have a case to deal with.
