[wp-hackers] wp-hackers Digest, Vol 67, Issue 76

Andrew Gray andrew at graymerica.com
Sat Aug 21 13:29:21 UTC 2010


Otto,

Most of the sites do not have registration enabled.

Also, there is no time stamp on the user, which means it was added directly to the DB, not via WP add user function or traditional registration.

Also, the same password and username pattern was added to 20 sites on one server. All in different databases.

Also, they were added as admin users, where none of the sites have anything more than Subscriber as the default level.

If no one else has seen this, maybe it was a custom attack, but it sure was weird.

Andrew


On Aug 21, 2010, at 12:01 AM, wp-hackers-request at lists.automattic.com wrote:

> Do you have user registration enabled? If so, then it's just spam
> registrations. If not, then you likely got hacked.
> 
> -Otto
> 
> 
> 
> On Fri, Aug 20, 2010 at 3:18 PM, Andrew Gray <andrew at graymerica.com> wrote:
>> I just noticed that some of my databases for my installs had a bunch of random users.
>> 
>> Across multiple Databases, with the same password and style. I am sure it is because I was lazy and used a master password in a bunch of my WordPress installs on that server.
>> 
>> At this point, I have fixed the problem, but has anyone else seen this? Is it a bad plugin or something else?
>> 
>> Here is an example of what was in all my DBs,
>> 
>> No timestamp, gmail addresses, First Name Last Initial. Every name was different, but the password was the same.
>> 
>> INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES
>> (2, 'SofiaT', '$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/', 'Sofia Turner', 'SofiaT at gmail.com', '', '0000-00-00 00:00:00', '', 0, 'Sofia Turner'),
>> (3, 'AlexandraR', '$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/', 'Alexandra Russell', 'AlexandraR at gmail.com', '', '0000-00-00 00:00:00', '', 0, 'Alexandra Russell'),
>> (4, 'JosephB', '$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/', 'Joseph Butler', 'JosephB at gmail.com', '', '0000-00-00 00:00:00', '', 0, 'Joseph Butler'),
> 
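The indicators described in this thread (no registration timestamp, one password hash reused across several accounts, administrator role) can be checked mechanically. The following is an added example, not part of the original messages: it runs against an in-memory SQLite copy of the relevant `wp_users` and `wp_usermeta` columns, using constructed rows and placeholder hashes, and assumes the default `wp_` table prefix.

```python
import sqlite3

ZERO_TS = "0000-00-00 00:00:00"  # registration value seen in the rows quoted above

# Constructed sample data (not from any real site); hashes are placeholders.
USERS = [
    (1, "siteowner", "$P$Bconstructed-hash-owner", "2009-03-02 10:15:00"),
    (2, "AnnaK", "$P$Bconstructed-hash-shared", ZERO_TS),
    (3, "MarkD", "$P$Bconstructed-hash-shared", ZERO_TS),
    (4, "reader1", "$P$Bconstructed-hash-reader", "2010-01-05 08:00:00"),
]
# WordPress stores roles as a serialized PHP array in the capabilities meta row.
ADMIN = 'a:1:{s:13:"administrator";b:1;}'
SUBSCRIBER = 'a:1:{s:10:"subscriber";b:1;}'
META = [(1, ADMIN), (2, ADMIN), (3, ADMIN), (4, SUBSCRIBER)]

# One row per user with three boolean indicators.
QUERY = """
SELECT u.ID, u.user_login,
       u.user_registered = ? AS no_timestamp,
       (SELECT COUNT(*) FROM wp_users o WHERE o.user_pass = u.user_pass) > 1 AS shared_hash,
       COALESCE(m.meta_value LIKE '%"administrator"%', 0) AS is_admin
FROM wp_users u
LEFT JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
ORDER BY u.ID
"""

def build_db():
    """Create the in-memory tables and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", META)
    return db

def suspicious_users(db, min_signals=2):
    """Return (login, [signals]) for accounts matching at least min_signals indicators."""
    found = []
    for _id, login, no_ts, shared, admin in db.execute(QUERY, (ZERO_TS,)):
        checks = (("no_timestamp", no_ts), ("shared_hash", shared), ("is_admin", admin))
        signals = [name for name, hit in checks if hit]
        if len(signals) >= min_signals:
            found.append((login, signals))
    return found

if __name__ == "__main__":
    for login, signals in suspicious_users(build_db()):
        print(login, signals)
```

Requiring two indicators keeps the legitimate administrator, who matches only the role check, out of the results.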


