We've been seeing a user created out of nowhere named "wordpress" every so often, with most of our wordpress sites on a couple Ubuntu 20 servers. I run a quick audit across our server using WP-CLI to find all administrator users every once in a while, to be sure we aren't providing extra admin access to user accounts.
We then see most of our sites have a user: "wordpress" with ID "123456", no email address associated with it, and registered on 9-28-2012 00:00:00.
I have tried to search Google/Stack to see if anyone has reported the same thing happening to them, but it's difficult to search for because of the keywords being used. And I don't see anything remotely mentioning this thing happening to anyone else.
Has anyone seen this, or know how it's happening? I am worried it's a security vulnerability that I am not aware of, or a plugin needing updating. We're not fully up to date on all WordPress and plugin updates on all sites, but many/most of them are, or at least fairly recently. We've seen this happen before on a couple sites back in 2020 so it can't be a WordPress or plugin issue for that long since we've definitely updated since then.
One thing to note is we do a lot of our updates from WP-CLI, but have also done it from admin panel using an Ubuntu user named "wordpress".... but I don't see how that would ever create a new user in our wordpress user table.
asked Oct 13, 2023 at 18:50 by blueionRich
- I haven’t heard of hacks creating users before. Do you have any record of this user logging in? I can’t remember if there’s a last login time in the user record or meta. Does anyone else have shell access to the server? Ditto I can’t remember if it’s possible to create a fixed user ID through WordPress APIs but I’d guess not, so sounds like they’re running SQL to do this. – Rup Commented Oct 14, 2023 at 8:29
- I don't see a way after the fact to get user login details. I thought it was in user meta data but I don't see anything for any user there. I know there are plugins you can install for that, but I've since deleted all WordPress users. I've tested using WP CLI without an email but that's a required field. The user ID being 123456 and the date registered is too specific as that is not a default for mysql inserts. But at the same time, not sure how a user can be created in the DB without required fields if not direct to mysql. Both backend admin and WP CLI won't let you. It's very odd. – blueionRich Commented Oct 16, 2023 at 16:55
- Also my auto-increment value on all these user tables are "123457" now, as that was also set based on the last insert value. – blueionRich Commented Oct 16, 2023 at 16:58
1 Answer
It could be that you have the Post SMTP plugin installed. There is an exploit in this plugin: https://patchstack.com/database/vulnerability/post-smtp
The issue has been fixed in version 2.8.8 and above.
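
A triage check for the account described in the question, as an added example that is not part of the original thread: it filters `wp user list` CSV output for administrators matching the reported traits (ID 123456, empty email, the fixed registration date). The `/var/www` root, the function names and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input is the CSV printed by:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
# Assumes logins and emails contain no commas (simple CSV split).

flag_phantom_admins() {
  awk -F, '
    NR == 1 { next }                 # skip the CSV header row
    {
      gsub(/"/, "")                  # strip CSV quoting; awk re-splits the fields
      reasons = ""
      if ($3 == "")                    reasons = reasons " empty-email"
      if ($1 == "123456")              reasons = reasons " fixed-id"
      # Assumed MySQL rendering of the date the question gives as 9-28-2012
      if ($4 == "2012-09-28 00:00:00") reasons = reasons " fixed-date"
      if (reasons != "") print $1 "," $2 ":" reasons
    }'
}

# Constructed sample rows, not real data.
sample_csv() {
  cat <<'EOF'
ID,user_login,user_email,user_registered
1,siteadmin,admin@example.com,2019-03-04 10:22:31
123456,wordpress,,2012-09-28 00:00:00
42,legacy,legacy@example.com,2012-09-28 00:00:00
EOF
}

# Run the check against every install below a root directory.
# --skip-plugins/--skip-themes keep possibly tampered plugin code from loading.
audit_sites() {
  root=${1:-/var/www}                # assumed web root; adjust to your layout
  find "$root" -maxdepth 3 -name wp-config.php | while read -r cfg; do
    site=$(dirname "$cfg")
    hits=$(wp --path="$site" --skip-plugins --skip-themes user list \
             --role=administrator \
             --fields=ID,user_login,user_email,user_registered \
             --format=csv 2>/dev/null | flag_phantom_admins)
    if [ -n "$hits" ]; then printf '== %s\n%s\n' "$site" "$hits"; fi
  done
}

# Usage: sh audit.sh --audit /var/www   (or: sh audit.sh --demo)
case "${1:-}" in
  --audit) audit_sites "${2:-/var/www}" ;;
  --demo)  sample_csv | flag_phantom_admins ;;
esac
```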