
Untraceable spam user

  • mareksgregs
    Participant

    @mareksgregs

    I have a user by the username of “user.firstnameuser.lastname” and it keeps spamming the Groups section of my site.
    I’ve deleted it about 30 times by now, but it just keeps coming back. And what’s really odd is that it has no Registration IP or any IP associated with it. The sign-up is not showing up in the Activity log either.

    Is there a way I can track this spam user (bot?) down and get rid of it for good?

Viewing 23 replies - 1 through 23 (of 23 total)
  • @ubernaut
    Participant

    @ubernaut

    When you say “has no registration IP”, I’m assuming you are using WangGuard or some other plugin to get that info. The fact is there must be an IP; it may be spoofed, but regardless, why not just ban whatever email they are using to register?

    mareksgregs
    Participant

    @mareksgregs

    @ubernaut Oh, I forgot to mention: there isn’t an email associated with the account either.
    I think that something in the files may be creating it over and over again. Would that be possible?

    @ubernaut
    Participant

    @ubernaut

    I don’t see how that’s possible unless your site was hacked; maybe then, not sure.

    mareksgregs
    Participant

    @mareksgregs

    @ubernaut I tried that WangGuard plugin (thanks for introducing it to me, by the way; it’s awesome), and when I scanned the user, its status came back as “Error – 101”.

    I don’t see how my site could be hacked, though. Perhaps the problem is in one of my plugins. Unlikely, though. All of my active plugins are legit and shouldn’t have spam bots in their files…

    @ubernaut
    Participant

    @ubernaut

    Hmm, I think I have also seen that before. I forget exactly what it was, but the address was invalidly constructed as I recall (meaning it was not the proper format you’d expect to see for an email). I have noticed that WangGuard’s server(s) are not always available (they probably get attacked with some frequency). Whenever WangGuard is not online the plugin just lets people pass, but it is rather odd that someone should even be able to complete registration without a valid email.

    :/

    mareksgregs
    Participant

    @mareksgregs

    I just deleted the user again, and it reappeared 5 seconds later, but this time WangGuard logged an IP! This means progress!

    Any suggestions for how to ban the IP now?

    @ubernaut
    Participant

    @ubernaut

    Well, you are assuming they will continue to use the same IP, which I think is not a safe assumption. What is the email listed?

    mareksgregs
    Participant

    @mareksgregs

    I think I found out why it says Error – 101 too. When I click “Recheck”, it says “The selected user couldn’t be found on users table”.
    So does that mean that it’s beyond the user database? o_o

    Edit: There’s still no email.

    @ubernaut
    Participant

    @ubernaut

    Just blank space, huh? Never seen that before; not sure how it’s even possible unless, as I said before, your site was hacked, and even then I’m still not sure how it’s possible. As far as I know, every WordPress user account must be associated with an email address.

    José Conti
    Participant

    @jconti

    Hi @mareksgregs and @ubernaut,

    I’m the WangGuard developer.

    Search for the user in the database (wp_users). You need to find it there.

    You need to check wp-config.php, index.php, wp-content and, if you use a cache, wp-content/cache.

    I think you have been hacked. It is impossible for a user not to have an email, and if you delete the user and 5 seconds later the user is there again, there is a script that creates the user.

    And yes, every 2 days we have a very big attack. Now we are looking for bigger servers with better protection against these attacks :(

    Kind regards

    mareksgregs
    Participant

    @mareksgregs

    @jconti What am I supposed to look for in those files?
    And I found the user in the users database. Should I delete it?

    José Conti
    Participant

    @jconti

    @mareksgregs use this plugin:

    http://wordpress.org/plugins/wordfence/

    That plugin will check all core files.

    Do you use single-site WordPress or WordPress Multisite?

    @ubernaut
    Participant

    @ubernaut

    @jconti keep up the good work!

    José Conti
    Participant

    @jconti

    Thanks @ubernaut

    mareksgregs
    Participant

    @mareksgregs

    I deleted the user from the database yesterday (in which it didn’t have an email either). And it hasn’t come back yet. I think it may be finally gone. :)

    @ubernaut
    Participant

    @ubernaut

    I think you should really check your site using that Wordfence plugin; as we both indicated, having a user without an associated email is very suspicious.

    mareksgregs
    Participant

    @mareksgregs

    The scan found only one problem, which is:

    This file may contain malicious executable code
    Filename: wp-content/plugins/user-meta/framework/init.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 45 secs ago.
    Severity: Critical
    Status: New
    This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.

    I wasn’t using that plugin though. It was deactivated.
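Two of the checks this thread converges on, as an added shell example that is not from the thread, WangGuard or Wordfence: José Conti's advice to search wp_users and look through wp-config.php, index.php and wp-content, and the pattern Wordfence flagged above (eval() and base64 decoding on the same line). The users dump format, the wp_ table prefix and the sample tree built by make_fixture are assumptions; the mysql command in the comments is only the way such a dump is usually produced.

```shell
#!/bin/sh
# Added example (not from the thread, WangGuard or Wordfence): three triage checks.
#   scan_eval_b64 DIR        PHP files with eval( and base64_decode( on one line,
#                            the pattern Wordfence flagged in user-meta/framework/init.php
#   recent_php DIR [DAYS]    PHP files modified in the last DAYS days (default 7)
#   users_without_email TSV  accounts with an empty (or NULL) user_email in a
#                            tab-separated wp_users dump: ID, user_login, user_email
# Assumed: the dump was made with something like
#   mysql -N -B -e 'SELECT ID,user_login,user_email FROM wp_users' DBNAME > users.tsv
# (table prefix wp_ assumed; adjust to yours).

scan_eval_b64() {
    # find picks the PHP files, grep -l prints only the names that match;
    # \( is a literal parenthesis in the extended regex
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\(.*base64_decode[[:space:]]*\(' {} +
}

recent_php() {
    # files whose modification time is within the last N days
    find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}

users_without_email() {
    # field 3 is user_email; mysql -B prints NULL for null columns
    awk -F'\t' '$3 == "" || $3 == "NULL" { print $1 "\t" $2 }' "$1"
}

make_fixture() {
    # Constructed sample tree for a dry run: one clean file that merely calls
    # base64_decode, one file with the eval(base64_decode(...)) pattern, and a
    # users dump containing an email-less account like the one in the thread.
    d="$1"
    mkdir -p "$d/wp-content/plugins/clean" "$d/wp-content/plugins/suspect"
    printf '<?php\n$x = base64_decode($y);\n' > "$d/wp-content/plugins/clean/init.php"
    printf '<?php\neval(base64_decode("ZWNobyAiaGkiOw=="));\n' > "$d/wp-content/plugins/suspect/init.php"
    printf '1\tadmin\tadmin@example.invalid\n2\tuser.firstnameuser.lastname\t\n3\tbob\tNULL\n' > "$d/users.tsv"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "== eval+base64_decode on one line =="; scan_eval_b64 "$tmp"
    echo "== php changed in the last day ==";    recent_php "$tmp" 1
    echo "== users without email ==";            users_without_email "$tmp/users.tsv"
    rm -rf "$tmp"
fi
```

Run it as `sh triage.sh demo` to see it on the constructed tree, or call the three functions against a real document root and dump. A hit from scan_eval_b64 is a reason to read the file, not proof of compromise on its own (some legitimate code does this too), which is why the clean fixture file, which calls base64_decode without eval, is deliberately not reported.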

    @ubernaut
    Participant

    @ubernaut

    It’s still a bad sign; that base64 stuff is usually a sign of an open door that has been used to hack your site.

    @ubernaut
    Participant

    @ubernaut

    FYI, if your site has been hacked, even on a low level, you must clean it out and change all the associated admin and database passwords or you will be letting them right back in.

    mareksgregs
    Participant

    @mareksgregs

    I’ve already removed the plugin, since I didn’t even use it.
    Do I really need to change the database password too? How could they even access my database?

    @ubernaut
    Participant

    @ubernaut

    Getting hacked is a little bit like getting pregnant: there’s no such thing as just a little bit. If they got in, they have all of your access information, more than likely.

    If I knew that a crook who had already proven interested in breaking into my house had stolen my keys, the very least I would do is change the locks.

    Just saying…

    Hugo
    Moderator

    @hnla

    Are you on a dedicated server or VPS? If you are, then by all means take a laissez-faire attitude to your possible predicament; it’s your lookout, although be warned that many exploits execute drive-by code, infecting the poor sods who happen across your site. If you are on a shared hosting service, then your compromised site can possibly have compromised many other people’s sites if the server is not well hardened against intrusion.

    The responsibility is overwhelming. If you are going to provide a route to passing on malicious code, then you have to take all precautions to ensure you don’t. If you have, your options are these: you take your site offline (protecting others). You then change ALL access: usernames, passwords, FTP, DB etc. Then you set about establishing whether you have actually been compromised (at this stage it’s not certain, although likely), and it’s important to establish via logs and any other means what has happened, not just to sweep it under the carpet and cross fingers it never happens again. Once you have identified the issue, cleaned up and reset all passwords, then you may take the site online again.

    As for asking how they could have done x, y or z, you’re asking non-experts; ask an expert that sort of question and you would get short shrift from them. Just assume that anything is possible, because generally it is!

    In regard to that plugin, where did you find it? Is it from the WP repo? As a rule of thumb, be very, very wary of plugins from unknown sources. The WP repo is a pretty safe bet to avoid bad plugins; otherwise only accept plugins from third-party sites that have some reputation amongst the WP community.

    When you have finished, the last task ought to be checking the WP repo for further security plugins, just so you have an arsenal at your disposal to keep an eye on things (Wordfence might, however, be more than enough, but personally I’m not familiar with it).
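The credential reset that @ubernaut (change all admin and database passwords) and Hugo (change ALL access) call for, as an added shell example that is not from the thread. It goes one step beyond the posts: besides writing a new DB_PASSWORD into wp-config.php it regenerates the eight WordPress authentication keys and salts, which invalidates every existing login cookie, including any the intruder holds. It assumes the stock single-quoted define() lines; the MySQL password itself and the admin passwords still have to be changed in MySQL and wp-admin, this script only rewrites the config file. The sample config built by make_config_fixture is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): rotate the secrets stored in wp-config.php
# after a suspected compromise. Assumes lines of the stock form
#   define('DB_PASSWORD', '...');   define('AUTH_KEY', '...');
# The eight key/salt names are the real WordPress ones. Change the password in
# MySQL (and the wp-admin passwords) separately; this only edits the file.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

random_secret() {
    # 64 random alphanumeric characters (~380 bits); alphanumeric only so the
    # value is safe inside PHP single quotes and inside the sed replacement below
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

set_define() {
    # $1 = config file, $2 = constant name, $3 = new value (no quotes, / or & in it)
    # -i.bak works on both GNU and BSD sed; the backup is removed on success
    sed -i.bak "s/define( *'$2', *'[^']*' *)/define('$2', '$3')/" "$1" && rm -f "$1.bak"
}

get_define() {
    # print the single-quoted value of define('$2', '...'); used for verification
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

rotate_wp_secrets() {
    # $1 = path to wp-config.php, $2 = the new database password already set in MySQL
    set_define "$1" DB_PASSWORD "$2"
    for name in $WP_SALT_NAMES; do
        set_define "$1" "$name" "$(random_secret)"
    done
}

make_config_fixture() {
    # Constructed wp-config.php fragment with the placeholder salts WordPress ships
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'oldpassword');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
EOF
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_config_fixture "$tmp/wp-config.php"
    rotate_wp_secrets "$tmp/wp-config.php" 'NewDbPass2024'
    cat "$tmp/wp-config.php"
    rm -rf "$tmp"
fi
```

Run `sh rotate.sh demo` to see the rewritten fixture; for a real site call rotate_wp_secrets on the live wp-config.php right after setting the new password in MySQL, because the site is broken between the two steps if they are done in the other order. Rotating the salts logs every user out, which is the point.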

    rdclark
    Participant

    @rdclark

    In case someone else sees this problem: you can get the same thing (a flood of user accounts with no email and often no role) if you’re using the WP e-Commerce plugin.

    See the discussion here: http://wordpress.org/support/topic/spam-users-in-wp_users-after-wpsc-upgrade
