• My buddy just noticed that the admin email was changed for many sites (but not all) within his network. The new email address was random characters at some strange domain.

    Our host ran a scan and found no malware.

    We ran a “maximum sensitivity” Wordfence scan and found no issues.

    What would you suggest doing at this point? Do I trust the clean scan?

    Have you heard of just the admin email being changed? What would the purpose of this be?

    Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @nareshchandranatha, has a new account been added, or has the same account's email been changed?

    For a new account, maybe it comes from a demo importer.

    Thread Starter nareshchandranatha

    (@nareshchandranatha)

    Hey Arslan, thanks for the reply.

    It was an existing account. We changed the email address back to the original and everything seemed okay.

    Three hours later, something updated the siteurl and home URL of most of the sites to a shady malware page covered in ads.

    Wordfence still shows zero detections. Haven’t found anything manually in the logs or plugins. Very confused.

    Thread Starter nareshchandranatha

    (@nareshchandranatha)

    Ah, it was a vulnerability with wp-automatic that was reported August 20th and fixed later that week.

    Looks like they could set any WordPress option…

    I speculate that they changed the admin email so they would receive a verification email informing them of vulnerable sites.

    Then they follow up by changing the URL, which lets them see what plugins and versions you use. All the CSS and JS files for your extensions get remapped to their domain, and the version number is in the URL for cache. Wow.

    Then they can use a more specific attack if their scanner sees that you’re using a vulnerable plugin.
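
A baseline comparison for the three options this thread reports as tampered with (`admin_email`, `siteurl`, `home`), as an added example that is not part of the original thread. The tab-separated export format, the blog IDs and all sample values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Options the thread reports as tampered with; extend as needed.
WATCHED = ("admin_email", "siteurl", "home")

def parse_export(text):
    """Parse 'blog_id<TAB>option_name<TAB>option_value' lines (assumed format)."""
    sites = {}
    for line in text.strip().splitlines():
        blog_id, name, value = line.split("\t", 2)
        if name in WATCHED:
            sites.setdefault(int(blog_id), {})[name] = value.strip()
    return sites

def host(url):
    return (urlsplit(url or "").hostname or "").lower()

def mail_domain(addr):
    return (addr or "").rpartition("@")[2].lower()

def audit(baseline, current):
    """Return sorted (blog_id, option, finding) for each watched option that drifted."""
    findings = []
    for blog_id, known in baseline.items():
        now = current.get(blog_id, {})
        for name in WATCHED:
            old, new = known.get(name), now.get(name)
            if old == new:
                continue
            if new is None:
                verdict = "missing"
            elif name == "admin_email":
                verdict = "changed" if mail_domain(old) == mail_domain(new) else "changed-domain"
            else:
                verdict = "changed" if host(old) == host(new) else "redirected-host"
            findings.append((blog_id, name, verdict))
    return sorted(findings)

# Constructed sample data: site 1 tampered as described in the thread, site 2 untouched.
BASELINE = parse_export(
    "1\tadmin_email\tops@example.org\n1\tsiteurl\thttps://blog.example.org\n"
    "1\thome\thttps://blog.example.org\n2\tadmin_email\tops@example.org\n"
    "2\tsiteurl\thttps://shop.example.org\n2\thome\thttps://shop.example.org\n")
CURRENT = parse_export(
    "1\tadmin_email\txk3q9v@mail.example.net\n1\tsiteurl\thttp://ads.example.net/land\n"
    "1\thome\thttp://ads.example.net/land\n2\tadmin_email\tops@example.org\n"
    "2\tsiteurl\thttps://shop.example.org\n2\thome\thttps://shop.example.org\n")

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(*finding, sep="\t")
```

Run against a snapshot taken while the network is known to be clean, this reports option drift that lives only in the database, site by site.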

  • The topic ‘Admin email randomly changed. No malware found’ is closed to new replies.