This just in via WordFence email: Wordfence <list@wordfence.com>
An AJAX call creates a user named wpservices with the email wpservices@yandex.com and the password w0rdpr3ss. With this user in place, the attacker is free to install further backdoors or perform other malicious activity.
Block these domains and IPs in cPanel / IP Blocker:
yourservice.live – Hosts the script responsible for rogue administrator creation. Also associated with other malvertising scripts in earlier incarnations of this campaign.
adsnet.work – Hosts ad network scripts for redirection and popups.
IP address: 104.130.139.134
For details, please review their article at https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/
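
To check a site for the indicators listed above, here is an added example (not from Wordfence or from this post). It assumes the user list was exported with `wp user list --format=json` and that page HTML was saved as text; the sample data and the function names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
ROGUE_LOGIN = "wpservices"
ROGUE_EMAIL = "wpservices@yandex.com"
BAD_DOMAINS = ("yourservice.live", "adsnet.work")
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""", re.IGNORECASE)

# Constructed sample data (not from a real site).
SAMPLE_USERS = """[
 {"ID": 1, "user_login": "admin", "user_email": "owner@example.com", "roles": "administrator"},
 {"ID": 7, "user_login": "wpservices", "user_email": "wpservices@yandex.com", "roles": "administrator"},
 {"ID": 9, "user_login": "editor1", "user_email": "WPServices@Yandex.com", "roles": "editor"}
]"""
SAMPLE_HTML = (
    '<script src="//CDN.adsnet.work/pop.js"></script>'
    '<a href="https://notadsnet.work/">unrelated lookalike</a>'
    '<script src="https://yourservice.live/example.js?v=1"></script>'
)


def find_rogue_users(users_json):
    """Return user records whose login or email matches the rogue account."""
    hits = []
    for user in json.loads(users_json):
        login = str(user.get("user_login", "")).strip().lower()
        email = str(user.get("user_email", "")).strip().lower()
        if login == ROGUE_LOGIN or email == ROGUE_EMAIL:
            hits.append(user)
    return hits


def find_bad_hosts(text):
    """Return sorted hosts in text that are a listed domain or a subdomain of one."""
    hits = set()
    for url in URL_RE.findall(text):
        try:
            host = urlparse(url).hostname or ""
        except ValueError:  # malformed bracketed host
            continue
        if any(host == d or host.endswith("." + d) for d in BAD_DOMAINS):
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    for u in find_rogue_users(SAMPLE_USERS):
        print("rogue user:", u["ID"], u["user_login"], u["user_email"], u["roles"])
    for h in find_bad_hosts(SAMPLE_HTML):
        print("reference to listed domain:", h)
```

A match on the email alone (ID 9 in the sample) is still worth reviewing, since an account can be renamed after it is created.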