Wordpress site getting attacked?

Beginning last Friday morning (5 days ago) the traffic on my wordpress site went from 500-6--k per day to 6GB per day. It actually brought the server down. Brought it down many times before we figured out what was happening.

So, to stop it from crashing the server, I used .htaccess to deny all, allow <my ip address>

now, I am able to work with it and view logs and such.

I notice there are hundreds of thousands of:

"POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

errors in the log. I know they are there because I am denying them, but why are they POST entries? When *I* visit the site and browse around, they are all GET entries.

I disabled all the plugins, and it did not stop anything.

I run CSF LFD and I also see a lot of:
Executable:   /home/virtfs/sp/usr/libexec/openssh/sftp-server
Command Line: /usr/libexec/openssh/sftp-server
PID:          16847 (Parent PID:16845)
Killed:       Yes

in the logs, I would be the only person uploading to this cpanel account, and as it happens, I'm not...... but it sure looks like someone is.
I'd sure like to get this site back online, as you can imagine. Any ideas? I'll provide additional info needed.

Jason
jasgotAsked:

GaryCommented:
Have you got the IP address so you can block it?
What pages are they accessing?
They may have already hacked the server and are using it for nefarious things.
Check your logs, cron jobs.
Block all ssh access except for your ip - best to use cert authorisation. Are you using password login for ssh?
0
jasgotAuthor Commented:
It's many IP addresses. I am watching the logs, I am the only one logging in.
0
jasgotAuthor Commented:
It's interesting, though. With the deny all in the .htaccess file, they are still chewing up bandwidth.
0

GaryCommented:
If they have already hacked the site, the htaccess may make no difference.
How many IPs are you talking about? Could you add them to the csf.deny list?
Is the SSH secured?
You obviously know your way around Linux.
0
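One way to do the triage Gary describes, as an added example that is not part of the thread: parse Apache combined-format access log lines, count the "POST /" requests carrying the MSIE 6.0 user agent per source IP, total the bytes served to each, and emit csf.deny-style "IP # comment" lines for the noisiest sources (the csf.deny line format and the sample log lines are assumptions, constructed here rather than taken from the original post).

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not the poster's real logs).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:09:12:01 -0500] "POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [10/Mar/2014:09:12:02 -0500] "POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [10/Mar/2014:09:12:03 -0500] "POST / HTTP/1.1" 403 214 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [10/Mar/2014:09:12:05 -0500] "POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [10/Mar/2014:09:13:10 -0500] "GET /wp-admin/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Mar/2014:09:13:11 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def count_post_root(log_text, ua_marker="MSIE 6.0"):
    """Per source IP: number of requests matching the thread's pattern
    (POST to "/" with the MSIE 6.0 user agent) and bytes the server sent back."""
    hits, bytes_out = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/" and ua_marker in rec["ua"]:
            hits[rec["ip"]] += 1
            if rec["bytes"] != "-":
                bytes_out[rec["ip"]] += int(rec["bytes"])
    return hits, bytes_out

def csf_deny_lines(hits, threshold):
    """csf.deny-style 'IP # comment' lines for IPs at or above the hit threshold
    (assumed format; check the header of your own csf.deny before pasting)."""
    return [f"{ip} # POST / flood, {n} hits"
            for ip, n in hits.most_common() if n >= threshold]

if __name__ == "__main__":
    h, b = count_post_root(SAMPLE_LOG)
    for ip, n in h.most_common():
        print(f"{ip:16} {n:6d} hits {b[ip]:10d} bytes")
    print("\n".join(csf_deny_lines(h, threshold=2)))
```

On a real server, replace SAMPLE_LOG with the contents of the access log and raise the threshold; the bytes column is the part that shows whether the "deny all" is actually reducing what goes out.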
jasgotAuthor Commented:
It appears to just be an enormous number of post requests. I'm not certain anyone has gained access.

Hundreds of IPs.

SSH is on a non-standard port and requires a password. CSF and LFD alert me to any and all SSH logins. I only see myself and one other that I expect to see.

Could it be postbacks from other sites?
0
Jason C. LevineCommented:
Could it be postbacks from other sites?

It might be some form of pingback spam or an attempt at pingback spam.  If your pingbacks are turned off, it won't directly affect the site but you still want to be able to isolate the source and block it.
0
GaryCommented:
Where are they doing the posts to? Some contact us form?
0
jasgotAuthor Commented:
The log file only shows / as what they are posting to.
You can see a log entry in the first post.
0
GaryCommented:
That example doesn't really tell us much; can you attach a sample of the server logs?
Is this an unmanaged server? Maybe your host could help.
Can you give us some samples of the IP addresses.
0
jasgotAuthor Commented:
That line in the first post is all there is in the logs, millions of them from many IPs. Dedicated server. The provider says to add more RAM. Ha! That is clearly not the answer.
0
GaryCommented:
I have to go now till tomorrow.
Really you need someone who has access to the server to go through it and see if they can find out what is going on.
If you have blocked all access then how are they getting access? The obvious answer is they have direct access to the server or they have something running on the server.
Bandwidth is usually recording the up and down, so while the server may not be accessible it doesn't stop it throwing stuff out into the world, which is eating your bandwidth.
Check what is running with top
Try killing (stopping) all services bar ssh, you could be sending out millions of emails?
Some other stuff to check.
http://garryjbs.hubpages.com/hub/Few-signs-that-your-Linux-server-has-been-hacked
I'm sure you have already gone through all these things.
0
nanharbisonCommented:
If they have added malicious code to your Wordpress files, you can overwrite all the files for the correct version of WP you are using. I just did that to get rid of code entered onto my template page of a site I manage.
0
jasgotAuthor Commented:
ISP figured out what the real POST command was even though the logs only showed "/" as the POST request.
0
jasgotAuthor Commented:
ISP figured it out.
0