jasgot asked:
Wordpress site getting attacked?

Beginning last Friday morning (5 days ago) the traffic on my WordPress site went from 500-6--k per day to 6GB per day. It actually brought the server down. Brought it down many times before we figured out what was happening.

So, to stop it from crashing the server, I used .htaccess to deny all, allow <my ip address>

Now, I am able to work with it and view logs and such.

I notice there are hundreds of thousands of:

"POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

errors in the log. I know they are there because I am denying them, but why are they POST entries? When *I* visit the site and browse around, they are all GET entries.

I disabled all the plugins, and it did not stop anything.

I run CSF LFD and I also see a lot of:
Executable:   /home/virtfs/sp/usr/libexec/openssh/sftp-server
Command Line: /usr/libexec/openssh/sftp-server
PID:          16847 (Parent PID:16845)
Killed:       Yes

in the logs. I would be the only person uploading to this cPanel account, and as it happens, I'm not... but it sure looks like someone is.
I'd sure like to get this site back online, as you can imagine. Any ideas? I'll provide additional info needed.

Jason
Gary

Have you got the IP address so you can block it?
What pages are they accessing?
They may have already hacked the server and be using it for nefarious things.
Check your logs, cron jobs.
Block all ssh access except for your ip - best to use cert authorisation. Are you using password login for ssh?
jasgot (asker)
It's many IP addresses. I am watching the logs, I am the only one logging in.
jasgot (asker)

It's interesting, though. With the deny all in the .htaccess file, they are still chewing up bandwidth.
If they have already hacked the site, the htaccess may make no difference.
How many IPs are you talking about? Could you add them to the csf.deny list?
Is the SSH secured?
You obviously know your way around Linux.
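An added example (not from the thread) of the log triage Gary is asking for: it parses combined-format access log lines of the shape quoted in the question, counts "POST /" hits per client IP and per user agent, sums the bytes served (each 200 response here carries the full page, which is where outbound bandwidth goes), and formats the heaviest IPs as csf.deny entries. The IPs and timestamps in the sample are constructed, and the hit threshold is an assumption to tune against real logs.

```python
import re
from collections import Counter

# Apache/nginx combined log format, matching the entry quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (documentation-range IPs); same shape as the line in the question.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:09:15:01 +0000] "POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [12/Mar/2014:09:15:01 +0000] "POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [12/Mar/2014:09:15:02 +0000] "POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [12/Mar/2014:09:15:02 +0000] "POST / HTTP/1.1" 200 25424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.55 - - [12/Mar/2014:09:15:03 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.55 - - [12/Mar/2014:09:15:04 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def post_flood_report(lines, path="/"):
    """Count POSTs to `path` per IP and per user agent, and total bytes served.

    Returns (posts_per_ip, posts_per_ua, bytes_sent)."""
    per_ip, per_ua, bytes_out = Counter(), Counter(), 0
    for rec in parse(lines):
        if rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]] += 1
            per_ua[rec["ua"]] += 1
            if rec["bytes"] != "-":
                bytes_out += int(rec["bytes"])
    return per_ip, per_ua, bytes_out


def csf_deny_candidates(per_ip, min_posts):
    """IPs with at least `min_posts` POSTs, as csf.deny lines (ip # comment)."""
    return [f"{ip} # POST / flood: {n} hits"
            for ip, n in per_ip.most_common() if n >= min_posts]


if __name__ == "__main__":
    ips, uas, sent = post_flood_report(SAMPLE_LOG.splitlines())
    print(f"{sent} bytes served to POST / requests")
    print("\n".join(csf_deny_candidates(ips, min_posts=2)))  # threshold is an assumption
```

On a real server, feed it `open('/path/to/access_log')` instead of the sample and compare the user-agent counter against normal GET traffic before blocking anything.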
jasgot (asker)

It appears to just be an enormous number of post requests. I'm not certain anyone has gained access.

Hundreds of IPs.

SSH is on a non-standard port and requires a password. CSF and LFD alert me to any and all SSH logins. I only see myself and one other that I expect to see.

Could it be postbacks from other sites?
Could it be postbacks from other sites?

It might be some form of pingback spam or an attempt at pingback spam. If your pingbacks are turned off, it won't directly affect the site, but you still want to be able to isolate the source and block it.
Where are they doing the posts to? Some contact-us form?
jasgot (asker)

The log file only shows "/" as what they are posting to.
You can see a log entry in the first post.
That example doesn't really tell us much; can you attach a sample of the server logs?
Is this an unmanaged server? Maybe your host could help.
Can you give us some samples of the IP addresses.
jasgot (asker)

That line in the first post is all there is in the logs, millions of them from many IPs. Dedicated server. The provider says to add more RAM. Ha! That is clearly not the answer.
I have to go now until tomorrow.
Really you need someone who has access to the server to go through it and see if they can find out what is going on.
If you have blocked all access then how are they getting access - obvious answer is they have direct access to the server or they have something running on the server.
Bandwidth is usually recorded both up and down, so while the server may not be accessible, that doesn't stop it throwing stuff out into the world, which is eating your bandwidth.
Check what is running with top
Try killing (stopping) all services bar SSH; you could be sending out millions of emails.
Some other stuff to check.
http://garryjbs.hubpages.com/hub/Few-signs-that-your-Linux-server-has-been-hacked
I'm sure you have already gone through all these things.
If they have added malicious code to your Wordpress files, you can overwrite all the files for the correct version of WP you are using. I just did that to get rid of code entered onto my template page of a site I manage.
ASKER CERTIFIED SOLUTION (jasgot)
jasgot (asker)

ISP figured it out.