  # 1735855 13-Mar-2017 16:32

I still recommend CloudFlare. It can block by country as well, blocks some exploits as soon as they become known, and accelerates your website.


Webhead

  # 1735857 13-Mar-2017 16:33

You will be fighting an uphill battle if the host itself is being hacked. If they do not keep Plesk and other systems updated, and that part of the server is hacked, it's free rein for the hackers to do what they want.

That said, if everything is good on the host, this is what I always do:

1) Lock down the site so only your own IP address has access.

2) Find files that have been infected, check when they were updated, and look through the logs to find out how the site was hacked. This also includes things like making sure there are no PHP files in the uploads directories, checking through theme files etc.

3) Remove all WordPress files and reinstall from the WordPress.org repository.

4) Remove all plugins and reinstall from the WordPress.org repository.

5) Go through the themes being used. If you have unused themes, get rid of them. If you do not know the theme you are using well, remove it and install an updated version of the theme from a trusted source.
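
As an added example (not code from the thread or from any of its posters), here is a small Python triage script for step 2 above: it walks a WordPress install, flags any file under wp-content/uploads that carries an executable PHP extension (including double extensions such as .php.jpg), and lists every file changed since a given time, newest first. The directory layout, file names and contents are a constructed fixture built in a temporary directory; on a real site you would point find_php_in_uploads and find_recently_modified at the document root instead.

```python
import os
import time
import tempfile
from pathlib import Path

# Suffixes a PHP handler would execute. Nothing under wp-content/uploads should carry one,
# even as a middle extension: "shell.php.jpg" can still run under some Apache mod_mime setups.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def find_php_in_uploads(root):
    """Return sorted paths (relative to root) of executable PHP files under wp-content/uploads."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    hits = []
    for path in uploads.rglob("*"):
        if path.is_file() and any(s.lower() in EXECUTABLE_SUFFIXES for s in path.suffixes):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def find_recently_modified(root, since_epoch):
    """Return (relative path, mtime) for every file changed at or after since_epoch, newest first.
    mtime can be reset with touch, so this is a starting point, not proof that a file is clean."""
    root = Path(root)
    recent = []
    for path in root.rglob("*"):
        if path.is_file():
            mtime = path.stat().st_mtime
            if mtime >= since_epoch:
                recent.append((path.relative_to(root).as_posix(), mtime))
    recent.sort(key=lambda item: item[1], reverse=True)
    return recent


def build_sample_install(root, now):
    """Constructed fixture (hypothetical, not a real site): three untouched files and two
    recently written uploads, one of which hides a .php behind a .jpg extension."""
    old = now - 30 * 86400
    files = {
        "wp-includes/version.php": ("<?php // core file, unchanged\n", old),
        "wp-content/themes/sample-theme/functions.php": ("<?php // theme file, unchanged\n", old),
        "wp-content/uploads/2017/03/photo.jpg": ("not really a jpeg\n", old),
        "wp-content/uploads/2017/03/shell.php": ("<?php // placeholder for a dropped file\n", now - 600),
        "wp-content/uploads/2017/03/cache.php.jpg": ("<?php // placeholder, double extension\n", now - 300),
    }
    for rel, (content, mtime) in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        os.utime(path, (mtime, mtime))


def run_demo(now=None):
    """Build the fixture in a temp dir and return (php_in_uploads, files_changed_in_last_hour)."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root, now)
        return find_php_in_uploads(root), find_recently_modified(root, now - 3600)


if __name__ == "__main__":
    php_files, recent = run_demo()
    print("PHP under uploads:", *php_files, sep="\n  ")
    print("Changed in the last hour:", *(p for p, _ in recent), sep="\n  ")
```

The modification-time list only narrows the search: an attacker who has write access can set mtime back to whatever they like, so cross-check candidates against the web server log (which is what the thread's step 2 is really about) and against a known-good backup rather than trusting timestamps alone.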
  # 1735898 13-Mar-2017 17:38

^ +1 for 1)


  # 1735967 13-Mar-2017 19:50

If the host server is getting hacked then move hosting ASAP.

I would go with a cloud VPS; the prices are so cheap, from $5 a month.


  # 1736011 13-Mar-2017 21:11

michaelmurfy:

Also check the .htaccess file as this is a common target for malware and overlooked. It honestly sounds like you're needing to find a new host if your one keeps getting owned.

.htaccess files should never exist. All this should be in the nginx or apache vhost settings; it shouldn't be set by the application. The server should be tweaked for the app.

Unfortunately this happens all too often. Why? Because people get a website made, then just leave it. Then they pay some minimum hosting fee of a couple of bucks a month, and never update it. Or install extremely poorly written plugins, which have security holes.

If you are going to put a high traffic application on the web you need to constantly update things like OpenSSL, PHP, the web server and the database. Also it's worthwhile constantly applying security updates to the host.
  # 1736167 14-Mar-2017 09:16

It's happened again!

Spam started at 9pm last night. I'm just going to build something somewhere else.


  # 1736168 14-Mar-2017 09:18

Maybe try wpengine.
  # 1736250 14-Mar-2017 11:33

jarledb:

That said, if everything is good on the host, this is what I always do:

1) Lock down the site so only your own IP address has access.

Ok, given I am on a dynamic IP and Chorus are up the road hooking up a new subdivision and my connection has dropped a couple of times in the last week, what's the best way to achieve this?

jarledb:

2) Find files that have been infected, check when they were updated, and look through the logs to find out how the site was hacked. This also includes things like making sure there are no PHP files in the uploads directories, checking through theme files etc.

I can see a POST request last night to a genuine file in the themes directory and the status code returned is 200. Immediately after that (from a different IP) there is a POST request to the wp-content dir (for what I assume is a plugin dir, but it's not a plugin we have installed) with a PHP file. About an hour later it all kicks off with multiple IPs all trying to post the same PHP file to the same directory and all receiving 200 status codes.

Is that enough to think the theme/plugin directory is the problem?

jarledb:

3) Remove all WordPress files and reinstall from the WordPress.org repository.

4) Remove all plugins and reinstall from the WordPress.org repository.

5) Go through the themes being used. If you have unused themes, get rid of them. If you do not know the theme you are using well, remove it and install an updated version of the theme from a trusted source.

This will all be done next. Thanks.
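
An added example, not from martyyn, jarledb or anyone else in the thread, of how the log pattern martyyn describes (POST requests aimed straight at PHP files under wp-content, answered with 200, first from one IP and then from a growing set of them) can be pulled out of a combined-format Apache or nginx access log with Python. The log lines below are constructed for the example using RFC 5737 documentation addresses, and the theme and plugin paths are placeholders, not the real site's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_direct_php_under_wp_content(path):
    """Normal WordPress traffic goes through index.php or wp-admin/*.php. A request aimed
    straight at a .php file inside wp-content is the pattern the thread describes."""
    return path.startswith("/wp-content/") and path.lower().endswith(".php")


def find_suspicious_posts(lines, ok_statuses=range(200, 300)):
    """Group successful POSTs to .php files under /wp-content/ by target path.
    Returns {path: {"count", "ips", "agents", "first", "last"}}."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "agents": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not is_direct_php_under_wp_content(rec["path"]) or rec["status"] not in ok_statuses:
            continue
        h = hits[rec["path"]]
        h["count"] += 1
        h["ips"].add(rec["ip"])
        h["agents"].add(rec["agent"])
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
    return dict(hits)


def report(hits):
    """Render the findings as text, targets with the most distinct source IPs first."""
    out = []
    for path, h in sorted(hits.items(), key=lambda kv: len(kv[1]["ips"]), reverse=True):
        out.append(f"{path}: {h['count']} POSTs from {len(h['ips'])} IPs, "
                   f"{h['first']:%Y-%m-%d %H:%M} to {h['last']:%Y-%m-%d %H:%M}, "
                   f"agents={sorted(h['agents'])}")
    return "\n".join(out)


# Constructed sample log (not real traffic) modelled on the sequence martyyn describes:
# one POST to a genuine theme file, then POSTs to an unknown plugin directory from several IPs.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Mar/2017:20:58:41 +1300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2017:20:59:03 +1300] "POST /wp-content/themes/sample-theme/header.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2017:20:59:05 +1300] "POST /wp-content/plugins/unknown-plugin/up.php HTTP/1.1" 200 44 "-" "python-requests/2.13.0"
203.0.113.21 - - [13/Mar/2017:21:58:12 +1300] "POST /wp-content/plugins/unknown-plugin/up.php HTTP/1.1" 200 44 "-" "curl/7.52.1"
203.0.113.33 - - [13/Mar/2017:21:58:13 +1300] "POST /wp-content/plugins/unknown-plugin/up.php HTTP/1.1" 200 44 "-" "curl/7.52.1"
198.51.100.50 - - [13/Mar/2017:22:01:00 +1300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 80 "-" "Mozilla/5.0"
203.0.113.44 - - [13/Mar/2017:22:03:30 +1300] "POST /wp-content/plugins/unknown-plugin/up.php HTTP/1.1" 404 200 "-" "curl/7.52.1"
"""

if __name__ == "__main__":
    print(report(find_suspicious_posts(SAMPLE_LOG.splitlines())))
```

The genuine theme file shows up in the output on purpose: it is the suspected entry point, and the time gap between it and the first POST to the unknown plugin directory is what you want to see. Some legitimate plugins do expose PHP endpoints that browsers call directly, so treat every hit as a lead to be checked against the installed plugin list, not as a verdict; the admin-ajax.php POST and the 404 are dropped because neither fits the pattern.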


  # 1736252 14-Mar-2017 11:36

You need to find out HOW they got in if you want to prevent them from getting in again.

First, I would set the correct permissions on all the directories. And change the database password.

I would also look at the web server access log, see what they went in for. Obviously there is a hole in a plugin or something.

Find out what it is, and update or remove it.

EDIT:

Post the access log for the time period.
  # 1736253 14-Mar-2017 11:40

I've had this happen to a couple of people's websites. In the end I scrapped the sites, moved the hosting and just remade the websites. Never had a problem again. Once was from nobody ever updating anything ever, the other times were crappy servers constantly being hacked. The cleanup is a pain and just not worth the hassle; I've found it quicker to just re-do everything elsewhere in almost every case.


Amanzi
  # 1736305 14-Mar-2017 12:44

I've sent you a PM @martyyn.


  # 1736329 14-Mar-2017 13:44

martyyn:

jarledb:

That said, if everything is good on the host, this is what I always do:

1) Lock down the site so only your own IP address has access.

Ok, given I am on a dynamic IP and Chorus are up the road hooking up a new subdivision and my connection has dropped a couple of times in the last week, what's the best way to achieve this?

VPN to your work connection and only allow connections from work.

  # 1736339 14-Mar-2017 14:11

Move to a new host for a start. Guessing you are just using the cheapest shared hosting, but not all hosting is the same. I have never encountered this problem before, but I don't use cheap hosting.


Webhead
  # 1736381 14-Mar-2017 15:49

martyyn:

jarledb:

1) Lock down the site so only your own IP address has access.

Ok, given I am on a dynamic IP and Chorus are up the road hooking up a new subdivision and my connection has dropped a couple of times in the last week, what's the best way to achieve this?

Well, either update .htaccess or the place you can restrict access every time your IP address changes. Or go the route of a VPN if you are able to.

martyyn:

I can see a POST request last night to a genuine file in the themes directory and the status code returned is 200. Immediately after that (from a different IP) there is a POST request to the wp-content dir (for what I assume is a plugin dir, but it's not a plugin we have installed) with a PHP file. About an hour later it all kicks off with multiple IPs all trying to post the same PHP file to the same directory and all receiving 200 status codes.

Is that enough to think the theme/plugin directory is the problem?

That makes me think there is either a known vulnerability in the theme you are using, or there is a backdoor injected there.

You should go through that file with a fine comb. You could download the original theme and do a diff to check the differences with your theme file vs the original, or just replace it.

There should be no need for executing PHP directly in a theme folder, so you could try to stop that happening with server rules. Mind you, if there is a backdoor, that is a band-aid on a big wound, if that is what's happened.

You can see if there are known vulnerabilities by searching for your theme at the WPScan Vulnerability Database.
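
An added example (not jarledb's code, nor anything from the theme or WordPress projects) of the diff jarledb suggests: hash every file in a pristine copy of the theme, downloaded at the same version from its trusted source, and every file in the deployed copy, then report what was added, removed and modified. The sample theme files are a constructed fixture written to a temporary directory; the file names and contents are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file (relative path, POSIX separators) under root to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_trees(pristine_dir, deployed_dir):
    """Compare a deployed theme against a pristine copy of the same version.
    Added files are where dropped backdoors usually live; modified files are where
    a loader line tends to be appended to otherwise genuine code."""
    pristine = hash_tree(pristine_dir)
    deployed = hash_tree(deployed_dir)
    common = pristine.keys() & deployed.keys()
    return {
        "added": sorted(deployed.keys() - pristine.keys()),
        "removed": sorted(pristine.keys() - deployed.keys()),
        "modified": sorted(k for k in common if pristine[k] != deployed[k]),
    }


def build_sample_pair(base):
    """Constructed fixture (hypothetical theme, not a real one): the deployed copy has one
    extra PHP file, one file with a line appended, and one file missing."""
    pristine = {
        "style.css": "/* Theme Name: Sample Theme */\n",
        "functions.php": "<?php\nadd_action('init', 'sample_init');\n",
        "header.php": "<?php // header template\n",
        "readme.txt": "sample theme readme\n",
    }
    deployed = dict(pristine)
    deployed["functions.php"] += "// placeholder for an appended loader line\n"
    deployed["wp-cache.php"] = "<?php // placeholder for a dropped file\n"
    del deployed["readme.txt"]
    for name, files in (("pristine", pristine), ("deployed", deployed)):
        for rel, content in files.items():
            path = Path(base) / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
    return Path(base) / "pristine", Path(base) / "deployed"


def run_demo():
    """Build the fixture and return the diff between the two copies."""
    with tempfile.TemporaryDirectory() as base:
        pristine, deployed = build_sample_pair(base)
        return diff_trees(pristine, deployed)


if __name__ == "__main__":
    result = run_demo()
    for kind in ("added", "modified", "removed"):
        print(f"{kind}:", *result[kind], sep="\n  ")
```

Open every added .php file first, then the modified ones. Files moved by FTP in text mode can differ only in line endings and will show as modified, so confirm each hit with a line-level diff before deciding it is an injection. A clean result here clears the theme directory only; wp-content/uploads, the plugins, and anything stored in the database still need their own checks, which is why jarledb's list reinstalls all of them.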
Amanzi
  # 1736403 14-Mar-2017 16:28

With martyyn's help, I had a look at this site. As I suspected there was malware hidden in a temp directory. For those interested, here's the identification of one of the malware files: https://www.virustotal.com/en/file/6704ee4feec361c4cf382b637313b74e5ea20e800536d4d59497ec8df004ec66/analysis/1489454473/

Though there are other valid reasons for moving away from this hosting provider, this particular malware was almost certainly installed due to an out of date WordPress version, and so it's not directly the hosting provider's fault.