Ongoing Hacking Attempts

    #13150
    David
    Participant

    Hi, I run a popular WordPress blog and I’ve been hit consistently over the past few months with the same sort of LFI and RFI attacks. I keep seeing strange URLs appearing in my site’s pagination. I’ve installed BulletProof Security, which has all the LFI and RFI code protection, but I am still seeing these URLs. I’ve checked the logs and the site is getting hit with 404 errors multiple times a minute from these attacks. So my question is: what can I do to stop these attacks from happening? I’m desperate and need help. For example:

    /page/2/?mod=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00
    http://weknowmemes.com/page/2/?show=http%3A%2F%2Fwww.google.com%2Fhumans.txt%3F

    Thanks

    #13153
    AITpro Admin
    Keymaster

    When you say pagination, what/where exactly are you talking about seeing that? Literally injected into website code/pages/pagination URLs or just logged in a log file? The Google humans.txt link and file are not something a hacker would use and it is a valid URL, so not sure what/where that is coming from. Maybe a plugin or theme coding issue/mistake?

    #13154
    AITpro Admin
    Keymaster

    Oh wait, never mind, you said these are 404 errors, so they are hacker recons/probes and not actual URLs on your site; otherwise they would not be 404 errors since they would actually exist. Nothing to worry about, so just ignore them. These types of hacker recons/probes do not affect or impact your website negatively.

    #13156
    AITpro Admin
    Keymaster

    You do have another serious problem though – your Home page is displaying a blank/white page.  You are using WP Super Cache and you need to delete your WP Super Cache cache.  This used to happen to us intermittently as well so we had to stop using WP Super Cache. We now only use this Speed Boost Cache in the link below and do not use any caching plugins.
    http://forum.ait-pro.com/forums/topic/htaccess-caching-code-speed-boost-cache-code/

    #13160
    David
    Participant

    To answer your question, no, I am not seeing any code directly injected into any PHP. I am just seeing these strange URLs being outputted through the pagination, i.e. page 1, page 2, page 3, etc. And I apologize, they are not 404 error codes I’m seeing in the logs; they are 501, 403, and 406. For example, I’m seeing 501s here:

    page/20/?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
    page/50/?page=..%2F..%2F..%2Fetc%2Fpasswd

    #13165
    AITpro Admin
    Keymaster

    Bottom line: we see 1,000s of these generic hacker recons/probes per day. They do not negatively impact anything, so you can completely ignore them. FYI – these are all Joomla hacker recons/probes. Hacking scripts are automated, so the hackerbots just try everything that is programmed into the hackerbot script. Nothing to worry about and nothing is needed on your part. Just ignore this junk.

    #13166
    David
    Participant

    But how is it being outputted so that I and my users can see these bad URLs? Is there any way to keep these URLs from being outputted in the first place? Another concern is that Google is logging about 500 of these URLs a day, so I don’t want to get dinged by Google for constantly having these errors appearing.

    #13170
    AITpro Admin
    Keymaster

    The only logical explanation is that these bad URLs are being cached by WP Super Cache. We can confirm that this does happen. That was another reason we had to stop using WP Super Cache. Our sites are obviously a target, so we get more attacks than the average website. We were manually (automated timer script that deleted cache files at 30 minute intervals) deleting WP Super Cache cache files every 30 minutes and spent a couple of months trying to figure out a solution. We never did figure out a solution, either by trying every single WP Super Cache setting option (and many different combinations of settings) or by creating our own plugin that hooked into WP Super Cache, so we removed WP Super Cache from all of our sites. The Speed Boost Cache we created works just as well without any problems whatsoever.

    What happened for us when we were using WP Super Cache is during hacker recons/probes WP Super Cache malfunctioned and created corrupt cache pages.  Normally a 404 would just bounce of course and not be cached, but something in WP Super Cache actually was page caching those hacker recons/probes and the result was either lots of blank / white pages or something very similar to what you are describing where the probe/recon was cached in those corrupted page cache files.
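
A log triage sketch for the probe requests discussed in this thread, added here as an example (it is not code from the forum, BulletProof Security or WP Super Cache). It decodes query-string values, labels traversal, null-byte and remote-URL probes, and lists the ones answered with 200, which are the responses a page cache could store. It assumes Apache combined log format; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not from the thread's site).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2014:10:00:01 +0000] "GET /page/2/?mod=..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 403 199 "-" "bot"
203.0.113.5 - - [10/Feb/2014:10:00:02 +0000] "GET /page/20/?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 501 210 "-" "bot"
203.0.113.9 - - [10/Feb/2014:10:00:03 +0000] "GET /page/2/?show=http%3A%2F%2Fexample.org%2Fx.txt%3F HTTP/1.1" 200 51234 "-" "bot"
198.51.100.7 - - [10/Feb/2014:10:00:04 +0000] "GET /page/3/?utm_source=feed HTTP/1.1" 200 50211 "-" "Mozilla/5.0"
"""

# Request target and status code from the quoted request line.
LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')

def classify(target):
    """Return the probe categories found in the decoded query values of a request target."""
    found = set()
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if "\x00" in value:                      # %00 used to truncate an appended suffix
            found.add("null-byte")
        if "../" in value or "..\\" in value:    # directory traversal (LFI-style)
            found.add("traversal")
        if re.match(r"(?i)(https?|ftp)://", value):  # full URL as a value (RFI-style)
            found.add("remote-url")
    return found

def summarize(log_text):
    """Count probes per (category, status) and list probe targets answered with 200."""
    counts, served = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        target, status = m.group(1), int(m.group(2))
        cats = classify(target)
        for cat in cats:
            counts[(cat, status)] += 1
        if cats and status == 200:
            served.append(target)  # not rejected: a page cache may have stored this URL
    return counts, served

if __name__ == "__main__":
    counts, served = summarize(SAMPLE_LOG)
    for (cat, status), n in sorted(counts.items()):
        print(f"{cat:11} {status} x{n}")
    print("answered 200:", served)
```

Probes that show up only with 403, 406 or 501 were rejected before any page was rendered; the targets in the second return value are the ones worth checking against the cache directory.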
