Ongoing Hacking Attempts

Home Forums BulletProof Security Free Ongoing Hacking Attempts

This topic contains 7 replies, has 2 voices, and was last updated by  AITpro Admin 4 years, 4 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • #13150

    David
    Participant

    Hi I run a popular wordpress blog and I’ve been hit consistently over the past few months with the same sort of LFI and RFI attacks. I keep seeing strange urls appearing in my site’s pagination. I’ve installed bulletproof security which has all the LFI and RFI code protection but I am still seeing these urls. I’ve checked the logs and the site is getting hit with 404 errors multiple times a minute from these attacks. So my question is what can I do to stop these attacks from happening.  I’m desperate and need help. For example

    /page/2/?mod=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00
    http://weknowmemes.com/page/2/?show=http%3A%2F%2Fwww.google.com%2Fhumans.txt%3F

    Thanks

    #13153

    AITpro Admin
    Keymaster

    When you say pagination what/where exactly are you talking about seeing that.  Literally injected into website code/pages/pagination URL’s or just logged in a log file? The Google humans.txt link and file are not something a hacker would use and it is a valid URL so not sure what/where that is coming from.  Maybe a plugin or theme coding issue/mistake?

    #13154

    AITpro Admin
    Keymaster

    Oh wait never mind you said these are 404 errors so they are hacker recons/probes and not actual URL’s on your site otherwise they would not be 404 errors since they would actually exist.  Nothing to worry about so just ignore them.  These types of hacker recons/probes do not affect or impact your website negatively.

    #13156

    AITpro Admin
    Keymaster

    You do have another serious problem though – your Home page is displaying a blank/white page.  You are using WP Super Cache and you need to delete your WP Super Cache cache.  This used to happen to us intermittently as well so we had to stop using WP Super Cache. We now only use this Speed Boost Cache in the link below and do not use any caching plugins.
    http://forum.ait-pro.com/forums/topic/htaccess-caching-code-speed-boost-cache-code/

    #13160

    David
    Participant

    To answer your question no I am not seeing any code directly injected into any php. I am just seeing these strange urls being outputted through the pagination. ie page 1, page 2, page 3 etc. And I apologize they are not 404 error codes I’m seeing in the logs they are:  501, 403, and 406. For example I’m seeing 501’s here

    page/20/?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
    page/50/?page=..%2F..%2F..%2Fetc%2Fpasswd
    #13165

    AITpro Admin
    Keymaster

    Bottom line.  We see 1,000’s of these generic hacker recons/probes per day.  They do not negatively impact anything so you can completely ignore them.  FYI – these are all Joomla hacker recons/probes.  Hacking scripts are automated so the hackerbots just try everything that is programmed into the hackerbot script.  Nothing to worry about and nothing is needed on your part.  Just ignore this junk.

    #13166

    David
    Participant

    But how is it being outputted so that I and my users can see these bad urls? Is there anyway from keeping these urls from being outputted in the first place? Another concern is that google is logging about 500 of these urls a day so I don’t want to get dinged from google for constantly having these errors appearing.

    #13170

    AITpro Admin
    Keymaster

    The only logical explanation is these bad urls are being cached by WP Super Cache.  We can confirm that this does happen.  That was another reason we had to stop using WP Super Cache.  Our sites are obviously a target so we get more attacks than the average website.   We were manually  (automated timer script that deleted cache files at 30 minute intervals) deleting WP Super Cache cache files every 30 minutes and spent a couple of months trying to figure out a solution.  We never did figure out a solution either by trying every single WP Super Cache setting option (and many different combinations of settings) or by creating our own plugin that hooked into WP Super Cache so we removed WP Super Cache from all of our sites.  The Speed Boost Cache we created works just as well without any problems whatsoever.

    What happened for us when we were using WP Super Cache is during hacker recons/probes WP Super Cache malfunctioned and created corrupt cache pages.  Normally a 404 would just bounce of course and not be cached, but something in WP Super Cache actually was page caching those hacker recons/probes and the result was either lots of blank / white pages or something very similar to what you are describing where the probe/recon was cached in those corrupted page cache files.

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.