442GlenwoodAvenue Posted February 21, 2017 (edited)

Well, someone has been trying to hack two of my WordPress sites for several weeks. I was getting several notices from iThemes Security. They could never get even close to the username and password. IP location showed multiple places around the world. Over the last couple of days, they started some sort of scanning for vulnerable files - again I was notified by iThemes Security. I had security set pretty high: even one 404 and they would get locked out permanently. Even two wrong guesses on username and password, and they were locked out permanently. Nonetheless, they somehow got in this morning at www.doman1.com and www.domain2.com. Fortunately, I had everything backed up with iThemes BackupBuddy (including the database), and I was back up within an hour (for one site). Problem is - if I don't know exactly how they got in, I don't know that they can't hack my site again. Therefore, I don't know where to go from here - to avoid it again?

The message left on my main page (both sites)

Edited February 22, 2017 by TCH-Bala: removed domain name from response to protect identity
TCH-Bala Posted February 22, 2017

I have removed the domain names from your responses to avoid unwanted attention to them. Please open a ticket via our help desk so that we can discuss the issue.
442GlenwoodAvenue Posted February 22, 2017 (Author, edited)

Thanks, I will turn in a ticket if they manage to hack it again. For now, I've re-installed my website using iThemes BackupBuddy (a great program), which didn't take long. Before doing that, I deleted every single file in the public_html folder to make sure a backdoor wasn't left behind. And of course, I changed my username and password again. Once my website was re-installed, I increased security even more.

Below are the logs from this morning. They are scanning for xmlrpc.php holes. I've now disabled xmlrpc in iThemes Security. I've also increased the 404 error setting to one try (before their IP is banned permanently), forcing them to use a different IP every time. You can also see they are looking for plugin weaknesses.

404 Error 2017-02-22 15:14:54 105.101.253.141 /xmlrpc.php
404 Error 2017-02-22 14:20:36 151.54.110.228 /xmlrpc.php
404 Error 2017-02-22 13:54:34 73.156.99.48 /xmlrpc.php
404 Error 2017-02-22 13:14:08 70.123.197.115 /xmlrpc.php
404 Error 2017-02-22 13:12:14 49.149.40.237 /xmlrpc.php
404 Error 2017-02-22 13:09:49 84.122.157.63 /xmlrpc.php
404 Error 2017-02-22 12:47:26 180.191.138.122 /xmlrpc.php
404 Error 2017-02-22 12:25:01 89.203.249.166 /xmlrpc.php
404 Error 2017-02-22 12:09:31 187.154.193.188 /xmlrpc.php
404 Error 2017-02-22 11:54:19 49.148.93.0 /xmlrpc.php
404 Error 2017-02-22 11:34:00 46.177.16.147 /xmlrpc.php
404 Error 2017-02-22 10:46:03 93.149.251.212 /xmlrpc.php
404 Error 2017-02-22 10:28:39 166.62.90.110 /wp-content/plugins/cherry-plugin/admin/import-export/wp-xml.php
404 Error 2017-02-22 10:20:49 116.44.82.81 /xmlrpc.php
404 Error 2017-02-22 10:02:56 114.76.133.108 /xmlrpc.php
404 Error 2017-02-22 09:46:57 104.131.54.177 /index_old.php
404 Error 2017-02-22 09:44:36 203.215.33.62 /xmlrpc.php
404 Error 2017-02-22 09:44:14 104.131.54.177 /database.php
404 Error 2017-02-22 09:43:11 104.131.54.177 /include.class.php
404 Error 2017-02-22 09:25:32 202.46.3.26 /xmlrpc.php

Edited February 22, 2017 by 442GlenwoodAvenue
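As an added example, not code from the thread or from iThemes Security, here is a small Python script that parses 404 log lines in the format quoted above, classifies each probe, and replays the "ban an IP after N 404s" rule the poster describes to show how many follow-up requests from a repeat scanner it would have stopped. The sample lines are constructed from entries quoted in the post, and the classification rules are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the "404 Error <date> <time> <ip> <path>" layout shown in the post.
SAMPLE_LOG = """\
404 Error 2017-02-22 15:14:54 105.101.253.141 /xmlrpc.php
404 Error 2017-02-22 10:28:39 166.62.90.110 /wp-content/plugins/cherry-plugin/admin/import-export/wp-xml.php
404 Error 2017-02-22 09:46:57 104.131.54.177 /index_old.php
404 Error 2017-02-22 09:44:14 104.131.54.177 /database.php
404 Error 2017-02-22 09:43:11 104.131.54.177 /include.class.php
404 Error 2017-02-22 09:25:32 202.46.3.26 /xmlrpc.php
"""

LINE_RE = re.compile(r"^404 Error (\S+) (\S+) (\S+) (\S+)$")


def classify(path):
    """Assumed probe categories matching what the poster points out in the log."""
    if path == "/xmlrpc.php":
        return "xmlrpc-probe"
    if path.startswith("/wp-content/plugins/"):
        return "plugin-probe"
    if re.search(r"(_old|database|include\.class)\.php$", path):
        return "leftover-file-probe"
    return "other"


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date, time, ip, path = m.groups()
            events.append({"ts": f"{date} {time}", "ip": ip, "path": path, "kind": classify(path)})
    return events


def summarize(events):
    """Counts of probe kinds and of 404s per source IP."""
    return {"kinds": dict(Counter(e["kind"] for e in events)),
            "per_ip": dict(Counter(e["ip"] for e in events))}


def requests_blocked_by_ban(events, ban_after=1):
    """Replay the events in time order; once an IP has hit ban_after 404s, every
    later request from it counts as blocked. Returns the number blocked."""
    seen, blocked = Counter(), 0
    for e in sorted(events, key=lambda e: e["ts"]):
        if seen[e["ip"]] >= ban_after:
            blocked += 1
        seen[e["ip"]] += 1
    return blocked
```

With the one-404 lockout the poster chose, the repeat scanner at 104.131.54.177 gets only its first probe through; the single-request xmlrpc.php hits from fresh IPs are unaffected, which is exactly why the poster expects the attacker to rotate addresses.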