
Two Of My Sites Hacked



#1 442GlenwoodAvenue


Posted 21 February 2017 - 06:15 PM

Well, someone has been trying to hack two of my WordPress sites for several weeks. I was getting several notices from iThemes Security. They could never get even close to the username and password. IP location showed multiple places around the world. Over the last couple of days, they started some sort of scanning for vulnerable files - again I was notified by iThemes Security. I had security set pretty high, even one 404 and they would get locked out permanently. Even two wrong guesses on username and password, and they were locked out permanently.

Nonetheless, they somehow got in this morning at www.doman1.com and www.domain2.com. Fortunately, I had everything backed up with iThemes Backup Buddy (including database), and I was back up within an hour (for one site).

Problem is - if I don't know exactly how they got in, I don't know that they can't hack my site again.

 

Therefore, I don't know where to go from here - to avoid it again?

 

The message left on my main page (both sites)

hacked.jpg


Edited by TCH-Bala, 21 February 2017 - 07:05 PM.
removed domain name from response to protect identity


#2 TCH-Bala


Posted 21 February 2017 - 07:10 PM

I have removed the domain names from your responses to avoid unwanted attention to them. Please open a ticket via our help desk so that we can discuss the issue.


Balakrishnan
Manager - Technical Support
TotalChoice Hosting, Inc.
http://www.totalchoicehosting.com


#3 442GlenwoodAvenue


Posted 22 February 2017 - 10:54 AM

Thanks, I will turn in a ticket if they manage to hack it again.

 

For now, I've re-installed my website using iThemes backup buddy (a great program), which didn't take long. Before doing that, I deleted every single file in the public_html folder to make sure a backdoor wasn't left behind. And of course, I changed my username and password again. Once my website was re-installed, I increased security even more. Below are the logs from this morning. They are scanning for xmlrpc.php holes. I've now disabled xmlrpc in iThemes Security. I've also increased the 404 error setting to one try (before their IP is banned permanently), forcing them to use a different IP every time. You can also see they are also looking for plugin weaknesses.

 

Type       Timestamp            IP address       Requested path
404 Error  2017-02-22 15:14:54  105.101.253.141  /xmlrpc.php
404 Error  2017-02-22 14:20:36  151.54.110.228   /xmlrpc.php
404 Error  2017-02-22 13:54:34  73.156.99.48     /xmlrpc.php
404 Error  2017-02-22 13:14:08  70.123.197.115   /xmlrpc.php
404 Error  2017-02-22 13:12:14  49.149.40.237    /xmlrpc.php
404 Error  2017-02-22 13:09:49  84.122.157.63    /xmlrpc.php
404 Error  2017-02-22 12:47:26  180.191.138.122  /xmlrpc.php
404 Error  2017-02-22 12:25:01  89.203.249.166   /xmlrpc.php
404 Error  2017-02-22 12:09:31  187.154.193.188  /xmlrpc.php
404 Error  2017-02-22 11:54:19  49.148.93.0      /xmlrpc.php
404 Error  2017-02-22 11:34:00  46.177.16.147    /xmlrpc.php
404 Error  2017-02-22 10:46:03  93.149.251.212   /xmlrpc.php
404 Error  2017-02-22 10:28:39  166.62.90.110    /wp-content/plugins/cherry-plugin/admin/import-export/wp-xml.php
404 Error  2017-02-22 10:20:49  116.44.82.81     /xmlrpc.php
404 Error  2017-02-22 10:02:56  114.76.133.108   /xmlrpc.php
404 Error  2017-02-22 09:46:57  104.131.54.177   /index_old.php
404 Error  2017-02-22 09:44:36  203.215.33.62    /xmlrpc.php
404 Error  2017-02-22 09:44:14  104.131.54.177   /database.php
404 Error  2017-02-22 09:43:11  104.131.54.177   /include.class.php
404 Error  2017-02-22 09:25:32  202.46.3.26      /xmlrpc.php


Edited by 442GlenwoodAvenue, 22 February 2017 - 11:03 AM.
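
Added example, not part of the original posts: a short Python script that groups 404 records like those in the post above by requested path and by source IP, which separates a probe spread across many addresses from a single address sweeping several file names. The one-record-per-line layout (`date time ip path`), the function names and the thresholds are assumptions made for this example; the sample records are a subset of the log in the post.

```python
from collections import defaultdict

# Subset of the 404 records from the post above, rewritten one per line
# as "date time ip path" (layout assumed for this example).
LOG = """\
2017-02-22 15:14:54 105.101.253.141 /xmlrpc.php
2017-02-22 14:20:36 151.54.110.228 /xmlrpc.php
2017-02-22 13:54:34 73.156.99.48 /xmlrpc.php
2017-02-22 10:28:39 166.62.90.110 /wp-content/plugins/cherry-plugin/admin/import-export/wp-xml.php
2017-02-22 10:20:49 116.44.82.81 /xmlrpc.php
2017-02-22 09:46:57 104.131.54.177 /index_old.php
2017-02-22 09:44:36 203.215.33.62 /xmlrpc.php
2017-02-22 09:44:14 104.131.54.177 /database.php
2017-02-22 09:43:11 104.131.54.177 /include.class.php
"""

def parse(log):
    """Yield (ip, path) for each well-formed record; skip anything else."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[2], parts[3]

def summarize(log, min_ips=3, min_paths=3):
    """Return (distributed, sweepers).

    distributed: path -> count of distinct IPs, for paths requested by
                 at least min_ips different sources
    sweepers:    ip -> sorted paths, for IPs that requested at least
                 min_paths different missing files
    """
    ips_by_path, paths_by_ip = defaultdict(set), defaultdict(set)
    for ip, path in parse(log):
        ips_by_path[path].add(ip)
        paths_by_ip[ip].add(path)
    distributed = {p: len(s) for p, s in ips_by_path.items() if len(s) >= min_ips}
    sweepers = {i: sorted(s) for i, s in paths_by_ip.items() if len(s) >= min_paths}
    return distributed, sweepers

if __name__ == "__main__":
    distributed, sweepers = summarize(LOG)
    for path, n in distributed.items():
        print(f"{path}: requested from {n} distinct IPs")
    for ip, paths in sweepers.items():
        print(f"{ip}: requested {len(paths)} different paths: {', '.join(paths)}")
```

Counting distinct sources per path surfaces the `/xmlrpc.php` probing even though each address appears only once, which a per-IP lockout counter never registers as repeated activity.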




