442GlenwoodAvenue

Two Of My Sites Hacked


Well, someone has been trying to hack two of my WordPress sites for several weeks. I was getting several notices from iThemes Security. They could never get even close to the username and password. IP location showed multiple places around the world. Over the last couple of days, they started some sort of scanning for vulnerable files - again I was notified by iThemes Security. I had security set pretty high, even one 404 and they would get locked out permanently. Even two wrong guesses on username and password, and they were locked out permanently.

 

Nonetheless, they somehow got in this morning at www.doman1.com and www.domain2.com. Fortunately, I had everything backed up with iThemes Backup Buddy (including database), and I was back up within an hour (for one site).

 

Problem is - if I don't know exactly how they got in, I don't know that they can't hack my site again.

 

Therefore, I don't know where to go from here - to avoid it again?

 

The message left on my main page (both sites)

hacked.jpg

Edited by TCH-Bala
removed domain name from response to protect identity


I have removed the domain names from your responses to avoid unwanted attention to them. Please open a ticket via our help desk so that we can discuss the issue.


Thanks, I will turn in a ticket if they manage to hack it again.

For now, I've re-installed my website using iThemes backup buddy (a great program), which didn't take long. Before doing that, I deleted every single file in the public_html folder to make sure a backdoor wasn't left behind. And of course, I changed my username and password again. Once my website was re-installed, I increased security even more. Below are the logs from this morning. They are scanning for xmlrpc.php holes. I've now disabled xmlrpc in iThemes Security. I've also increased the 404 error setting to one try (before their IP is banned permanently), forcing them to use a different IP every time. You can also see they are also looking for plugin weaknesses.

 

404 Error  2017-02-22 15:14:54  105.101.253.141  /xmlrpc.php
404 Error  2017-02-22 14:20:36  151.54.110.228  /xmlrpc.php
404 Error  2017-02-22 13:54:34  73.156.99.48  /xmlrpc.php
404 Error  2017-02-22 13:14:08  70.123.197.115  /xmlrpc.php
404 Error  2017-02-22 13:12:14  49.149.40.237  /xmlrpc.php
404 Error  2017-02-22 13:09:49  84.122.157.63  /xmlrpc.php
404 Error  2017-02-22 12:47:26  180.191.138.122  /xmlrpc.php
404 Error  2017-02-22 12:25:01  89.203.249.166  /xmlrpc.php
404 Error  2017-02-22 12:09:31  187.154.193.188  /xmlrpc.php
404 Error  2017-02-22 11:54:19  49.148.93.0  /xmlrpc.php
404 Error  2017-02-22 11:34:00  46.177.16.147  /xmlrpc.php
404 Error  2017-02-22 10:46:03  93.149.251.212  /xmlrpc.php
404 Error  2017-02-22 10:28:39  166.62.90.110  /wp-content/plugins/cherry-plugin/admin/import-export/wp-xml.php
404 Error  2017-02-22 10:20:49  116.44.82.81  /xmlrpc.php
404 Error  2017-02-22 10:02:56  114.76.133.108  /xmlrpc.php
404 Error  2017-02-22 09:46:57  104.131.54.177  /index_old.php
404 Error  2017-02-22 09:44:36  203.215.33.62  /xmlrpc.php
404 Error  2017-02-22 09:44:14  104.131.54.177  /database.php
404 Error  2017-02-22 09:43:11  104.131.54.177  /include.class.php
404 Error  2017-02-22 09:25:32  202.46.3.26  /xmlrpc.php

Edited by 442GlenwoodAvenue
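The 404 log in the post above mixes two patterns: one path requested once each from many different addresses, and one address requesting several different filenames. The following is an added example, not part of the original thread, that separates the two by grouping on path and on client address; the log text, the plugin path and the addresses (RFC 5737 documentation ranges) are constructed, and the one-entry-per-line layout and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: type, timestamp, client address, requested path.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
404 Error  2017-02-22 09:25:32  192.0.2.10     /xmlrpc.php
404 Error  2017-02-22 09:43:11  198.51.100.7   /include.class.php
404 Error  2017-02-22 09:44:14  198.51.100.7   /database.php
404 Error  2017-02-22 09:44:36  192.0.2.11     /xmlrpc.php
404 Error  2017-02-22 09:46:57  198.51.100.7   /index_old.php
404 Error  2017-02-22 10:02:56  203.0.113.5    /xmlrpc.php
404 Error  2017-02-22 10:28:39  203.0.113.80   /wp-content/plugins/example-plugin/import.php
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<kind>\d{3} Error)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<path>/\S*)$"
)

def parse(log_text):
    """Return (timestamp, ip, path) tuples; skip lines that do not match."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["ts"], m["ip"], m["path"]))
    return rows

def summarize(rows, min_sources=3, min_paths=2):
    """Split 404 activity into distributed probes and single-host scanners."""
    ips_by_path = defaultdict(set)
    paths_by_ip = defaultdict(set)
    for _, ip, path in rows:
        ips_by_path[path].add(ip)
        paths_by_ip[ip].add(path)
    # Same path requested from many addresses: a per-IP ban never sees a repeat.
    distributed = {p: len(s) for p, s in ips_by_path.items() if len(s) >= min_sources}
    # One address walking several different filenames: a file scanner.
    scanners = {ip: sorted(p) for ip, p in paths_by_ip.items() if len(p) >= min_paths}
    return distributed, scanners

if __name__ == "__main__":
    distributed, scanners = summarize(parse(SAMPLE_LOG))
    print("distributed probes:", distributed)
    print("multi-path scanners:", scanners)
```

Paths reported as distributed are candidates for blocking at the path level rather than by client address, since each address shows up only once.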
