• Hello guys

    I have a shared hosting server with many WP sites on it. One site has been hacked or at least my suspicion is that it is an SEO hack. In Google Webmaster Tools I see thousands of search queries like porno, xnxx etc. and the top pages are all like [ deleted, please don’t post those links here ] (please do not follow this URL). When I take down the site on the server everything is normal and it’s up and running fine. When I activate it again the server crashes and in the access log I can see all these requests to these search words and URLs.

    I have set up a clean installation of WP, I have removed all plugins, changed the db password, the db prefix has been changed and many other things have been done to try to prevent this attack. I have tried many Firewall plugins and malware scanning plugins but they never find anything.

    What can I do?

Viewing 7 replies - 16 through 22 (of 22 total)
  • Do you use a URL instead of Localhost in your setup?

    I think you are on to something looking at network traffic. Do you think there is enough tcp traffic on port 80 to take the server down?

    If you think that may be the issue, Google was the referrer on the two pieces of inbound traffic you have posted (both are now deleted because of content). Why not block Google as a referrer using your firewall or iptables? If you can’t easily block the referrer, just blacklist everything and whitelist one IP for testing.

    Thread Starter GretarMagg

    (@gretarmagg)

    Do you mean I should block https://www.google.com as a referrer on the server? So if someone clicks a link on Google to one of the sites on this server, the server blocks the request?

    My suggestion was for a temporary test at the server level to determine if traffic was killing the site.

    Until you rule it in or out your latest results are pointing to heavy traffic as a possible reason for the site failure. If you have other network methods of determining the traffic to the site use them.

    Hi Magg,

    Did you try restricting bots (specific to the attacks) from accessing your website using htaccess?

    This would reduce server load and block unwanted referrers:

    Here is the link:
    https://www.inmotionhosting.com/support/website/security/block-unwanted-users-from-your-site-using-htaccess

    Thread Starter GretarMagg

    (@gretarmagg)

    Marvin Labs, the link you posted opens up strangely in my browser, the text is all messed up and I can’t read anything on the page.
    I don’t know what bots I should restrict to the website. In the folder on the server I have all WP files for the site and no wp-config file (the .htaccess file is also configured to open the site up on a specific html page). When I upload the wp-config.php file to the server everything crashes and no websites are available.
    Shutting down the httpd service and removing the wp-config file, starting httpd again makes the server all right again.

    Thread Starter GretarMagg

    (@gretarmagg)

    I have set up the site on another working URL and it runs fine there.

    This is really strange. Is the URL of the site the problem here? Some outside attacks just spamming it so much that the server goes down? In my webmaster tools I can see tens of thousands of impressions of dubious search words (to say the least)…

    Thread Starter GretarMagg

    (@gretarmagg)

    Are there any suggestions on what I could try to do here? The situation now is this:

    I have set up the site on the same server with a different URL.
    In the .htaccess file I only allow my ip address to view the site.
    I set up WordFence in the WP system and blocked *google* as a referrer*. Then I removed deny all from .htaccess and WordFence blocked 243 hits on my site in just a matter of seconds. The server did not go down while this was going on.
    My server status page shows countless GET requests with different URLs with some XXX words and all related stuff.

    *My server access log shows google.com.tr and all kinds of Google URLs as a referrer with all these XXX URLs so I decided to test blocking Google.
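
The traffic question raised in the replies above (is request volume taking the server down, and which referrers does it arrive with) can be answered from the access log before blocking anything. The script below is an added example, not part of the thread; it assumes the Apache "combined" log format, and the sample lines, IP addresses and paths are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Assumption: Apache/nginx "combined" format; adjust for a custom LogFormat.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def summarize(lines):
    """Tally requests per referrer host, per client IP and per second."""
    referers, clients, per_second = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed or non-combined line
            continue
        # A referrer of "-" has no hostname and is counted as "(none)".
        referers[urlsplit(m["referer"]).hostname or "(none)"] += 1
        clients[m["ip"]] += 1
        per_second[datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")] += 1
    return {
        "referers": referers,
        "clients": clients,
        "peak_per_second": max(per_second.values(), default=0),
        "skipped": skipped,
    }

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2018:10:15:01 +0000] "GET /?s=spam-term-1 HTTP/1.1" 200 5120 "https://www.google.com.tr/" "Mozilla/5.0"
203.0.113.8 - - [12/Mar/2018:10:15:01 +0000] "GET /?s=spam-term-2 HTTP/1.1" 200 5120 "https://www.google.com.tr/search?q=x" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:10:15:01 +0000] "GET /spam-page-3 HTTP/1.1" 404 310 "https://www.google.com.tr/" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2018:10:15:02 +0000] "GET /about/ HTTP/1.1" 200 8200 "https://www.google.com/" "Mozilla/5.0"
198.51.100.21 - - [12/Mar/2018:10:15:03 +0000] "GET / HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
truncated line without the expected fields
'''.splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("peak requests/second:", report["peak_per_second"])
    for host, count in report["referers"].most_common(10):
        print(f"{count:6d}  {host}")
    for ip, count in report["clients"].most_common(10):
        print(f"{count:6d}  {ip}")
```

On a real log, a high peak rate concentrated in a few referrer hosts or client IPs points to load from that traffic, while a low rate suggests looking elsewhere for the cause of the crash.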

  • The topic ‘Hack suspicion’ is closed to new replies.