Forum Replies Created

Viewing 15 replies - 1 through 15 (of 30 total)
  • Darn, I came back here in hopes a solution had been discovered. Wasn’t someone in actual discussion with Timely? I have two sites that depended on this product so in effect are down due to a lack of updates.

    linkup

    (@linkup)

    I thought I wrote a reply here, but it is gone? Thanks to Elliott for the solution, but my free sites can’t afford $200/yr/site.

    I can implement the .htaccess commands and I can block CN and SG through CSF. I looked at Wordfence which is half the price to see if I was able to do something with their free version, but didn’t find what I think I need there.

    Thanks again!

    Thread Starter linkup

    (@linkup)

    Thanks so much Elliot. I will consider this as the last post on this message string and will use your message string instead. Unfortunately due to cost I can’t use your solution. Ultimately I hope Timely acknowledges their update caused the leak making their app a hacker target.

    Thread Starter linkup

    (@linkup)

    I don’t know where you are seeing that Sucuri report and if Sucuri thinks I have a problem, why didn’t it give me a notification or warning? When I go into the Sucuri plugin, it says “Site clean” and “not blacklisted”. Why would it report to the “world” that there was an issue, but not say something to me, even in the app itself?

    If someone chooses to run a bot that issues a command on one of your domains, that in and of itself doesn’t reflect on the server. I have now discovered a second WP install using Timely, and it too is being attacked, just at a lower frequency.

    How is it that they happened to pick Timely? Presumed problem with the plug-in?

    Thread Starter linkup

    (@linkup)

    I have both Sucuri and Wordfence installed and neither batted an eye at this intrusion. Thanks for the guide, will see what I can do.

    Thread Starter linkup

    (@linkup)

    Sample Apache lines:
    /calendar/action~oneday/exact_date~1569477600/tag_ids~1028,
    2-0 22666 0/16/471 W 0.37 134 0 5985389 0.0 0.12 23.64 182.34.27.234 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~543,156/request_format~html
    3-0 19150 0/53/610 W 0.32 740 0 4468532 0.0 2.61 28.88 117.31.184.165 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~1169,1400/request_format~ht
    4-0 22674 0/4/562 W 0.02 606 0 4516388 0.0 0.09 29.32 183.166.229.133 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~35/tag_ids~668,155,574/requ
    5-0 24612 0/6/606 W 0.02 570 0 4327162 0.0 0.10 30.43 222.220.153.241 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~80/tag_ids~780,1427,79/requ
    6-0 21411 0/18/507 W 0.11 132 0 6051656 0.0 1.47 33.14 209.188.21.14 http/1.1 roadsidenewmexico.com:80 POST /wp-cron.php?doing_wp_cron=1573412443.45667409896850585937
    7-0 21533 0/19/515 W 0.08 137 0 6033518 0.0 0.77 32.26 117.40.103.164 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~80/tag_ids~780,523,603/requ
    8-0 18002 0/129/642 W 0.54 761 0 3886465 0.0 1.76 25.57 119.85.15.251 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~35/tag_ids~489,1265,1068/re
    9-0 21412 0/76/620 W 0.49 131 0 4943816 0.0 2.94 35.29 116.21.12.22 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~oneday/exact_date~1569477600/tag_ids~917,3
    10-0 22675 0/6/544 W 0.03 616 0 4028239 0.0 0.30 27.50 27.221.154.255 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~217,990,740/request_format~

    I should mention that when trying to fix that I found a suggestion to add some text to the robots.txt file specifically to avoid Google’s bots doing this. I did that also to try and stop this.
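An added example, not code from the post or from Timely, Sucuri or Wordfence: it runs simple detection logic over the mod_status lines above (a constructed copy is embedded), grouping requests by calendar endpoint and flagging an endpoint when several distinct client addresses each request a different tag_ids/cat_ids combination, the crawl pattern visible in the sample. The endpoint naming and the min_ips threshold are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: mod_status worker lines copied from the post above, cut where the
# post itself cut them. The first line carries no client IP and is skipped by the parser.
SAMPLE = """\
/calendar/action~oneday/exact_date~1569477600/tag_ids~1028,
2-0 22666 0/16/471 W 0.37 134 0 5985389 0.0 0.12 23.64 182.34.27.234 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~543,156/request_format~html
3-0 19150 0/53/610 W 0.32 740 0 4468532 0.0 2.61 28.88 117.31.184.165 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~1169,1400/request_format~ht
4-0 22674 0/4/562 W 0.02 606 0 4516388 0.0 0.09 29.32 183.166.229.133 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~35/tag_ids~668,155,574/requ
5-0 24612 0/6/606 W 0.02 570 0 4327162 0.0 0.10 30.43 222.220.153.241 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~80/tag_ids~780,1427,79/requ
6-0 21411 0/18/507 W 0.11 132 0 6051656 0.0 1.47 33.14 209.188.21.14 http/1.1 roadsidenewmexico.com:80 POST /wp-cron.php?doing_wp_cron=1573412443.45667409896850585937
9-0 21412 0/76/620 W 0.49 131 0 4943816 0.0 2.94 35.29 116.21.12.22 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~oneday/exact_date~1569477600/tag_ids~917,3
"""
STATUS_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+(?:GET|POST|HEAD)\s+(\S+)")

def parse_status(text):
    """Yield (client_ip, request_path) from each worker line that has an IP and a verb."""
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def split_calendar_path(path):
    """'/calendar/action~agenda/tag_ids~1,2/...' -> ('calendar/agenda', {'tag_ids': '1,2'})."""
    parts = path.split("?", 1)[0].strip("/").split("/")
    endpoint, filters = parts[0], {}
    for seg in parts[1:]:
        key, sep, value = seg.partition("~")
        if key == "action":
            endpoint = f"{parts[0]}/{value}"
        elif sep:                      # segments without '~' (e.g. a truncated 'requ') are ignored
            filters[key] = value
    return endpoint, filters

def summarize(text):
    """Per endpoint: request count, distinct client IPs and distinct filter combinations."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "filters": set()})
    for ip, path in parse_status(text):
        endpoint, filters = split_calendar_path(path)
        stats[endpoint]["requests"] += 1
        stats[endpoint]["ips"].add(ip)
        stats[endpoint]["filters"].add(tuple(sorted(filters.items())))
    return {ep: {"requests": s["requests"], "ips": len(s["ips"]), "filters": len(s["filters"])}
            for ep, s in stats.items()}

def flag_filter_crawl(summary, min_ips=3):
    """Endpoints hit from >= min_ips addresses where every request used a different filter combo."""
    return sorted(ep for ep, s in summary.items()
                  if s["ips"] >= min_ips and s["filters"] == s["requests"])
```

Run it against a full `apache2ctl fullstatus` dump or a parsed access log in the same shape; the wp-cron POST stays unflagged because it comes from a single address.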

    Thread Starter linkup

    (@linkup)

    Sorry Steven, I didn’t read what you wrote thoroughly. I had written Sucuri directly and I showed you what they had to say. If JNash is correct, then Sucuri is doing what it should be doing and the key seems to nip the problem in the bud so to speak.

    Perhaps I could get some help on interpreting what the alert is saying as that could perhaps stem the tide so to speak. Maybe it is the wording being chosen that seems confusing:

    “Event: Post Update”

    The post isn’t being updated so telling me the post has been updated seems to be incorrect in the first place. In a former life I was a programmer in six languages and I always tried to make system responses as specific and as accurate as possible. For instance, in this case, maybe it should be saying “Attempted post update”, but even that puzzles me.

    Being rather stupid, I did have a contact form on the post. Is a contact form input the same as a comment from WP’s perspective? If I still want a person to be able to contact me, can that be done independently of a comment?

    I am asking this as I don’t see where they could even attempt to write a comment?

    Second, is this part of the Sucuri response: “Message: Feedback status has been changed”

    Where would they be changing feedback status? I don’t remember seeing a place for feedback to be changed? What feedback is being talked about?

    Thanks for the link to the page where it has all the comment options. The first step showed how to get down to the field to uncheck “comments allowed”; although I thought I had it disabled, it did show it was allowing it. But I didn’t see where they could attempt to leave a comment or feedback? That is, unless it was the contact form, but the contact form to me should be independent of any commenting or feedback?

    Thanks so much to both of you!

    Thread Starter linkup

    (@linkup)

    Steven, I don’t allow new user signup and I have no comments, just a single post. I wasn’t aware that a non-signed in person could even attempt to leave a comment?

    I have this enabled: Comment author must fill out name and email

    That would imply to me they couldn’t even attempt to leave a comment without leaving a name and email.

    Don’t know if it matters, but I just disabled:
    Allow people to post comments on new articles

    JNash, yes, running Akismet.

    Since I wrote that message, another Sucuri message from the same IP/Server as the previous two but a different name:

    Event: Post Update
    Website: https://rv360s.com
    IP Address: 207.189.0.94
    Reverse IP: 207.189.0.94
    Date/Time: January 24, 2019 8:47 pm
    Message: Feedback status has been changed; details: ID: 289,Old status: new,New status: spam,Title: WilliamamUrb – 2019-01-24 13:47:46

    As mentioned, Sucuri didn’t provide any help. Their first reply said something about how to change settings, like a general “macro” reply, irrelevant to my question, and then when I basically re-wrote the question and asked again, they said:

    “If you’re not the one making the changes listed by the notifications, I suggest you take action and secure your website immediately. Review it for any additional users and remove them.

    Have a happy day, ”

    I had already told them there were no other users. I thought Sucuri and Wordfence were two of the better security products. I don’t know if they were suggesting someone else’s product or ??

    Thanks!


    How can you add a plug-in when you have been locked out? It seems you need to offer a solution that allows the person to get back to the dashboard before suggesting the next step. I am locked out of my WP install and I know I didn’t log in incorrectly. I was logged in just a few days ago just fine, and today, I got that error.

    Thread Starter linkup

    (@linkup)

    Most if not all of my domains were set up with the dbase user being admin; however, all of the passwords were not ones you would guess and none were the same.

    I have yet to find how they are getting in and I routinely get hacks reported by CSF. At least the infected files are being quarantined, at least those recognized as containing malicious code. I also manually block all IPs that the hacker is connecting from which at least slows him/them down.

    I still don’t understand how, with multiple layers of security, they are able to write to and execute the PHP files.

    Thread Starter linkup

    (@linkup)

    It seems every day a new site on the server reports this problem. I think the total is close to 20 sites now, all sharing this same problem. It is still mind boggling that there isn’t more known about this issue or anyone who can fix it. I have hired two “experts” and they were clueless.

    I can’t devote this much time dealing daily with site after site falling to this problem. I will quit hosting if this can’t be resolved.

    Thread Starter linkup

    (@linkup)

    I found through the CSF dashboard that you can modify the csf.pignore file to have it ignore what Wordfence is doing, but that topic, marked as resolved, never provided suggested lines to add to csf.pignore? My hosts added a similar line for spamd, but that was a process, a cmd, not whatever it is that is causing the constant LFD errors.

    Anyone had to deal with this, anyone know what exclusions to add to the file?

    Thanks

    Thread Starter linkup

    (@linkup)

    No ideas?

    Is there a way to get the data out of the site and replace the WP files, hopefully resolving the issue? Is it possible a config file got messed with?

    Help please!

    Thread Starter linkup

    (@linkup)

    No backup….typical huh…

    Which .htaccess, main one or admin one?

    index.php is 644

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    # Wordfence WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>

    # END Wordfence WAF

    Thanks!!

    Thread Starter linkup

    (@linkup)

    I was hoping the particular thing that has happened to my site would have happened to others. In this case, the cure seems far worse than the problem.

    A harmless pop-up I can dismiss is a nuisance, but easier to close and forget vs. the many hours of work involved in the solution which may or may not work.

    Maybe someone will have had my particular issue that I didn’t see addressed at those links.

    Was speaking to a web designer the other day and he mentioned avoiding WP designs due to all these vulnerabilities. So far I still like my WP sites but wish they weren’t so easy to hack. I have taken standard precautions such as blocking admin other than via my IP.

    Thanks.
