Calling IT help

EvilDrPorkChop · 05-18-2019, 06:51 AM

I have a website. I'm pretty good with IT stuff, but websites are a bit out of my comfort zone.

Have a small business Wordpress based website. Last night got an email from the hosting company saying bandwidth was up massively. OK.

Logged in this morning and sure enough looks like we've been hacked by some Japanese spam thing. They've managed to create a few 'posts' and put a link in on a few pages. Deleted those, checked all the files, proceeded to update Wordpress to the latest version, updated all plugins. Hey presto! Thought I'd sorted it.

However i'm still getting attacks on 404. A certain IP is trying to access thousands of pages that don't exist on the site, creating 404 errors. I've tried blocking the IP but it just changes the IP and carries on. I thought the server/hosting company would just automatically block the IP on so many 404 errors from a certain IP but doesn't seem to be the cast.

I've suspended the website for now. I've gone through the site with a fine tooth comb but can't find anything out of the norm. But is there anything else I can do? or is it just a simple cast of an external attack that I cannot stop and needs to be blocked at the hosting end.

Great way to ruin a Saturday!

jimbobiggens · 05-18-2019, 07:20 AM

Is this just one ip at a time?

EvilDrPorkChop · 05-18-2019, 07:23 AM

Quote:

Originally Posted by jimbobiggens

Is this just one ip at a time?

It seems to be just a couple of IPs. I block them and then they change.

It's loads of requests a minute. I've used about 200mb bandwidth in an hour. We only usually use that in a month! On the logs they're all 404

jimbobiggens · 05-18-2019, 07:27 AM

pm'd you

SteveChester · 05-18-2019, 08:57 AM

Not sure who hosts if for you but would have thought any decent CDN/WAF would pick this up and block.

EvilDrPorkChop · 05-18-2019, 09:02 AM

So after a bit more head scratching and investigating it seems as that it's Google and Bing Bots trying to Crawl URLS that don't existing. This must have been down to the hack and them corrupting the Sitemap file.

The issue is I can't get them to stop. Robots file is on disallow, yet they still continue! You'd of thought the hosting would have just automatically blocked them when they are trying to access so many URLs that are returning a 404 error.

So i'm hoping they'll eventually stop! I've re uploaded a new sitemap to Google Analytics so i'm hoping that might ease the issue a bit.

SteveChester · 05-18-2019, 09:04 AM

Speak to your hosting company and see what they can activate WAF wise?

EvilDrPorkChop · 05-18-2019, 09:06 AM

Quote:

Originally Posted by SteveChester

Speak to your hosting company and see what they can activate WAF wise?

I've raised a ticket, but you know what they're like. Feel like a sitting duck

SteveChester · 05-18-2019, 09:08 AM

Who's it with?

EvilDrPorkChop · 05-18-2019, 09:10 AM

Some cheap indy that i've been with for years. I don't really expect much of a quick response, but they're usually pretty helpful when they do respond.

SteveChester · 05-18-2019, 09:14 AM

We use DreamHost for our Wordpress sites - dirt cheap and very good.

EvilDrPorkChop · 05-18-2019, 09:16 AM

Quote:

Originally Posted by SteveChester

We use DreamHost for our Wordpress sites - dirt cheap and very good.

I've just renewed for the year but might have to consider them next time. What panel are they using? I'm used to Cpanel.

Cero ceto · 05-19-2019, 03:39 AM

There is only one way to 100% deal with this and that’s to go back to a well known good state, this could possibly be a complete rebuild. You then need to check for vulnerabilities within the software version/code you are using before going live again. If you don’t you could find yourself back in the same state again.

EvilDrPorkChop · 05-19-2019, 03:46 AM

Quote:

Originally Posted by SSIIJAR

There is only one way to 100% deal with this and that’s to go back to a well known good state, this could possibly be a complete rebuild. You then need to check for vulnerabilities within the software version/code you are using before going live again. If you don’t you could find yourself back in the same state again.

I've done this. Restored from a backup for last year, updated and updated plug ins. This bit seems ok. I've manage to re submit a new site map to google and get it to recrawl the main index page so it isn't showing Japanese text everywhere now.

My issue is google is just crawling random urls on my site that are just return 404 errors. Pages that don't exist but it's loading the 404 page. So it's just using shed loads of bandwidth. 0.5gb over night. I've also put in the robots file to disallow crawling yet it still continues

05-18-2019, 06:51 AM	#1
EvilDrPorkChop Lieutenant Colonel 951 Rep 1,644 Posts Drives: Porsche Cayman Join Date: Jan 2011 Location: UK iTrader: (0)	Calling IT help - website! I have a website. I'm pretty good with IT stuff, but websites are a bit out of my comfort zone. Have a small business Wordpress based website. Last night got an email from the hosting company saying bandwidth was up massively. OK. Logged in this morning and sure enough looks like we've been hacked by some Japanese spam thing. They've managed to create a few 'posts' and put a link in on a few pages. Deleted those, checked all the files, proceeded to update Wordpress to the latest version, updated all plugins. Hey presto! Thought I'd sorted it. However i'm still getting attacks on 404. A certain IP is trying to access thousands of pages that don't exist on the site, creating 404 errors. I've tried blocking the IP but it just changes the IP and carries on. I thought the server/hosting company would just automatically block the IP on so many 404 errors from a certain IP but doesn't seem to be the cast. I've suspended the website for now. I've gone through the site with a fine tooth comb but can't find anything out of the norm. But is there anything else I can do? or is it just a simple cast of an external attack that I cannot stop and needs to be blocked at the hosting end. Great way to ruin a Saturday!
	Appreciate 0 Tweet Quote

05-18-2019, 07:20 AM	#2
jimbobiggens Lieutenant 839 Rep 440 Posts Drives: 2013 335i xDrive Join Date: Nov 2018 Location: jackson tn iTrader: (0) Garage List 2013 335i xDrive [0.00]	Is this just one ip at a time? __________________ I'm not completely useless, I can be used as a bad example.
	Appreciate 0 Quote

05-18-2019, 07:27 AM	#4
jimbobiggens Lieutenant 839 Rep 440 Posts Drives: 2013 335i xDrive Join Date: Nov 2018 Location: jackson tn iTrader: (0) Garage List 2013 335i xDrive [0.00]	pm'd you __________________ I'm not completely useless, I can be used as a bad example.
	Appreciate 0 Quote

05-18-2019, 08:57 AM	#5
SteveChester Brigadier General 2472 Rep 4,653 Posts Drives: F82 M4 Join Date: Oct 2009 Location: Chester iTrader: (0) Garage List 2014 BMW F82 M4 [0.00]	Not sure who hosts if for you but would have thought any decent CDN/WAF would pick this up and block. __________________ Steve Roberts UK F82 M4 I'm running the 2024 London Marathon for the British Forces Foundation - https://www.justgiving.com/fundraising/sr5/
	Appreciate 0 Quote

05-18-2019, 09:02 AM	#6
EvilDrPorkChop Lieutenant Colonel 951 Rep 1,644 Posts Drives: Porsche Cayman Join Date: Jan 2011 Location: UK iTrader: (0)	So after a bit more head scratching and investigating it seems as that it's Google and Bing Bots trying to Crawl URLS that don't existing. This must have been down to the hack and them corrupting the Sitemap file. The issue is I can't get them to stop. Robots file is on disallow, yet they still continue! You'd of thought the hosting would have just automatically blocked them when they are trying to access so many URLs that are returning a 404 error. So i'm hoping they'll eventually stop! I've re uploaded a new sitemap to Google Analytics so i'm hoping that might ease the issue a bit.
	Appreciate 0 Quote

05-18-2019, 09:04 AM	#7
SteveChester Brigadier General 2472 Rep 4,653 Posts Drives: F82 M4 Join Date: Oct 2009 Location: Chester iTrader: (0) Garage List 2014 BMW F82 M4 [0.00]	Speak to your hosting company and see what they can activate WAF wise? __________________ Steve Roberts UK F82 M4 I'm running the 2024 London Marathon for the British Forces Foundation - https://www.justgiving.com/fundraising/sr5/
	Appreciate 0 Quote

05-18-2019, 09:08 AM	#9
SteveChester Brigadier General 2472 Rep 4,653 Posts Drives: F82 M4 Join Date: Oct 2009 Location: Chester iTrader: (0) Garage List 2014 BMW F82 M4 [0.00]	Who's it with? __________________ Steve Roberts UK F82 M4 I'm running the 2024 London Marathon for the British Forces Foundation - https://www.justgiving.com/fundraising/sr5/
	Appreciate 0 Quote

05-18-2019, 09:10 AM	#10
EvilDrPorkChop Lieutenant Colonel 951 Rep 1,644 Posts Drives: Porsche Cayman Join Date: Jan 2011 Location: UK iTrader: (0)	Some cheap indy that i've been with for years. I don't really expect much of a quick response, but they're usually pretty helpful when they do respond.
	Appreciate 0 Quote

05-18-2019, 09:14 AM	#11
SteveChester Brigadier General 2472 Rep 4,653 Posts Drives: F82 M4 Join Date: Oct 2009 Location: Chester iTrader: (0) Garage List 2014 BMW F82 M4 [0.00]	We use DreamHost for our Wordpress sites - dirt cheap and very good. __________________ Steve Roberts UK F82 M4 I'm running the 2024 London Marathon for the British Forces Foundation - https://www.justgiving.com/fundraising/sr5/
	Appreciate 1 EvilDrPorkChop950.50 Quote

05-19-2019, 03:39 AM	#13
Cero ceto First Lieutenant 86 Rep 381 Posts Drives: 335d M Sport+ Join Date: Nov 2013 Location: Huntingdon iTrader: (0)	There is only one way to 100% deal with this and that’s to go back to a well known good state, this could possibly be a complete rebuild. You then need to check for vulnerabilities within the software version/code you are using before going live again. If you don’t you could find yourself back in the same state again.
	Appreciate 1 EvilDrPorkChop950.50 Quote