What to do about a constant hacking script eating away at resources?

13 replies
Dear Warriors,

One of my websites for the last couple of months has been under a sustained hacking attack with fresh ip proxies used so its impossible to keep up with blocking IP's manually...

When checking cpanel log you can see that its just going around and around in circles with attempting to hack wp-admin (as well as checking for other platform files like .Net, aspx etc) ... Luckily they are unable to do anything as I have hardened up WP..

But its eating away at web resources... About 50% of the IPs are coming in from China, so I am tempted to block everything from China, but other than that it would be better if a more robust solution can be identified as if this is scaled up its going end up being a DOS attack... Looking at the logs its obvious you can tell the difference between a real person and a scripted call for e.g. calling a web page will also show image, css files etc.. But for the script you only see a one liner in the log file for the page and ip...So there must be something out there... The web host are unable to do anything either, the advice given is to wait it out....

Appreciate any ideas, advice on this....
#constant #eating #hacking #hacking attempts #resources #script #server resources
  • Profile picture of the author jamie3000
    http://systembash.com/content/how-to...h-mod_evasive/

    might be what you're after...or give you some ideas...
    Signature

    I make FREE SEO/IM Software at www.SupaGrowth.com
    PBN Hunter / Expired Tumblr Hunters / Backlink Finders and more all 100% FREE.

    {{ DiscussionBoard.errors[9646553].message }}
    • Profile picture of the author elcidofaguy
      Originally Posted by jamie3000 View Post

      http://systembash.com/content/how-to...h-mod_evasive/

      might be what you're after...or give you some ideas...
      Thanks for that... I had a quick read and for sure its heading in the right direction... As the article states its a basic defense measure... The problem is that the IPs are changing rapidly for each call as it loops through.... So attempting to block after the first call is not going to help as its moved onto another one...
      Signature
      Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
      {{ DiscussionBoard.errors[9646682].message }}
  • Profile picture of the author Lightlysalted
    jamie3000 that is really really useful, just used this resource myself massive thanks
    {{ DiscussionBoard.errors[9646676].message }}
  • Profile picture of the author elcidofaguy
    I think I might finally give cloudflare ago... According to their website the free a/c has broad security protection... Also note after setup the visitor IPs shown on your own server is that of clouldfare IP so I'll need to use their wp plugin to correct that... But perhaps when the name server points to cloudflare which then redirects to my site that this BS hack attack will stop ending up on my web server with using the free plan... Anybody used this a successful approach to filter this out? Any other ideas??
    Signature
    Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
    {{ DiscussionBoard.errors[9646875].message }}
    • Profile picture of the author rhinocl
      Perhaps something like this might help:

      https://www.funcaptcha.co/demo/
      {{ DiscussionBoard.errors[9646947].message }}
      • Profile picture of the author elcidofaguy
        Originally Posted by rhinocl View Post

        Perhaps something like this might help:

        https://www.funcaptcha.co/demo/
        Really appreciate that... Unfortunately my problem relates to attempted hacking and not spam commenting which for many is another problem... That said it looks interesting and kinda fun lol... I'm tempted to try it out with that in mind ;-) Really wish they also had an answer like that for hacking attacks....
        Signature
        Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
        {{ DiscussionBoard.errors[9646976].message }}
  • Profile picture of the author spearce000
    Get onto your hosting company. If you're on shared hosting, it might be that the hackers are attempting to get in via a hijacked script on another account.
    Signature
    WordPress Security Clampdown – was just for the War Room, now available to all Warriors. Protect your WordPress site from hackers. No opt-in required.
    {{ DiscussionBoard.errors[9647164].message }}
    • Profile picture of the author elcidofaguy
      I've had a long chat with the hosting provider and they cannot do nothing but endorse the use of a CDN like cloudflare... as well as the other steps I've taken on the server wrt htaccess...

      I set it up which was easy re cloudflares free plan.. and found that as the hosting company does not have a partnership with cloudflare so all ip's within control panel log is showing that it comes from cloudflare (they wont install the necessary script to fix that)... and the cloudflare wp plugin does not seem to work they way I expected?

      [Edit Note]: Ips for crawlers like G are passed through.

      Suffice to say the setup is not working at medium security settings within cloudflare so i've set it to max... so lets see... It also seems the website is slightly slower but according to their website it should be faster.... mmmm.... could still work... I'm going to speak to the cloudflare support folks to see what is up when i get time... I wont be surprised if they recommend the paid plan lol.... Any other ideas/suggestions will be most welcomed...
      Signature
      Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
      {{ DiscussionBoard.errors[9647558].message }}
      • Profile picture of the author rhinocl
        I don't think any of the cloud systems hit their promised speed up targets on a consistent basis. I would suggest though that you try the free plan at Inacpsula. I have had some satisfaction there.
        {{ DiscussionBoard.errors[9647638].message }}
      • Profile picture of the author damoncloudflare
        "I set it up which was easy re cloudflares free plan.. and found that as the hosting company does not have a partnership with cloudflare so all ip's within control panel log is showing that it comes from cloudflare (they wont install the necessary script to fix that)... and the cloudflare wp plugin does not seem to work they way I expected? "

        The server logs need something like mod_cloudflare to restore the visitor IP. The plugin is only going to work for the WordPress application level.


        "Suffice to say the setup is not working at medium security settings within cloudflare so i've set it to max... so lets see... It also seems the website is slightly slower but according to their website it should be faster.... mmmm.... could still work... I'm going to speak to the cloudflare support folks to see what is up when i get time... I wont be surprised if they recommend the paid plan lol.... Any other ideas/suggestions will be most welcomed."

        The basic security option in the free account is based on IP reputation from our data sources. If the IPs attacking you are not in those sources, then a challenge won't work (the paid plan does have a Web Application Firewall that can help).

        "Website does not work 100% with IE (drop down menus and full width slider)... Works as per normal on firefox, chrome and on my mobile... So I may need to revise website if I decide to continue with use of this CDN."

        This is probably an issue with Rocket Loader.

        "t seems when I switch between under attack and back to high - baiduspider makes an appearance... Reading up on baiduspider it seems it does not respect robots.txt when blocking it and there are a few complaints of it being a spam bot lol... Is it related?? - who knows....? So I think I'm going to block all IPs from that particular country ..... I may also give Inacpsula a try as I've got this far I guess I should compare the two...
        "

        Do you need or want traffic from China? You could consider blocking China in CloudFlare's Threat Control panel, which would present a challenge page to visitors from that region (highly effective at stopping most automated bots & it sounds like you're getting hit by automated bots).

        Also:
        Something like getclef.com or BruteProtect might help as well.
        Signature
        {{ DiscussionBoard.errors[9653614].message }}
  • Profile picture of the author elcidofaguy
    Okay here is a quick read out hoping that my experience with this might help others....

    I've set it to "I'm under attack mode" - and indeed this for sure stops it... Web page loads with a 5 second one time scan to verify that it is a human... looks like its the job when you are under a DDOS attack. So that's a very cool feature.

    When using the high security profile setting - I see a number of the hacking routines filtered out but not all.... so it almost passes...

    Website does not work 100% with IE (drop down menus and full width slider)... Works as per normal on firefox, chrome and on my mobile... So I may need to revise website if I decide to continue with use of this CDN.

    [Edit Note] - Works on all browsers! With IE, javascript was disabled from a non related test.. So no need to revise website design code etc. In addition for "under attack mode" web browser must have javascript enabled in order to view website....


    Finally this is the weird thing.... I also keep seeing baiduspider bot in my logs...

    It seems when I switch between under attack and back to high - baiduspider makes an appearance... Reading up on baiduspider it seems it does not respect robots.txt when blocking it and there are a few complaints of it being a spam bot lol... Is it related?? - who knows....? So I think I'm going to block all IPs from that particular country ..... I may also give Inacpsula a try as I've got this far I guess I should compare the two...

    Anyone have issues with baiduspider spam lol?
    Signature
    Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
    {{ DiscussionBoard.errors[9647717].message }}
  • Profile picture of the author jezter6
    I've since started blocking most countries where there's a 95+% chance they're not there to read my content or buy anything.

    I need to find a plugin or something that allows whitelisting some countries instead of having to manually block 30+ countries each time.
    {{ DiscussionBoard.errors[9647744].message }}
  • Profile picture of the author elcidofaguy
    Damoncloudflare - thanks for your inputs and recommendations...!!! Will for sure look into your other suggestions... So far its all good... I've blocked countries, website looks good and performs well under different browsers (on one I forget to enable javascript so its okay)...

    Only thing my web host will not allow installation of mod_cloudflare - but perhaps in a future version of cloudflare that option can be provided within the settings area... WP plugin works with testing geo redirects on IP... Checked my other webhosts and happy to see most have partnered up with cloudflare so that is cool.... For me I think its is awesome that there is a free account available.... So credit where it's due.....
    Signature
    Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
    {{ DiscussionBoard.errors[9654941].message }}

Trending Topics