• Resolved rubjm9

    (@rubjm9)


    [Moved to How To & Troubleshooting. This has nothing to do with code hacks.]

    Hello.

    What happened
    I have been hacked, I’m not really sure of how.
    I got code with URLs injected into my header, footer and other places, as well as a few files with HTML and scripts, one of them called ctioVp.php. The site was extremely slowed down at times, and wouldn’t even work some other times.

    My host alerted me that my site was abusing the use of the server (it was the hack, obviously) and blocked my site. After locating the code and files and deleting everything, my site was back up.

    What is happening now
    With the site published again, I have installed the plugin Wordfence, which allows me to monitor live traffic.

    I currently have tens of incoming calls from different IPs from random countries in the world (India, Sri Lanka, USA, Australia, Italy, Spain, UK, China and so on) trying to access the URLs of the files that do not exist anymore. I have been manually blocking these IPs, and in an afternoon I blocked over 150.

    Then I set a Wordfence filter to block (for 24h) any IP that gets over two 404 errors per minute. I did that overnight and in the morning I had alerts of 300 IPs blocked, and they keep coming. Some of these blocked IPs have tried accessing 60-80 times again.

    What I’m looking for
    I’m looking for a way of directly denying the attempt or blocking any IP that attempts to access any of the URLs of these deleted files. I don’t know if once the files are deleted, these attempts of attack affect in any way the site’s stability, but if I could avoid it, given that I know how they target, it would be perfect.

    Any thoughts?

Viewing 5 replies - 1 through 5 (of 5 total)
  • One possible way is to set up Cloudflare, and if you have cPanel hosting, most likely the option is already there. Their free option is amazing, and is great to secure and speed up your site.

    Thread Starter rubjm9

    (@rubjm9)

    I’ve just installed Cloudflare to check your suggestion, but it doesn’t seem to let me block IPs by URL attempted, only if I directly write an IP. My problem is that there are hundreds of different IPs pointing to those infected files…

    My host told me that they cannot do that because I am not on a dedicated server, but a shared one. On the other hand, they say that as long as the files don’t exist, nothing would happen… but I don’t like the idea of hundreds of connection attempts per hour made by hackers…

    Give Cloudflare a chance first. It will probably start knocking back many of those IPs automatically.

    Thread Starter rubjm9

    (@rubjm9)

    Thanks Esmi and Viktor for suggesting Cloudflare. I have been trying to use it these days, but I am still getting hundreds of IPs connecting to these URLs where the malicious files were. Each of them loads the page with the 404 error, so that is some bandwidth that is being taken.

    CloudFlare support suggested that I set a “cache everything” filter on those URLs, but I still see these IPs through the “live traffic” tool of WordFence.

    Thread Starter rubjm9

    (@rubjm9)

    It seems to work fine now, I did the “cache everything” option in CloudFlare. Thanks for the advice! (:

  • The topic ‘Hacked site, how to block IPs by URL accessed’ is closed to new replies.
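
The question in this thread, finding every client that requests the removed files regardless of its IP, can also be answered from the web server's access log. The following is an added example, not part of the original thread: it assumes the host exposes logs in the common/combined format, matches on the file name `ctioVp.php` from the first post (its directory is not given), and runs on constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# File names of the removed malicious files. Only ctioVp.php is named in the
# thread; add the others you deleted. Compared lower-cased, so probes with a
# different letter case are counted as well.
REMOVED_FILES = {"ctiovp.php"}

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def requested_file(target):
    """Return the lower-cased file name a request target points at."""
    path = unquote(urlsplit(target).path)  # drop ?query, decode %xx escapes
    return path.rstrip("/").rsplit("/", 1)[-1].lower()

def offenders(lines, removed=REMOVED_FILES, min_hits=1):
    """Map client IP -> number of requests for any removed file."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and requested_file(m.group(3)) in removed:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample log lines (documentation IP ranges), not from the thread.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:06:25:01 +0000] "GET /wp-content/ctioVp.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:06:25:09 +0000] "POST /ctioVp.php?a=1 HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.23 - - [01/Jan/2024:06:26:40 +0000] "GET /%63tioVp.php HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:06:27:02 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:06:27:03 +0000] "GET /missing.png HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Most active clients first; ordinary 404s such as /missing.png are ignored.
    for ip, count in sorted(offenders(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(ip, count)
```

Unlike a rule based on the 404 rate, this flags a client on its first request for a removed file and ignores visitors who merely hit an ordinary broken link.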