• Resolved resomanager44

    (@resomanager44)


    Hello,

    I just noticed something strange on my website logs, but I don’t understand what I should do with it, and if this is even a danger for my website.

    Can you please help me ?

    Here is the full log of these errors :
    87.98.128.205 – – [10/Sep/2017:04:45:43 +0200] “POST /wp-cron.php?d45c21e52886e030f5de531114604943&action=wysija_cron&process=queue,bounce&silent=1 HTTP/1.1” 200 20
    87.98.128.205 – – [10/Sep/2017:04:45:43 +0200] “POST /wp-cron.php?d45c21e52886e030f5de531114604943&action=wysija_cron&process=queue,bounce&silent=1 HTTP/1.1” 200 20
    87.98.128.205 – – [10/Sep/2017:04:45:43 +0200] “POST /wp-cron.php?d45c21e52886e030f5de531114604943&action=wysija_cron&process=queue,bounce&silent=1 HTTP/1.1” 200 20
    87.98.128.205 – – [10/Sep/2017:04:45:43 +0200] “POST /wp-cron.php?d45c21e52886e030f5de531114604943&action=wysija_cron&process=queue,bounce&silent=1 HTTP/1.1” 200 20
    87.98.128.205 – – [10/Sep/2017:04:45:43 +0200] “POST /wp-cron.php?d45c21e52886e030f5de531114604943&action=wysija_cron&process=queue,bounce&silent=1 HTTP/1.1” 200 20
    185.75.141.32 – – [10/Sep/2017:04:45:43 +0200] “GET /?email_id=13&user_id=544&urlpassed=W3a3ivcJa1jtXpavd3wb1ijnmJ&controller=stats&hash=5c05486ce0f93bf75e805865ee16cf55&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:43 +0200] “GET /?email_id=13&user_id=344&urlpassed=W3xXyV1bdVGvdfaXVfy1mibcivX&controller=stats&hash=24225dd1f561950f5199c1ba4daab19b&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:43 +0200] “GET /?email_id=13&user_id=418&urlpassed=RGVR3LDJ5DbndNdF9a2NWW9XVQovpcyJaDR&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=281&urlpassed=fQruyHdlunNcpDr9QlvsurG23srfdfs0u&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:43 +0200] “GET /?email_id=13&user_id=352&urlpassed=2LclvuHaRHYGyLxunfcIpypra5bVcRbHursGofJlJ&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=344&urlpassed=W3xXyV1bdVGvdfaXVfy1mibcivX&controller=stats&hash=24225dd1f561950f5199c1ba4daab19b&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=544&urlpassed=W3a3ivcJa1jtXpavd3wb1ijnmJ&controller=stats&hash=5c05486ce0f93bf75e805865ee16cf55&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=418&urlpassed=RGVR3LDJ5DbndNdF9a2NWW9XVQovpcyJaDR&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=352&urlpassed=2LclvuHaRHYGyLxunfcIpypra5bVcRbHursGofJlJ&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=344&urlpassed=W3xXyV1bdVGvdfaXVfy1mibcivX&controller=stats&hash=24225dd1f561950f5199c1ba4daab19b&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=544&urlpassed=W3a3ivcJa1jtXpavd3wb1ijnmJ&controller=stats&hash=5c05486ce0f93bf75e805865ee16cf55&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=418&urlpassed=RGVR3LDJ5DbndNdF9a2NWW9XVQovpcyJaDR&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=352&urlpassed=2LclvuHaRHYGyLxunfcIpypra5bVcRbHursGofJlJ&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:43 +0200] “GET /?email_id=13&user_id=882&urlpassed=W3nWYbWuwYWVNYpYjf12mlu3&controller=stats&hash=c07c6d2b6008639e584f39fd5fb24f71&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:45 +0200] “GET /?email_id=13&user_id=882&urlpassed=W3nWYbWuwYWVNYpYjf12mlu3&controller=stats&hash=c07c6d2b6008639e584f39fd5fb24f71&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:45 +0200] “GET /?email_id=13&user_id=882&urlpassed=W3nWYbWuwYWVNYpYjf12mlu3&controller=stats&hash=c07c6d2b6008639e584f39fd5fb24f71&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:45 +0200] “GET /?email_id=13&user_id=885&urlpassed=NXaXQlVolIx5pYI3VQXv3GY9vbRFpDpHD4GJ&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:45 +0200] “GET /?email_id=13&user_id=444&urlpassed=W3VbJbxXcn1apwnvuyWlXdWy&controller=stats&hash=337dbeb298319089417f6e57adaa7790&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:45 +0200] “GET /?email_id=13&user_id=444&urlpassed=W3VbJbxXcn1apwnvuyWlXdWy&controller=stats&hash=337dbeb298319089417f6e57adaa7790&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:45 +0200] “GET /?email_id=13&user_id=444&urlpassed=W3VbJbxXcn1apwnvuyWlXdWy&controller=stats&hash=337dbeb298319089417f6e57adaa7790&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:46 +0200] “GET /?email_id=13&user_id=114&urlpassed=W3Xx3x130bbl0uWGmfcVbltyN2b&controller=stats&hash=dcc1614bfc4478f9b8e29d50a4dd26b0&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:46 +0200] “GET /?email_id=13&user_id=114&urlpassed=W3Xx3x130bbl0uWGmfcVbltyN2b&controller=stats&hash=dcc1614bfc4478f9b8e29d50a4dd26b0&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:46 +0200] “GET /?email_id=13&user_id=114&urlpassed=W3Xx3x130bbl0uWGmfcVbltyN2b&controller=stats&hash=dcc1614bfc4478f9b8e29d50a4dd26b0&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:48 +0200] “GET /?email_id=13&user_id=111&urlpassed=W3yWppdvX2Y0fdxJujcmXYuatbc&controller=stats&hash=e648e1e186257d5b351bdb5bf55032bb&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:48 +0200] “GET /?email_id=13&user_id=111&urlpassed=W3yWppdvX2Y0fdxJujcmXYuatbc&controller=stats&hash=e648e1e186257d5b351bdb5bf55032bb&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:48 +0200] “GET /?email_id=13&user_id=111&urlpassed=W3yWppdvX2Y0fdxJujcmXYuatbc&controller=stats&hash=e648e1e186257d5b351bdb5bf55032bb&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    87.98.128.205 – – [10/Sep/2017:04:45:44 +0200] “POST /wp-cron.php?doing_wp_cron=1505011544.0804090499877929687500 HTTP/1.1” 200 20
    185.75.141.32 – – [10/Sep/2017:04:45:50 +0200] “GET /?email_id=13&user_id=583&urlpassed=3F2HynrJF5JNfuxFIYVFlIfVonH3LdZJfd0FZ3L4fYyH&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    92.103.69.158 – – [10/Sep/2017:04:45:50 +0200] “GET /?email_id=13&user_id=583&urlpassed=3F2HynrJF5JNfuxFIYVFlIfVonH3LdZJfd0FZ3L4fYyH&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:50 +0200] “GET /?email_id=13&user_id=583&urlpassed=3F2HynrJF5JNfuxFIYVFlIfVonH3LdZJfd0FZ3L4fYyH&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
    185.75.141.32 – – [10/Sep/2017:04:45:51 +0200] “GET /?email_id=13&user_id=312&urlpassed=IxrycdQcuc9bZrGnNy0DJRZ3lWRbrI5y5IXNFYQrrLoyHu&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243

Viewing 8 replies - 1 through 8 (of 8 total)
  • Same here.
    Several of our websites running MailPoet were hacked and reported hacked by Google crawl since the last update to v.3

    FIX: Run the very helpful plugin Anti-Malware from GOTMLS.NET to clean all

    Then, I located the culprit as rosoiew.zip
    (perhaps uploaded via mailpoet folders)
    and deleted it and all its offspring, like /root/www/rosoiew/
    as well as various other number/letter named files

    GOTMLS.NET also found fake .htaccess and function.php (and other php) files,
    which need to be promptly deleted via FTP or shell access

    Finally, run GOTMLS.NET again to confirm your website is clean

    MailPoet please recheck your last distro for backdoors please

    • This reply was modified 7 years, 6 months ago by bibliata.

    Hello @resomanager44,

    Thank you for the question.
    The log you shared is just an access log, containing information about which IP addresses requested certain addresses from your server.
    The entries tell you two things:
    1) That the MailPoet cron system is running, which helps your server more reliably send out your newsletters;
    2) That click tracking is enabled, allowing MailPoet 2 to collect statistics for your emails.

    It is great that you care about your setup! In this case this is expected in normal operation.

    I hope that answers your question.

    Best regards,
    MailPoet Team.

    @bibliata

    If you are using MailPoet 3, could you please get in touch with us directly via the blue question mark button on MailPoet 3 pages?
    We would like to know more about your case. Thanks!

    Best regards,
    MailPoet Team.
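The two request families named in the reply above (MailPoet cron and click tracking) can be separated mechanically. The following is an added example, not part of the original thread and not MailPoet's code: a Python triage of access-log lines by the URL patterns visible in the posted log, which also reports the busiest 8-second burst and any tracking link fetched from more than one address. The sample lines, IP addresses and tokens are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the thread's log format (documentation IPs, made-up tokens).
SAMPLE_LOG = '''\
192.0.2.10 - - [10/Sep/2017:04:45:43 +0200] "POST /wp-cron.php?0123abcd&action=wysija_cron&process=queue,bounce&silent=1 HTTP/1.1" 200 20
198.51.100.7 - - [10/Sep/2017:04:45:43 +0200] "GET /?email_id=13&user_id=101&urlpassed=AAAA&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1" 302 243
203.0.113.5 – – [10/Sep/2017:04:45:44 +0200] “GET /?email_id=13&user_id=101&urlpassed=AAAA&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1” 302 243
198.51.100.7 - - [10/Sep/2017:04:45:50 +0200] "GET /?email_id=13&user_id=102&urlpassed=BBBB&controller=stats&action=analyse&wysija-page=1&wysijap=subscriptions HTTP/1.1" 302 243
192.0.2.10 - - [10/Sep/2017:04:45:52 +0200] "POST /wp-cron.php?doing_wp_cron=1505011552.08 HTTP/1.1" 200 20
198.51.100.7 - - [10/Sep/2017:04:46:30 +0200] "GET /wp-login.php HTTP/1.1" 200 1500
'''

# Accepts straight quotes/hyphens and the curly ones a forum paste produces.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ["“]\S+ (\S+)[^"”]*["”] \d{3}')

def classify(target):
    """Label one request target using only the URL patterns visible in the thread."""
    url = urlsplit(target)
    q = parse_qs(url.query)
    if url.path == "/wp-cron.php":
        if q.get("action") == ["wysija_cron"]:
            return "mailpoet_cron"
        return "wp_cron" if "doing_wp_cron" in q else "other"
    if q.get("controller") == ["stats"] and q.get("action") == ["analyse"]:
        return "click_tracking"
    return "other"

def triage(log_text, window=8):
    """Return per-class counts, the busiest `window`-second burst, and shared links."""
    counts, times, link_ips = Counter(), [], defaultdict(set)
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, ts, target = m.groups()
        kind = classify(target)
        counts[kind] += 1
        times.append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        if kind == "click_tracking":
            q = parse_qs(urlsplit(target).query)
            link_ips[(q.get("user_id", [""])[0], q.get("urlpassed", [""])[0])].add(ip)
    times.sort()
    burst = max((sum((t - t0).total_seconds() < window for t in times[i:])
                 for i, t0 in enumerate(times)), default=0)
    shared = {k: sorted(v) for k, v in link_ips.items() if len(v) > 1}
    return counts, burst, shared

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Requests that land in `other` are the ones worth reading by hand; the classes only reflect URL shape and say nothing about who sent the request.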

    Thread Starter resomanager44

    (@resomanager44)

    Hello,

    My website provider is fine with the CRON task, but told me our server is getting 30 consecutive requests under 8 seconds, from various IP addresses (one being on the z-telecom network, from Switzerland).

    Is this normal ? If so, can’t I choose how many requests Wysija is sending ?

    Here are the SQL errors generated by these requests :

    Sep 7 10:08:48 web14 apache2: Erreur de la base de donn??es WordPress Illegal mix of collations (utf8_general_ci,IMPLICIT) and (utf8mb4_unicode_ci,COERCIBLE) for operation '=' pour la requ?ate SELECT * FROMwp_wysija_urlWHERE url="[v?μee#031W#011 ÷?kv#006U?a" ORDER BY url_id DESC LIMIT 0 , 1 faite par require('wp-blog-header.php'), require_once('wp-load.php'), require_once('wp-config.php'), require_once('wp-settings.php'), do_action('init'), WP_Hook->do_action, WP_Hook->apply_filters, call_user_func_array, WYSIJA_control_front_stats->analyse, WJ_Stats->subscriber_clicked, WJ_Stats->_record_url, WYSIJA_model->getOne, WYSIJA_model->get, WYSIJA_model->getRows, WYSIJA_model->query

    Can you please help me ?

    If you are a Premium user of MailPoet, that might be our servers pinging your website to keep your newsletter queue alive (like a cron). These SQL errors are related to the mix collations of your database.

    This is way too many connections to ignore a db injection attempt even if the requests are legally coming from the plugin, right?

    RESO,
    This is how Google crawl console classified the threat today:

    /wp/index.php !…
    /wp/wp-cron.php !…
    /wp/wp-settings.php !…
    /wp/rosoiew/index.php !…
    /wp/rosoiew/oyptke.php !…
    /wp/rosoiew/troeiw.php !…
    /wp/wp-admin/includes/import.php !…
    /wp/wp-content/db_connector.php !…
    /wp/wp-content/functions.php !…
    /wp/wp-content/plugins/fpw-category-thumbnails/js/vouwfzjd.php !,
    etc.

    Can you run a complete scan with the WP Anti-Malware from GOTMLS.NET and confirm your webs are clean from the above? I don't mean to doubt the MailPoet plugin, which I love and have used a lot, but back in the day there was a similar incident which opened the door for db injections on several of our websites via the plugin.

    Hi guys
    Virtually all our websites running the MailPoet plugin are infected again after being thoroughly cleaned last week. We will be disabling (and fully removing) the plugin until the issue is fully resolved. Please take this notice under very serious consideration:

    Known Threats Found:
    !…/burgas/wp-admin/edit-form-comment.php
    !/var/www/wp/wp-content/db_connector…php
    !/var/www/wp/wp-content/index…php
    !/var/www/wp/wp-content/uploads…php
    !/var/www/wp/wp-content/plugins/gc-message-bar/css/index…php
    !/var/www/wp/wp-content/plugins/gc-mailpoet-ex/vendor/gcx-mailpoet-extension/class-plugin.php

    • This reply was modified 7 years, 6 months ago by bibliata.

    @bibliata please contact us directly and provide as much information as possible so that we could thoroughly investigate this!

  • The topic ‘Someone trying to hack my website ?’ is closed to new replies.