Help! We're being attacked!

[tenntrips]

The majority of attacks are not the fault of the server. Having the most up to date scripts does help, but your webmaster needs a little knowledge too.

The first thing you need to do is lock down your site from BAD WEB BOTS that scrape for not only e-mail addresses, but scripts, or other possible holes in your site. The worst of those bots come from Russia and the Ukraine, and a few others. If you're not specifically doing business in those countries, BLOCK THEM.

Your .htaccess file should have SEVERAL notations for bad bots as well as bad ip blocks to deny access to your site. By checking your web logs you can see
who's been scraping your site when you get hits for things that you don't even have.

Check your 404 errors, many of them come from hackers that are looking for holes in your site. Generally you'll have 404 hits for thing like /forgotpassword.php or other strange (usually admin) types of pages. BLOCK THOSE SUCKERS FIRST.

There are several good sites that can give examples on how to block bad bots, and bad ip blocks.

I was hacked several years ago when I didn't know about blocking these idiots. It's time consuming keeping up with all the new ones, but it is well worth the time. Blocking them not only can save your site, but stop a LOT of wasted bandwidth from their bots.

You can block by country, a single ip, a block of ip's, host, or by bot. Since bad bots will completely ignore your robots.txt directives, your best bet is to block them in .htaccess. For example my .htaccess file is over 5000 lines, with many of those lines for multiple blocks.

Again, if you don't do business in a particular country, it won't hurt to block the WHOLE country from accessing your site. You'll save yourself a TON of time blocking specific ips from those countries. NOTE: you can do everything possible to lock down and secure your site, but it doesn't mean your 100% safe, but doing nothing is asking for trouble.

[ep2012]

Thank you for this.

My problem is I don't have a really good programmer who knows WTF they are doing when it comes to code & security & I can't redo the application I had done years ago. Just no budget.

Do you have suggestions on these sites that give simple instructions for what you mentioned?

I'm surprised the hosting companies don't tell you this as it cuts back on work for them too.

My issue is I sell worldwide, so while I don't have any Russian clients now, who knows what will happen down the road.

Thanks once again.


Michelle

[NetProwler]

It is rather difficult to come up with a precise solution to your problem unless we know more details. There are many ways someone can gain access to your server. You will need an experienced Sysadmin to probe for vulnerability of your server. He can advise you if the server is not hardened adequately or there is any vulnerability in the software/code you are running. Your host should have covered hardening the server to the maximum extent possible. Generally, most hosts will be proactive to check for vulnerable code so that they can avoid problems later. Good hosts charge you a bit more for reasons like this. Timely support and proactive monitoring costs money. Consider moving to a better host after sanitizing all your files.

You will be sharing your server space with hundreds of others and all it takes someone with malicious intent is to find a vulnerable script which will allow him to gain elevated privilege to control the rest of the server. There is one way to find out - by conducting an analysis of the server log files.

All software require regular patching or updation. If you run a CMS, make sure that it doesn't announce to the entire world what version it is running. Script kiddies look for CMS running older versions with known vulnerabilities. It may not stop a seasoned hacker - but why would he be interested in your site ?

Some attacks have come from disgruntled employees.

Blocking access to a country may not work at all as a hacker can launch his attack closer at home. This is the reason why a postmortem of the log files will help you narrow down where the attacker came from. It is not nice to see the Google warning above your search result - "This site may harm your computer !".

[llee]

A little more info about what's going on with our site -

Our website is not an e-commerce site. The site address is 3 double-u's dot murus dot com, and while the home page will come in fine, any sub-heading page or drop-down page link will take viewers to either a warning that the site is under attack, or to a screen that tells you that you need to click a link to get your computer checked for malware. Something to this effect, I don't have the exact verbiage. It locks up the site so you can't use the "Back" button to return to our website. The only way to get out of it is to close the tab altogether. The IP address of the hacker is 31.133.41.130, which is from the Ukraine. Seems I should be able to report this address to somebody as malicious, but I haven't been able to find a website for doing this yet. Again, I am not a programmer or webmaster, just a lowly Office Manager whose many tasks include overseeing the health and safety of the company's website, in conjunction with an off-site web designer/maintenance fellow. He used ExpressionEngine to design the site and yes, the program itself is behind an upgrade or two, he tells me. Our web host uses Linux. Hope this helps. From what you all have said so far, it looks like packing up our site and moving to a new host is the only way to rectify the problem once and for all.

Knock on wood, as of right now the site is working properly.

I do appreciate all your input, every one of you. This forum has helped me immensely since I've been a subscriber, both with problem-solving and with creative ideas. I thank you all, very much.

llee

[slimwoman]

I agree with all of the comments made. I was hacked once last year and I use Wordpress on all of my sites now. I just got a mysql attack on a few of my sites in January. It took quite a few days dealing with these hacks and I have been implementing security measures since.

My web host gave me this site to make Wordpress secure:
Stop Hackers on Your Blog

I am in the process of uploading a .htaccess file to my wp-admin area on all my sites. This is one of the recommendations in the WSD security Admin tools.

[jhilgeman]

I understand tenntrips advice is well-intended, but it is not good advice. Here is why:

1. Most malicious web bots are quick, dirty, and random. They are like teenagers firing shotguns into the night, hoping to hit ANYTHING. Most attacks are not sustained, continuous attacks - the bot tries 10-20 different popular attacks and then will move on to a different site, and these 10-20 attacks occur in a matter of seconds. Trying to block the bots will not help you in any way because you are blocking IP addresses that will most likely not try to attack you again.

2. The .htaccess file can cause small performance issues. When you use an .htaccess file, the web server has to read and process that file every single time a browser makes a request for your web page. So let's say you have a home page with 10 images on it, 3 Javascript files, and 1 CSS file. That is a total of 1 + 10 + 3 + 1 = 15 web requests. This means that the web server has to read that .htaccess file 15 times every time someone views that home page. It also has to process the contents to understand the rules inside the file. So if you have an .htaccess file with 5,000 lines, then your web server is reading and processing a whopping 75,000 lines every single time a single person views your home page (15 times * 5,000 lines) !!!!!

Combine this with the first point and you have an .htaccess file with thousands of unused rules that are doing absolutely nothing except slowing down your web pages. An .htaccess file should only contain a small set of rules (and preferably should not be used at all, but sometimes it's unavoidable). Otherwise, you are only causing your web site to run slower and sloower and slooower and sloooower. It may not be apparent at first, but it will get exponentially slower as you gain more traffic or as the server becomes busier.

3. Blocking entire countries is not a good security option. Not only can IP addresses be faked, but the better hackers often used proxies that are located inside the U.S., so the real threats are not being blocked at all. Plus, you are potentially blocking off legitimate international web traffic. You may not realize it, but you can have people overseas that want to visit your web site (even Americans who just happen to be traveling - assuming you are American). There are also plenty of script kiddies that are based in the Americas, so again, you are not doing yourself any big favors by blocking entire countries. It's false security.

I agree with tenntrips that doing nothing at all is a bad idea, though. You have to ensure that your site software is maintained properly. There's really no way around proper maintenance and updates. It's a pain, but it has to be done!

The majority of attacks are not the fault of the server. Having the most up to date scripts does help, but your webmaster needs a little knowledge too.

The first thing you need to do is lock down your site from BAD WEB BOTS that scrape for not only e-mail addresses, but scripts, or other possible holes in your site. The worst of those bots come from Russia and the Ukraine, and a few others. If you're not specifically doing business in those countries, BLOCK THEM.

Your .htaccess file should have SEVERAL notations for bad bots as well as bad ip blocks to deny access to your site. By checking your web logs you can see
who's been scraping your site when you get hits for things that you don't even have.

Check your 404 errors, many of them come from hackers that are looking for holes in your site. Generally you'll have 404 hits for thing like /forgotpassword.php or other strange (usually admin) types of pages. BLOCK THOSE SUCKERS FIRST.

There are several good sites that can give examples on how to block bad bots, and bad ip blocks.

I was hacked several years ago when I didn't know about blocking these idiots. It's time consuming keeping up with all the new ones, but it is well worth the time. Blocking them not only can save your site, but stop a LOT of wasted bandwidth from their bots.

You can block by country, a single ip, a block of ip's, host, or by bot. Since bad bots will completely ignore your robots.txt directives, your best bet is to block them in .htaccess. For example my .htaccess file is over 5000 lines, with many of those lines for multiple blocks.

Again, if you don't do business in a particular country, it won't hurt to block the WHOLE country from accessing your site. You'll save yourself a TON of time blocking specific ips from those countries. NOTE: you can do everything possible to lock down and secure your site, but it doesn't mean your 100% safe, but doing nothing is asking for trouble.

[ronchalice]

This sounds a little bit crazy, but a couple of times when I've had a problem I just download a zip of my server directory contents and scan it with my PCs antivirus. Both times it found a malevolent file within the zip that was easy to delete on the host. The problem went away. (Both files, BTW, were in a distro copy of OS software... I won't name it here, because it was some time ago and I'm not sure which package it may have been. I know that it was NOT Joomla or WP.)

[jhilgeman]

To add to my previous comment about .htaccess, please understand that I was not against any and all use of .htaccess files. Adding a .htaccess file to your wp-admin directory can be a good thing if you have static IP addresses (or at the very least, IP addresses that don't change often), especially since that .htaccess file will not be read & processed by any requests in the base directory (your standard blog readers). The .htaccess files only apply to the directory they are in and they usually cascade to any subdirectories, so adding one to wp-admin will protect all content inside wp-admin.

What I was specifically against was trying to use .htaccess to block out tons of IP addresses and ranges in the main web site directory.

I agree with all of the comments made. I was hacked once last year and I use Wordpress on all of my sites now. I just got a mysql attack on a few of my sites in January. It took quite a few days dealing with these hacks and I have been implementing security measures since.

My web host gave me this site to make Wordpress secure:
Stop Hackers on Your Blog

I am in the process of uploading a .htaccess file to my wp-admin area on all my sites. This is one of the recommendations in the WSD security Admin tools.

[ep2012]

I agree with all of the comments made. I was hacked once last year and I use Wordpress on all of my sites now. I just got a mysql attack on a few of my sites in January. It took quite a few days dealing with these hacks and I have been implementing security measures since.

My web host gave me this site to make Wordpress secure:
Stop Hackers on Your Blog

I am in the process of uploading a .htaccess file to my wp-admin area on all my sites. This is one of the recommendations in the WSD security Admin tools.

Do you mean the MLM hosting company in your signature?


Michelle