The site is under attack

We’ve been experiencing a sort of 404 or DDoS attack on a single site for the past 48 hours.
We’ve been trying to control it with Defender Pro and CSF firewall at server level but it doesn’t seem to fully solve the problem.
We are getting 20 hits per second from IPs that seem to belong to Microsoft and Google. We need help trying to figure out what kind of attack we are experiencing and if Defender Pro could help us.

  • Predrag Dubajic
    • Support

    Hi Y2K Webs,

    It seems that the bots are trying to access PHP files on your site, and quite aggressively, which is causing the resources of your server to be maxed out.
    Since Defender is a WP plugin, it relies on PHP to start protecting your site, but by that time the request is already sent to the server and its resources are being used.

    I would suggest that you start by enabling Security Tweaks from Defender > Security Tweaks panel in order to further strengthen your site, and also go to Defender > IP Lockouts > 404 Detection and configure the settings there to lock the 404 requests sooner and increase the ban times so that less bots will be allowed on your site.

    Best regards,
    Predrag
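The lockout idea above (count 404 responses per IP, block once a threshold is reached, hold the block for a ban period) can also be evaluated from the web server's access log, so the resulting block list can be fed to a server-level firewall such as CSF instead of waiting for PHP to run. The script below is an added illustration, not Defender's own code; the log lines are constructed, and the threshold, window and ban values are assumptions to be tuned per site.

```python
"""Replay web-server access log lines and flag IPs that reach a 404 lockout
threshold.  Added illustration of the 404-detection idea, not Defender's
own implementation; sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format (Apache/nginx default).  The timezone offset is
# dropped during parsing for simplicity.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, request, status) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def find_lockouts(lines, threshold=20, window=timedelta(seconds=60),
                  ban=timedelta(minutes=30), only_php=True):
    """Return {ip: (locked_at, banned_until)} for every IP whose number of
    404 responses inside a sliding `window` reaches `threshold`.

    only_php=True counts only requests for .php paths, matching the bot
    behaviour described in the thread.  Lines from an already locked IP are
    skipped, since a firewall block would drop them anyway."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, req, status = rec
        if ip in locked or status != 404:
            continue
        parts = req.split(" ")
        path = parts[1].split("?")[0] if len(parts) > 1 else ""
        if only_php and not path.endswith(".php"):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget hits older than the window
            q.popleft()
        if len(q) >= threshold:
            locked[ip] = (ts, ts + ban)
    return locked


# Constructed sample: one IP probing PHP files at 20 hits per second, and one
# legitimate visitor with a single 404 on an image.
base = datetime(2019, 6, 10, 12, 0, 0)
SAMPLE_LOG = []
for i in range(30):
    t = (base + timedelta(seconds=i // 20)).strftime("%d/%b/%Y:%H:%M:%S")
    SAMPLE_LOG.append(
        f'203.0.113.5 - - [{t} +0000] "GET /wp-content/uploads/old{i}.php HTTP/1.1" 404 153')
SAMPLE_LOG.append(
    '198.51.100.7 - - [10/Jun/2019:12:00:00 +0000] "GET /missing.png HTTP/1.1" 404 153')
SAMPLE_LOG.append(
    '198.51.100.7 - - [10/Jun/2019:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120')

if __name__ == "__main__":
    for ip, (at, until) in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} from {at} until {until}")
```

Lowering `threshold` or lengthening `ban`, as the reply suggests, trades faster blocking of scanners against the risk of locking out a real visitor who hits a few broken links; restricting the count to `.php` paths keeps ordinary missing images from counting.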

  • Y2K Webs
    • Webmaster

    Hello James

    We already did all that. Actually defender was well configured when the hack occurred. We now know the site was fully hacked while defender was running. One of the exploits is exactly the one described here:

    https://blog.sucuri.net/2019/06/why-is-your-website-a-target-the-seo-value-of-a-website.html

    But there are also mail sending scripts, etc. We have exploit scanners and firewalls to help us a bit but we are still far from the solution.

    Could you please take a deeper look and give me your input?

    thanks in advance.

  • Predrag Dubajic
    • Support

    Hi Y2K Webs,

    I’ve checked your Defender settings and can still see that most of the Security Tweaks are not applied and that the 404 protection values are still set to default, and I would suggest reducing the block limit to block the bots sooner.

    We already did all that. Actually defender was well configured when the hack occurred. We now know the site was fully hacked while defender was running. One of the exploits is exactly the one described here:

    If I understand this correctly your site was compromised before these bot issues started, is that right?
    Can you tell me what has been done after that, was the site restored from a backup, did you perform a cleanup to make sure there are no leftover infected files?

    Best regards,
    Predrag

  • Y2K Webs
    • Webmaster

    Hello

    As far as I know the site was not compromised before defender was fully configured.

    I’m sorry that you don’t have access to the lengthy chats I had with other WPMUDEV support agents before; you could see that we set up 404 protection and many other tweaks. I set them to defaults after I moved all blocked IPs to the server CSF firewall and configured 404 protection there.

    We have not restored the site; it is still vulnerable even after we cleaned it thoroughly. I would like you to help me figure out why sitemap.xml is still pointing to phony sites, even after SmartCrawl is configured.

    Thanks again!

    Regards

  • Predrag Dubajic
    • Support

    Hi Y2K Webs,

    I can see that the 404 is enabled but as I mentioned it uses default values, which are usually good to leave at, but since your site is getting constant checks for 404 files from bots I would suggest reducing the number of attempts before a lockout occurs so that the bots are blocked sooner.

    I also checked the Defender file scan as it finished now, and your installation still seems infected, I’m afraid.
    There are a lot of files and folders which are not part of the default WP installation, modified core files, your Yoast SEO Premium plugin is outdated and contains a known vulnerability, etc.

    All of this is most likely affecting your sitemap.xml as well and leading the bots to 404 files.

    I would suggest that you create a full backup of your site and perform a cleanup by downloading a fresh copy of WP from wordpress.org.
    Remove all of the files from your WP root folder except for the wp-content folder as well as the .htaccess and wp-config.php files.
    Upload the fresh WP files now, and that should take care of most of the reports in Defender about non-default core files and modified ones.
    After that, make sure to update all of your plugins and themes to the latest version and remove any unused plugins from the site.

    Once that is done run a new Defender file scan to see if there are any other suspicious files left in your installation.

    Best regards,
    Predrag
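The cleanup steps in the reply above (full backup, remove everything in the WP root except wp-content, .htaccess and wp-config.php, then copy in a fresh core) can be scripted so the same procedure is repeatable. The script below is an added example, not WPMU DEV's, Defender's or WordPress's own tooling; it assumes the fresh copy has already been downloaded from wordpress.org and extracted into `fresh_dir`, and `demo()` runs it against a constructed scratch site rather than a real one.

```python
"""Reinstall WordPress core files over a suspected-infected site root while
keeping wp-content, .htaccess and wp-config.php.  Added example following
the support reply's steps; not WordPress's or Defender's own code.  It
assumes a fresh wordpress.org download has been extracted into fresh_dir."""
import shutil
import tarfile
import tempfile
from pathlib import Path

KEEP = {"wp-content", ".htaccess", "wp-config.php"}   # per the reply


def backup_site(site_root: Path, archive: Path) -> Path:
    """Full tar.gz of the site root, taken before anything is touched."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=site_root.name)
    return archive


def reinstall_core(site_root: Path, fresh_dir: Path) -> dict:
    """Delete every entry in site_root except KEEP, then copy the fresh tree in.

    Files the fresh copy ships inside wp-content (bundled default themes and
    plugins, wp-content/index.php) are overwritten with clean copies; nothing
    else under wp-content is touched, so uploads, custom themes and any file
    dropped there by an attacker survive and need a separate scan."""
    removed = 0
    for entry in list(site_root.iterdir()):
        if entry.name in KEEP:
            continue
        if entry.is_dir() and not entry.is_symlink():
            shutil.rmtree(entry)
        else:
            entry.unlink()          # files and symlinks (never follow a link)
        removed += 1
    copied = 0
    for src in fresh_dir.rglob("*"):
        if src.is_dir():
            continue
        dst = site_root / src.relative_to(fresh_dir)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        copied += 1
    return {"removed": removed, "copied": copied}


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> dict:
    """Build a constructed 'site' and 'fresh' tree in a temp dir, run the
    backup and cleanup, and return what was left behind."""
    work = Path(tempfile.mkdtemp(prefix="wp-clean-"))
    site, fresh = work / "site", work / "fresh"
    # Constructed infected site: tampered core files, an extra PHP file under
    # uploads, a rogue sitemap, plus the three items that must survive.
    for rel in ("index.php", "wp-load.php", "xmlrpc.php",
                "wp-admin/install.php", "wp-includes/version.php",
                "wp-content/uploads/2019/06/cache.php", "sitemap.xml"):
        _write(site / rel, f"tampered {rel}")
    _write(site / "wp-content/themes/mytheme/style.css", "/* site theme */")
    _write(site / ".htaccess", "# rewrite rules")
    _write(site / "wp-config.php", "<?php define('DB_NAME', 'example');")
    # Constructed stand-in for the extracted wordpress.org download.
    for rel in ("index.php", "wp-load.php", "wp-admin/install.php",
                "wp-includes/version.php", "wp-content/index.php",
                "wp-content/plugins/hello.php"):
        _write(fresh / rel, f"clean {rel}")

    archive = backup_site(site, work / "site-backup.tar.gz")
    with tarfile.open(archive) as tar:
        backed_up = set(tar.getnames())
    counts = reinstall_core(site, fresh)
    files = sorted(str(p.relative_to(site)) for p in site.rglob("*") if p.is_file())
    index_php = (site / "index.php").read_text()
    shutil.rmtree(work)
    return {"counts": counts, "files": files, "index_php": index_php,
            "backup_has_xmlrpc": "site/xmlrpc.php" in backed_up}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The demo shows the limit of this step: the tampered core files and the rogue sitemap.xml are gone, but the extra `cache.php` under wp-content/uploads is still there afterwards, which is why the reply ends with updating plugins and themes and running another file scan.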

  • Predrag Dubajic
    • Support

    Hi Y2K Webs,

    Defender handles the WP side of things and some additional rules that can be applied on the server side in order to protect your site; using Cloudflare as protection from DDoS attacks is always a welcome addition to site security.
    We’re also actively working on further improving Defender and its security options.

    Can you please take a look at the Hummingbird dashboard? It’s all broken; I already tried reinstalling.

    Can you tell me which browser and OS you are using because I can’t see the problem using Chrome on Win10?

    Best regards,
    Predrag