Thread Starter
linkup
(@linkup)
Sample Apache lines:
/calendar/action~oneday/exact_date~1569477600/tag_ids~1028,
2-0 22666 0/16/471 W 0.37 134 0 5985389 0.0 0.12 23.64 182.34.27.234 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~543,156/request_format~html
3-0 19150 0/53/610 W 0.32 740 0 4468532 0.0 2.61 28.88 117.31.184.165 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~1169,1400/request_format~ht
4-0 22674 0/4/562 W 0.02 606 0 4516388 0.0 0.09 29.32 183.166.229.133 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~35/tag_ids~668,155,574/requ
5-0 24612 0/6/606 W 0.02 570 0 4327162 0.0 0.10 30.43 222.220.153.241 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~80/tag_ids~780,1427,79/requ
6-0 21411 0/18/507 W 0.11 132 0 6051656 0.0 1.47 33.14 209.188.21.14 http/1.1 roadsidenewmexico.com:80 POST /wp-cron.php?doing_wp_cron=1573412443.45667409896850585937
7-0 21533 0/19/515 W 0.08 137 0 6033518 0.0 0.77 32.26 117.40.103.164 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~80/tag_ids~780,523,603/requ
8-0 18002 0/129/642 W 0.54 761 0 3886465 0.0 1.76 25.57 119.85.15.251 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~35/tag_ids~489,1265,1068/re
9-0 21412 0/76/620 W 0.49 131 0 4943816 0.0 2.94 35.29 116.21.12.22 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~oneday/exact_date~1569477600/tag_ids~917,3
10-0 22675 0/6/544 W 0.03 616 0 4028239 0.0 0.30 27.50 27.221.154.255 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~217,990,740/request_format~
I should mention that when trying to fix that I found a suggestion to add some text to the robots.txt file specifically to avoid Google’s bots doing this. I did that also to try and stop this.
Moderator
t-p
(@t-p)
Carefully follow this guide.
When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.
If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.
Thread Starter
linkup
(@linkup)
I have both Sucuri and Wordfence installed and neither batted an eye at this intrusion. Thanks for the guide, will see what I can do.
Moderator
t-p
(@t-p)
Though Sucuri's online scan shows your site blacklisted.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Moved to Fixing WordPress; this is not an Everything else WordPress topic.
Thread Starter
linkup
(@linkup)
I don’t know where you are seeing that Sucuri report and if Sucuri thinks I have a problem, why didn’t it give me a notification or warning? When I go into the Sucuri plugin, it says “Site clean” and “not blacklisted”. Why would it report to the “world” that there was an issue, but not say something to me, even in the app itself?
If someone chooses to run a bot that issues a command on one of your domains, that in and of itself doesn’t reflect on the server. The fact is that I have now discovered a second WP install using Timely, and it too is being attacked, just at a lower frequency.
How is it that it happened to pick Timely? Presumed problem with the plug-in?
Moderator
t-p
(@t-p)
As I posted before, carefully follow this guide.
When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.
Just a suggestion, but that sort of sounds like a DDoS attack, so you might want to put your site on Cloudflare, which might help isolate your server from the world itself (even though that botnet already knows your IP).
There’s also a button on Cloudflare for reporting to them if you are under attack. I’ve never needed it but I imagine they’ll give reported sites extra attention or something.
You might want to double check with Timely also, but my guess is they just chose to attack servers running Timely as they may have had success crashing those before, to where they could then insert their bit of bot code. It’s probably not Timely itself being vulnerable.
Your host should be somewhat interested in this problem also as they don’t want a malicious bot running on their system.
Do also work through the malware and hardening articles TP suggested. I’m a little worried the ‘bot’ is already in there.
Pay a good bit of attention to Wordfence also, and if you need it you might ask your host to move you to a different IP address if they get through after Cloudflare!
Cloudflare will give you their better DNS service (one of the top DNS services out there) also and that proxy will hide your server and give you SSL.
Neither I nor Sucuri can see your Wordfence. Did you actually enable and set that up?