TechHui

Hawaiʻi's Technology Community


It's instructive to watch the various malicious bots troll through your server looking for vulnerabilities.  Woe betide you if they find one!  Even Wordpress.com has been hacked.  Prior to that, at the beginning of this year, a significant number of stand-alone Wordpress installations were hacked when their owners did not update to the newest security release.

Here's how you can recognize a malicious bot.  If you are using Cpanel, go to "Error Log".  You'll see a whole list of page fetch errors (this is a good way to see any mistakes or broken links in your code too).  But if you see something like: 

[Tue Apr 05 20:24:48 2011] [error] [client 62.149.231.222] File does not exist: /home/[your account]/public_html/[domain_name]/websql
[Tue Apr 05 20:24:47 2011] [error] [client 62.149.231.222] File does not exist: /home/[your account]/public_html/[domain_name]/admin
[Tue Apr 05 20:24:46 2011] [error] [client 62.149.231.222] File does not exist: /home/[your account]/public_html/[domain_name]/dbadmin
[Tue Apr 05 20:24:44 2011] [error] [client 62.149.231.222] File does not exist: /home/[your account]/public_html/[domain_name]/lists


then you have a malicious bot trolling your domain.


How did I recognize this as a malicious bot?   Look at the files it is trying to access:  lists, dbadmin, admin, websql - they're nothing I uploaded to the server and they all look suspiciously like paths to either phplist or my database front end.


What to do if you find a malicious bot?

I block the IP (again, from your Cpanel "IP Block").


Since I control several servers, I find it interesting to see the same IP wandering across servers to different addon domains, looking for vulnerabilities.  Once I identify one bad IP, I block it on all the servers.


The nice thing about Cpanel's IP Block is that it edits the .htaccess file of each of your addon domains to Deny from xxx.xxx.xxx.xx.  If you have a lot of addon domains, this is much easier than going into each domain one at a time and editing the .htaccess file.
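The two steps above (spotting one client walking through admin-looking paths in the Error Log, then writing a Deny rule for it) can be scripted. This is an added example, not code from the post or from cPanel: it parses Apache error-log lines of the shape shown above, flags any client that requested several of the suspicious directory names the post lists, and prints Apache 2.2-style access rules equivalent to the "Deny from" lines the post describes. The log lines, IPs and account path are constructed, and the cPanel rule layout is an assumption.

```python
import re
from collections import defaultdict

# Apache error-log line shape from the post's cPanel "Error Log" excerpt.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Directory names the post flags: nothing the owner uploaded, and they look
# like phplist / database front-end paths. Extend with your own observations.
PROBE_NAMES = {"websql", "admin", "dbadmin", "lists"}

# Constructed sample log (not from a real server): one client walks the four
# paths from the post within seconds; another client has an ordinary 404.
SAMPLE_LOG = [
    "[Tue Apr 05 20:24:48 2011] [error] [client 203.0.113.7] File does not exist: /home/acct/public_html/example.com/websql",
    "[Tue Apr 05 20:24:47 2011] [error] [client 203.0.113.7] File does not exist: /home/acct/public_html/example.com/admin",
    "[Tue Apr 05 20:24:46 2011] [error] [client 203.0.113.7] File does not exist: /home/acct/public_html/example.com/dbadmin",
    "[Tue Apr 05 20:24:44 2011] [error] [client 203.0.113.7] File does not exist: /home/acct/public_html/example.com/lists",
    "[Tue Apr 05 20:25:10 2011] [error] [client 198.51.100.20] File does not exist: /home/acct/public_html/example.com/favicon.ico",
]

def parse_missing_file_errors(lines):
    """Yield (client_ip, last path component) for each 'File does not exist' entry."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            name = m.group("path").rstrip("/").rsplit("/", 1)[-1].lower()
            yield m.group("ip"), name

def find_probing_clients(lines, threshold=3):
    """Return {ip: sorted probed names} for clients that requested at least
    `threshold` distinct probe-looking directories that do not exist."""
    hits = defaultdict(set)
    for ip, name in parse_missing_file_errors(lines):
        if name in PROBE_NAMES:
            hits[ip].add(name)
    return {ip: sorted(n) for ip, n in hits.items() if len(n) >= threshold}

def htaccess_deny_block(ips):
    """Render Apache 2.2-style rules (assumed layout, not cPanel's exact output):
    allow everyone, then deny the listed clients."""
    rules = ["Order Allow,Deny", "Allow from all"]
    rules += [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(rules) + "\n"

if __name__ == "__main__":
    suspects = find_probing_clients(SAMPLE_LOG)
    for ip, names in suspects.items():
        print(f"{ip} probed: {', '.join(names)}")
    print(htaccess_deny_block(suspects))
```

Run it against your own Error Log by replacing SAMPLE_LOG with the file's lines; a client that only trips one missing path (the favicon request above) is not flagged.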


Happy hunting!


Comment by Brian on May 11, 2011 at 6:12pm
A moderately sophisticated attacker will be using enough IP ranges that this alone will not be effective.
Comment by Marcus Sortijas on May 3, 2011 at 7:55am
Thanks for that tip on "Password Protect Directories."  I think using cPanel for security is a good idea.  With plugins, you don't know how they're changing the code.  On a more mundane level, plugins often stop being actively developed.  Meanwhile, hackers never rest.
Comment by Karen Chun on May 3, 2011 at 7:39am

Thanks for the kind words, Marcus.  Another thing I do when I have a single individual using Wordpress (this does NOT work for Buddypress or any multiuser installation) is to use "Password Protect Directories" from Cpanel to make the entire wp-admin directory off-limits.

It means that the wp-admin user has to enter 2 sets of user-pw (usually I make them the same) but it ensures that if another Wordpress vulnerability is found, that installation can't be hacked anyway.

That last vulnerability (at the beginning of the year) wasn't discovered and corrected until after many, many Wordpress installations were hacked, so this has become routine for me when I install single-user Wordpress.

Comment by Marcus Sortijas on May 2, 2011 at 2:50pm
Karen, thanks for writing this!  I've been concerned about security; I build WordPress websites.  I'm cautious of using security plugins or editing code, because I don't want to mess anything up.  Your method of using cPanel to find and block suspicious IP addresses looks like a safer route to take.
