My Sites Getting Hit All Day By Bots - What Can I Do?

Discussion in 'BlackHat Lounge' started by islandman1010, Dec 27, 2012.

  1. islandman1010

    islandman1010 Elite Member

    My WordPress installs got compromised with a virus called wp-apps and started getting a lot of hits to newly generated PHP files, so I guess I had become part of some botnet. Now all the files have been removed, but I am getting thousands of hits a day to the files that have now been deleted. They just produce a 404 page now as the files are gone, but I can't stop the hits coming; generally it's one hit from one IP, so banning isn't possible. I have spoken to my hosting but they don't think they can do much either. It's completely messing up all the statistics, and although it isn't actually doing any damage, it's a pain in the butt.

    Any suggestions if this can be fixed?

    Here is the screenshot of the hits. View attachment 22102
     
  2. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

    A quick solution - create htaccess redirects for the files that you deleted. When someone tries to view one of those missing pages, he will get sent elsewhere.
     
    Last edited: Dec 28, 2012
  3. helpnub

    helpnub Registered Member

    Do a reverse whois on the IP addresses and find out the ISP they are coming from. Write to the abuse department and quote the IP address. It will take a while; however, it will stop once you start doing this ...
     
  4. MatthewWoodward

    MatthewWoodward Jr. VIP Jr. VIP Premium Member

  5. islandman1010

    islandman1010 Elite Member

    They all have the same. It is "User Agent: Mozilla/5.0"

    Nothing else but that. Is that safe to block, do you think, or would too much get blocked? Every request is to a file that's been deleted and security is now better. It's just so annoying getting all these bad hits. Two of the sites I want to sell but I can't with these stats.
     
  6. Untouchable

    Untouchable Supreme Member

    Use Cloudflare, see if it helps.
    Put protection on high!
     
  7. sidnettwo

    sidnettwo Junior Member

    Maybe use htaccess to redirect those specific page URLs away from the site?
     
  8. BuildMoreLinks

    BuildMoreLinks Jr. VIP Jr. VIP Premium Member

    Where are the sites hosted? Do you have daily backups configured? Is the cPanel login IP restricted? Can the hosting team provide you with raw logs?
     
  9. jeromespitfire

    jeromespitfire Jr. VIP Jr. VIP Premium Member

    Your attack is pretty small considering they are only sending around 1 request per minute (from the screenshot of your logs). I would just wait it out; they will soon stop when they realize you have deleted the files and fixed the bug. Blocking IP classes or contacting the ISP is out of the question, as all of those IPs are coming from completely different regions.

    It's when you start getting 1000s of requests a second that you are really in trouble. I wouldn't worry about it in your case :)
     
  10. Daniel0cean

    Daniel0cean Regular Member

    Use crawl protect. It's the best I have seen and protects both against hacking and against malicious crawlers, harvesting etc.
     
  11. islandman1010

    islandman1010 Elite Member

    Think I will just have to wait for them to stop. It's very time consuming looking for a fix, and as every hit is from a different IP it's impossible to stop them. I used a plugin called Wordfence and it found that some core files had been modified. The problem seems to be a file called wp-apps.php and wp-counter.php. They are all gone now, so hopefully they will soon redirect the bot hits somewhere else when they see it's not working now. Thanks for all the suggestions.
     
  12. tejsin

    tejsin Power Member

    Send them to your YouTube channel or ac to make some money out of it :p
     
  13. gianni

    gianni Junior Member

    This is simple.
    Since all of them have the same user agent, this is the footprint you should be using to detect them.

    Use the htaccess tool to block visitors by user agent and show them a 404 or 403 error.
    What this means is that when bots come to your site with the user agent Mozilla Project, they'll get a 403/404 error.

    Ask your hoster to do this for you. They need to create (or edit the existing) .htaccess file in the root of your folder and put in a few lines of text.
    Some examples of what this looks like are here:

    http://stackoverflow.com/questions/...oad-of-files-if-user-agent-is-a-specific-type

    Best of success!
     
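    Added example, not part of any post in the thread: a way to check from raw access logs what an exact-match block on the user agent `Mozilla/5.0` would catch, which is the "would too much get blocked?" question raised earlier. The combined log format, the constructed sample lines and the function name `ua_block_impact` are assumptions.

```python
import re
from collections import Counter

# Apache "combined" access-log format (assumed; adjust to the host's LogFormat).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
BARE_UA = "Mozilla/5.0"                      # exact string reported in the thread
REMOVED = ("wp-apps.php", "wp-counter.php")  # file names given in the thread

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2012:10:01:02 +0000] "GET /wp-apps.php?x=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Dec/2012:10:02:11 +0000] "POST /wp-content/wp-counter.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Dec/2012:10:02:40 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
203.0.113.90 - - [28/Dec/2012:10:03:05 +0000] "GET /wp-apps.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.61 - - [28/Dec/2012:10:04:19 +0000] "GET /feed/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.77 - - [28/Dec/2012:10:05:30 +0000] "GET /wp-apps.php HTTP/1.1" 404 512 "-" "-"
garbage line that does not parse
"""

def ua_block_impact(log_text, ua=BARE_UA, removed=REMOVED):
    """Summarise what an exact-match block on `ua` would and would not catch."""
    bot_hits, missed, ips, collateral = 0, 0, set(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        # Compare on the file name only: drop the query string and directories.
        filename = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        hits_removed = filename in removed
        if m["ua"] == ua:
            if hits_removed:
                bot_hits += 1
                ips.add(m["ip"])
            else:
                collateral[m["path"]] += 1  # blocked too, but not bot-file traffic
        elif hits_removed:
            missed += 1  # request for a removed file that the UA rule lets through
    return {
        "bot_hits": bot_hits,
        "distinct_ips": len(ips),
        "collateral": dict(collateral),
        "missed": missed,
    }

if __name__ == "__main__":
    print(ua_block_impact(SAMPLE_LOG))
```

    A non-empty `collateral` means the user-agent rule would also block requests to live pages, and a non-zero `missed` means some requests for the removed files arrive under a different user agent.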
  14. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member
