
Recent Hacker Trying to Access Backend Of One of My Sites

Discussion in 'BlackHat Lounge' started by BassTrackerBoats, Jun 5, 2015.

  1. BassTrackerBoats

    BassTrackerBoats Super Moderator Staff Member Moderator Jr. VIP

    It pays to protect your sites and block offending IP addresses when you find them.

    Here is a little heads up about IP address - 188.165.61.65

    Wordfence stopped someone/some tool/some hacker from trying to access one of my sites.

    Automated Email from Wordfence:

    This email was sent from your website "Redacted" by the Wordfence plugin at Friday 5th of June 2015 at 11:48:52 AM
    The Wordfence administrative URL for this site is: http://Redacted/wp-admin/admin.php?page=Wordfence

    A user with IP address 188.165.61.65 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 7. The last username they tried to sign in with was: 'Web Site Name'
    User IP: 188.165.61.65
    User hostname: 188.165.61.65
    User location: France
    Forewarned is Forearmed.
     
    • Thanks x 10
    Last edited: Jun 5, 2015
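
Added example, not part of the original thread and not Wordfence's own code: the lockout rule quoted in the email above (more than 7 login failures from one IP) can be reproduced from a web server access log. It assumes combined log format, that a failed WordPress login is a POST to /wp-login.php answered with 200 while a successful one gets 302, and a 5-minute counting window; the log lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log line: client IP, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
MAX_FAILURES = 7                 # threshold quoted in the Wordfence email
WINDOW = timedelta(minutes=5)    # assumed counting window (not from the thread)

def find_lockouts(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {ip: time} for IPs exceeding max_failures failed logins in window.
    Assumption: failed login = POST /wp-login.php -> 200, success -> 302."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php" or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that left the window
            q.popleft()
        if len(q) > max_failures and m["ip"] not in flagged:
            flagged[m["ip"]] = ts   # first moment the threshold was exceeded
    return flagged

def make_line(ip, second, method="POST", path="/wp-login.php", status=200):
    # Helper that builds one constructed log line for the sample below.
    return (f'{ip} - - [05/Jun/2015:11:48:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3120 "-" "-"')

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE = (
    [make_line("203.0.113.7", s) for s in range(10, 18)]      # 8 failures
    + [make_line("198.51.100.20", 20),                        # 1 failure
       make_line("198.51.100.20", 25, status=302),            # then success
       make_line("198.51.100.20", 30, method="GET")]          # page view
)

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE).items():
        print(f"{ip} exceeded {MAX_FAILURES} failed logins at {when.isoformat()}")
```

Counting POSTs rather than all requests keeps ordinary visits to the login page from adding to an address's failure count.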
  2. ExpressFans

    ExpressFans Jr. VIP Jr. VIP

    I'm sorry to say that I hadn't heard of this plugin before.
    I'm going to try it out now! Thanks for this!
     
  3. M4XW3LL

    M4XW3LL Jr. VIP Jr. VIP

    You haven't redacted your website link BTB, it links to your site.
     
    • Thanks x 1
  4. Repulsor

    Repulsor Power Member

    Too many of these popping up recently. What's up with these wannabe hackers?

    Best protection you can give to your site, on top of all others, is to make your wp-admin/* accessible from your IP only. Would be a little pain for dynamic IP users though.

    By the way, the hyperlink cheated you BTB. :D
     
    • Thanks x 1
  5. fatboy

    fatboy Elite Member

    It's mainly thanks to people that upload a WP blog and then forget about it, making it easy access for hacking pieces of crap :)
    To find those blogs that are hackers' havens, they will scan everything.

    I look after a few servers for people and the amount of these alerts that hit my inbox daily has grown massively over the last 2 or 3 weeks.

    Wordfence is a good start but please, please, please people, make sure your plugins and themes are all updated.

    For those of you with lots of WP blogs who think logging into many sites is a pain in the ass, take a look at InfiniteWP (the free one is fine). Link all your sites to that and you can update everything from one place.

    Do it, do it now!!!
    Love your sysadmins - recovering from WP hack attacks isn't fun and if you are paying for the hour it will cost you a good few bucks (that part makes people like me happy though ;))
     
    • Thanks x 4
  6. Capo Dei Capi

    Capo Dei Capi BANNED BANNED


    It's so retarded when they try stupid usernames like "site name". I used to get them a lot a few months ago, but I eventually hardened my website and gave up with real time monitoring since it uses too much bandwidth.

    Display Name
    35 character username
    40 character password
    custom login page
     
  7. BassTrackerBoats

    BassTrackerBoats Super Moderator Staff Member Moderator Jr. VIP

    With all you know, Fatboy, I may just warm some beer up and put it on my front porch to lure you over to the States and pick your brain.
     
    • Thanks x 2
  8. fatboy

    fatboy Elite Member

    Sorry, didn't hear what you said BTB, I was closing my suitcase zip :D
    Well - you did say beer! Warm or not, that's not the point :D
     
  9. koolkake

    koolkake Regular Member

    "Web site name". lol. Sounds like an automated bruteforce bot didn't plug in the appropriate variables.
     
  10. V

    V Elite Member

    I am getting a lot of these messages as my site's popularity is growing. I did get hacked once but that was because of a nulled theme which I removed immediately. I changed my password to a large string of mixed characters with special characters, and I sometimes change the extension of my login page so no one can get to the login page when I am on a vacation or away from my PC. :)
     
  11. lizmoz

    lizmoz Power Member

    Likes to you just because of spreading the word about Wordfence. What an awesome plugin.

    Got 10 sites hacked recently, they were pumping up spammy posts thousands per day... Wordfence helps spotting what the hell has been compromised pretty neatly! And near runtime.
     
  12. lizmoz

    lizmoz Power Member

    By the way, who said spamming posts don't work -- one of the sites had 80K posts put up in a day or so --> the traffic from GOOGLE was insane :D

    Should have redirected all of it to some crappy offers or those services specialising in monetising that kind of shitty traffic... but it was a "legit" site so just wanted the problem to go away soon. 410 redirect to blank page to keep server load to minimum and sending the site to webmaster tools was the only way to go.
     
  13. charliebrooker

    charliebrooker Jr. VIP Jr. VIP

    The first plugin on my "every site" list is Wordfence, it's excellent. It's also a caching engine, so you don't then have to mess around with a cache plugin as well.
     
  14. chris606

    chris606 Newbie

    It's most likely just a bot trying to brute force its way in. When I first got a VPS this used to scare me seeing dozens of root login attempts a day. As long as you have a good password it's not really a problem.
     
  15. Capo Dei Capi

    Capo Dei Capi BANNED BANNED

    There isn't a limit to how many posts can be put onto a website in a day, reddit gets a fuck ton and BHW gets a lot as well yet neither website is deindexed.
     
  16. kacsa1337

    kacsa1337 Junior Member

    Exactly. Here is the code:

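    # kacsa will protect you <3
    # Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat.
    # Replace YOUR-IP with your own public IP address.
    <Files wp-login.php>
    order deny,allow
    deny from all
    allow from YOUR-IP
    </Files>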

    Add this to your .htaccess file.
    Don't forget this way no one can register either.

    I believe most of you get hacked 'cuz of the nulled, cracked plugins/themes you install without thinking. Also I think Wordfence is useless but whatever :)
     
    • Thanks x 1
  17. spider7

    spider7 Regular Member

    Bass...is that the actual "location IP" or is that the "Modem IP" ? ? ?

    As you know, there are 2 different IP addresses (based on what I know).


    .
     
  18. Aluminium

    Aluminium Jr. VIP Jr. VIP Premium Member

  19. Aatrox

    Aatrox Supreme Member

    I use limit login plugin and I also turn on options to auto update all themes and plugins and WordPress of course. Never had a problem yet and hopefully I won't.
     
  20. Hawkster

    Hawkster Jr. VIP Jr. VIP

    I use Wordfence on all my WordPress sites. Fair to say that this plugin has saved my ass on numerous occasions.