Lunarpages Web Hosting Forum

Advanced Lunarpages Assistance => Lunarpages Security Center => Topic started by: Cassel on November 21, 2014, 07:23:05 PM

Title: Site apparently 'attacked', but no solution
Post by: Cassel on November 21, 2014, 07:23:05 PM
I am wondering if anyone can help me more than the support has done so far. Here is my "problem"

In August, i started having regular 500 error message, and having a hard time loading my site. Contacted support through a help ticket on August 21st.
My issue usually affected only one of my sites, but occasionally would affect all of them.
I was told i was experiencing a temporary IP block. and got a link for information on that.
Then i was told i was getting 500 error due to "excessive server resource usage".
Then, i was told that "It is possible that the 500 Internal Server Error is being caused by brute force attacked or unnecessary hits on the following." and i get numbers like 15K hits, and 4k hits, and so on, while my site, at peek traffic gets about 100 visits a day. So i am asked to install  a CAPTCHA (even though i already have one for login, lost passwords and comments)

Twice along the way, my site goes wonky and requires a restore from a backup (which probably does not help the resource usage)

I am asked to make sure all the software are updated, and i do.
I am asked to optimize my database, and i do.
I am asked to add a code to block xmlrpc.php attack, which i do, but then, i lose the functionality of "Windows Live Writer", which i use regularly.

Then, i started getting Mail Delivery Failure messages indicating that my email account had been highjacked. I changed the password and it got fixed (one good thing).
I was suggested to use SPF, which i was never able to set up, although the password change did the trick.

After that, my login.php was attacked, and a SECOND captcha was installed by the host (now my members have 2 captcha to go through to log in).
I asked that it be removed (since i already have one) and they did.

By Sept 15, i am told that the usage is still high (after all the precautions and changes i made). They conclude that my site is popular and growing and i might want to consider a Managed Shared Hosting , but i have rarely 100 visitors a day. FAR from enough for a dedicated server, so something else is going on. In fact, over 2014, i have seen a DECREASE in traffic, not an increase.

On Sept 19, theynotice a huge attack on the admin-ajax.php. And then, everything got inaccessible. I needed to make a phone call to be told that my IP had been blocked by the firewall. I got that fixed.

This has taken weeks and by Oct 22nd, i am told that the usage is within acceptable limits.

One week later, the problems restarted with 500 error messages.
They located  some attack on the admin-ajax.php page so they blocked the admin-ajax.php page from being accessed.
Noticing some cron-jobs mentions in the domlogs, they disabled the "/wp-cron.php" the cron AND added the captcha again on the login page (so i have 2). I still asked to remove theirs to keep the first one.
I am given several suggestions:
 - do not use "Admin" as username: i was not.
 - use a good password: i am using a strong one
 - installing a plugins can be used to limit the number of login attempts : already had one of the suggested plugins
Again, i am suggested to consider upgrading my hosting plan because my site must be popular (i just wished!)

However, blocking the admin-ajax.php has caused more issues: not being able to update plugins, not being able to load visual editor of my theme, etc. Basically having a non-functional site. I had to mark that code in the .htaccess file to get my functionalities back.

This week, the usage was still not down and they blocked some IP for me in the .htaccess and READDED the captcha to help AND suggest upgrading my hosting (WHICH I DONT NEED)

Yet, as of yesterday, i was STILL getting a 500 error, and high usage stats.
I tried to install CloudFlare (from a suggestion of a programmer friend) and somehow, i can't seem to get it working: i get an email saying everything is set up, but then i get an error message that it is not.

All this has been taking 3 months, and it seems that the problem is still not fixed, my members are emailing me that they get error messages, that they have to go through a weird captcha (while mine was cute). And tonight, i try to call and of course, the business hours are over for the week, so i can only hope for something else by Monday.

I don't know what to think. I am asked to go through loops, and i do, but it does not solve the problem. WHY NOT?
Anyone has possibly another explanation (and solution) for this that might have just escaped the support staff? Maybe something too simple or too obvious?
I am at lost and am losing patience too.

Title: Re: Site apparently 'attacked', but no solution
Post by: web-rat on February 17, 2015, 05:31:02 PM
Sorry you had to go through all that trouble! It's no fun I'm sure. I was hoping I could help you out even if it's been a while or you may have already found a solution. I am no expert but see if this can help you any.

1. If you are able to login please try to add the plugin "Anti-Malware and Brute-Force Security by Eli". It scans your site for files that have been altered and shows you the code so you can examine it to see if indeed it has malicious code still embedded in it. If there is anything then it can be cleaned up.

2. If you have not installed "Wordfence security" plugin that is a good one also!

3. If you can also scan your computer to make sure you don't have malicious code embedded in your internet. This happened to me. I went searching for a way to restore my site after it was hacked and in my search I opened a site that had injected the code into a layer of my internet. (The best way I can explain it) My antivirus blocked it but the code remained in the history cache until I deleted it. The antivirus said my computer was clean until I ran a scan. That's when I found it. It caused my server to peak real high too.

4. Maybe after you clean your site (if possible) you may thing of taking your site down for a day or two. Maybe that can slow down the high traffic and then monitor it again.

Like I said, I hope this can help!