Recently, we are battling with various types of attacks to our website. We will report and leave a log to those who might have similar experiences in the future or at present.
First, a symptom of the attack was overwhelming access flowing to our website. The keywords were various and no related to our business and page of access was unknown to us.
The page was created by someone unknown somehow by surprise. Then, the page was deleted instantly; however, a huge number of keywords kept on coming up at browsing results as well as tons of access to our website page. It looked like a number of keywords was increasing and website performance was slower.
It was a attack called DoS Attack. We needed to have protections to stop them somehow. In the beginning, we did followings:
- Stay calm and respond quickly
- Review conditions and Estimate the damages in the system
- Confirm our skills and power to fight back
It was urgent because of the potential damages, so here what we did:
- Delete unknown page, files and codes created for harmful purpose
- Check server to find out any unknown files and codes
- Check access log file in the system to see who has accessed to our system
- Create .htaccess file and write them to stop unwelcomed access to our page
- Create .ftpaccess file and write them to stop unwelcomed access to our system
- Create robots.txt file to request Search Engine to reduce access to page.
There were many threats and unwelcome accesses and files added and modified by unknown. You should browse about htaccess file and ftaccess file if you are interested and think you are capable of editing it. It is very helpful for defense system created by your own. Or, it is helpful in SEO purpose. Anyway, that is not our main focus here. All the defensive files worked well to stop overflowed unwelcomed access.
However, There was one remaining problem that was not resolved. After searching for bad files and codes in the system, a bad one was found and deleted but kept on created repeatedly somehow. A day after being deleted, it was there again. It was a directory (folder) contains a cashe folder, index.php file.
We tried to change password and shutdown access from outside. But it was not resolved. So, It was assumed there were codes or files remaining inside system with a trigger to recover it when folder not exit.
After investigation of the system, we found a line of code in index.php at home directory. Here is a site describing the attack: https://stackoverflow.com/questions/43211850/my-site-is-infected-with-obfuscated-php-malware-what-is-it-doing-how-do-i-ge
Hope you don’t get an attack that we received. But you may want to check your system and wordpress files.
Helpful websites and tips to protect your site:
- Scan to check security risk of your wordpress site: https://wpsec.com/
- Sure to update your wordpress as latest one
- Select theme wisely. Maybe we should create one by our own
- Select plugins and get updated. Delete no need plugins.
- Change passwords and logout system from everywhere
- Google robots.txt Tester