As a follow-up to my recent presentation at WordCamp Sunshine Coast entitled "Post-Mortem of a Hacked Website", the following Monday we of course had yet another hacked site. While most hosting companies don't get involved with the cleanup, we prefer to find the root cause in order to ensure the issue is completely removed. If not, it generally results in another compromise only weeks later, and therefore more time and risk to other clients. Over the last few years we've continually enhanced our own internal tools to detect these malicious files, despite the best attempts by hackers to obfuscate the code.

What we'll be going through in this article is how to find the root cause of the hack, then briefly touch on what to do afterwards and how to prevent it (hint: it's really easy!).

It's also worth noting that WordPress itself isn't the big security risk many will tout; it's no different from any other software platform. You simply need to keep it up to date and limit the number of third-party pieces (plugins and themes) you install. If you follow those two rules, you won't need to worry about anything else in here.

If you've been hacked and you're wondering why you were targeted: it's not directed at you. Hackers just want to find an easy site to compromise for their own malicious use; 99% of the time they're not interested in what your site is about or where you are. In fact, the chances are there isn't even a human at the other end calling the exploits; they're simply using a script to find sites to compromise. All the hacker really cares about is the total number of sites he (or she) has exploited, not whose. Treat it as a learning experience: the reason you were hacked is that you were an easy target. Make sure you don't give them this opportunity again.

Treat your hacked website as a digital crime scene. All of the information such as the Apache / Nginx access logs, file timestamps and similar is critical to determining how they got in. If you don't know where the malicious files are on your site, the first step is to find what file they've been calling. This won't be the root cause of the exploit, but the result.

Let's quickly parse our access log files for how many POST calls there have been. We use grep to do this, which is a very fast, standard Unix tool for searching plain text. Many exploits use a POST call because the request body isn't recorded in a standard access log, which makes them harder to detect: a GET request leaves its parameters in the logged URL, whereas a POST leaves only the path. We then pipe the command through the word count command with -l so that it counts total lines instead of words. At 64,000 lines, we can't easily run our eyes over the lines to determine anomalies.

Some of these calls are going to be user logins (or even failed attempts), updates and post/page edits. The majority of the POST calls are probably going to be legitimate, so what we can do is eliminate these from our list. To do that, we use an inverse match (-v) with grep and pipe that through a number of times:

```
grep POST access_log | grep -v xmlrpc.php | grep -v /contact/ | grep -v wp-login.php | grep -v wp-cron.php | grep -v /wp-admin/admin-ajax.php | grep -v /wp-admin/upgrade.php | grep -v /wp-admin/update-core.php | grep -v /wp-admin/nav-menus.php | wc -l
```
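The pipeline above, run end to end on a small constructed access log so you can see what it keeps and what it drops. This is an added example, not code from the original article or its author: the log lines, IP addresses, dates and file names in it are all made up for illustration, and it goes one step beyond the article's final count by also listing which paths the unexplained POSTs were hitting, which is what you actually want to know next.

```shell
#!/bin/sh
# Added example, not code from the original article. Reproduces the article's
# grep pipeline on a constructed access log, then lists the paths that survive
# the filter. Every log line below is made up for this example (RFC 5737 test
# addresses, invented paths); nothing here comes from a real compromise.

ACCESS_LOG="$(mktemp)"
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.10 - - [12/Mar/2016:10:01:02 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2016:10:01:05 +1000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2016:10:02:11 +1000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2016:10:02:40 +1000] "POST /contact/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2016:10:03:01 +1000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.55 - - [12/Mar/2016:10:03:02 +1000] "POST /wp-content/uploads/2016/03/wp-cache.php HTTP/1.1" 200 12 "-" "-"
192.0.2.55 - - [12/Mar/2016:10:03:03 +1000] "POST /wp-content/uploads/2016/03/wp-cache.php HTTP/1.1" 200 12 "-" "-"
192.0.2.56 - - [12/Mar/2016:10:04:09 +1000] "POST /wp-includes/class-wp-post.php HTTP/1.1" 200 8 "-" "-"
203.0.113.10 - - [12/Mar/2016:10:05:00 +1000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/4.4"
EOF

# POST requests that are NOT to an endpoint WordPress legitimately POSTs to.
# Same exclusion list as the article. Matching ' "POST ' (the method at the
# start of the quoted request line) rather than the bare word POST avoids
# false hits from query strings or user agents that happen to contain "POST".
filter_posts() {
  grep ' "POST ' "$1" \
    | grep -v xmlrpc.php \
    | grep -v /contact/ \
    | grep -v wp-login.php \
    | grep -v wp-cron.php \
    | grep -v /wp-admin/admin-ajax.php \
    | grep -v /wp-admin/upgrade.php \
    | grep -v /wp-admin/update-core.php \
    | grep -v /wp-admin/nav-menus.php
}

# The article's final number: how many POSTs are left once the expected ones
# are removed. tr strips the leading spaces some wc implementations print.
count_suspicious_posts() {
  filter_posts "$1" | wc -l | tr -d ' '
}

# What the remaining POSTs were hitting, busiest path first. In a combined-
# format log the request path is the 7th whitespace-separated field. The file
# at the top of this list is the one to open next: a PHP file under
# wp-content/uploads receiving POSTs is almost never legitimate.
suspicious_post_paths() {
  filter_posts "$1" | awk '{print $7}' | sort | uniq -c | sort -rn
}

echo "Unexplained POST requests: $(count_suspicious_posts "$ACCESS_LOG")"
suspicious_post_paths "$ACCESS_LOG"
```

Two caveats worth keeping in mind when you run this on a real log. First, each `grep -v` is a substring match over the whole line, so a request such as `POST /wp-content/uploads/x.php?r=wp-login.php` would be silently excluded; if you want to be strict, anchor the exclusions to the request line (for example `grep -v '"POST /wp-login.php '`). Second, the count is only a triage number; the grouped path listing is what tells you which file to inspect and which timestamps to line up against the filesystem.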