Sunday, January 25, 2015

How To Locate Hosts That Are Infecting Or Sending Spam From Your WordPress Installation

Steps To Discover Malicious Hosts Attempting To Access Your Website 

When dealing with a previously cleaned website that gets re-infected over and over again, it is essential to monitor who tried to connect to the website and when. Usually, a POST request is used to reach the malware files and launch the malicious script or command. Thus, once you have the file names, you can review the log files (e.g. access.log for Apache) to identify the servers that were sending these malicious requests.

The next steps would be to block those IPs to prevent further attacks and inform your hosting provider. Further, you can use 'whois' to find out who hosts those IPs and file a request with them to have the offending hosts removed.

Example steps for cPanel users to access logs and detect attackers

Similar steps apply to other control panel providers.

  1. Log in to cPanel and go to "Stats & Logs"
  2. Select "Raw Access Logs" from the menu to navigate to the logs archive

     (Screenshot: cPanel - Raw Access Log)
  3. Download the logs archive

     (Screenshot: cPanel - download raw access log archive)
  4. Extract the archive content to an empty directory
  5. Run the following command on the extracted file: # grep -irHn POST <file> | grep -v admin

When you are done with all the steps above, you should see output containing the date/time, the requested file and the IP that tried to access it, along with other info.

Here is an example shared by a Quttera Labs researcher, taken from a recent malware removal process:

85.214.94.159 - - [24/Jan/2015:21:32:41 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
85.214.94.159 - - [24/Jan/2015:21:32:44 +0100] "POST /wp-includes/SimplePie/Content/Type/info.php HTTP/1.1" 404 72387 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
85.214.94.159 - - [24/Jan/2015:21:32:45 +0100] "POST /wp-content/plugins/jetpack/modules/social-links.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

91.121.60.19 - - [25/Jan/2015:03:49:33 +0100] "POST /wp-content/plugins/wp-statistics/includes/functions/general.php HTTP/1.1" 404 72407 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.60.19 - - [25/Jan/2015:03:49:36 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.60.19 - - [25/Jan/2015:03:49:37 +0100] "POST /wp-content/plugins/woocommerce/i18n/db.php HTTP/1.1" 404 72386 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
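The grep step above lists every non-admin POST; the following script, added here as an example (not Quttera's code), parses the same Apache combined-format lines and groups them per source IP so you can see at a glance how many suspicious POSTs each host sent and which of the targeted files still answered 200 (i.e. still exist on the server) rather than 404 (already removed). The log lines, IP addresses and the path prefixes it excludes (/wp-admin/ and /wp-login.php, a narrower filter than the plain "admin" substring grep) are constructed assumptions for illustration.

```python
import re

# Constructed sample lines in Apache combined log format (illustrative only).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jan/2015:21:32:41 +0100] "POST /wp-content/uploads/mp3-320/x/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Jan/2015:21:32:45 +0100] "POST /wp-content/plugins/jetpack/modules/social-links.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2015:03:49:36 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2015:03:49:37 +0100] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2015:03:49:38 +0100] "POST /wp-content/plugins/woocommerce/i18n/db.php HTTP/1.1" 404 72386 "-" "Mozilla/5.0"
"""

# Fields of an Apache combined log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed exclusion list: legitimate WordPress POST targets (admin screens, login form).
EXCLUDED_PREFIXES = ("/wp-admin/", "/wp-login.php")


def suspicious_posts(log_text, exclude=EXCLUDED_PREFIXES):
    """Return (ip, timestamp, path, status) tuples for POST requests outside the excluded paths."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path")
        if any(path.startswith(prefix) for prefix in exclude):
            continue
        hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


def summarize(hits):
    """Group hits per source IP: POST count, distinct targeted paths, and paths that returned 200.

    A 200 means the requested file is still present on the server and should be inspected;
    a 404 usually means the backdoor was already removed but the attacker keeps trying it.
    """
    summary = {}
    for ip, _ts, path, status in hits:
        entry = summary.setdefault(ip, {"count": 0, "paths": set(), "live": set()})
        entry["count"] += 1
        entry["paths"].add(path)
        if status == 200:
            entry["live"].add(path)
    return summary


if __name__ == "__main__":
    for ip, info in summarize(suspicious_posts(SAMPLE_LOG)).items():
        print(ip, info["count"], "POSTs; still-present files:", sorted(info["live"]) or "none")
```

Run it against the extracted raw access log instead of SAMPLE_LOG; the IPs it reports are the ones to block and report to the provider, and the "live" paths are the files to remove first.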

If you suspect your website was compromised or would like us to remove the malware, please select from the ThreatSign website monitoring and malware clean-up plans. To run a free remote scan of your website: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera help-desk.