25 Jan, 2015

How To Locate Hosts That Are Infecting Or Sending Spam From Your WordPress Installation

Steps To Discover Malicious Hosts Attempting To Access Your Website
When dealing with a website that was cleaned before but keeps getting re-infected, it is essential to check which hosts tried to connect to the website and when. Usually a POST request is used to reach the malware files and launch a malicious script or command. So, once you have the file names, you can review the web server log files (e.g. access.log for Apache) to detect the servers that were sending these malicious requests.

The next step is to block those IPs to prevent further attacks and to inform your hosting provider. You can also use 'whois' to find out who hosts those IPs and file a request with that host to have them removed.
Example steps for cPanel users to access logs and detect attackers
Similar steps apply to the other control panel providers:
1. Log in to cPanel and go to "Stats & Logs"
2. Select "Raw Access Logs" from the menu to navigate to the logs archive
3. Download the logs archive
4. Extract the archive content into an empty directory
5. Run the following command inside the directory with the extracted files: # grep -irHn POST | grep -v admin
When you are done with all the steps above, you should see output containing the date/time, the requested file and the IP that tried to access this file, along with other info.

Here is an example shared by a Quttera-Labs researcher, taken from one of the recent malware removal processes:
85[.]214[.]94[.]159 - - [24/Jan/2015:21:32:41 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
85[.]214[.]94[.]159 - - [24/Jan/2015:21:32:44 +0100] "POST /wp-includes/SimplePie/Content/Type/info.php HTTP/1.1" 404 72387 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
85[.]214[.]94[.]159 - - [24/Jan/2015:21:32:45 +0100] "POST /wp-content/plugins/jetpack/modules/social-links.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91[.]121[.]60[.]19 - - [25/Jan/2015:03:49:33 +0100] "POST /wp-content/plugins/wp-statistics/includes/functions/general.php HTTP/1.1" 404 72407 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91[.]121[.]60[.]19 - - [25/Jan/2015:03:49:36 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91[.]121[.]60[.]19 - - [25/Jan/2015:03:49:37 +0100] "POST /wp-content/plugins/woocommerce/i18n/db.php HTTP/1.1" 404 72386 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
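The grep command above works well for a quick look, but when the archive holds many lines it helps to parse the log and group the POST requests by source IP. The following script is an added example, not code from the post or from Quttera; the log lines inside it are constructed (documentation-range IPs, paths modelled on the example above), and the regular expression assumes the Apache "combined" format shown in the sample.

```python
import re
from collections import defaultdict

# Apache "combined" log format, matching the shape of the sample lines above
# (constructed regex; assumes one request per line, as Apache writes it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two hosts probing PHP files outside wp-admin, one legitimate
# dashboard POST and one image download that must not be reported.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jan/2015:21:32:41 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Jan/2015:21:32:45 +0100] "POST /wp-content/plugins/jetpack/modules/social-links.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2015:03:49:33 +0100] "POST /wp-content/plugins/wp-statistics/includes/functions/general.php HTTP/1.1" 404 72407 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2015:03:49:36 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2015:09:00:01 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2015:09:00:02 +0100] "GET /wp-content/uploads/2015/01/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(log_text):
    """Map each source IP to the (path, status) pairs it POSTed to.

    Mirrors 'grep POST | grep -v admin': only POST requests, and requests to
    /wp-admin/ are dropped because the dashboard legitimately POSTs there.
    A 404 still matters: it shows the host calling a backdoor that was already removed.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].startswith("/wp-admin/"):
            continue
        hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


def hosts_to_review(log_text):
    """Source IPs ordered by number of suspicious POSTs (most active first),
    i.e. the candidates to block and report to the hosting provider."""
    counts = [(ip, len(paths)) for ip, paths in suspicious_posts(log_text).items()]
    return sorted(counts, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, n in hosts_to_review(SAMPLE_LOG):
        print(ip, n, sorted({p for p, _ in suspicious_posts(SAMPLE_LOG)[ip]}))
```

To run it against the real archive, read the extracted files and pass their contents to hosts_to_review() instead of SAMPLE_LOG.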

If you suspect that your website is infected with malware, Quttera experts are always happy to clean it for you and help to prevent it - Malware Monitoring & Cleanup Plans For Websites
For other questions, do not hesitate to contact Quttera help-desk.