How To Locate Hosts That Are Infecting Or Sending Spam From Your WordPress Installation


Steps To Discover Malicious Hosts Attempting To Access Your Website

When dealing with a previously cleaned website that gets re-infected over and over again, it is essential to monitor who tried to connect to the website and when. Usually, a POST request is used to reach the malware files and launch the malicious script or command. Thus, once you have the file names, you can review the log files (e.g. access.log for Apache) to detect the servers that were sending these malicious requests.


The next steps would be to block those IPs to avoid further attacks and to inform your provider. Further, you can use 'whois' to find out who hosts those IPs and file a request to have them taken down.

Example steps for cPanel users to access logs and detect attackers

Similar steps would be applicable for the other control panel providers:

  1. Log in to cPanel and go to “Stats & Logs”

  2. Select “Raw Access Logs” from the menu to navigate to the logs archive


  3. Download the logs archive


  4. Extract the archive content to an empty directory

  5. From inside that directory, run the following command on the extracted files: # grep -irHn POST . | grep -v admin


When you are done with all the steps above, you should see output containing the date/time, the file, and the IP that tried to access that file, along with other info.


Here is an example shared by a Quttera-Labs researcher, taken from a recent malware removal case:

85[.]214[.]94[.]159 - - [24/Jan/2015:21:32:41 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

85[.]214[.]94[.]159 - - [24/Jan/2015:21:32:44 +0100] "POST /wp-includes/SimplePie/Content/Type/info.php HTTP/1.1" 404 72387 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

85[.]214[.]94[.]159 - - [24/Jan/2015:21:32:45 +0100] "POST /wp-content/plugins/jetpack/modules/social-links.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

91[.]121[.]60[.]19 - - [25/Jan/2015:03:49:33 +0100] "POST /wp-content/plugins/wp-statistics/includes/functions/general.php HTTP/1.1" 404 72407 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

91[.]121[.]60[.]19 - - [25/Jan/2015:03:49:36 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

91[.]121[.]60[.]19 - - [25/Jan/2015:03:49:37 +0100] "POST /wp-content/plugins/woocommerce/i18n/db.php HTTP/1.1" 404 72386 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
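The grep pipeline in step 5 gives you raw matching lines; when the archive spans many days it helps to group the hits by source IP, so you can see how many files each host touched and over what time window before blocking it or contacting its provider. The script below is an added example and is not Quttera's code. It parses Apache combined-format lines (the layout of cPanel raw access logs and of the lines shown above), keeps POST requests outside the normal admin endpoints (mirroring `grep -v admin`; the `/wp-admin/` and `/wp-login.php` prefixes are an assumption about which POSTs are legitimate), optionally restricts the match to the malware file names you found during cleanup, and summarises the result per IP. The sample log lines embedded in it are constructed for the example, using documentation IP ranges, not real traffic.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format, one request per line:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: POSTs to these prefixes are normal WordPress use (logins, admin actions).
# This mirrors the "grep -v admin" filter from the page, with wp-login.php added.
LEGITIMATE_POST_PREFIXES = ("/wp-admin/", "/wp-login.php")

# Constructed sample log (documentation IPs, invented paths) standing in for an
# extracted cPanel raw access log.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2015:21:32:41 +0100] "POST /wp-content/uploads/cache/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2015:21:32:45 +0100] "POST /wp-content/plugins/example/social-links.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
198.51.100.9 - - [25/Jan/2015:03:49:36 +0100] "POST /wp-content/uploads/cache/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Jan/2015:03:49:40 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.25 - - [25/Jan/2015:09:12:01 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.25 - - [25/Jan/2015:09:12:05 +0100] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(entry, malware_files=None):
    """A request is suspicious when it is a POST outside the normal admin endpoints.

    If malware_files (paths of files found during cleanup) is given, only POSTs to
    exactly those files count, which is the narrower search the page describes.
    """
    if entry["method"] != "POST":
        return False
    path = entry["path"].split("?", 1)[0]  # ignore any query string
    if malware_files is not None:
        return path in malware_files
    return not path.startswith(LEGITIMATE_POST_PREFIXES)


def find_attackers(log_text, malware_files=None):
    """Group suspicious POSTs by source IP: hit count, files touched and time window."""
    report = defaultdict(lambda: {"hits": 0, "paths": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_suspicious(entry, malware_files):
            continue
        rec = report[entry["ip"]]
        rec["hits"] += 1
        rec["paths"].add(entry["path"])
        rec["first"] = rec["first"] or entry["time"]
        rec["last"] = entry["time"]
    return dict(report)


def blocklist(report):
    """IPs to block and report to the hosting provider, most active first."""
    return sorted(report, key=lambda ip: (-report[ip]["hits"], ip))


if __name__ == "__main__":
    result = find_attackers(SAMPLE_LOG)
    for ip in blocklist(result):
        rec = result[ip]
        print(f"{ip}: {rec['hits']} suspicious POST(s) between {rec['first']} and {rec['last']}")
        for p in sorted(rec["paths"]):
            print(f"    {p}")
```

Run it against your own extracted logs by replacing `SAMPLE_LOG` with the file contents; passing `malware_files={"/path/to/found/backdoor.php"}` limits the report to the files identified during cleanup, which is the more precise search once you know the names. Note that a 404 status does not make a request harmless: in the log excerpt above the same hosts probed several removed backdoor paths, and that pattern is itself the signal.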

If you suspect that your website was infected with malware, Quttera experts are always happy to clean it for you and help to prevent it - Malware Monitoring & Cleanup Plans For Websites

For other questions, do not hesitate to contact Quttera help-desk.