Sick of Chinese spammers

DrukpaDrukpa Member
edited February 2013 in Help

I have like 50 wordpress sites set up on my VPS. I can't update all of them to the latest wordpress every week or so. Every other week, some files get uploaded to the websites, files which are used to send spam mails from my server. When I go try to find the apache access logs, all are overwritten because the file has been accessed thousands of times, and it only shows the IPs accessing the site, but the logs of how the file got uploaded get overwritten. My FTP credentials are secure, no unusual activities in the FTP logs.

How do you tackle spams like these? Am running a cpanel VPS, and have limited every account's email per hour limit to 20.

With the popularity of wordpress, am regretting using it in the first place. Should have made a custom cms which no one knows about.

Comments

  • Use wordpress MU for this so you just have one codebase to maintain?

    It sounds like you're talking about WP getting compromised vs. simple comment spam which is solved easily enough with recaptcha / requiring account login / using discuz or some 3rd party comment system.

    If you're using apache, adding mod_security and locking down apache with appropriate rules can greatly reduce WP exploits, but not eliminate the need to keep the codebase secure.

  • KuJoeKuJoe Member, Host Rep

    @Drukpa said: Every other week, some files get uploaded to the websites, files which are used to send spam mails from my server.

    Disable file uploads via PHP.

  • GunterGunter Member
    edited February 2013

    Not accusing you of anything, but are you using nulled scripts/themes or free themes? These themes occasionally have malicious iFrame code inserted within them.

    Also, please use these tools on your websites so I can better assist you to the extent of my ability.

    http://www.unmaskparasites.com
    http://sitecheck.sucuri.net/scanner/

    Also, if you have the chance to:
    http://wordpress.org/extend/plugins/exploit-scanner/

  • RobertClarkeRobertClarke Member, Host Rep

    If they're all Chinese IPs, then just set up your firewall to block any traffic coming from China.

  • ihatetonyyihatetonyy Member
    edited February 2013

    Try doing this:

    http://www.cyberciti.biz/faq/block-entier-country-using-iptables/

    It'll block Chinese IPs full stop.

    @unused said: Use wordpress MU for this so you just have one codebase to maintain ?

    Do this, too. Merging your sites into a WordPress Network or whatevertheshitthey'recallingit isn't too hard, but it will take some work.

    And check all your sites to see if you're using an older, vulnerable version of timthumb. This could be the way they're getting in.

  • For keeping up to date, you could install softaculous on the cPanel server and then wp will get updated automatically.

  • KrisKris Member
    edited February 2013

    I'd scan your server to make sure that there are no malware files.

    Linux Malware Detect - RFX Networks

    Also, Linux Socket Monitor will help you detect if any shells are opened on a port.

    Don't expect to stop with Captcha or Recaptcha. If you have a popular site, they'll use 3rd party captcha typers at pennies per captcha.

    Only plugins or custom script with text questions that you change maybe twice a week (before software learns it) will help.

    Ask questions pursuant and obvious to your website visitors / the theme - but only your website visitors would know off the top of their heads. Also the text input being a random input would be good.

    i.e: at a forum on the question we had a problem with, instead of the captcha answer input as 'captcha' or 'question' - obvious... we would generate it on the fly, like monkeypanda542.

    Example text questions:

    Poor: What's 2+3

    Good: What's the team mascot for this website's team? (harder to teach, will be looked over by most out of country)

  • Your server has been compromised. So you need to first delete all files and start from scratch. Unless and until you do that your site will continue to get hacked.

  • Thanks everyone for helping.

    Spam abuse am talking about is not comment spam. Comments are disabled on all sites. It's the files that hackers upload to some obscure directory and then access to send spam from my server.

    Most of the IPs come from China, but some are from Germany, UK, China, Italy, etc.

    And no, am not using any third party themes. All are custom coded with only 5 plugins at max (nextgen gallery, all-in-one-seo, wp-polls, nivo-slider-plugin).

    Mod_security is enabled, CSF firewall is installed, along with daily cron job of maldet and clamav scanning. Suphp with open_basedir (/tmp, /home/user). /tmp, /var/tmp is secured and mounted with noexec.

    Server had been compromised 5 months ago. All passwords and affected accounts had been reset and restored. I cannot erase all accounts and restore everything because I have around 200 accounts. Around 50 of them are wordpress. Others are static sites and joomla based. But it's only the wordpress sites that are getting continuously hacked.

    When I scan with clamav, the spamming scripts are detected, but by then, the scripts would have already sent a lot of mails. I delete the scripts and 3 days later they are back.

    I cannot disable php file uploads because I need wordpress to be able to upload files/images from its dashboard.

    Is there a way that can fire clamav whenever a script uploads a file? I know you can do this with FTP uploads but not sure for uploads done by php.

    Thanks.

  • @Drukpa said: around 200 accounts

    this

    @Drukpa said: 50 of them are wordpress.

    and this...

    @Drukpa said: upload files/images from its dashboard.

    and this...
    So I guess you are running around with those SEO hosting bull cr@p? If you start off with some dishonest activities (to try to cheat Google), then I guess you can blame other dishonest people to put spam on your website.

    Care to show us what sites you are running?

    @Drukpa said: All passwords and affected accounts had been reset and restored

    So you just changed the password? That is not enough because the files might have been compromised in the first place; export the contents and perform a clean reinstallation.

  • KuJoeKuJoe Member, Host Rep

    @Drukpa said: I cannot disable php file uploads because I need wordpress to be able to upload files/images from its dashboard.

    So your ability to upload files via a webpage instead of FTP is more critical than hackers accessing your server and sending spam?!?!?

    Step 1) Fix priorities.
    Step 2) Follow the suggestions in this thread.

    In the event you cannot perform Step 1, please close this thread.

  • @kujoe if OP is building a link-farm/using SEO hosting stuff then it is probably the only way for him to do automatic posting

  • KuJoeKuJoe Member, Host Rep

    I may be wrong, but I'm fairly certain images do not have any impact on SEO. He can still do automatic posting, he just can't upload images. And if doing automatic posting is more important than people having access to his server then his priorities are still wrong.

    There is no situation in the world where having hackers with total access to your server is ever an acceptable trade-off.

  • geekalotgeekalot Member
    edited February 2013

    It is a common problem for EVERYONE. There are even posts in various forums regarding human content spammers from China (i.e., instead of bots, there are actual humans being paid to write content SPAM).

    1) OS/Firewall: Do you need/service visitors to China? If not, block their subnets via your firewall. I recommend checking out Shorewall or FireHOL. Note that if you need IPv6 support, you need to choose wisely. As someone mentioned above, check out a post that shows how to automatically ban various countries. If possible, it is better still to block ALL IPs & ports and only whitelist IPs and the needed ports if you have users with static IPs or coming in via VPN or vLAN.

    2) OS/IDS: Install an IDS such as Fail2ban - will temporarily ban individual IPs. Make sure you block the IP, not just the port. Also, there are tricks to ban repeat offenders in Fail2ban for extended periods of time (i.e., months).

    3) Application: Install application specific SPAM blocking modules. For example, I use Drupal a lot and have no less than 3 separate modules installed to block content SPAM -- and they work ... very, very, well.

    4) Application: Use custom image captcha that has an image with controllable noise (but be careful, your users may also complain) -- Recaptcha can be circumvented. Do not auto-approve User Registration or comments (require Admin approval). Require email confirmation for new accounts. YES, I know that this will take a lot of time to manage, so do the steps above first to see if they mitigate the SPAM first.

    5) Application/Uploads: Use SFTP (note: more load on your server). Use the tightest file permission permitted by your application using chmod. Don't allow Anonymous users to do uploads. In some cases, it may be better to allow the application framework to control the permissions. (If only Registered users can upload, then you have a chance to stop idiots by using 1 - 4 above to stop them from registering in the first place.)

    I know that not all of the above will be practical to implement for everyone, but these steps have effectively stopped all spam on all my Drupal based sites for me ... and actually REDUCED the amount of admin work I have to do on each site so I can focus on more important stuff. YMMV

    Hope this helps.

  • @Drukpa

    Are your upload directories chmod'd like 777 or something? Make sure you don't allow any executing there.

    Also check your /tmp directory and if it has malicious stuff then you should follow the CSF guide for mounting tmp with noexec.

    Good luck.

  • zhuanyizhuanyi Member
    edited February 2013

    @KuJoe said: I'm fairly certain images do not have any impact on SEO

    I agree, but if he is, say, running some kind of automatic scraper/posting from LEB for example, the site would certainly look less interesting without the images... again, it would be hard to tell until OP is willing to show at least a few of his sites, and I honestly have doubts that any individual has the time/effort to maintain 50 blogs and 200 accounts with some meaningful content...

    @KuJoe said: There is no situation in the world where having hackers with total access to your server is ever an acceptable trade-off.

    That I completely agree :)

  • If you don't do outbound SMTP in that particular server, block outgoing port 25 with iptables.

  • @Drukpa And just a friendly suggestion, you might want to stop using FTP since all usernames and passwords are transmitted via clear text.

  • We had a client with the same issue, but they were running wp multisite. Exact same issue. He finally got it cleaned up, supposedly.

  • tommytommy Member
    edited February 2013

    Use a mass update script:
    http://blog.rimuhosting.com/2012/09/10/wordpress-mass-update-script-3-4-2/
    Just edit a few lines and you're ready to go (depending on your configuration/setup).

    (edit: already posted by Mitchell, sorry)
    Secure your /tmp; maybe they store malicious scripts there? And remember to check permissions; make sure you don't have 777 permissions on folders.

  • There is a file most likely in your root or one of your other folders. It will be oddly named. Delete that and change all your passwords again.

  • Turn PHP execution off for directories writable by Wordpress.
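One way to apply the two pieces of advice above (no PHP execution in WordPress-writable directories, no 777 upload folders), as an added example that is not from any poster in the thread. It assumes Apache with .htaccess overrides allowed, suPHP as described by the original poster, and a cPanel-style tree; the script name and the marker string are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. Assumed layout: <root>/<user>/public_html/.../wp-content/uploads

# Print every wp-content/uploads directory below the given root.
list_upload_dirs() {
    find "$1" -type d -path '*/wp-content/uploads' 2>/dev/null
}

# Print PHP-like files already present in upload directories. WordPress keeps
# media there, not code, so every hit needs a manual look before deletion.
find_dropped_php() {
    list_upload_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \)
    done
}

# Append a deny rule for PHP-like names to each uploads/.htaccess (once), then
# drop the world-writable bit. Under suPHP, PHP runs as the account owner, so
# WordPress can still save media without 777.
harden_upload_dirs() {
    list_upload_dirs "$1" | while IFS= read -r dir; do
        if ! grep -qs 'BEGIN no-php-in-uploads' "$dir/.htaccess"; then
            cat >> "$dir/.htaccess" <<'EOF'
# BEGIN no-php-in-uploads
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)(\.|$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
# END no-php-in-uploads
EOF
        fi
        find "$dir" -type d -perm -0002 -exec chmod o-w {} +
    done
}

# Usage: ./harden-uploads.sh audit|harden /home
case "${1:-}" in
    audit)  find_dropped_php "$2" ;;
    harden) harden_upload_dirs "$2" ;;
esac
```

Code already running as the account owner can rewrite a .htaccess inside its own directory; the same `FilesMatch` block placed in a `<Directory>` section of the server configuration is out of PHP's reach.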

  • I've had good luck with WordFence and I'm using the free version. YMMV

    Automatically scans once every 24 hours, and shows changes. Used it to clear up a couple WP issues.

    http://wordpress.org/extend/plugins/wordfence/

  • I think you should try to clean it up one by one: set up a new clean server, move the users one by one, start with the worst one, and make sure you have someone handle the new server properly.

    Scan your wp database; sometimes nasty code is inserted there.

    Try to get a wp security service like vaultpress (it's pricey), but it saved a few of my friend's wp sites after they got hacked.

  • Just going to put this out there, check your ftp server config and make sure anonymous_enable is set to no.

  • DrukpaDrukpa Member
    edited February 2013

    @zhuanyi said: So I guess you are running around with those SEO hosting bull cr@p? If you start off with some dishonest activities (to try to cheat Google), then I guess you can blame other dishonest people to put spam on your website.

    Please don't be too quick to come to a conclusion. I am a web designer and also provide hosting for my clients. Those wordpress sites are not the Mass SEO sites. Those are my clients' sites and not my own. Unfortunately I had taken the decision to use Wordpress as the CMS behind those sites. Along with the hosting/design, I also provide a yearly maintenance service, whereby I take care of their site. So, any stuff that happens with their site is my responsibility.

    And I need wordpress to be able to upload new posts/pages/content/images since some of my clients take care of the content themselves. They only have access to wordpress. Not FTP/Cpanel.

    Anonymous FTP has always been disabled.

    What I haven't done is make the 777 wordpress upload directories non-executable. Maybe I should do that.

    On windows, whenever I save a malicious file, my antivirus detects it realtime. Is there no such thing in Linux? That way, as soon as a file gets uploaded even by a PHP script, the antivirus might detect it and I could set it to quarantine it for later review.

    P.S: I cannot show you guys any of the sites, since it won't look nice to my clients. Am sure that's a reasonable answer.
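The on-write scanning asked about above can be built from inotify and ClamAV; this is an added example, not code from the thread. It assumes inotify-tools and ClamAV are installed; the quarantine path and the script name are placeholders.

```bash
#!/usr/bin/env bash
# Added example: scan a file as soon as any process (PHP included) finishes
# writing it. QUARANTINE and the script name are placeholder values.
QUARANTINE="${QUARANTINE:-/root/quarantine}"
SCANNER="${SCANNER:-clamscan}"   # clamdscan is far faster when clamd is running

# Scan one file and quarantine it on detection.
# clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
# Returns the same code so the caller can log or alert on it.
scan_new_file() {
    file=$1
    [ -f "$file" ] || return 0          # already gone, or not a regular file
    st=0
    "$SCANNER" --no-summary "$file" >/dev/null 2>&1 || st=$?
    case $st in
        0) return 0 ;;
        1) mkdir -p "$QUARANTINE"
           dest="$QUARANTINE/$(date +%s).$$.$(basename "$file")"
           mv -- "$file" "$dest" && chmod 000 "$dest"
           echo "quarantined $file -> $dest"
           return 1 ;;
        *) echo "scanner error ($st) on $file" >&2
           return 2 ;;
    esac
}

# Watch directories recursively. close_write fires when a writer closes the
# file; moved_to catches files renamed into the tree after upload.
watch_uploads() {
    inotifywait -m -r -q -e close_write -e moved_to --format '%w%f' "$@" |
    while IFS= read -r path; do
        scan_new_file "$path" || true
    done
}

# Run as: ./watch-uploads.sh watch /home/*/public_html/wp-content/uploads
if [ "${1:-}" = "watch" ]; then
    shift
    watch_uploads "$@"
fi
```

The scan starts after the write completes, so a dropped script can still be requested in the gap; this shortens the window left by a daily cron scan but does not replace blocking PHP execution in the upload directories. Recursive watches across many accounts may also need a higher `fs.inotify.max_user_watches`.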

  • @Drukpa said: I am a web designer and also provide hosting for my clients. Those wordpress sites are not the Mass SEO sites. Those are my clients' sites and not my own. Unfortunately I had taken the decision to use Wordpress as the CMS behind those sites. Along with the hosting/design, I also provide a yearly maintenance service, whereby I take care of their site. So, any stuff that happens with their site is my responsibility.

    I see, that makes sense, apologies for jumping to conclusions too quickly... In that case you should get your client to use something like a third party publishing tool and disable file uploading; I think that might work.

  • Wordpress is generally very secure. However, you are still getting viruses, are they uploading images that contain the virus? Who is uploading them, etc? Also what is the extension of the files being uploaded?

    You might try Cloudflare; with that you might be able to stop the threats beforehand. It will also block most postings of malicious code and you can block countries.

    Are there any sites that are yours that you can show us?
