
Topic: HELP, server got hacked

mvp13585
HELP, server got hacked
« on: 2015-07-04, 13:49:17 »
This morning my site went down.
This has happened several times over the last few days.
Restarting mysql usually fixes it.

I checked the logs and found that my httpd access log and error log have swollen to hundreds of MB:

Contents:

and many more of this type.
and brute force from inside my server:
It contains thousands of lines.

error log :

 2015] [error] [client 127.0.0.1] script '/home/kloxo/httpd/default/wp-login.php' not found or unable to stat
[Sat Jul 04 13:52:57 2015] [error] [client 127.0.0.1] script '/home/kloxo/httpd/default/wp-login.php' not found or unable to stat
[Sat Jul 04 13:52:58 2015] [error] [client 127.0.0.1] script '/home/kloxo/httpd/default/wp-login.php' not found or unable to stat
[Sat Jul 04 13:52:58 2015] [error] [client 127.0.0.1] script '/home/kloxo/httpd/default/wp-login.php' not found or unable to stat
[Sat Jul 04 13:52:58 2015] [error] [client 127.0.0.1] script '/home/kloxo/httpd/default/wp-login.php' not found or unable to stat
[Sat Jul 04 13:52:58 2015] [error] [client 127.0.0.1] script
It contains thousands of lines.

Has my server been hacked?

How do I find the script or PHP file that is making the POST requests to wp-login, which does not exist in that folder? This is making the sites run slowly.

Thanks in advance.

NB: I turned off the named service because I can still use Cloudflare.

MRatWork (Administrator)
Re: HELP, server got hacked
« Reply #1 on: 2015-07-04, 14:08:47 »
Your WordPress has been hacked, which usually happens through certain plugins.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

mvp13585
Re: HELP, server got hacked
« Reply #2 on: 2015-07-04, 15:50:43 »
Is it possible to find the file/script that is sending the POST requests in Kloxo??

MRatWork (Administrator)
Re: HELP, server got hacked
« Reply #3 on: 2015-07-04, 16:22:25 »
Try disabling/deactivating all plugins.

mvp13585
Re: HELP, server got hacked
« Reply #4 on: 2015-07-04, 17:22:58 »
Solved, no more activity is showing up in the logs.

I don't know what happened, but here is what I did (no idea whether it will come back or not):

As seen in the logs above, the POST requests were aimed at the file wp-login.php (it looks like a brute-force attempt), but what puzzles me is that there is no wp-login.php file in that directory, so the status is 404.

Earlier I stopped the named service, but the attack kept going and the logs kept growing.
Then I thought, why not just shut down httpd, in case it was coming over an HTTP connection.

And sure enough, after running service httpd stop, the attack stopped and the logs stopped growing too. I immediately changed all the site folders for troubleshooting, so all the sites were down.

I started httpd again while changing the site folders back one at a time and opening each site in a browser.
Strangely, even after I had changed all the sites back, the attack did not reappear.

I will wait until tomorrow to see whether the problem comes back.
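
A triage sketch for the question raised in this thread, added here as an example and not posted by either participant: it counts bursts of POST /wp-login.php and denied named cache queries whose client is a loopback address. The log lines are constructed, in Apache access-log and BIND named query-log format with placeholder hostnames; a loopback client means the request reached the daemon from the host itself, which can be a local process or a local reverse proxy in front of httpd.

```python
import re
from collections import Counter

# Constructed sample lines (not copied from the thread); hostnames are placeholders.
ACCESS = '''\
127.0.0.1 - - [04/Jul/2015:12:29:05 +0200] "POST /wp-login.php HTTP/1.0" 404 2088 "-" "-"
127.0.0.1 - - [04/Jul/2015:12:29:05 +0200] "POST /wp-login.php HTTP/1.0" 404 2088 "-" "-"
127.0.0.1 - - [04/Jul/2015:12:29:06 +0200] "POST /wp-login.php HTTP/1.0" 404 2088 "-" "-"
203.0.113.7 - - [04/Jul/2015:12:29:06 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''.splitlines()
NAMED = """\
04-Jul-2015 12:26:52.872 client 127.0.0.1#48911 (a.example): query (cache) 'a.example/A/IN' denied
04-Jul-2015 12:26:52.872 client 127.0.0.1#48911 (a.example): query (cache) 'a.example/AAAA/IN' denied
04-Jul-2015 12:26:52.897 client 127.0.0.1#49462 (b.example): query (cache) 'b.example/A/IN' denied
""".splitlines()

# client, timestamp (one-second resolution), method, path, status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# client address, queried name
NAMED_RE = re.compile(r"client ([0-9a-fA-F.:]+)#\d+ \(([^)]+)\): query \(cache\) '[^']+' denied")

def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"

def login_posts(lines):
    """Count POST requests to wp-login.php per (client, second, status)."""
    hits = Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).split("?")[0].endswith("/wp-login.php"):
            hits[(m.group(1), m.group(2), m.group(5))] += 1
    return hits

def denied_lookups(lines):
    """Map each client to the set of distinct names it was denied a lookup for."""
    names = {}
    for line in lines:
        m = NAMED_RE.search(line)
        if m:
            names.setdefault(m.group(1), set()).add(m.group(2))
    return names

def triage(access, named):
    """Summarise loopback-sourced login POSTs and denied lookups."""
    local = [n for (ip, _, _), n in login_posts(access).items() if is_loopback(ip)]
    domains = {ip: len(s) for ip, s in denied_lookups(named).items() if is_loopback(ip)}
    return {"local_login_posts": sum(local), "peak_per_second": max(local, default=0),
            "local_denied_domains": domains}

if __name__ == "__main__":
    print(triage(ACCESS, NAMED))
```

On a live server, pass the lines of the httpd access log and the named log in place of the constructed lists.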

 

