• Resolved genesseellc

    (@genesseellc)


    I am getting emails like this, about 3-9 a day. I can’t see these pages on my server and see no issues in the wp-config file. Any idea what is going on and how to stop it? Thanks in advance.

    Subject: Post Update
    Login Info:
    Time: June 25, 2016 10:44 am
    Website Info:
    Site: removed from this post
    IP Address: 175.212.15.68
    Notification:
    Post (private to published); identifier: 416; name: Empire TV Tycoon v1 torrent download
    ——-
    Subject: Post Update
    Login Info:
    Time: June 25, 2016 10:44 am
    Website Info:
    Site: removed from this post
    IP Address: 175.212.15.68
    Notification:
    Category created; identifier: 25; name: best,xgame
    ——-
    Subject: Post Update
    Login Info:
    Time: June 27, 2016 10:12 am
    Website Info:
    Site: removed from this post
    IP Address: 1.214.22.222
    Notification:
    Post (private to published); identifier: 422; name: Popstar: Never Stop Never Stopping 2016 Sliget Movie Download Torren

    https://wordpress.org/plugins/sucuri-scanner/

Viewing 4 replies - 1 through 4 (of 4 total)
  • It’s hard to tell, if your website deals with media content then these events might be harmless, if the website has nothing to do with movies, music, or anything media-related then best thing I can say (with the information provided) is that someone got access to one of the user accounts with privileges to create pages/posts.

    The first alert says that someone from “Republic of Korea — 175.212.15.68” created this post [1] on 25 June in the morning.

    The second alert was from the same location, and around the same time as the first event, but this was to create a new category [2].

    Two days later the same person (maybe?) from the same country but different IP address “Republic of Korea — 1.214.22.222” created another post [3].

    Apparently this person likes to work in the morning (or night if he/she is in fact in Korea); however, tracking an IP address is difficult if we assume that the malicious person used a proxy. Whatever the case, it is obvious that this person has access to one or more of the user accounts registered on your website, probably with admin privileges.

    The thing is, going to the user page list and deleting suspicious accounts as well as changing the passwords of legit users is not enough; the malicious person may have created a backdoor in the code to re-insert another account with admin privileges. Ask your hosting provider for assistance; they usually have a free plan to scan for malware in the code and will be able to catch common backdoors if they exist (note that I say common because there are sophisticated attacks that are not easily detected).

    As for how to stop this, my first recommendation is to Geo block the requests coming from the “Republic of Korea”, at least for now. Then restrict access to the admin dashboard to your own IP address and no more, so even if someone else has your credentials they will need to be connected to your own network in order to do something malicious there. Ultimately, if you can afford it, consider putting a firewall [4] in front of your website to protect you in the future from this and more sophisticated attacks.

    [1] http://example.com/?p=416
    [2] http://example.com/?cat=25
    [3] http://example.com/?p=422
    [4] https://www.google.com/search?q=web+application+firewall
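As an added worked example (not part of the thread and not Sucuri's code), the following Python script does the triage this reply describes over alert mails of the kind quoted above: it parses each notification, groups the events by source IP, flags post and category names that look like torrent/download spam so the owner knows which IDs to remove, and checks each source IP against an allowlist of the owner's own admin network to show that the "restrict the dashboard to your own IP" advice would have blocked every one of these requests. The alert text is the thread's, with the removed site name replaced by the placeholder example.com; the allowlist 203.0.113.0/24 and the spam word list are assumptions for the demonstration.

```python
"""Triage WordPress activity alerts like those quoted in this thread (added
example, not Sucuri's code): parse the mails, group events by source IP, flag
names that look like SEO spam, and check whether an admin-IP allowlist would
have blocked each source."""
import ipaddress
import re
from collections import defaultdict

# Alert text copied from the thread; the removed site name is replaced by the
# placeholder example.com.
SAMPLE_ALERTS = """\
Subject: Post Update
Login Info:
Time: June 25, 2016 10:44 am
Website Info:
Site: example.com
IP Address: 175.212.15.68
Notification:
Post (private to published); identifier: 416; name: Empire TV Tycoon v1 torrent download
-------
Subject: Post Update
Login Info:
Time: June 25, 2016 10:44 am
Website Info:
Site: example.com
IP Address: 175.212.15.68
Notification:
Category created; identifier: 25; name: best,xgame
-------
Subject: Post Update
Login Info:
Time: June 27, 2016 10:12 am
Website Info:
Site: example.com
IP Address: 1.214.22.222
Notification:
Post (private to published); identifier: 422; name: Popstar: Never Stop Never Stopping 2016 Sliget Movie Download Torren
"""

# Assumed placeholder for the site owner's own network (TEST-NET-3).
ADMIN_ALLOWLIST = ["203.0.113.0/24"]
# Assumed terms typical of the torrent/download spam seen in the thread.
SPAM_WORDS = ("torrent", "download", "crack", "keygen", "serial")
NOTIFICATION_RE = re.compile(
    r"^(?P<event>[^;]+); identifier: (?P<id>\d+); name: (?P<name>.*)$"
)

def parse_alerts(text):
    """Return one dict per alert block; blocks are split on the dashed line."""
    events = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.MULTILINE):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        fields = {}
        for i, line in enumerate(lines):
            if line == "Notification:" and i + 1 < len(lines):
                fields["notification"] = lines[i + 1]  # event is on next line
            elif line.startswith("IP Address: "):
                fields["ip"] = line[len("IP Address: "):]
            elif line.startswith("Time: "):
                fields["time"] = line[len("Time: "):]
        match = NOTIFICATION_RE.match(fields.get("notification", ""))
        if not match or "ip" not in fields:
            continue  # not an activity alert in the expected shape
        events.append({"ip": fields["ip"], "time": fields.get("time", ""),
                       "event": match.group("event").strip(),
                       "id": int(match.group("id")),
                       "name": match.group("name").strip()})
    return events

def looks_like_spam(name):
    """True if a post or category name contains a known spam term."""
    lowered = name.lower()
    return any(word in lowered for word in SPAM_WORDS)

def outside_allowlist(ip, allowed_cidrs):
    """True if ip lies in none of the allowed networks (would be blocked)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(c, strict=False)
                   for c in allowed_cidrs)

def triage(text, allowed_cidrs):
    """Per source IP: event count, spam post IDs, created category IDs, and
    whether an admin allowlist would have blocked that source."""
    by_ip = defaultdict(list)
    for event in parse_alerts(text):
        by_ip[event["ip"]].append(event)
    return {ip: {
        "events": len(evs),
        "spam_post_ids": sorted(e["id"] for e in evs
                                if e["event"].startswith("Post")
                                and looks_like_spam(e["name"])),
        "category_ids": sorted(e["id"] for e in evs
                               if e["event"].startswith("Category")),
        "blocked_by_allowlist": outside_allowlist(ip, allowed_cidrs),
    } for ip, evs in by_ip.items()}

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_ALERTS, ADMIN_ALLOWLIST).items():
        print(ip, info)
```

Run it as-is to see the summary for the two Korean addresses; in practice you would paste the real alert mails into SAMPLE_ALERTS (or read them from a mailbox export) and put your own address in ADMIN_ALLOWLIST. The "spam_post_ids" and "category_ids" lists are the items to unpublish or delete, and a source that is not "blocked_by_allowlist" would be a sign the attacker is inside your own network.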

    Thread Starter genesseellc

    (@genesseellc)

    Thanks – the site definitely is not media content.

    I used the Sucuri malware scan and it didn’t find anything.

    It continues to happen, 3 emails a day with similar things.

    I like the idea of geo blocking – how can I do that in WP and/or in Sucuri?

    Thanks again.

    You need to have “mod_geoip” installed on that server; once you verify that you have that module enabled you can simply add something like this in your main access control file to block any country from accessing your website (more info at [1]):

    # These lines block China, Korea, and Russia. mod_geoip sets
    # GEOIP_COUNTRY_CODE per request; SetEnvIf marks matching requests and
    # "Deny from env=" (Apache 2.2 mod_access syntax) rejects them. On
    # Apache 2.4 without mod_access_compat the equivalent is
    # "Require not env BlockCountry" inside a <RequireAll> block.
    SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE KR BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
    Deny from env=BlockCountry


    If you don’t have this module available, ask your hosting provider to see if they can install it or if they have an alternative. If they won’t install it nor offer an alternative, you will have to block the IP ranges manually [2], but be aware that this method is not 100% reliable because the ranges can change at any moment, leaving holes that malicious people can use to continue the attacks.

    Most web application firewalls [3] offer Geo blocking tools.

    [1] http://www.linux-faqs.info/apache/block-or-redirect-using-mod-geoip
    [2] https://www.countryipblocks.net/country_selection.php
    [3] https://sucuri.net/website-firewall/

    Best to separate your web cloud from torrent clouds. You could use https://transfercloud.io to download torrents to your other personal cloud storage.


The topic ‘Torrent files on my site?’ is closed to new replies.