good plugin but…

  • petralian

    (@petralian)


    8 years, 8 months ago

    I install this plugin and weeks later one of the sites I manage gets hacked and random text is entered on pages… Nothing else.

    1. The Sucuri plugin (and all others) stayed untouched, not been deactivated, not been deleted, what an ethical hacker…
    2. The IP of the login was not hidden, it came from Wenzhou China (yeah right…).
    3. The hack was logged and recorded… the hacker didn’t even bother to delete his traces, with the exact pages that were affected. For someone who brute force attacked the server for weeks in a row (and still trying as I type this review)… this hack is just insanely fake.
    4. Only admin got hacked, nobody else… and admin is not even called admin. How could the hacker know the exact username of admin?
    5. This site is part of a whole WordPress network with about 10 well visited sites in it, the hacker could and SHOULD have added his spam to the whole network if he really was in there to put spam.

    Here is the list of every IP address that is trying to attack… do you get a similar list? Please let me know if you do.

    174.139.72.116
    46.119.118.81
    209.59.162.151
    104.171.10.70
    95.110.252.149
    217.160.165.34
    185.93.187.49
    46.118.157.228
    107.20.84.103
    209.200.232.55
    85.114.132.64
    103.8.29.48
    207.167.196.33
    91.200.12.49
    91.200.12.86
    188.143.234.66
    104.243.129.210
    217.160.166.180
    195.154.236.232
    120.37.207.18
    27.153.209.190
    140.237.6.24
    222.77.227.157
    110.89.10.113
    121.205.239.23
    27.150.246.201
    117.26.193.70
    27.153.218.1
    125.78.199.226
    222.77.215.55
    120.37.207.133
    121.205.214.169
    120.43.11.119
    120.37.210.68
    110.85.115.138
    120.37.236.49
    120.43.5.254
    142.54.184.181
    222.77.207.209
    94.153.10.239
    178.136.197.158
    222.77.224.29
    109.104.115.125
    195.154.251.120
    195.154.241.166
    220.173.112.190
    195.154.237.149
    54.246.111.190
    104.197.50.205
    134.249.55.157
    46.164.233.111
    195.154.250.216
    195.154.241.35
    183.89.17.219
    83.139.191.225
    83.147.116.133
    116.102.1.50
    113.190.227.213
    188.161.108.173
    182.52.115.245
    46.98.165.124
    209.67.159.209
    52.8.66.242
    46.119.122.15
    46.164.241.15
    210.124.118.212
    113.109.87.72
    67.227.189.97
    198.57.180.55
    83.139.151.126
    173.208.177.59
    79.118.152.34
    185.87.121.69
    82.220.34.47
    195.210.46.114

Viewing 12 replies - 1 through 12 (of 12 total)
  • barnez

    (@pidengmor)

    8 years, 8 months ago

    I install this plugin and weeks later my site gets hacked… just very coincidently some random text is entered on pages… exactly what the premium version of Sucuri would fix for me. Nothing else happened

    Pretty strong accusation, but I think you are making a flawed leap here between your attack and the security plugin as:

    a) all plugin code is audited before inclusion here in the WordPress repository
    b) the plugin code is open-source and so anyone, including you, can examine it
    c) Sucuri is a well established and respected security company which is hardly likely to risk its reputation to try and collect a few more paying customers
    d) hackers have a range of motivations, and not all choose to hide their tracks/deactivate plugins/deface/spam/attack all sites on the network
    e) there are multiple routes for a hacker to locate your admin name and password (username enumeration, compromised server, insecure credentials’ storage on a local machine, weak username/password combinations, insecure use of FTP, use of third party plugins, etc.etc.)

    I would advise you to consider the points raised in (e) and look into the hardening of your installation.

    Thread Starter petralian

    (@petralian)

    8 years, 8 months ago

    Not an accusation… more a finding instead because it really is just that. Thanks for your advice! I will look into it.

    barnez

    (@pidengmor)

    8 years, 8 months ago

    Accusation of an accusation retracted πŸ™‚

    The hardening WordPress guidance is excellent, and if you’re into .htaccess you can also consider the 5G blacklist, which plays well with most wordpress security plugins.

    Good luck!

    Thread Starter petralian

    (@petralian)

    8 years, 8 months ago

    Thanks Barnez! I will check that one out too. πŸ™‚

    iNetPlanet

    (@inetplanet)

    8 years, 8 months ago

    I am not using the aforementioned plug-in but have had hackers hit my sites from some of the same IP addresses you listed. I have recently started keeping a blacklist of my own (http://www.removepcvirus.com/blacklist.html) to help spread the word.

    One pattern I have noticed is that hackers will try to gain access to WordPress sites using whatever usernames appear on posts on the target website. Using a screen name (nickname) for posts, which is different from the user login name, is advisable.

    ianatkins

    (@ianatkins)

    8 years, 7 months ago

    The plugin is one piece of a security system, consider adding Sucuri’s firewall or Cloudflare / equivalent.

    Install Jetpack and enable the Login protection. The username could of been accessed from the RSS / meta tags, and then the password brute forced (where script guess hundreds of passwords). Enable ‘Brute force’ notifications in Sucuri’s alert settings to get email when this happens, be warned the frequency can be alarming if your site is under attack.

    Delete any plugins / themes you aren’t using, the less code the better.

    Hope that helps!

    stbedesantafe

    (@stbedesantafe)

    7 years, 12 months ago

    Today, I discovered Google finds my site malicious, Firefox calls it an “attack site”, and there is malware somewhere. I have Sucuri Security plugin – did a scan from the dashboard – no malware found.

    However, if I go to Sucuri’s SiteCheck (https://sitecheck.sucuri.net//) and put in my site I get:

    Status: Infected With Malware. Immediate Action is Required.
    Web Trust: Blacklisted (10 Blacklists Checked): Indicates that a major security company (such as Google, McAfee, Norton, etc) is blocking access to your website for security reasons. Please see our recommendation below to fix this issue and restore your traffic.

    What is up with that?

    Needless to say, I’ve open a ticket with the Sucuri support desk.

    Foliovision: Making the web work for you

    (@foliovision)

    7 years, 12 months ago

    Do you have the paid version of Sucuri? You pay about (old pricing about $200 year for four or five sites – ah the first one was $99 and others are $20/year after that). In that case Sucuri does a deep scan and usually finds the problem pretty quickly.

    Afterwards, you’ll want to get a plugin which blocks logins. Shield Firewall does that for free. Sucuri logs hacking attempts but doesn’t block it as they’d like to sell you an expensive firewall service instead.

    Once malware is anywhere in your site, everything is suspect. If you don’t want to pay for professional cleaning, if you’re prepared to delete your full site, your theme and your plugins to reinstall from scratch as well as change the passwords for all admins and run the your database through an import export procedure, you can do the clean up yourself. Don’t forget to change the hosting account and even server level passwords to which you have access.

    The worst part is that you have to do this all at the same time as the malicious code could be anywhere, with several backup access points if you cut one entrance out.

    Have fun!

    iNetPlanet

    (@inetplanet)

    7 years, 12 months ago

    It’s possible for any anti-malware software to miss something. Review all the plugin options and settings to be sure that your system is appropriately configured.

    See these resources:
    google.com/webmasters/hacked
    codex.wordpress.org/FAQ_My_site_was_hacked
    [Moderated]
    http://www.stopbadware.org

    If you don’t feel comfortable with the technical level of the articles above, you might consider getting some outside technical assistance.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    7 years, 12 months ago

    @inetplanet, Thanks for all of your support on the forums. I just have to ask you not to link to your site for resources. The Codex documentation is very thorough and if it’s missing some important information then feel free to add it – it’s a community resource that you can log in to.

    Elza

    (@elza)

    7 years, 11 months ago

    I had the same idea. I traced some ip’s I saw and they were just coming from websites.

    Foliovision: Making the web work for you

    (@foliovision)

    7 years, 11 months ago

    We’ve removed Sucuri from all our sites as lately it’s just become salesware and installed Shield (Simple Firewall) as Shield has protection built into the free version.

    We still have a legacy Sucuri account for malware cleanup. The service (not sure if they still sell it) is useful.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘good plugin but…’ is closed to new replies.