WordPress Timely App Getting Hammered

  • Yesterday I was unable to access my server. Had the hosting company restart Apache and was able to get in. Apache status reported 99% of the slots filled by IPs from around the world executing calendar commands. Before the hacker was able to fill the slots, I disabled the app. That took care of things. Later in the day I enabled the app and today the same thing just happened again. The host doubled the slots, but I knew that wasn’t the solution, as it appears that this hacker has more IPs than Carter has Liver Pills.

    Since my site is event oriented, the Timely app is a critical component. I am running security apps, but they don’t seem able to detect the hacking. When I am able to get back in and once again disable the plug-in, what else can I do?

    Help please

    • This topic was modified 3 weeks, 5 days ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic


  • Sample Apache lines:
    /calendar/action~oneday/exact_date~1569477600/tag_ids~1028,
    2-0 22666 0/16/471 W 0.37 134 0 5985389 0.0 0.12 23.64 182.34.27.234 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~543,156/request_format~html
    3-0 19150 0/53/610 W 0.32 740 0 4468532 0.0 2.61 28.88 117.31.184.165 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~1169,1400/request_format~ht
    4-0 22674 0/4/562 W 0.02 606 0 4516388 0.0 0.09 29.32 183.166.229.133 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~35/tag_ids~668,155,574/requ
    5-0 24612 0/6/606 W 0.02 570 0 4327162 0.0 0.10 30.43 222.220.153.241 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~80/tag_ids~780,1427,79/requ
    6-0 21411 0/18/507 W 0.11 132 0 6051656 0.0 1.47 33.14 209.188.21.14 http/1.1 roadsidenewmexico.com:80 POST /wp-cron.php?doing_wp_cron=1573412443.45667409896850585937
    7-0 21533 0/19/515 W 0.08 137 0 6033518 0.0 0.77 32.26 117.40.103.164 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~80/tag_ids~780,523,603/requ
    8-0 18002 0/129/642 W 0.54 761 0 3886465 0.0 1.76 25.57 119.85.15.251 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/cat_ids~35/tag_ids~489,1265,1068/re
    9-0 21412 0/76/620 W 0.49 131 0 4943816 0.0 2.94 35.29 116.21.12.22 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~oneday/exact_date~1569477600/tag_ids~917,3
    10-0 22675 0/6/544 W 0.03 616 0 4028239 0.0 0.30 27.50 27.221.154.255 http/1.1 roadsidenewmexico.com:80 GET /calendar/action~agenda/tag_ids~217,990,740/request_format~

    I should mention that when trying to fix that I found a suggestion to add some text to the robots.txt file specifically to avoid Google’s bots doing this. I did that also to try and stop this.
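A small defender-side check written for this thread, not code from the original post or from the Timely plugin: it parses rows in the mod_status worker-table layout pasted above and reports how much of the busy worker pool is taken up by /calendar/ requests and from how many distinct client IPs, which is the "many IPs, one path" pattern that distinguishes a distributed flood from a single noisy client. The sample rows, IPs and hostname are constructed, not the thread's real values.

```python
from collections import Counter

# Constructed sample rows in the column layout of Apache mod_status's extended
# worker table (Srv PID Acc M CPU SS Req Dur Conn Child Slot Client Protocol
# VHost Request). IPs and hostname are documentation addresses, not the
# thread's real values.
SAMPLE_STATUS = """\
2-0 22666 0/16/471 W 0.37 134 0 5985389 0.0 0.12 23.64 198.51.100.12 http/1.1 example.com:80 GET /calendar/action~agenda/tag_ids~543,156/request_format~html
3-0 19150 0/53/610 W 0.32 740 0 4468532 0.0 2.61 28.88 203.0.113.7 http/1.1 example.com:80 GET /calendar/action~agenda/tag_ids~1169,1400/request_format~ht
4-0 22674 0/4/562 W 0.02 606 0 4516388 0.0 0.09 29.32 198.51.100.40 http/1.1 example.com:80 GET /calendar/action~agenda/cat_ids~35/tag_ids~668,155,574/requ
5-0 24612 0/6/606 W 0.02 570 0 4327162 0.0 0.10 30.43 203.0.113.99 http/1.1 example.com:80 GET /calendar/action~oneday/exact_date~1569477600/tag_ids~917,3
6-0 21411 0/18/507 W 0.11 132 0 6051656 0.0 1.47 33.14 192.0.2.5 http/1.1 example.com:80 POST /wp-cron.php?doing_wp_cron=1573412443.4566
7-0 21533 0/19/515 _ 0.08 137 0 6033518 0.0 0.77 32.26 192.0.2.8 http/1.1 example.com:80 GET /about/
"""

def parse_status(text):
    """Return one dict per worker row; rows without a method and path are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 16:
            continue  # idle or truncated row with no request
        rows.append({"mode": parts[3], "client": parts[11],
                     "method": parts[14], "path": parts[15]})
    return rows

def calendar_flood_report(text, path_prefix="/calendar/",
                          share_threshold=0.5, min_ips=3):
    """Count workers in mode 'W' (sending reply) that are serving path_prefix.
    A high share spread over many distinct client IPs is the pattern the
    thread describes: a distributed flood rather than one client to block."""
    busy = [r for r in parse_status(text) if r["mode"] == "W"]
    hits = [r for r in busy if r["path"].startswith(path_prefix)]
    ips = Counter(r["client"] for r in hits)
    share = len(hits) / len(busy) if busy else 0.0
    return {
        "busy_workers": len(busy),
        "calendar_workers": len(hits),
        "calendar_share": round(share, 2),
        "distinct_ips": len(ips),
        "flood_suspected": share >= share_threshold and len(ips) >= min_ips,
    }

if __name__ == "__main__":
    print(calendar_flood_report(SAMPLE_STATUS))
```

On a live server the same function can be fed the text of the extended server-status page; a report with a high calendar share and many distinct IPs is the cue to rate-limit or challenge that path at the proxy rather than to block individual addresses.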

    Moderator t-p

    (@t-p)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Offhand, a couple of names that come to mind are Sucuri and Wordfence.

    I have both Sucuri and Wordfence installed and neither batted an eye at this intrusion. Thanks for the guide, will see what I can do.

    Moderator t-p

    (@t-p)

    Though the Sucuri online scan shows your site blacklisted.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to Fixing WordPress, this is not an Everything else WordPress topic.

    I don’t know where you are seeing that Sucuri report and if Sucuri thinks I have a problem, why didn’t it give me a notification or warning? When I go into the Sucuri plugin, it says “Site clean” and “not blacklisted”. Why would it report to the “world” that there was an issue, but not say something to me, even in the app itself?

    If someone chooses to run a bot that issues a command on one of your domains, that in and of itself doesn’t reflect on the server. The fact is that I have now discovered a second WP install using Timely, and it too is being attacked, just at a lower frequency.

    How is it that they happened to pick Timely? Presumed problem with the plug-in?

    Moderator t-p

    (@t-p)

    As I posted before, carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Just a suggestion, but that sort of sounds like a DDoS attack, so you might want to put your site on Cloudflare, which might help isolate your server from the world itself (even though that botnet already knows your IP).

    There’s also a button on Cloudflare for reporting to them if you are under attack. I’ve never needed it but I imagine they’ll give reported sites extra attention or something.

    You might want to double check with Timely also, but my guess is they just chose to attack servers running Timely as they may have had success crashing those before, to where they could then insert their bit of bot code. It’s probably not Timely itself being vulnerable.

    Your host should be somewhat interested in this problem also as they don’t want a malicious bot running on their system.

    Do also work through the malware and hardening articles TP suggested. I’m a little worried the ‘bot’ is already in there.

    Pay a good bit of attention to Wordfence also, and if you need it you might ask your host to move you to a different IP address if they get through after Cloudflare!

    Cloudflare will give you their better DNS service (one of the top DNS services out there) also and that proxy will hide your server and give you SSL.

    Neither I nor Sucuri can see your Wordfence. Did you actually enable and set that up?
