Forum Replies Created

Viewing 15 replies - 1 through 15 (of 17 total)
  • There is also an infected file index.php that keeps being re-infected no matter whether I rename or delete the file/parent folders.

    I had this issue, as there was a script running that reached out once the file was changed or removed. I watched traffic and, when I cleaned it, where the traffic was coming from as the file reverted.

    I can't remember whether it was that when someone viewed the site it called the script to check for the corruption and, if it had been cleaned, re-download the bad file.

    Once I removed the connectivity to that country's IP range, I had time to learn and harden my WP installation.

    Not that it helps after the fact, but I long ago had an issue and had to restore.

    I got a bad login attempt notice from Wordfence recently.

    Top 10 Failed Logins = wordcamp

    Added to my .htaccess:

    <Files wp-login.php>
    Order Deny,Allow
    Deny from All

    Allow From (ip ranges I use)

    </Files>
    <Files wp-admin$>
    Order Deny,Allow
    Deny from All

    Allow From (ip ranges I use)

    </Files>
    <FilesMatch "^php5?\.(ini|cgi)$">
    Order Deny,Allow
    Deny from All

    allow from (ip ranges I use)
    ending this with
    Allow from env=REDIRECT_STATUS=200

    Finally I added in the file:

    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all

    added a specific IP

    To complement this, in (I believe) Wordfence I added a rule: a username that does not exist being used locks the IP for a set period.

    If I messed up I can go into cPanel and fix the lockout, or wait the period, or deactivate Wordfence, unlock and activate again.

    Automated attacks, once they are IP banned, tend to move on down the line.

    I was also getting attacked at one point from a small country, so I blacklisted the entire country and monitored traffic.

    The hardest thing, especially with posting/comment areas, is sanitizing your database.

    If something happens with a bad update I can roll back with backups.

    I have Wordfence and other security plugins on automatic update, as I want them instantly applied. As long as you have a backup or a host-side backup to restore from, then it is better to apply with the ability to roll back than be exploited.

    Forum: Fixing WordPress
    In reply to: Hacked website?

    Also remember the machine you are using to fix the site may also have been compromised.

    I recommend running a full AV scan, and I also use both Malwarebytes and SUPERAntiSpyware as on-demand scanners.

    Forum: Fixing WordPress
    In reply to: Hacked website?

    I am not at all an expert, but you may start by securing PHP, and I removed the comment form on my site.

    I started by setting .htaccess to specific IP ranges. If I have to edit it because I am away, I can always go into cPanel and edit the file remotely.

    Code I used in my .htaccess:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    Also added:

    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from ##.##.##
    Allow from ##.##.##
    Allow from ##.##.##
    Allow from ##.##.##
    Deny from ##.##.##
    </Files>

    Used the same IP list for:

    <Files wp-admin$>
    Order Deny,Allow
    Deny from All

    (again the same IP list)

    </Files>
    <FilesMatch "^php5?\.(ini|cgi)$">
    Order Deny,Allow
    Deny from All

    (ended above with)
    Allow from env=REDIRECT_STATUS=200

    Last was:

    </FilesMatch>
    Options -Indexes
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    </Files>

    With my new host the first section broke the site due to updates; it worked with my old host.

    Wordfence has helped a lot, but it's not the cure-all.
    If you have not added this to your .htaccess or restricted it, it will most likely continue. I believe the code was tossed at the contact form and pulled via PHP commands.

    If you have done this, that's about it for me. If not, do so and clean the site again.

    Forum: Fixing WordPress
    In reply to: Got hacked

    Tried the prevention vs. PHP injection I posted and it locked my site.

    Undid it and I am back in, so that code failed and caused an error 500 🙂

    Forum: Fixing WordPress
    In reply to: Got hacked

    I have no idea if the server the application is running on has a web browser installed, but if it does (and that is beyond my knowledge), all that would need to be done is a single install of the browser homepage as the virus site and it opening and closing the browser on a built-in trigger/time/cookie.

    Again, block .tk and clear the code. See what happens.

    Forum: Fixing WordPress
    In reply to: Got hacked

    From other reports on this issue, it spawns a web page call that opens to the infected site.

    Forum: Fixing WordPress
    In reply to: Got hacked

    I assume the code's target has changed.

    Did you check if the prior code is still the same code as before?
    The delay tells me it was trying but was hitting the wall you put up by blocking the sites and IPs.

    If the code has not changed and it got replaced, something is still reaching out.
    FTP or RDP maybe, after a set time.

    Check the code and see if it changed.

    I learn every time I dig.
    roi 777.com seems to kick to kuhjgtfreda(dot)tk

    Block ht tp:/ /front steps(dot)tk
    I would install IP2Location or similar and block the .tk country.

    You can try adding this in .htaccess where you had the IP strings:

    Order Deny,Allow
    Deny from .tk

    You may just have to buy Wordfence Premium, use the country blocking and then maybe hire them to clean the site.

    I am learning as I go with this, and a few other places have had the same issue as you.

    Forum: Fixing WordPress
    In reply to: Got hacked

    "this means that they are not really logging in to insert the code?"

    From what I can see, no.

    A code is hidden on your box somewhere and is being called at specific times.
    It seems to look at the index and, if the timestamp changed, it calls out and pulls the changes from another machine.

    In effect they are not breaking in; your machine is calling out to grant them access again.

    Since it is so common, several times per 24 hours, I would clear and log all external IP calls.

    Wordfence is not telling you the admin has been accessed or the index is changed because when the machine pulls the info no login happened, and it disables WF before changing the index so you don't get an alert.

    Forum: Fixing WordPress
    In reply to: Got hacked

    Looking at a page that had the code on it prior, it is now a fake Windows virus/Windows Defender scam page.

    Since it's calling w ww.evange lizabrasil.com (2 manual breaks added by me)

    I would also specifically block that. Not that I am sure that's an issue, but it seems that the $z8c7dd922ad47 is calling the index on that site, and as the front landing page is hacked, blocking it is a good idea anyway.

    I am not an expert; maybe someone else will pop in with more help.

    Forum: Fixing WordPress
    In reply to: Got hacked

    Calling out of the IP for king-servers.com.

    162.244 range, but with multiple servers I would start by blacklisting the whole range.

    If it still gets replaced, or you want to do more work first,
    this shows 12 IP ranges those US-based servers use.

    https://awebanalysis.com/en/ipv4-as-name-directory/http%3A-slash–slash-king-servers.com/

    Forum: Fixing WordPress
    In reply to: Got hacked

    May want to put a block on the server calling

    ht tp: //roi777.com

    Forum: Fixing WordPress
    In reply to: Got hacked

    This will not help if they are crossing from a trust with the host server, but if it's an outside attack and they are getting in and changing files, this may block the access to those files they need to change to modify your site.

    I had a few issues where they got into my site and changed the front page; they changed user names and access.

    I did all the same of changing passwords and credentials, but they were back in within 15 days (with Wordfence on), and yes, when they hacked in they turned the plugins off.

    This, though a pain to have to update IPs whenever I travel somewhere, has secured my site for now (last 8 months).

    Forum: Fixing WordPress
    In reply to: Got hacked

    If you can, lock off the changes by the IP ranges you use.

    Set the public index .htaccess to allow only by IP range.
    Also block PHP as well by IP range.

    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from ##.###.##.###
    Allow from ##.##.##
    Allow from ##.##.##
    Allow from ##.##.##
    Deny from ##.##.##
    </Files>

    <Files wp-admin$>
    Order Deny,Allow
    Deny from All

    Same IP list above

    <FilesMatch "^php5?\.(ini|cgi)$">
    Order Deny,Allow
    Deny from All

    Same again, ending the IP list with:
    Allow from env=REDIRECT_STATUS=200

    Toss this in too:

    </FilesMatch>
    Options -Indexes
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    </Files>

    Just out of curiosity I looked at what it was calling.

    otpuwblr = Forex
    oyulpkp = database of money transfers

    You can always put "otpuwblr" in Google (quotes needed) and see if an exact match pops up.

    (!function_exists('otpuwblr'))

    Also sending out data..

    mailto:fepdof in the code; fepdof pops up a lot in hacked WP sites.
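The two checks the replies describe, "check the code and see if it changed" and searching the files for the odd names found in the injected code (otpuwblr, oyulpkp, fepdof, $z8c7dd922ad47, roi777.com, .tk hosts), written out as an added Python example that is not part of this thread: it records a SHA-256 baseline of a WordPress tree, reports files that changed or appeared since, and scans PHP files for those indicators. The directory tree and the "infected" file contents are constructed inline for the demonstration (the stub is harmless, not real malware), and the eval(base64_decode()) pattern is a generic addition of mine, not something quoted in the thread.

```python
"""Integrity baseline plus indicator scan for a WordPress tree.

Added example, not code from the forum thread. The indicator strings come
from what the replies quote; the sample files are constructed here.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Strings the replies quote from the injected code, plus one generic
# eval(base64_decode()) pattern added as an assumption.
INDICATORS = [
    r"function_exists\(\s*['\"]otpuwblr['\"]\s*\)",
    r"\boyulpkp\b",
    r"fepdof",
    r"\$z8c7dd922ad47",
    r"roi777\.com",
    r"evangelizabrasil\.com",
    r"https?://[a-z0-9.-]+\.tk\b",
    r"eval\s*\(\s*base64_decode\s*\(",
]
INDICATOR_RE = re.compile("|".join(f"(?:{p})" for p in INDICATORS), re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> sha256 for every .php file and .htaccess under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.suffix == ".php" or p.name == ".htaccess"):
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def scan_indicators(root: Path) -> dict:
    """Map relative path -> sorted indicator matches, for PHP files with hits only."""
    hits = {}
    for p in sorted(root.rglob("*.php")):
        text = p.read_text(errors="replace")
        found = sorted({m.group(0) for m in INDICATOR_RE.finditer(text)})
        if found:
            hits[p.relative_to(root).as_posix()] = found
    return hits


# Constructed sample contents. The "infected" index mimics only the one line
# the thread quotes; it is a harmless stub, not real malware.
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
INFECTED_INDEX = (
    "<?php\nif (!function_exists('otpuwblr')) { /* constructed stub */ }\n"
    + CLEAN_INDEX[len("<?php\n"):]
)


def demo() -> dict:
    """Build a tiny tree, take a baseline, simulate a re-infection, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(CLEAN_INDEX)
        (root / "wp-login.php").write_text("<?php // placeholder login page\n")
        baseline = build_baseline(root)

        # Simulate what the thread describes: index.php rewritten and a dropper
        # appearing under uploads, with no admin login involved.
        (root / "index.php").write_text(INFECTED_INDEX)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (uploads / "x.php").write_text("<?php $addr = 'mailto:fepdof'; // constructed\n")

        return {"diff": diff_baseline(root, baseline), "hits": scan_indicators(root)}


if __name__ == "__main__":
    report = demo()
    for key, paths in report["diff"].items():
        print(f"{key}: {paths}")
    for path, found in report["hits"].items():
        print(f"{path}: {found}")
```

On a real site the baseline would be taken right after restoring from a known-clean backup and stored outside the web root (a JSON dump of build_baseline() is enough); re-running diff_baseline() from cron then shows exactly which files the callback rewrote and when, which is the evidence the replies say Wordfence was not producing because no login ever happened.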
