Wednesday, November 21, 2012

IPs attacking websites

So i have being undersiege for the last 2 days from thes ips that i have indentified using the server logs and thehoneypot project to be bad so here is a small deny list fr your htaccess to block them , im working on to find the rest :)


deny from 184.107.80.56
deny from 184.107.82.97
deny from 31.184.242.102
deny from 193.104.153.63
deny from 69.28.58.9
deny from 220.181.*.*
deny from 157.55.*.*
deny from 216.40.222.66
deny from 208.66.195.4
deny from 208.65.60.145
deny from 208.53.147.136
deny from 75.125.47.162
deny from 74.86.209.74
deny from 75.125.18.178
deny from 188.50.17.139


 Update

Also
deny from 157.56.*.*
:)


When its over i will post a big list of ips and networks that i had to block.

Posted by at 1 comment:

Saturday, September 1, 2012

LoL cat wars . There can be only one

LoL cat wars . There can be only one
Posted by at 1 comment:

What apocalypse survival kit should contain, The top 10 survival kit tools

What apocalypse survival kit should contain, The top 10 survival kit tools
Posted by at No comments:

Sexiest fictional characters

Sexiest fictional characters
Posted by at No comments:

Monday, August 13, 2012

How to pull out awesome internet ad campaign

How to pull out awesome internet ad campaign

Awesome repost from my other blog it came pretty handy
Posted by at No comments:

Wednesday, February 15, 2012

contains content from 31.184.242.102, a site known to distribute malware. Your computer might catch a virus if you visit this site. wordpress Malware entry: MW:JS:69693 [FIXED]

Recently all our wordpress sites have being injected with js code in wp-content and wp-includes , to fix the issue you have to download all js files in these directories and search for the code in the end of the js files its a variable with hex like code

var _0x80d0=["\x64\x67\x6C\x6C\x68\x67\x75\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x6C\x6F\x63\x61\x74\x69\x6F...................


replace it and you are done , also change these old passwords just in case ;)






P.S This is temporary and doesn't clean the infection , after a while it gets infected again


working on it






P.S Update 
so far another infected file most probably to be part of the problem is wp-config edited with around 1500 empty lines with added REQUEST [3ioi23hri34ri34jrf34jibf] whatever and with 444 permissions , make sure you erase the code after wp-settings.php; that you haven't edited yourself and fix the permissions 




Also just downloaded and scaned localy one of my websites the infected js files are in these dirs.
  • wp-admin/js
  • plugins 
  • themes
  • wp-includes/js



Update

Couple of hours after fixing the wp-config file and all js files so far the websites remain clean although Google safe browsing still shows the red screen  http://sucuri.net/  check shows that finally all of our websites are clean and save.

Hopefully it will stay that way. Apparently this fix works :

first fixing wp-config -> permissions and additional code after wp-settings.
second removing the 
(variable name could  be different ) var _0x80d0=
"\x64\x67\x6C\x6C\x68\x67\x75\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x6C\x6F\x63\x61\x74\x69\x6F................... 
in my case around 200 to 300 files per website have being modified. 
!for every website the code in the js files was with different variable name.
Posted by at 3 comments:
Subscribe to: Posts (Atom)

Търсене