<div dir="ltr">I had a similar problem: my WordPress sites were sending out spam, likewise an intrusion through plugins.<div><br></div><div>I solved it by migrating WP to heroku thanks to <a href="https://github.com/mhoofman/wordpress-heroku">https://github.com/mhoofman/wordpress-heroku</a> ... you get a small instance for free and it is entirely sufficient for normal traffic, and there a similar problem more or less cannot happen, because the filesystem is read-only too and you set up file uploads to go through AWS S3. On top of that, after every push it is as if it were a fresh installation; only the database persists.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-03-30 1:20 GMT+01:00 Tomáš Filčák <span dir="ltr">&lt;<a href="mailto:filcak.t@gmail.com" target="_blank">filcak.t@gmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">So I finally managed to get to the root of the attack. It is an intrusion through the Revslider module on several WordPress installations… This hack has been known for quite a while; it's just a pity that I found out about it this way.<div><br></div><div>The problem, however, is how to approach the situation with respect to the clients, who of course do not pay for maintenance and module updates. The compromise of their sites cost me no small effort, and at the same time it brought down essentially all the sites that run under my web server. It occurs to me to create a separate sandbox for each such hosting, so that a compromised site would not affect the operation of the others. At the same time the client would be forced to ask for help, and I could invoice the work of finding the bug. As things stand it is a demanding task, and I don't know how to handle it, nor whether I should ask anything of the client at all, given that the outage was caused by his site.</div><div><br></div><div>How would you approach this problem? Thanks for any suggestions and recommendations <br><div><div><div class="h5"> <br><div><blockquote type="cite"><div>On 29. Mar 2015, at 17:39, Pavel Snajdr &lt;<a href="mailto:snajpa@snajpa.net" target="_blank">snajpa@snajpa.net</a>&gt; wrote:</div><br><div>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA256<br><br>On 03/29/2015 05:22 PM, Petr Parolek wrote:<br><blockquote type="cite">Hi,<br><br>I'd also be interested in how one can efficiently allow only Czech IP addresses.<br><br></blockquote><br>No way; there is no up-to-date list. The GeoIP DB is outdated. You can't read everything out of BGP. Btw, I hope nobody gets the idea of stuffing it into iptables rule by rule, because that slows down the traversal of every packet.<br><br>/snajpa<br><br><blockquote type="cite"><br>Petr Parolek<br><br>On 29 March 2015 at 17:18 Ondřej Beránek &lt;<a href="mailto:rainbof@gmail.com" target="_blank">rainbof@gmail.com</a>&gt; wrote:<br><br>About those Czech IPs, how do you achieve that? GeoIP, or do you have some list of ranges?<br><br>Ondřej Beránek<br><br>Original message<br>From: Jiří V.<br>Sent: Sunday, 29 March 2015 17:14<br>To: vpsFree.cz Community list<br>Reply to: vpsFree.cz Community list<br>Subject: Re: [vpsFree.cz: community-list] brutoforce attack<br><br>Hi, if there is some mobile code on there, you'll find out most easily with netstat -a. Then, if you haven't already, set up iptables for both input and output and allow only what you really need. Also look at the creation dates of files. Personally I protect against brute force by allowing connections only from Czech IPs for the duration of the attack.<br><br>regards, Jiří V.<br><br>Vaclav Dusek &lt;<a href="mailto:Vaclav.Dusek@cz-pro.cz" target="_blank">Vaclav.Dusek@cz-pro.cz</a>&gt; wrote:<br><br><blockquote type="cite">apachetop - <a href="http://www.buben.piranhacz.cz/monitorovani-systemu-pomoci-apachetop/" target="_blank">http://www.buben.piranhacz.cz/monitorovani-systemu-pomoci-apachetop/</a><br><br>On 29.3.2015 at 14:42 Tomáš Filčák wrote:<br><blockquote type="cite">Yep, I'm going through all the logs one by one. FTP hadn't occurred to me; I'll check that too, whether some script was uploaded there.<br><br>Could you perhaps advise me how I could find out which site is loading the server the most? That could point me towards the problem, and since I have more than enough sites, going through them one by one is too laborious...<br><br><blockquote type="cite">On 29. Mar 2015, at 10:44, Peter Bubelíny &lt;<a href="mailto:neri@neridev.com" target="_blank">neri@neridev.com</a>&gt; wrote:<br><br>Hi,<br><br>if the theme and plugins allow it, and will keep working correctly, then create an .htaccess in wp-content and wp-includes with the contents:<br><br>&lt;FilesMatch "\.(php)$"&gt;<br>deny from all<br>allow from localhost<br>&lt;/FilesMatch&gt;<br><br>I don't know whether it helps directly in that case, but it prevents .php from being executed from anywhere other than localhost.<br><br>As the colleague wrote, check the logs, processes... and if you use FTP, don't forget to check whether there was some unwanted upload; it's also good to check which files were most recently modified or created, in case, for example, the site was sending spam or some other process was running that is overloading the VPS.<br><br>pb.<br><br><br>On 03/29/2015 06:35 AM, Vaclav Dusek wrote:<br><blockquote type="cite">Update WP and the themes. Delete unused plugins and templates. Don't use plugins and templates from dubious sources.<br><br>***<br><br>Update the OS and PHP<br><br>***<br><br>for deb - apt-get update; aptitude full-upgrade; for cent and co. - yum update<br><br>***<br><br>From the logs, find out which URLs are getting suspiciously high interest and look for the bug there, or are some unwanted processes already running?<br><br>***<br><br>scan the WWW data with <a href="https://www.rfxn.com/projects/linux-malware-detect/" target="_blank">https://www.rfxn.com/projects/linux-malware-detect/</a><br><br>***<br><br>On 28.3.2015 at 21:06 Tomáš Filčák wrote:<br><blockquote type="cite">Hi all, for the last 2 days I've been dealing with a problem on my VPS, probably a brute-force attack, and I need some advice. As the web server I have nginx installed. I noticed that over at least the last 2 days my sites had started loading strangely slowly, so I set about analysing the logs, from which I found that it's probably a brute-force attack on the WordPress sites I host. Since I'm not a professional in server administration, this was the first time I'd encountered it, and I immediately took steps against it. So I installed fail2ban and configured it to work with nginx. From the logs I can see that several IP addresses were banned, but the problem persists and my web server responds to requests terribly slowly. The VPS's memory is sometimes loaded above 3GB, currently 1GB. Please advise. What further steps should I take for defence or for analysing the damage? Thank you<br></blockquote>_______________________________________________<br>Community-list mailing list<br><a href="mailto:Community-list@lists.vpsfree.cz" target="_blank">Community-list@lists.vpsfree.cz</a><br><a href="http://lists.vpsfree.cz/listinfo/community-list" target="_blank">http://lists.vpsfree.cz/listinfo/community-list</a><br></blockquote></blockquote></blockquote></blockquote></blockquote><br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v2<br><br>iF4EAREIAAYFAlUYHKcACgkQgRwOVqYrsFW64wEAk46AgWy7uuFULL+bcj+5PiX9<br>c5mIdsaUaO3JBTXs+WcBAKUwGStMaBQFSDQuhurJCea8wkWIQLGsl4aliU2mgbli<br>=H1Vq<br>-----END PGP SIGNATURE-----<br></div></blockquote></div><br></div></div><span class=""><div>
<div>Best regards,</div><div>Ing. Tomáš Filčák</div><div><a href="tel:%2B421%20904%20076%20786" value="+421904076786" target="_blank">+421 904 076 786</a></div>
</div>
<br></span></div></div></div>
<br></blockquote></div><br></div>
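<div>Added example (my own code, not from the thread or anyone in it): the two log questions raised above, which hosted site and which URLs draw suspiciously high request volume, and which client IPs are hammering wp-login.php and xmlrpc.php (the pattern fail2ban bans), done over nginx access-log lines in Python. It assumes an nginx log_format that prepends $host to the standard "combined" format (something you set in nginx.conf; the thread does not show it) and the sample log lines are constructed.</div>

```python
"""Triage nginx access-log lines for the questions raised in the thread:
which hosted site and which URLs draw the most requests, and which client
IPs are hammering the WordPress login/XML-RPC endpoints. Added example,
not code from the thread. Assumes (not shown in the thread) an nginx
log_format that prepends $host to the standard "combined" format."""
import re
from collections import Counter

# Assumed nginx.conf log format this parser expects (hypothetical name "vhost"):
#   log_format vhost '$host $remote_addr - $remote_user [$time_local] '
#                    '"$request" $status $body_bytes_sent '
#                    '"$http_referer" "$http_user_agent"';
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Endpoints credential-guessing tools POST to; a real user rarely does so
# more than a handful of times per hour.
BRUTE_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log: RFC 5737 documentation addresses, made-up hosts.
SAMPLE_LOG = """\
a.example.org 203.0.113.7 - - [29/Mar/2015:14:40:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
a.example.org 203.0.113.7 - - [29/Mar/2015:14:40:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
a.example.org 203.0.113.7 - - [29/Mar/2015:14:40:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
a.example.org 203.0.113.7 - - [29/Mar/2015:14:40:02 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
b.example.org 198.51.100.9 - - [29/Mar/2015:14:40:03 +0200] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
b.example.org 198.51.100.9 - - [29/Mar/2015:14:40:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
c.example.org 192.0.2.44 - - [29/Mar/2015:14:40:07 +0200] "GET /wp-content/uploads/x.php?c=ls HTTP/1.1" 200 88 "-" "curl/7.38"
garbage line that does not parse
"""


def parse(log_text):
    """Yield one dict per line that matches LINE_RE; silently skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
            yield rec


def requests_per_host(log_text):
    """Requests per hosted site: answers 'which site is loading the server most'."""
    return Counter(r["host"] for r in parse(log_text))


def top_paths(log_text, n=5):
    """(host, path) pairs with the most requests: the URLs with 'suspiciously high interest'."""
    return Counter((r["host"], r["path"]) for r in parse(log_text)).most_common(n)


def brute_force_ips(log_text, threshold=3):
    """Client IPs with at least `threshold` POSTs to the login/XML-RPC endpoints,
    i.e. the addresses a fail2ban jail for WordPress would ban."""
    hits = Counter(
        r["ip"] for r in parse(log_text)
        if r["method"] == "POST" and r["path"] in BRUTE_PATHS
    )
    return {ip: n for ip, n in hits.items() if n >= threshold}


def php_in_uploads(log_text):
    """Requests that executed a .php file under wp-content/uploads. A healthy
    WordPress serves only media from there, so this points at an uploaded script."""
    return sorted({
        (r["host"], r["path"]) for r in parse(log_text)
        if r["path"].startswith("/wp-content/uploads/") and r["path"].endswith(".php")
    })


if __name__ == "__main__":
    print("requests per host:", requests_per_host(SAMPLE_LOG).most_common())
    print("top paths:", top_paths(SAMPLE_LOG))
    print("brute-force sources:", brute_force_ips(SAMPLE_LOG))
    print("php under uploads:", php_in_uploads(SAMPLE_LOG))
```

<div>Usage: read the real access log into a string (or adapt parse() to iterate a file object) and call the four functions. The per-host counter answers the "which site" question without logging into each WordPress; php_in_uploads is the log-side counterpart of checking FTP for an uploaded script.</div>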
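<div>Added example (my own code, not from the thread): the "look at which files were most recently modified or created" and "check whether some script was uploaded" checks recommended above, as a Python walk over a WordPress document root. It lists files changed within the last N days and any .php file under wp-content/uploads or wp-content/cache, directories that should hold only media and cache data. The sample tree is constructed in a temporary directory; its paths and the plugin name are placeholders.</div>

```python
"""Filesystem triage for a WordPress docroot: recently modified files and
PHP files where only media should live. Added example, not code from the
thread; the sample tree below is constructed and its names are placeholders."""
import os
import tempfile
import time

# Directories (relative to the docroot) that should never contain executable PHP.
UPLOAD_DIRS = ("wp-content/uploads/", "wp-content/cache/")


def scan(root, days=2, now=None):
    """Return (recent, php_in_uploads): docroot-relative paths of files modified
    within `days` days, and .php files under UPLOAD_DIRS. `now` is injectable
    so the check is reproducible; it defaults to the current time."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    recent, php_in_uploads = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.getmtime(full) >= cutoff:
                recent.append(rel)
            if name.endswith(".php") and rel.startswith(UPLOAD_DIRS):
                php_in_uploads.append(rel)
    return sorted(recent), sorted(php_in_uploads)


def build_sample_tree(now=None):
    """Constructed fixture: an old core file, a plugin file touched an hour ago,
    an old image, and a PHP file dropped into uploads ten minutes ago."""
    now = time.time() if now is None else now
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-includes/functions.php": now - 60 * 86400,
        "wp-content/plugins/example-plugin/plugin.php": now - 3600,
        "wp-content/uploads/2015/03/image.jpg": now - 30 * 86400,
        "wp-content/uploads/2015/03/x.php": now - 600,
    }
    for rel, mtime in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder content\n")
        os.utime(path, (mtime, mtime))  # backdate atime/mtime to the fixture's story
    return root


if __name__ == "__main__":
    docroot = build_sample_tree()
    recent, shells = scan(docroot, days=2)
    print("modified in the last 2 days:", recent)
    print("php under upload dirs:", shells)
```

<div>Run it against a real site with scan("/var/www/example", days=2). The first list is what find DOCROOT -type f -mtime -2 would print; the second is the quick test for a web shell that an FTP upload or a vulnerable plugin left behind. Treat mtimes as a hint only: an attacker can reset them, so compare against a package or backup checksum where one exists.</div>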