
Website Hacked by Bots?


8 replies to this topic

#1 King Creole


Posted 29 July 2015 - 04:57 AM

I was checking my web traffic stats last night with StatCounter, and noticed some strange pageloads from various IP addresses in Beijing, China. These pageloads were not published by me, nor can I find them if I try to load them in a browser. Yet, they're being loaded by a bot. 

 

The info button states: "Bot/Crawler -- This visit was generated by the activity of a web crawler on your site."

 

... and the specific websites, dating back to July 1st, are below. My account doesn't provide earlier records, but I do remember having seen Beijing visits for a very long time (maybe a year or more). It was only yesterday that I noticed the strange pageloads. 

 

mattelmore.org/regions-secured-loan/

mattelmore.org/faxless-payday-loans-direct-lenders-no-teletrack/

mattelmore.org/tenant-credit-check-free/

mattelmore.org/cash-advance-wichita-kansas/

mattelmore.org/loans-home/

mattelmore.org/instant-cash-loans-no-credit-check-no-brokers/

mattelmore.org/short-term-personal-loans-perth/

 

As I said, I can't load the pages myself, nor does my webpage come up when I search for the strange names (i.e., "cash-advance-wichita-kansas" + [any keywords from my site]). However, thousands of websites with the exact phrase do appear in the results without any of my site's keywords.

 

So, does this mean that my site has somehow been hacked? How is it possible to load pages that, theoretically, don't exist on my website? Could this explain why some of my emails get relegated to spam folders?

Thanks in advance!  




#2 PresComm


Posted 29 July 2015 - 07:07 AM

First things first, without going into further analysis, the WordPress version on your site is terribly, terribly outdated. This needs to be addressed immediately, as WordPress is one of the most vulnerable and abused platforms on the Internet. When you perform this update, make sure you update your WordPress plug-ins as well, as they can be exploited just as easily. Also, make sure your WordPress admin password is secure and not reused anywhere else.

I crawled your site with WebSphinx, and I am not seeing those pages myself. However, when I performed a query on Google with site operators (the query I used was "site:mattelmore.org faxless-payday-loans-direct-lenders-no-teletrack"), I was able to locate and browse to http:[]//mattelmore[.]org/gurantee-online-instant-repsone-loans/. That is just one of many results that I was able to find (you can see my search results here: https://www.google.com/?gws_rd=ssl#q=site:mattelmore.org+faxless-payday-loans-direct-lenders-no-teletrack). Use caution when visiting those links; no guarantees someone isn't doing something nefarious on your site aside from just spam and SEO garbage.

So, to answer your question, yes, it looks as though someone has compromised your site. I'd first change your password, then update your WordPress platform, then go about removing anything that was added to your site as a result of the compromise. You may need to look into professional services for this, or maybe another helpful member here could offer more insight. I will offer what more I can, of course.

Edited by PresComm, 29 July 2015 - 07:17 AM.
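Added example (not part of the original posts): one way a site owner could check server access logs for the pattern described in this thread, URLs that were never published yet are answered with HTTP 200 for crawlers while a browser cannot load them. The log lines, the `PUBLISHED` set and the crawler user-agent pattern are constructed assumptions; the two spam paths are the ones listed in post #1.

```python
import re
from collections import defaultdict

# Constructed sample: combined-format access log lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2015:22:10:01 +0000] "GET /cash-advance-wichita-kansas/ HTTP/1.1" 200 18342 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.4 - - [28/Jul/2015:22:15:40 +0000] "GET /cash-advance-wichita-kansas/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/39.0"
203.0.113.9 - - [28/Jul/2015:22:20:13 +0000] "GET /loans-home/ HTTP/1.1" 200 17990 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.4 - - [28/Jul/2015:22:21:02 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/39.0"
203.0.113.7 - - [28/Jul/2015:22:25:44 +0000] "GET /no-such-page/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
"""
# Assumption: every URL path the owner actually published (e.g. from the sitemap).
PUBLISHED = {"/", "/about/", "/contact/"}

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
BOT_RE = re.compile(r"bot|crawl|spider|slurp", re.I)   # self-declared crawlers only
ASSET_RE = re.compile(r"\.\w{1,5}$")                   # skip images, CSS, JS, ...

def find_phantom_pages(log_text, published):
    """Map each unpublished path that was served with HTTP 200 at least once
    to the status codes seen by crawlers and by ordinary browsers."""
    seen = defaultdict(lambda: {"bot": set(), "browser": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # not combined log format
        path = m["path"].split("?", 1)[0]
        if path in published or ASSET_RE.search(path):
            continue
        client = "bot" if BOT_RE.search(m["ua"]) else "browser"
        seen[path][client].add(int(m["status"]))
    return {p: s for p, s in seen.items() if 200 in s["bot"] | s["browser"]}

def is_cloaked(statuses):
    """True when crawlers received 200 but no browser request ever did."""
    return (200 in statuses["bot"] and bool(statuses["browser"])
            and 200 not in statuses["browser"])

if __name__ == "__main__":
    for path, statuses in sorted(find_phantom_pages(SAMPLE_LOG, PUBLISHED).items()):
        note = "served to crawlers only" if is_cloaked(statuses) else "review"
        print(path, statuses, note)
```

A flagged path need not exist as a file on disk or as a post in the dashboard; the log only records that the server answered the request, so `PUBLISHED` should list every legitimate route before the output is trusted.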


#3 PresComm


Posted 29 July 2015 - 07:40 AM

Also, just to help you out a bit, I am currently running a Nikto scan against your website, and it is generating quite a decent list of vulnerabilities. If you'd like, I can send you the report so you can review it yourself and begin to close these holes.

#4 King Creole


Posted 29 July 2015 - 08:02 AM

Wow! Thank you so much, PresComm. I really appreciate this. And, yes, please send me the report. Do you need my email address? 

 

I've been thinking for a year about hiring somebody to re-do my website, so now I guess it's really time. Problem is, I'm not sure how to find a trustworthy person who can handle both the tech side as well as the aesthetics (time-honored dilemma, I think). If you could recommend a good service, that would also be much appreciated. ... I've been doing it myself for 10 years, with a lot of helpful advice, but have to recognize my limitations and put it in qualified hands.  

 

I'll change my password right now. About updating the platform, if I can do that with a simple click, perfect. If it's very involved, I'll probably just get a pro to re-do my site asap. 

 

Thanks again! 



#5 PresComm


Posted 29 July 2015 - 08:20 AM

The report is still being generated, but I will provide it via PM here on BleepingComputer once it is finished running.

#6 King Creole


Posted 29 July 2015 - 08:29 AM

Followup:

 

I don't see any of those pages on my WP dashboard. And I can't find them in any of the directories through the control panel of my web host (Dot5Hosting). 

 

Updating WP will involve backing up everything and possibly having to set up the site again if it crashes. I think I'd rather keep the site functioning and just get expert help asap. Again, any recommendations would be appreciated for a qualified, trustworthy service who can handle the tech, security and aesthetics equally. 



#7 King Creole


Posted 29 July 2015 - 08:30 AM

"The report is still being generated, but I will provide it via PM here on BleepingComputer once it is finished running."

Okay! 



#8 PresComm


Posted 29 July 2015 - 08:52 AM

I have just sent you a PM with the direct output from Nikto. If it does not make sense to you directly, I would seek out a reputable firm that can address those security concerns, along with your current dilemma. You are definitely going to want a holistic approach to bringing your website up-to-speed and to a clean state. I, personally, do not have any firms to recommend, but I am sure there are some other members here that would be able to help in that area.

#9 King Creole


Posted 29 July 2015 - 09:04 AM

You have helped me out plenty, and it's very much appreciated! 

 

Hoping to get some good recommendations from other members. 





