Здравствуйте!
С того момента, как поменял хостинг, постоянно взламывают сайт. Сначала грешили на безопасность доступа к админке и т.д. После первого случая поменяли пароли (сделали такого вида <:pLg*0*GsHD), но через неделю история опять повторилась.
Антивирус на хостинге находит следующую запись о вирусе:
Залез в логи *.access.log, увидел много чего странного, но и...:
Лог *.error.log:
С того момента, как поменял хостинг, постоянно взламывают сайт. Сначала грешили на безопасность доступа к админке и т.д. После первого случая поменяли пароли (сделали такого вида <:pLg*0*GsHD), но через неделю история опять повторилась.
Антивирус на хостинге находит следующую запись о вирусе:
Код |
---|
romashka.com/wp-includes/js/tinymce/plugins/wordpress/functions.php: PHP.Trojan.Spambot FOUND |
Залез в логи *.access.log, увидел много чего странного, но и...:
access.log |
---|
86.212.160.147 - - [20/Feb/2013:15:13:39 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 89.78.198.75 - - [20/Feb/2013:15:13:41 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 77.179.107.208 - - [20/Feb/2013:15:13:59 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 121.54.54.50 - - [20/Feb/2013:15:14:11 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 79.33.71.234 - - [20/Feb/2013:15:14:43 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 201.235.209.135 - - [20/Feb/2013:15:14:45 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 37.140.141.5 - - [20/Feb/2013:15:15:00 +0200] "GET /?page_id=2 HTTP/1.1" 200 6059 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)" 95.56.20.139 - - [20/Feb/2013:15:15:24 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 79.43.109.235 - - [20/Feb/2013:15:15:32 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 178.131.103.195 - - [20/Feb/2013:15:15:58 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 213.41.147.133 - - [20/Feb/2013:15:16:09 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 79.52.218.4 - - [20/Feb/2013:15:17:07 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 86.160.72.227 - - [20/Feb/2013:15:17:33 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 2.124.29.171 - - [20/Feb/2013:15:17:34 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 116.49.239.24 - - [20/Feb/2013:15:17:56 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 14.140.40.14 - - [20/Feb/2013:15:18:16 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 109.218.57.26 - - [20/Feb/2013:15:18:16 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 109.65.175.39 - - [20/Feb/2013:15:18:38 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 
540 "-" "Mozilla/5.0" 46.100.129.14 - - [20/Feb/2013:15:18:39 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 189.156.219.126 - - [20/Feb/2013:15:18:48 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 82.107.80.67 - - [20/Feb/2013:15:19:34 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 113.203.203.231 - - [20/Feb/2013:15:19:39 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 89.143.244.30 - - [20/Feb/2013:15:19:41 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 178.154.224.114 - - [20/Feb/2013:15:19:50 +0200] "GET / HTTP/1.1" 200 4770 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0 (compatible; YandexMetrika/2.1; +http://yandex.com/bots) 42" 92.47.45.248 - - [20/Feb/2013:15:21:59 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 91.82.137.135 - - [20/Feb/2013:15:22:04 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 99.123.8.229 - - [20/Feb/2013:15:22:19 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 189.57.47.22 - - [20/Feb/2013:15:23:01 +0200] "POST /wp-admin/seo2T1.php HTTP/1.0" 404 540 "-" "Mozilla/5.0" 93.41.51.55 - - [20/Feb/2013:15:23:10 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 41.107.77.169 - - [20/Feb/2013:15:23:29 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 112.198.77.64 - - [20/Feb/2013:15:24:53 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 82.49.133.209 - - [20/Feb/2013:15:25:19 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 24.135.209.222 - - [20/Feb/2013:15:25:23 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 113.203.203.231 - - [20/Feb/2013:15:25:53 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 95.23.186.184 - - [20/Feb/2013:15:26:10 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" 
"Mozilla/5.0" 82.168.171.112 - - [20/Feb/2013:15:26:20 +0200] "GET / HTTP/1.1" 200 16596 "-" "Java/1.4.1_04" 213.180.206.197 - - [20/Feb/2013:15:26:21 +0200] "GET / HTTP/1.1" 200 16558 "-" "Mozilla/5.0 (compatible; YandexMetrika/2.0; +http://yandex.com/bots)" 82.168.171.112 - - [20/Feb/2013:15:26:24 +0200] "GET /captcha.php?PHPSESSID= HTTP/1.1" 200 5581 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:24 +0200] "GET /xmlrpc.php HTTP/1.1" 200 338 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:26 +0200] "GET /?feed=comments-rss2 HTTP/1.1" 200 5756 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:26 +0200] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 200 1353 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:27 +0200] "GET /wp-content/plugins/wp-jquery-lightbox/jquery.lightbox.min.js?ver=1.4 HTTP/1.1" 200 10285 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:27 +0200] "GET /wp-content/plugins/wp-jquery-lightbox/jquery.touchwipe.min.js?ver=1.4 HTTP/1.1" 200 1883 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:28 +0200] "GET /wp-includes/js/jquery/jquery.js?ver=1.8.3 HTTP/1.1" 200 93992 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:29 +0200] "GET /wp-content/plugins/wp-jquery-lightbox/).html( HTTP/1.1" 404 566 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:29 +0200] "GET /wp-content/plugins/wp-jquery-lightbox/).html()){G=F.next( HTTP/1.1" 404 578 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:29 +0200] "GET /wp-content/plugins/wp-jquery-lightbox/).html()){var K=F.parent().next( HTTP/1.1" 404 572 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:29 +0200] "GET /wp-content/plugins/wp-jquery-lightbox/).html();L=F.next( HTTP/1.1" 404 577 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:29 +0200] "GET /wp-content/plugins/wp-jquery-lightbox/).html(F).show()}if(u.slidehowSpeed){a( HTTP/1.1" 404 598 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:30 +0200] "GET 
/wp-content/plugins/wp-jquery-lightbox/);G=K.html();L=K.text()}else{if(F.next( HTTP/1.1" 404 598 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:30 +0200] "GET /wp-includes/js/jquery/&&!yt.test(e)&&(v.support.htmlSerialize||!wt.test(e))&&(v.support.leadingWhitespace||!pt.test(e))&&!Nt[(vt.exec(e)||[ HTTP/1.1" 404 692 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:30 +0200] "GET /wp-includes/js/jquery/));Nt.optgroup=Nt.option,Nt.tbody=Nt.tfoot=Nt.colgroup=Nt.caption=Nt.thead,Nt.th=Nt.td,v.support.htmlSerialize||(Nt._default=[1, HTTP/1.1" 404 671 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:30 +0200] "GET /wp-includes/js/jquery/,data:n,complete:function(e,t){r&&u.each(r,o||[e.responseText,t,e] ;) }}).done(function(e){o=arguments,u.html(i?v( HTTP/1.1" 404 659 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:31 +0200] "GET /wp-includes/js/jquery/,e):this:v.isFunction(e)?this.each(function(t){var n=v(this),r=n.html();n.replaceWith(e.call(this,t,r))}) :( typeof e!= HTTP/1.1" 404 567 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:31 +0200] "GET //mc.yandex.ru/watch/17487118 HTTP/1.1" 404 548 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:31 +0200] "GET /wp-content/themes/dokument4you/js/html5.js HTTP/1.1" 200 2331 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:31 +0200] "GET /wp-includes/js/jquery/?(t.parentNode&&(t.outerHTML=e.outerHTML),v.support.html5Clone&&e.innerHTML&&!v.trim(t.innerHTML)&&(t.innerHTML=e.innerHTML)):n=== HTTP/1.1" 200 4456 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:31 +0200] "GET /wp-includes/js HTTP/1.1" 301 629 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:31 +0200] "GET /wp-includes/js/ HTTP/1.1" 200 12599 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:32 +0200] "GET /wp-includes HTTP/1.1" 301 623 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:32 +0200] "GET /wp-includes/ HTTP/1.1" 200 25513 "-" "Java/1.4.1_04" 
82.168.171.112 - - [20/Feb/2013:15:26:33 +0200] "GET /wp-includes/admin-bar.php HTTP/1.1" 200 467 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:33 +0200] "GET /wp-includes/atomlib.php HTTP/1.1" 200 249 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:33 +0200] "GET /wp-includes/author-template.php HTTP/1.1" 200 474 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:33 +0200] "GET /wp-includes/bookmark-template.php HTTP/1.1" 200 249 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:33 +0200] "GET /wp-includes/bookmark.php HTTP/1.1" 200 249 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:33 +0200] "GET /wp-includes/cache.php HTTP/1.1" 200 249 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:33 +0200] "GET /wp-includes/canonical.php HTTP/1.1" 200 468 "-" "Java/1.4.1_04" 82.168.171.112 - - [20/Feb/2013:15:26:33 +0200] "GET /wp-includes/capabilities.php HTTP/1.1" 200 249 "-" "Java/1.4.1_04" 190.83.171.175 - - [20/Feb/2013:15:26:34 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 118.243.176.126 - - [20/Feb/2013:15:27:31 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 180.191.195.195 - - [20/Feb/2013:15:27:56 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 77.126.181.212 - - [20/Feb/2013:15:28:06 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 122.168.201.29 - - [20/Feb/2013:15:28:57 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 213.144.203.26 - - [20/Feb/2013:15:29:24 +0200] "POST /wp-admin/seo2T1.php HTTP/1.0" 404 540 "-" "Mozilla/5.0" 41.108.23.11 - - [20/Feb/2013:15:29:33 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 213.180.206.205 - - [20/Feb/2013:15:30:04 +0200] "GET / HTTP/1.1" 200 4770 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0 (compatible; YandexMetrika/2.1; +http://yandex.com/bots) 42" 83.103.108.252 - - [20/Feb/2013:15:31:17 +0200] 
"POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 41.215.178.11 - - [20/Feb/2013:15:31:32 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 156.17.123.132 - - [20/Feb/2013:15:31:51 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 92.74.34.66 - - [20/Feb/2013:15:32:20 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 79.12.84.73 - - [20/Feb/2013:15:32:32 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 82.123.74.27 - - [20/Feb/2013:15:32:35 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 89.77.205.239 - - [20/Feb/2013:15:34:01 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 46.28.70.169 - - [20/Feb/2013:15:34:19 +0200] "GET /wp-content/uploads/2012/10/spravka-vizov.jpg HTTP/1.0" 200 357778 "-" "-" 84.97.250.188 - - [20/Feb/2013:15:34:33 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 41.141.140.194 - - [20/Feb/2013:15:34:36 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 178.154.224.114 - - [20/Feb/2013:15:34:51 +0200] "GET / HTTP/1.1" 200 4770 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0 (compatible; YandexMetrika/2.1; +http://yandex.com/bots) 42" 92.135.212.71 - - [20/Feb/2013:15:35:05 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 61.46.248.77 - - [20/Feb/2013:15:35:06 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 190.223.217.102 - - [20/Feb/2013:15:35:57 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 109.162.209.0 - - [20/Feb/2013:15:36:12 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 91.207.4.130 - - [20/Feb/2013:15:38:01 +0200] "GET /wp-content/uploads/2012/10/vyshka_2.jpg HTTP/1.0" 200 417167 "-" "-" 92.135.212.71 - - [20/Feb/2013:15:38:15 +0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" 87.165.194.118 - - [20/Feb/2013:15:39:02 
+0200] "POST /wp-admin/seo2T1.php HTTP/1.1" 404 540 "-" "Mozilla/5.0" |
error.log |
---|
[Wed Feb 20 15:26:29 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-content/plugins/wp-jquery-lightbox/).html( [Wed Feb 20 15:26:29 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-content/plugins/wp-jquery-lightbox/).html()){G=F.next( [Wed Feb 20 15:26:29 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-content/plugins/wp-jquery-lightbox/).html()){var [Wed Feb 20 15:26:29 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-content/plugins/wp-jquery-lightbox/).html();L=F.next( [Wed Feb 20 15:26:29 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-content/plugins/wp-jquery-lightbox/).html(F).show()}if(u.slidehowSpeed){a( [Wed Feb 20 15:26:30 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-content/plugins/wp-jquery-lightbox/);G=K.html();L=K.text()}else{if(F.next( [Wed Feb 20 15:26:30 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-includes/js/jquery/&&!yt.test(e)&&(v.support.htmlSerialize||!wt.test(e))&&(v.support.leadingWhitespace||!pt.test(e))&&!Nt[(vt.exec(e)||[ [Wed Feb 20 15:26:30 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-includes/js/jquery/));Nt.optgroup=Nt.option,Nt.tbody=Nt.tfoot=Nt.colgroup=Nt.caption=Nt.thead,Nt.th=Nt.td,v.support.htmlSerialize||(Nt._default=[1, [Wed Feb 20 15:26:30 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-includes/js/jquery/,data:n,complete:function(e,t){r&&u.each(r,o||[e.responseText,t,e] ;) }}).done(function(e){o=arguments,u.html(i [Wed Feb 20 15:26:31 2013] [error] [client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/wp-includes/js/jquery/,e):this:v.isFunction(e) [Wed Feb 20 15:26:31 2013] [error] 
[client 82.168.171.112] File does not exist: /var/www/site/data/www/romashka/mc.yandex.ru |
Изменено: Thr0TT1e - 21.02.2013 17:43:09