blog site locked down again

Web hosting discussion, programming, and shared and dedicated servers.
13 posts Page 1 of 2
by bob noble » Fri Dec 23, 2016 6:37 pm
Hi,
My site has been locked down by Sonic.net again for abuse: http://bobseyes.net. I know not why. It happened a couple of months ago. I'm thinking this time, instead of me trying to fix it by moving a bunch of stuff around, it might be better if I didn't, as otherwise the problem can't be found by someone who is better at finding the problem than I am.
I think it was Drew that helped me out before, so could you have a look when you get the chance?
It might have something to do with the spam emails I've been getting the last couple of days, which I sent a support request about last night, asking if this was spam or if someone was in my account.
This is a daily blog, so when this happens my readers get an "access denied" message, which is confusing to most of them, who think I've blocked them.
Appreciate any help on this.
Bob
by Guest » Fri Dec 23, 2016 7:14 pm
Here is a copy of the email I sent to support last night on the emails I've been getting in the last couple days.
I've included header info as well as what was in the body of one of them.
>>>>>>>>>>

Hi,
I’m getting this stuff over a hundred times a day starting today. Is this just spam or is someone messing with my email account?
They all come with a couple of attachments I have not opened.
Thanks,
Bob

Email message:

**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************

The original message was received at Thu, 22 Dec 2016 19:31:05 -0800
from a.custweb.sonic.net [64.142.100.40]

----- Transcript of session follows -----
<ncoy@sni.net>... Deferred: Connection timed out with sni.net.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old


Header info:



Return-Path: <MAILER-DAEMON>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on c.spam.sonic.net
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=ALL_TRUSTED,SNF4SA,
SONIC_DEAR_ME1,T_TVD_MIME_NO_HEADERS autolearn=disabled version=3.4.0
X-Spam-SNF-Result: 55 (Malware & Scumware Greetings)
X-Spam-MessageSniffer-Scan-Result:
X-Spam-MessageSniffer-Rules:
55-7930404-5114-5177-m
55-7941738-2894-5785-m
55-7941540-3267-5785-m
55-7930404-8743-8806-m
55-7930404-0-9161-f
X-Spam-GBUdb-Analysis: 1, 69.12.221.232, Ugly c=0.642861 p=-0.578125 Source
Normal
Received: from m.mx.sonic.net (a.spam-proxy.sonic.net [69.12.221.245])
by b.spam.sonic.net (8.14.4/8.14.4) with ESMTP id uBN7Yd82027781
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
for <bnoble@lds.sonic.net>; Thu, 22 Dec 2016 23:34:39 -0800
Received: from a.hosting-out.sonic.net (a.hosting-out.sonic.net [69.12.221.232])
by m.mx.sonic.net (8.14.9/8.14.9) with ESMTP id uBN7Yb7l005231
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
for <bnoble@sonic.net>; Thu, 22 Dec 2016 23:34:39 -0800
Received: from localhost (localhost)
by a.hosting-out.sonic.net (8.13.8/8.13.8) id uBN7YbMq002726;
Thu, 22 Dec 2016 23:34:37 -0800
Date: Thu, 22 Dec 2016 23:34:37 -0800
From: Mail Delivery Subsystem <MAILER-DAEMON@a.hosting-out.sonic.net>
Message-Id: <201612230734.uBN7YbMq002726@a.hosting-out.sonic.net>
To: <bnoble@sonic.net>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="uBN7YbMq002726.1482478477/a.hosting-out.sonic.net"
Subject: Warning: could not send message for past 4 hours
Auto-Submitted: auto-generated (warning-timeout)
X-Orthrus: tar= grey=no co=US os=Linux/2.6.x/185 spf=skip dkim=none

This is a MIME-encapsulated message

--uBN7YbMq002726.1482478477/a.hosting-out.sonic.net

**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************

The original message was received at Thu, 22 Dec 2016 19:31:05 -0800
from a.custweb.sonic.net [64.142.100.40]

----- Transcript of session follows -----
<ncoy@sni.net>... Deferred: Connection timed out with sni.net.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

--uBN7YbMq002726.1482478477/a.hosting-out.sonic.net
Content-Type: message/delivery-status

Reporting-MTA: dns; a.hosting-out.sonic.net
Arrival-Date: Thu, 22 Dec 2016 19:31:05 -0800

Final-Recipient: RFC822; ncoy@sni.net
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; sni.net
Last-Attempt-Date: Thu, 22 Dec 2016 23:34:37 -0800
Will-Retry-Until: Tue, 27 Dec 2016 19:31:05 -0800

--uBN7YbMq002726.1482478477/a.hosting-out.sonic.net
Content-Type: message/rfc822

Return-Path: <bnoble@sonic.net>
Received: from a.custweb.sonic.net (a.custweb.sonic.net [64.142.100.40])
by a.hosting-out.sonic.net (8.13.8/8.13.8) with ESMTP id uBN3V5xF008358
for <ncoy@sni.net>; Thu, 22 Dec 2016 19:31:05 -0800
X-Sonic-Remote-Ip: 88.208.252.202
X-Sonic-Hash-Key: 06e6370796ba76153230713a92b5c29c
X-Sonic-Tracking: bobseyes.net
Received: (from bnoble@localhost)
by a.custweb.sonic.net (8.12.11.20060308/8.12.11/Submit) id uBN3UrEb020668;
Thu, 22 Dec 2016 19:30:53 -0800
To: ncoy@sni.net
Subject: Parcel #002679506 shipment problem, please review
Date: Thu, 22 Dec 2016 19:30:53 -0800
MIME-Version: 1.0
Message-ID: <714643a311456570e85eefab29d238bd@bobseyes.net>
Reply-To: "USPS Parcels Delivery" <roger.martin@bobseyes.net>
From: "USPS Parcels Delivery" <roger.martin@bobseyes.net>
Content-Type: multipart/mixed;
boundary="b1_6c386251aea3da73048c96ac6ac98599"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 69.12.221.232

--b1_6c386251aea3da73048c96ac6ac98599
Content-Type: text/plain; charset=us-ascii

Dear Customer,

Your parcel was successfully delivered December 20 to USPS Station, but our courier cound not contact you.

Review the document that is attached to this e-mail!

With appreciation,
Roger Martin,
USPS Parcels Operation Agent.


--b1_6c386251aea3da73048c96ac6ac98599
Content-Type: application/zip; name="Delivery-Details-002679506.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Delivery-Details-002679506.zip
--b1_6c386251aea3da73048c96ac6ac98599--


--uBN7YbMq002726.1482478477/a.hosting-out.sonic.net--
by bob noble » Mon Dec 26, 2016 1:07 am
I've been doing some research about the .htaccess file so I can replace it and get into my site, and I stumbled on a program called Wordfence that is a free plugin for WordPress. I did a scan, found a bunch of bad stuff in there, fixed things up, and it's working now.
But so far, I'm having some difficulty installing their firewall, as it says I need to give it write permissions to my .htaccess file and I'm not sure what number to put in there to make this happen. I was also wondering if this is a temporary change I need to make, or what? It's time for bed, so I'll continue with that later.
Is there better free scanning software than Wordfence? It seems to work very well.

I've also been wondering how to put better "page not found" and "forbidden" pages on my site. I see that's done with the .htaccess file, and I will work on getting custom pages for that as I get time, as the one that pops up is very confusing to my readers.
Thanks,
Bob
by tikvah » Mon Dec 26, 2016 4:41 pm
I've had this happen to the nonprofit site I run on Sonic. Apparently there are hacks that happen through WordPress. What Sonic told me is that it's very important to regularly update not just WordPress itself but all your themes and plugins. I don't quite get how a site is "safe" if they're updated and not if they're just a few months old, as mine were, but I've been careful and it hasn't happened again.

Just log in to WordPress and click on "Updates" in the side menu. Update WordPress first, then do plugins and themes. Check every month or so.

This may have nothing to do with your issues but it's worth mentioning. And yes it can be correlated with spam (falsely) sent from your address. I also had problems with Chinese servers downloading the entire site repeatedly, which put me over quota, but that's another story.

I hope this helps.
by drew.phillips » Tue Dec 27, 2016 9:58 am
Hi Bob,

I wasn't privy to the most recent compromise, but those bounces you are getting are from emails that were sent through our mail servers as a result of scripts running on your site.

I did a quick scan of my own and don't see any malicious files at this time. It's possible that something was left behind from last time and someone started using it again, or they managed to exploit the site again and re-upload the backdoors.

If you haven't, I'd suggest changing your WordPress admin user password. A previous attacker could have fetched the hash from the database and attempted to crack it.

Also, as Tikvah said, updating plugins, themes, and WordPress regularly is a good idea (WP will self-update in versions newer than 3.7). I'd also remove any unused themes or plugins you're no longer using. Outdated (or abandoned) themes and plugins often contain vulnerabilities that have never been fixed. Revolution Slider and TimThumb were two of the most widely abused plugins since older versions allowed a remote user to gain admin access to WP so it's constantly being checked for. A lot of themes included vulnerable versions of those plugins and have never been fixed.

It looks like your .htaccess file has the proper permissions, but if WordFence can't update, does it give you the option to do it manually? (You can use FTP to make the changes).
Drew Phillips
Programmer / System Operations, Sonic.net
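The bounce Bob quoted above, read the way Drew reads it: the message/rfc822 part of the delay warning carries the original spam, and its inner Received line shows the mail was submitted locally on the web host under the hosting account rather than by a mail client, which is what ties the backscatter to a script on the site. The triage script below is an added example, not code from this thread or from Sonic.net. The sample bounce is a trimmed, constructed copy of the one quoted above (same hosts, ids and boundaries; the zip body replaced by a placeholder), and the "site-originated" verdict rule is this example's own heuristic.

```python
import re
import email

# Constructed sample: a trimmed copy of the delay warning quoted in this thread,
# with the base64 zip body replaced by a placeholder.
BOUNCE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@a.hosting-out.sonic.net>
Subject: Warning: could not send message for past 4 hours
Content-Type: multipart/report; report-type=delivery-status; boundary="uBN7YbMq002726.1482478477/a.hosting-out.sonic.net"

--uBN7YbMq002726.1482478477/a.hosting-out.sonic.net
Content-Type: message/delivery-status

Reporting-MTA: dns; a.hosting-out.sonic.net

Final-Recipient: RFC822; ncoy@sni.net
Action: delayed
Status: 4.4.1

--uBN7YbMq002726.1482478477/a.hosting-out.sonic.net
Content-Type: message/rfc822

X-Sonic-Remote-Ip: 88.208.252.202
X-Sonic-Tracking: bobseyes.net
Received: (from bnoble@localhost)
    by a.custweb.sonic.net (8.12.11.20060308/8.12.11/Submit) id uBN3UrEb020668;
    Thu, 22 Dec 2016 19:30:53 -0800
To: ncoy@sni.net
Subject: Parcel #002679506 shipment problem, please review
From: "USPS Parcels Delivery" <roger.martin@bobseyes.net>
Content-Type: multipart/mixed; boundary="b1_6c386251aea3da73048c96ac6ac98599"

--b1_6c386251aea3da73048c96ac6ac98599
Content-Type: application/zip; name="Delivery-Details-002679506.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Delivery-Details-002679506.zip

AAAA
--b1_6c386251aea3da73048c96ac6ac98599--

--uBN7YbMq002726.1482478477/a.hosting-out.sonic.net--
"""

# A sendmail "Submit" hop of the form "(from USER@localhost) by HOST (.../Submit)":
# the message entered the mail system from a local process, not over SMTP.
RECEIVED_LOCAL = re.compile(r"\(from (\S+)@localhost\)\s+by (\S+) \([^)]*Submit\)")


def summarize_original(orig):
    """Pull the fields that show where the undeliverable message came from."""
    info = {
        "from": orig["From"],
        "subject": orig["Subject"],
        "remote_ip": orig["X-Sonic-Remote-Ip"],   # web client that triggered the send
        "tracked_site": orig["X-Sonic-Tracking"], # site the hosting platform attributes it to
        "local_submitter": None,
        "submit_host": None,
        "attachments": [],
    }
    for hop in orig.get_all("Received", []):
        m = RECEIVED_LOCAL.search(hop)
        if m:
            info["local_submitter"], info["submit_host"] = m.group(1), m.group(2)
    for part in orig.walk():
        if part.get_content_disposition() == "attachment":
            info["attachments"].append(part.get_filename())
    return info


def triage_bounce(raw):
    """Parse a multipart/report bounce into recipient status plus the original message's origin."""
    msg = email.message_from_string(raw)
    report = {"recipients": [], "original": None}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Payload is a list of header blocks: one per-message block, then one per recipient.
            for block in part.get_payload():
                if block["Final-Recipient"]:
                    report["recipients"].append({
                        "recipient": block["Final-Recipient"].split(";", 1)[-1].strip(),
                        "action": block["Action"],
                        "status": block["Status"],
                    })
        elif ctype == "message/rfc822" and report["original"] is None:
            report["original"] = summarize_original(part.get_payload()[0])
    return report


def assess(report):
    """Example heuristic: local submission on the web host means a script on the site sent it."""
    o = report["original"]
    findings = []
    if o and o["local_submitter"]:
        findings.append("submitted locally on %s as user %s (a script, not a mail client)"
                        % (o["submit_host"], o["local_submitter"]))
    if o and o["remote_ip"]:
        findings.append("web request that triggered it came from %s" % o["remote_ip"])
    if o and o["attachments"]:
        findings.append("carried attachment(s): " + ", ".join(o["attachments"]))
    verdict = "site-originated outbound spam" if o and o["local_submitter"] else "ordinary bounce"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = assess(triage_bounce(BOUNCE))
    print(verdict)
    for f in findings:
        print(" -", f)
```

On the sample this reports "site-originated outbound spam" with the submitting account and host, the remote IP recorded by the hosting platform, and the attachment name, which is the information a host operator needs to locate the sending script and an owner needs to understand why the bounces arrive in their mailbox.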
by bob noble » Tue Dec 27, 2016 10:27 pm
Hi Drew,
Everything was updated, as I always do that, and I removed the one unused plugin as you suggested.
I used Wordfence and FileZilla to fix the site. It seems like a good program.
I changed my password after fixing the site, as I did before.
Wordfence says to put this in my php.ini file to do it manually:
auto_prepend_file = '/nfs/www/WWW_pages/bnoble/wordpress/wordfence-waf.php'
I'm not finding my php.ini file, so I made one with this line, and it didn't work. I'm using FileZilla.
Do I already have one someplace?
Could be I just don't understand something? :O)
Thanks for the help,
Bob
by bob noble » Tue Dec 27, 2016 10:49 pm
Hi,
They tell one to update all the stuff you mentioned, as the newer ones have fixes for the holes the older ones may have that the bad guys use.
Bad guys take advantage of the older stuff, so the updated stuff is more secure.
I've kept my stuff updated since the first attack, and on Drew's suggestion I deleted the one plugin that I'm not using.

I have found Wordfence's plugin to be very useful. It removes most of the bad stuff, if infected, but one also has to know how to use FTP (I use FileZilla for that) to make changes to files that can't be removed as they are needed. Unfortunately, you need to know a little code to make it all happen, but most of the stuff is documented online someplace if one does a little searching. That part can be a little time consuming and maybe not for everyone.
If one installs the Wordfence plugin for WordPress, it has quite a bit of protection as is, so it might stop an intrusion before it happens. It is also a good way to see who and what is visiting your site in real time, which is interesting. You have the ability to block the bad guys.
Thanks
Bob
by joemuller » Thu Dec 29, 2016 4:19 pm
Bob,

You can put your own changes to the default php.ini file (with certain exceptions) in what's known as a user.ini file. (It goes in the topmost folder or 'web root' of your site.) If you already uploaded a php.ini, rename it to '.user.ini' - that's a leading '.', then 'user.ini'. Any version of PHP later than 5.3 will look for that and use it to override the default settings.

-- Joe
I'm a proud employee of Sonic.net! :-)
by bob noble » Mon Jan 02, 2017 11:09 pm
Hi Joe,
I tried the .user.ini file, but still can't get the enhanced part of the firewall to go. I put the .user.ini file in my wordpress directory, where my blog is located.
In that I put what they said to use:
auto_prepend_file = '/nfs/www/WWW_pages/bnoble/wordpress/wordfence-waf.php'
Not sure what's going on, but it would be good to get the enhanced part of the firewall to go, as my blog seems to be getting hacked a lot lately.
Any ideas?
Thanks,
Bob
by joemuller » Tue Jan 03, 2017 10:11 am
Bob,

Give it a try now. I changed the auto_prepend_file to just point to 'wordfence-waf.php' (i.e. without the full path), since PHP includes are usually relative to the current directory.

-- Joe
I'm a proud employee of Sonic.net! :-)
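As an added example (not code from this thread, from Sonic.net or from Wordfence), the check below parses a `.user.ini` the way Joe describes it, resolves the `auto_prepend_file` directive, and reports whether the target file can actually be loaded: missing, unreadable, or world-writable (a prepended file that anyone on the host can edit is itself a way into every request). It assumes that a bare file name is resolved against the directory holding the `.user.ini`, which is the reading of Joe's fix above; the `wordpress` folder and both ini variants are constructed in a temporary directory, with the absolute NFS path from the thread as the failing "before".

```python
import os
import stat
import tempfile


def parse_user_ini(text):
    """Minimal parser for a .user.ini: `key = value` lines, optional quotes, ';' or '#' comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            directives[key.strip()] = value.strip().strip("'\"")
    return directives


def check_auto_prepend(ini_path):
    """Resolve auto_prepend_file from ini_path and explain why PHP could fail to load it."""
    ini_dir = os.path.dirname(os.path.abspath(ini_path))
    with open(ini_path, encoding="utf-8") as fh:
        directives = parse_user_ini(fh.read())
    target = directives.get("auto_prepend_file")
    if not target:
        return {"ok": False, "reason": "auto_prepend_file is not set"}
    # Assumption (this example's rule): a relative name is resolved next to the .user.ini.
    resolved = target if os.path.isabs(target) else os.path.join(ini_dir, target)
    if not os.path.isfile(resolved):
        return {"ok": False, "reason": "target does not exist on this host: " + resolved}
    if not os.access(resolved, os.R_OK):
        return {"ok": False, "reason": "target is not readable by this user: " + resolved}
    if os.stat(resolved).st_mode & stat.S_IWOTH:
        return {"ok": False, "reason": "target is world-writable, anyone on the host could edit it: " + resolved}
    return {"ok": True, "resolved": resolved}


def demo():
    """Constructed layout: a 'wordpress' folder holding wordfence-waf.php and a .user.ini."""
    with tempfile.TemporaryDirectory() as root:
        wp = os.path.join(root, "wordpress")
        os.makedirs(wp)
        with open(os.path.join(wp, "wordfence-waf.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php // placeholder standing in for the Wordfence loader\n")
        ini = os.path.join(wp, ".user.ini")
        # 1. The line as posted in the thread: an absolute NFS path that does not exist here.
        with open(ini, "w", encoding="utf-8") as fh:
            fh.write("auto_prepend_file = '/nfs/www/WWW_pages/bnoble/wordpress/wordfence-waf.php'\n")
        before = check_auto_prepend(ini)
        # 2. The change Joe made: a bare file name, resolved next to the .user.ini.
        with open(ini, "w", encoding="utf-8") as fh:
            fh.write("auto_prepend_file = 'wordfence-waf.php'\n")
        after = check_auto_prepend(ini)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("absolute path:", before)
    print("relative name:", after)
```

Run against a real site, point `check_auto_prepend` at the `.user.ini` in the web root and compare its verdict with `php -i`'s `user_ini.filename` and `auto_prepend_file` values; the permission check is the part worth keeping after the firewall is working.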