Jamit Software Forum
Author Topic: Help my website is hacked and redirecting to ya.ru  (Read 60577 times)
Banenpak
Global Moderator
Hero Member
*****
Posts: 100


« Reply #15 on: August 15, 2010, 10:10:16 am »

Hi Guys,

Fujiadam, thanks for the reply!

I agree with what you are saying. But, I must do something to stop this... So, the IP blocking is for me the only option at this moment.
We've got a plugin: the Traffic Filter plugin. I ask for a photo, so that I can see how I can configure the plugin.
Please send me such a photo of a configured Traffic Filter Plugin.
I look at it, then I can configure the Traffic Filter Plugin. After that I throw the picture away!

If somebody will help with this, please send me a photo.
You can upload the photo to your server with a link, so that I can see it. :) Thanks!

I have contact with Adam about this issue. Adam is still working on it to figure out what is happening.
I help him to give him relevant information.

When I've got news, you hear from me guys!

Greetings,

John de Vries

Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #16 on: August 16, 2010, 05:52:10 am »

After investigating one of these reports, I found that the FTP details to the hosting account were compromised and that FTP was used to upload the malicious files.

Please keep your FTP details secure, here is how:

- Use SFTP instead of FTP. FTP passwords are sent in plaintext and are easy for an adversary to capture.
- Make sure that your password is hard to guess.
- Change your password often!
- It may be better to memorize the password rather than writing it down or having it remembered by a program.
Logged
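
Reply #16 above reports that the malicious files were uploaded over FTP with compromised credentials. As an added example (not part of the thread and not code from any Jamit plugin), this Python script reads an FTP transfer log in the common xferlog format and lists completed uploads of web-executable files from addresses that are not on a known-good list. The log lines, addresses, paths, user name and the `RISKY_SUFFIXES` list are constructed assumptions.

```python
# Added example: flag completed FTP uploads of web-executable files from
# hosts that are not on a known-good list. All sample data is constructed.

# Constructed log lines in xferlog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Mon Aug  9 14:02:11 2010 1 198.51.100.20 18230 /home/site/public_html/images/logo.png b _ i r siteuser ftp 0 * c
Mon Aug  9 14:02:15 2010 1 198.51.100.20 4096 /home/site/public_html/include/header.php a _ i r siteuser ftp 0 * c
Sun Aug 15 03:41:57 2010 1 203.0.113.77 9120 /home/site/public_html/index.php a _ i r siteuser ftp 0 * c
Sun Aug 15 03:41:59 2010 1 203.0.113.77 311 /home/site/public_html/.htaccess a _ i r siteuser ftp 0 * c
Sun Aug 15 03:42:03 2010 1 203.0.113.77 9120 /home/site/public_html/index.php a _ o r siteuser ftp 0 * c
"""

# File types the web server executes or interprets (assumed list; adjust per site).
RISKY_SUFFIXES = (".php", ".phtml", ".js", ".html", ".htm", ".htaccess")

def parse_xferlog_line(line):
    """Parse one xferlog line into a dict, or return None if it is malformed."""
    tok = line.split()
    if len(tok) < 18:                      # 5 date tokens + 13 fields
        return None
    try:
        size = int(tok[7])
    except ValueError:
        return None
    return {
        "when": " ".join(tok[0:5]),
        "host": tok[6],
        "size": size,
        # Fields are counted from both ends so a path containing spaces survives.
        "path": " ".join(tok[8:-9]),
        "direction": tok[-7],              # i = incoming (upload), o = outgoing (download)
        "user": tok[-5],
        "status": tok[-1],                 # c = complete, i = incomplete
    }

def suspicious_uploads(log_text, known_hosts):
    """Return completed uploads of risky file types from hosts not in known_hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        if rec["host"] in known_hosts:
            continue
        if rec["path"].lower().endswith(RISKY_SUFFIXES):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in suspicious_uploads(SAMPLE_LOG, {"198.51.100.20"}):
        print(rec["when"], rec["host"], rec["user"], rec["path"])
```

Hits on files you did not upload yourself are the ones to compare against a clean copy of the site before changing the FTP password.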
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #17 on: August 16, 2010, 06:23:59 am »

More background information:
http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/
http://www.spamhaus.org/news.lasso?article=634
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201270
http://blog.trendmicro.com/stolen-ftp-credentials-key-to-gumblar-attack/

+ add this Wikipedia article http://en.wikipedia.org/wiki/Gumblar
« Last Edit: August 16, 2010, 06:33:29 am by adam » Logged
Banenpak
Global Moderator
Hero Member
*****
Posts: 100


« Reply #18 on: August 16, 2010, 06:35:54 am »

Useful information. :)

Thanks Adam!

John de Vries
Logged
dipolo
Jammers
Jr. Member
*
Posts: 13


« Reply #19 on: September 03, 2010, 07:35:51 pm »


Quote:
I agree with what you are saying. But, I must do something to stop this... So, the IP blocking is for me the only option at this moment.
We've got a plugin: the Traffic Filter plugin. I ask for a photo, so that I can see how I can configure the plugin.
Please send me such a photo of a configured Traffic Filter Plugin.
I look at it, then I can configure the Traffic Filter Plugin. After that I throw the picture away!

1. The traffic filter plugin will never protect you or anybody from hackers, and actually you cannot block entering to your site from any place of the World. If somebody would like to enter your site, he will do it without any problem in seconds. I’m from Ukraine and I can show you how to do it. So, do not complicate too much with the traffic plugin…
2. For work with your web sites use ONLY a separate, other computer – a computer not used for other purposes, internet surfing, forums, blogs, ICQ, Skype… etc. It’s VERY IMPORTANT! If you do not understand why, I can explain it to you (and others), maybe in a special separate topic…. The only thing: my English is not so good…
3. Kyiv is the capital of Ukraine – not Russian. Ya.ru (yandex.ru) – Russian search engine.
4. Redirection to ya.ru – probably only a joke and not a special hacker’s target.
5. Do not trust too much in Kaspersky! You should check your PC with other software, and it is important to check your system for Trojans! There is a lot of it, also free software, like comodo, avast, avira…. You can install it, test your PC and then uninstall this software. Until your PC is really protected, your sites are not safe, as your passwords for sites, ftp… are stored on your PC.
6. And again – USE A SPECIAL, SEPARATE PC for work with your sites!

Hope some of my suggestions will help you to avoid problems with hacking in future…
Dipolo from Ukraine (Russia, if you like :)
Best regards!
Logged
Banenpak
Global Moderator
Hero Member
*****
Posts: 100


« Reply #20 on: September 03, 2010, 09:49:35 pm »

Hi Dipolo,

Thanks for this useful information.
I appreciate that. Thank you! :)

I know where Ukraine lies and that your country is a different country than Russia.
I live in The Hague (Holland) and there are a lot of expats here, also from the Ukraine.

I agree, Dipolo, that you must also check your systems for Trojan Horses etc.
For that I use Registry Mechanic, Spy Bots (Search and Destroy) and last but not least: Adware Spyware.

But, the real Hacker, you can't stop them. But I ask myself: What is so funny to hack somebody's WebSite?
I don't understand that. I think: Put your energy in something else. I know of a guy here in Holland who hacked an important WebSite in the USA.
That guy is at this moment in a prison in the USA for many years.

I don't know, Dipolo (think about the marketing aspect), if it is useful to use separate computers.
Hackers, if they want, find you always.

But thanks for your information! It keeps me sharp.

Cheers,

John de Vries
 
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #21 on: September 19, 2010, 10:29:10 am »

Quote:
....traffic filter plugin will never protect you or anybody from hackers and actually you cannot block entering to your site from any place of the World....

This is not completely accurate. The TRAFFIC FILTER plugin does quite a bit of protection and most importantly it records malicious and suspicious visits. If the DENY RULES are properly and sufficiently configured, your site will appear non-existent (or broken) to all undesirable visitors (while fully functional to desirable visitors). The hackers may stop paying attention to your site.

The benefit of the logged events and the new INSTANT NOTIFICATION is that you can take immediate further action to protect your site, such as entering a blocking rule (rewrite rule) into your .htaccess file.
Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
Banenpak
Global Moderator
Hero Member
*****
Posts: 100


« Reply #22 on: September 22, 2010, 06:52:15 am »

Hello Peter,

Thanks for this information.

So when you configure everything in the right way (Traffic Cop, htaccess etc.) then the wrong stuff (worms etc.) will stay out.
That's great. I thought that they (worms etc.) could come into your site through another way (by using another computer), and that you can't stop them.

Each day my site gets visited by those stupid worms. I hate them.

I will use the Traffic Cop soon.

Thanks Peter!

Greetings,

John de Vries
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #23 on: September 22, 2010, 10:30:58 am »

John,

Traffic Cop is only one of the several tools and ways to keep your site safe.

Starting with your PC, you need to keep it free of viruses. Use a good anti-virus, such as Kaspersky or F-secure. F-Secure is probably the best. You can use the FREE online scanner from this link:
http://www.f-secure.com/en_EMEA/security/tools/online-scanner/
Scan your PC for viruses regularly.

You also need to "behave safely", which means that you:
  • shouldn't share USB sticks with anybody
  • be wary of anything you download from a torrent
  • never open an email attachment that you have not asked for, even if it is from your friends

As Adam has suggested, use SFTP instead of FTP for uploading files to your server.

Use Adam's security scanner "SECURITY TOOLS" often. This is an excellent plugin which scans all of your files on the server for potential threats. The scanner will find some false positives, but that's OK.

And ultimately, you need to set permissions on all your files and directories (on server) as suggested by Adam and/or by his SECURITY TOOLS plugin.

Now we talk about TRAFFIC COP. Well, Traffic Cop has some limitations. It can only protect PHP files. However, it can block some attacks and record them into the log, and even send you an instant alert by email. Once you have this information, you can take further actions to protect your server, such as entering rewrite rules into your .htaccess file (if you have an Apache server). Traffic Cop is "your eyes" on the server. It allows you to see what is going on. Sorry, but you cannot rely on Google Analytics when it comes to security.

I need to write some more explanation about how to use Traffic Cop. I will do that soon.

If you follow the above suggestions, you should be safe.

Best wishes,
Peter

P.S.
If your server is Apache, you should add this to your .htaccess file:

Code:
<Files config.php>
order allow,deny
deny from all
</Files>
« Last Edit: September 23, 2010, 11:12:09 am by Peter » Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
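
The `.htaccess` block in reply #23 uses the Apache 2.2 access directives; Apache 2.4 expresses the same rule as `Require all denied`, and the older form works there only when mod_access_compat is loaded. As an added example (not part of the thread and not code from Jamit's plugins), this Python check reports which of the two syntaxes in an `.htaccess` file covers `config.php`. The sample file contents are constructed.

```python
import fnmatch
import re

# <Files name> or <Files "name"> sections; regex forms (<Files ~ ...>, <FilesMatch>)
# are deliberately not parsed, so they are reported as "no coverage".
SECTION = re.compile(r'<Files\s+"?([^">]+?)"?\s*>(.*?)</Files>', re.I | re.S)
DENY_22 = re.compile(r'^\s*deny\s+from\s+all\s*$', re.I | re.M)
DENY_24 = re.compile(r'^\s*require\s+all\s+denied\s*$', re.I | re.M)
ALLOW_ALL = re.compile(r'^\s*(allow\s+from\s+all|require\s+all\s+granted)\s*$', re.I | re.M)

# Constructed sample .htaccess contents.
LEGACY = """<Files config.php>
order allow,deny
deny from all
</Files>
"""
MODERN = """<Files "config.php">
    Require all denied
</Files>
"""
COMMENTED_OUT = """#<Files config.php>
#deny from all
#</Files>
"""

def deny_syntaxes(htaccess_text, filename):
    """Return the deny-all syntaxes ('2.2', '2.4') whose <Files> section covers filename."""
    live = "\n".join(l for l in htaccess_text.splitlines()
                     if not l.lstrip().startswith("#"))
    found = set()
    for pattern, body in SECTION.findall(live):
        if not fnmatch.fnmatchcase(filename, pattern.strip()):
            continue
        if ALLOW_ALL.search(body):
            continue  # conservative: an allow-all in the same section needs manual review
        if DENY_22.search(body):
            found.add("2.2")
        if DENY_24.search(body):
            found.add("2.4")
    return found

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY), ("modern", MODERN), ("commented", COMMENTED_OUT)):
        print(name, sorted(deny_syntaxes(text, "config.php")) or "config.php NOT covered")
```

A result of only `2.2` on a server running Apache 2.4 means the rule depends on mod_access_compat being loaded.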