Author: Alexander

  • Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)

    We were contacted by the owner of a WordPress website about a hack of their site. As a consequence of the hack, the whole website content was deleted: articles, pictures, plugins and themes were gone, and visiting the website displayed a blank page. What was left in the «wp-content» folder was a single «uploads» folder, plus new files in the root directory and many custom «.htaccess» files in other folders.

    Measures taken first, before restoring the website: to prevent the hacker from connecting again, all passwords were changed, including the database ones; authorization over HTTP was enabled; and installation of any files and themes was allowed only over FTP.

    What Has Been Done to Find Out the Source of the Hack

    The main task was gathering information about how the hacker managed to get access to the website and delete all of its content.

    The first step was saving the entire file system in a way that preserves the files in their current state rather than creating them anew (this matters for identifying the creation time of the malicious files):

    • saving nginx «access.log» on the date of the detected hack
    • saving nginx «error.log» on the date of the detected hack
    • saving nginx «syslog» on the date of the detected hack

    Input data:

    • logs: «access.log» (200 MB), «error.log» (47 MB)
    • website files

    A local Splunk installation was chosen for the log analysis; the data sources were the files «access.log» and «error.log».

    To determine when the website infection happened, the creation time of the suspicious files in the website folder was taken as the reference point.

    The next step was selecting the log lines within that time period that had server response 200, excluding requests to «admin_ajax» and «wp_cron».

    This gave us the hacker’s IP address, which had received a 200 response to its POST request to this address: /wp-content/themes/seotheme/db.php?

    Next, we analyzed every line of activity from this IP address within the same time period. Based on this data, we saw that someone had created this folder: /wp-content/themes/seotheme

    Furthermore,

    • the cybercriminal at IP address 43.153.77.57 received a 200 response to their POST request to /wp-content/themes/seotheme/db.php?u, after which a number of malicious files were created and began to be called;
    • a set of «.htaccess» files was created and modified, specifically for Apache-like web servers, to allow executing files;
    • the file «index.php» was modified: obfuscated malicious code was added;
    • the file «plugins.php» was modified: obfuscated malicious code was added;
    • the file «pluggable.php» was modified: obfuscated malicious code was added;
    • there were eval constructions in the files, and parsing them was impossible;
    • it is also impossible to determine the origin of the folder /wp-content/themes/seotheme and the files in it, because the malware deleted the results of its own work.
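    The log filtering described above (200 responses inside the time window, POST requests only, admin_ajax and wp_cron excluded, then the per-IP timeline) as an added Python example; it is not the authors' Splunk search, and it runs over a constructed sample of nginx access.log lines of which only the attacker IP and the db.php path come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Matches the nginx "combined" access.log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Background WordPress traffic the investigation excluded.
NOISE = ("admin-ajax.php", "wp-cron.php")

# Constructed sample log: the date and the benign IPs are made up; the attacker
# IP and the db.php path are the ones named in the post.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Jun/2021:03:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2021:03:10:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jun/2021:03:11:40 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/5.7"
43.153.77.57 - - [12/Jun/2021:03:14:07 +0000] "POST /wp-content/themes/seotheme/db.php?u HTTP/1.1" 200 512 "-" "Mozilla/5.0"
43.153.77.57 - - [12/Jun/2021:03:14:09 +0000] "GET /wp-content/themes/seotheme/db.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2021:03:20:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

# Time window bracketing the creation time of the suspicious files (constructed).
WINDOW = (datetime(2021, 6, 12, 3, 0, tzinfo=timezone.utc),
          datetime(2021, 6, 12, 3, 30, tzinfo=timezone.utc))

def parse_line(line):
    """Return one parsed access.log record, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def suspicious_posts(lines, start, end):
    """Successful (200) POSTs inside [start, end], grouped by IP, WP noise removed."""
    by_ip = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None or rec["method"] != "POST" or rec["status"] != 200:
            continue
        if not start <= rec["ts"] <= end:
            continue
        if any(noise in rec["path"] for noise in NOISE):
            continue
        by_ip[rec["ip"]].append(rec["path"])
    return dict(by_ip)

def ip_timeline(lines, ip):
    """Every request from one IP in log order: the follow-up step once an IP stands out."""
    return [(rec["ts"].isoformat(), rec["method"], rec["path"], rec["status"])
            for rec in map(parse_line, lines) if rec and rec["ip"] == ip]

def find_attacker():
    """Run the triage over the constructed sample within the constructed window."""
    return suspicious_posts(SAMPLE_LOG, *WINDOW)

if __name__ == "__main__":
    for ip, paths in find_attacker().items():
        print(ip, paths)
        for entry in ip_timeline(SAMPLE_LOG, ip):
            print("   ", *entry)
```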

    How to prevent future hacks:

    1. constant monitoring of the website files for any new unknown files in the system;
    2. aggressive response to status changes of the «.htaccess» files if you use an Apache web server;
    3. force all filesystem actions to go through a protected FTP account only; you can do this by adding the code below to your wp-config.php:
    define( 'FS_METHOD', 'ftpext' );
    define( 'FTP_BASE', '/yoursitepath' );
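    The first two prevention steps (watching for unknown files and for .htaccess changes) as an added Python example, not the post's code: a baseline of file hashes is compared against the current tree, here against a constructed temporary site layout that mimics the changes the post found.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline, current):
    """Classify changes since the baseline; any new or changed .htaccess is flagged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    htaccess = sorted(p for p in added + modified if Path(p).name == ".htaccess")
    return {"added": added, "removed": removed, "modified": modified,
            "htaccess": htaccess}

def demo():
    """Constructed site tree: take a baseline, then apply changes of the kind the
    post found (new theme folder with db.php, new .htaccess, modified index.php)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-includes").mkdir()
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "pluggable.php").write_text("<?php // core file\n")
        baseline = snapshot(site)
        # Simulated post-compromise state (constructed placeholders, not real malware).
        theme = site / "wp-content" / "themes" / "seotheme"
        theme.mkdir(parents=True)
        (theme / "db.php").write_text("<?php // dropped file (placeholder)\n")
        (site / "wp-content" / ".htaccess").write_text("# constructed .htaccess change\n")
        (site / "index.php").write_text("<?php /* injected (placeholder) */ require 'wp-blog-header.php';\n")
        return diff_snapshots(baseline, snapshot(site))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    In production, store the baseline outside the web root and re-run the comparison on a schedule, treating anything in the htaccess list as an alert rather than a report line.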
  • WordPress. How to hide email address from bots and spammers

    If your email address is posted on your site in plain form, it is easy for bots and spammers to harvest it, send you spam, and use it to post comments on other sites. The CleanTalk Anti-Spam Plugin for WordPress lets you obscure email addresses on public pages.

    How to obscure an email address to hide it from bots and spammers

    First of all, you need to install the CleanTalk Anti-Spam Plugin for WordPress. To install the plugin, follow the installation instructions.

    After installing the plugin, go to WordPress Dashboard → Settings → Anti-Spam by CleanTalk, tick the Encode Contact Data option and save the settings.

    To check how the option works, open a new browser window in incognito mode and go to the page of your site where your email address is posted. You can also try the example below.

    Click the hidden email to see the magic: st********@ex*****.com

    On the page you will see that the email address is hidden. To decode it, click on it; at that moment the anti-spam check for bots runs, which takes a few seconds. After the check, you will see the email in open form. Bots that cannot pass the check are blocked.

    Why you need to hide the email address on your website

    Almost every website owner places contact information on the website so that customers can get in touch. Sometimes showing your email address directly on the website is the most convenient way for customers to contact you. However, publishing your email address as plain text can lead to undesirable consequences.

    To hide the email address, you can try to obscure it manually, for example “email at example dot com”. But this method is of little effect, and bots recognize it. To solve the problem of bots collecting email addresses, we have developed a reliable verification method that blocks bots.

  • WordPress DDoS Protection. How to Mitigate DDoS Attacks

    How to Mitigate DDoS Attacks on WordPress

    To mitigate DDoS attacks you can implement several methods.

    The first method is to forbid access to your website by IP address at the web server level by manually adding a rule to the «.htaccess» file.

    The second method is to install the CleanTalk Security plugin for WordPress; its Traffic Control feature, which protects from DoS, is enabled by default.

    CleanTalk Traffic Control monitors each request from every IP address, and if the number of requests exceeds the limit within a certain time period, that IP address is temporarily blocked and cannot access your website at all.

    For instance, if an IP address sends requests to your website at a rate of 1000 requests per hour, such activity will definitely be blocked for 1 hour.

    You can adjust the Traffic Control settings as you find appropriate. To do that, go to your WP Dashboard → Settings → Security by CleanTalk → General Settings → Firewall.

    Time frame to measure page hits – here you set the time period over which the number of requests from each visitor is counted.

    Block a visitor if the count of the opened pages in the time frame more than – here you set the request limit; any IP address that exceeds it will be blocked.

    Block a visitor if they exceed the limit of opened pages for X minutes – this option sets how long a blocked IP address stays blocked.

    Ignore logged-in users – tick this option to ignore all requests going from your logged-in users.

    Also, on the tab Firewall, you can see all IP addresses that are visiting your website right now.
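    The Traffic Control behaviour described above (time frame, hit limit, block duration, logged-in exemption) as an added illustration in Python; it is not CleanTalk's implementation, and the limits and timestamps in the demo are constructed.

```python
from collections import defaultdict, deque

class TrafficControl:
    """Per-IP hit counter with the four settings described above. An added
    illustration of the behaviour, not CleanTalk's own code."""

    def __init__(self, time_frame=3600, max_hits=1000, block_minutes=60,
                 ignore_logged_in=True):
        self.time_frame = time_frame              # seconds over which page hits are counted
        self.max_hits = max_hits                  # block once hits in the frame exceed this
        self.block_seconds = block_minutes * 60   # how long a block lasts
        self.ignore_logged_in = ignore_logged_in
        self.hits = defaultdict(deque)            # ip -> timestamps of recent hits
        self.blocked_until = {}                   # ip -> unix time the block expires

    def check(self, ip, now, logged_in=False):
        """Return True if the request may proceed, False if the IP is blocked."""
        if self.ignore_logged_in and logged_in:
            return True
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[ip]            # block expired: count afresh
            self.hits[ip].clear()
        window = self.hits[ip]
        window.append(now)
        while window and window[0] <= now - self.time_frame:
            window.popleft()                      # drop hits outside the time frame
        if len(window) > self.max_hits:
            self.blocked_until[ip] = now + self.block_seconds
            return False
        return True

    def active_ips(self, now):
        """IPs seen within the current time frame (what the Firewall tab lists)."""
        return sorted(ip for ip, window in self.hits.items()
                      if window and window[-1] > now - self.time_frame)

def demo():
    """Constructed scenario: limit of 5 hits per 60 s, 1-minute block."""
    tc = TrafficControl(time_frame=60, max_hits=5, block_minutes=1)
    ip = "198.51.100.7"
    results = [tc.check(ip, t) for t in range(7)]   # 7 hits, one per second
    still_blocked = not tc.check(ip, 59)            # block started at t=5, lasts 60 s
    released = tc.check(ip, 66)                     # after expiry the IP may return
    active = tc.active_ips(66)
    admin_ok = tc.check(ip, 10, logged_in=True)     # logged-in users are never counted
    return results, still_blocked, released, active, admin_ok

if __name__ == "__main__":
    print(demo())
```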

    What are DDoS and DoS?

    These are types of attacks on a website when a lot of requests are being sent. If the number of requests is quite high then it will result in problems with the website functioning.

    The difference between DDoS and DoS is that a DDoS attack is distributed, meaning it is executed from many IP addresses, while a DoS attack comes from just one or a few IP addresses.

    Why DDoS and DoS might be dangerous to a website

    Such attacks are based on the fact that a web server has to process each request, running all the page scripts, loading all the pictures and so on, and thus spending its resources. As a result, the website will work slower or start returning an error on attempts to open any page.
    The second problem is the high volume of traffic to your website; in some cases it may lead to unexpected expenses or a warning from your hosting provider.

    It’s unwise to underestimate the danger of such attacks and spend your time blocking IP addresses manually; it’s more efficient to leave this task to automated tools.

    You can install the plugin Security & Malware scan by CleanTalk from the WordPress catalog.

  • Additional Services of CleanTalk Anti-Spam in Demand

    This article is about the extra services that are in the most demand among CleanTalk Anti-Spam clients. The Personal Lists feature (by IP and email addresses) is not counted in this review, as it is not an extra feature but is included in the basic package of the service.

    The Extra Package expands the service features and offers further options for those who need them. The features included in the Extra Package are not needed by all of our clients, so the price of the Anti-Spam service stays the same for everyone, and the features can be enabled only by those clients who really need them.

    1. The most popular extra feature is Blocking by Country. Adding a country to the Anti-Spam blacklist lets you block comments, signups and other data submitted through any website form from IP addresses considered part of the blacklisted country. Keep in mind that only data submitted to website forms will be blocked, not visits: people from the blacklisted countries will still be able to view your website.
      Read more about Blocking by Country.

    2. The second most popular extra feature is Stop-Words. Stop-Words blocks messages that contain any word you add to your Personal Lists. This lets you block messages containing profanity or obscene language, and strengthen the Anti-Spam protection against manual spam by adding specific words to your Stop-Words list. Read more about Stop-Words.

    3. Blocking by Countries in SpamFireWall (SFW) takes third place among the popular extra features. The feature blocks website access for bots, while a normal visitor can open any page as usual. Each IP address from a blacklisted country is stopped by the SFW screen: the first page load triggers the SFW check for bots. Normal visitors pass the SFW screen and load the pages, and the SFW screen does not bother them afterwards, whereas bots that fail the SFW check always get the SFW screen and never reach your website. Read more about Blocking by Countries in SpamFireWall.

    4. Fourth place goes to blacklisting domains. When mail domains are added to your Personal Lists, all data submitted to your website forms that contains the blacklisted domains will be blocked. Read more about blacklisting domains.

    5. Blocking by Language is in fifth place. All messages in the chosen languages will be blocked once you add those languages to your Personal Lists. At the moment we offer the following languages:
      Chinese
      Korean
      Japanese
      Hindi
      Arabic
      Cyrillic
      Indonesian

      Read more about Blocking by Language.

    We hope this article gives you a good idea of the extra features for tuning your Anti-Spam license to be more convenient and functional for you.
    We will be happy to answer your questions and comments.

  • How Do Our Clients Use the CleanTalk Blacklists Database

    This article is about how our clients use the data of the CleanTalk Blacklists Database in their businesses.

    Brief description of what the CleanTalk Blacklists Database is
    The CleanTalk Anti-Spam and Security services collect data about malicious actions performed on our clients’ websites. IP and email addresses of suspicious visitors are added to the CleanTalk Blacklists Database.
    The CleanTalk Blacklists Database is updated in real time: outdated addresses (not used for attacks for a certain period of time) are deleted from the Database, while new addresses whose malicious activity is spotted on several websites at once are added.

    What are Possible Ways of Using the CleanTalk Blacklists Database of Spam IP and Email Addresses

    Based on examples from our clients, we want to show how they use our data on spam-active addresses.

    Online marketing
    Owners of online businesses send their marketing offers and deals through mailing campaigns. They collect leads from their website forms, after completed checkouts or new signups. Spammers, on the other hand, use website forms to send spam, and they can use either lists of fake email addresses or the real email addresses of random people.

    In both cases, when our clients launch marketing campaigns using these unreliable email addresses, nobody benefits. The number of emails sent to fake addresses or to unaware people increases, and random people will most likely mark such emails as spam or report them. Thus there is a risk that the campaign collects many spam reports; as a result the mail servers might be blacklisted, the share of successfully delivered emails might be lower than expected, and there might be problems delivering emails to legitimate users.

    To avoid this, mailing lists have to be checked for spam and cleaned of fake and spam addresses. The outcome of the campaign will then be much better and more precise.

    Website builders
    Website builders such as WIX.com use our data on spam-active addresses to strengthen the defense against spam and malicious activity on their clients’ websites. If a web server receives a request from an address that is in the CleanTalk Database, that is a good reason to make verification stricter.

    Enterprise networks
    Protecting enterprise networks from unauthorized access and hacking. Protection for such networks usually consists of several layers of authentication and other security tools. The CleanTalk Blacklists Database of Spam IP and Email Addresses is one of the tools that helps make protection more reliable.

    Protection for mobile applications
    The CleanTalk Blacklists Database of Spam IP and Email Addresses is also used to protect mobile applications from spam signups and spam registrations.

    Protection for API, web applications
    In this case, anti-spam checks are performed on the addresses that call the API; if an address is blacklisted in the Database, that is a good reason to pay closer attention to it and take the necessary measures.

    The most common ways of using our CleanTalk Blacklists Database of Spam IP and Email Addresses were described in this article to help reinforce the security of any online business. You can access the CleanTalk Blacklists Database through our APIs or by downloading it as files.

  • 7 tips of communicating with your clients and how to not lose them

    We want to share our experience of handling feedback from our clients. Here are some of the rules that help us get great feedback about the quality of our tech support:

    1. Speed of response to a client request.

      The faster you respond to your client’s question, the more satisfied your client will be with working with you. Even if you use auto-replies when a client creates a ticket and tell them that you will reply within 24 hours, it is a discouraging factor, as the client now expects to wait up to 24 hours for your reply. You have to reply within 1, maximum 2 hours. At CleanTalk we stick to the rule that 80% of all replies must be given within 1 hour of the question being created and of the previous client reply; moreover, we usually manage to do it about 20-30 minutes faster. Such response speed is very motivating for clients, and we get feedback that our support team is one of the fastest they have worked with.

    2. Accessible and clear information.

      Provide your client with a clear and accessible description of how the issue should be resolved. If the client is required to perform some actions from their side then do the following:
      – describe a detailed and step-by-step order of such actions;
      – provide a screenshot, mark the needed area of the interface and what actions are needed to be done;
      – provide your client with a link to the necessary interface or guide, this way your client will not have to search for the necessary pages themselves.
      These steps are needed so that the client does not have to ask you again how to perform an action you asked for earlier, which ultimately reduces the time it takes to resolve the issue and the number of responses per request. On average, we get 3.33 responses per request.

    3. Deadlines of solving the issues must be met.

      If you cannot solve the issue immediately and need help from colleagues such as your programmer, give a realistic date by which you will respond to the client. Do not give unrealistic deadlines, to avoid rescheduling. If for objective reasons you will not meet the deadline, inform the client about it and give them a new deadline. You should keep track of the deadlines and not let the issue be continually postponed because of the workload of other employees. Establish smooth cooperation between departments; there should not be any delays at any stage of the problem-solving process. In our company, each department (Web Developers, Client-Side Developers, Server-Side Developers) has an employee who handles client issues that come from technical support.

      If the question is complex, requires more time to find a solution or answer, and you cannot give your answer within an hour, tell the client about it right away. Say how much time you will need to investigate the question and prepare your answer. For example: “I’m sorry, it will take longer than usual to investigate your issue, and I will be able to give you a detailed answer in 4 hours”.

    4. Provide your support staff with all details they need.

      Your employees should not spend their time searching for information about the client. Analyze how your employees’ workflow is organized, note the most frequent and time-consuming activities, and try to automate them so that they can be performed with a single button.

    5. Offer a bonus for your mistakes.

      If the mistake was your fault, offer your client a bonus to compensate for their time. Giving your clients some encouraging attention is good practice for building loyalty.

    6. Prepare your reply templates for the same type of questions.

      Analyze your client requests. There will always be similar questions, and it takes a lot of time to type similar replies over and over. It is easier to prepare standard reply templates that can then be edited depending on the situation. Try not to make such templates sound like a machine answer; edit the template in your reply for more human-like communication.

    7. Make sure that the client’s question is resolved.

      If the client reached out to you and you gave them a solution, ask the client at the end of your reply if your instructions helped them and if their question has been resolved. It greatly reduces the time it takes to resolve the issue.

    We hope the experience we have shared will help your support team and your clients communicate in the most useful way. If you have anything to add, please write it in the comments.

    If you want us to share more of our experience with you – let us know in the comments below and don’t forget to share if you like the post.

  • Account Confirmation for Outlook.com and Hotmail.com

    Hello,

    For owners of email addresses on outlook.com or hotmail.com, there is a chance that incoming emails are moved to the junk folder. Please pay attention: if you have not received the email to confirm your CleanTalk account, check your junk folder. We are working to resolve this issue and apologize for the inconvenience caused.
    To ensure that our emails go straight to your inbox and not to your junk folder, please add the address we*****@cl*******.org to your SAFE SENDERS LIST.

    Outlook and Hotmail email account:
    - Log in and click the “Settings” icon at the upper right corner of the page. Choose the “More Mail Settings” option.
    - Under the “Preventing junk email” section, click “Domain to mark as safe”.
    - Click "Safe senders".
    - In the “Sender or domain to mark as safe” field, enter @cleantalk.org and click “Add to list”.

    Thank you for your patience.

  • Changes in the spam_check() API method

    In the current version, the spam_check API method provides these additional parameters:

    frequency_time_10m - 10 minutes activity
    frequency_time_1h - 1 hour activity
    frequency_time_24h - 24 hours activity

    Learn more about all parameters:
    https://cleantalk.org/help/api-spam-check#response-explanation

    These parameters show the total activity for the checked entry, both spam and non-spam. Practice has shown that these parameters are not effective and are not in demand.

    These parameters will be removed from the API method on October 7, 2021.

    If you have any questions about the API method, you can ask a question in the comments below.

  • Update CleanTalk Uptime Monitoring Service

    We have updated our uptime monitoring service for websites.

    This update allows you to select the monitoring points from which to check the availability and loading time of the site.
    When adding a website URL, monitoring automatically checks the response time from all points and suggests setting the monitoring point that is closest to the website.

    Most sites do not need loading-speed data from different locations around the world, since they target local users, and checking the loading time from all points at once generates unnecessary requests to the site.

    For such users, it will be enough to select one or two points from the nearest location to the site.
    Learn more about CleanTalk Uptime Monitoring.
    https://cleantalk.org/help/uptime-monitoring-how-it-works

    If you have any questions, we will be happy to help you.
    You can leave a comment below or create a private ticket here.

  • CleanTalk updated the 2FA (two-factor authentication) option

    Two-factor authentication is still one of the most effective methods of protecting your account. One of the most common ways to hack WordPress sites is to brute force passwords.
    The CleanTalk Security plugin for WordPress already had two-factor authentication by sending an authorization code to your email account.
    We have now expanded the two-factor authentication options and added the Google Authenticator option.
    Now you can choose the most convenient 2FA option for you.
    You can learn more about how to set up two-factor authentication in WordPress here https://cleantalk.org/help/two-factor-auth
    You can further strengthen the protection of accounts and change the URL address of the authorization page. You can read more here https://blog.cleantalk.org/how-to-change-wp-login-url/.
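    What the Google Authenticator option verifies, as an added Python example that is not the plugin's code: RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step) with a one-step tolerance for clock skew. The secret is the RFC's published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238's published test secret (ASCII "12345678901234567890"), base32-encoded
# the way an authenticator app receives it. A test vector, not a real key.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, for_time, digits=6, step=30):
    """RFC 6238 TOTP with HMAC-SHA1, the profile Google Authenticator uses."""
    secret_b32 = secret_b32.strip().upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, now=None, window=1):
    """Accept the code for the current step or up to `window` steps either side,
    which tolerates clock skew between phone and server. The comparison is
    constant-time so a wrong guess learns nothing from response timing."""
    now = time.time() if now is None else now
    submitted = str(submitted).strip()
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + delta * 30), submitted):
            return True
    return False

if __name__ == "__main__":
    print(totp(TEST_SECRET_B32, 59))   # RFC 6238 test vector: 287082
```

    A production verifier should additionally remember the last accepted time step per user so that an intercepted code cannot be replayed within the window, and should rate-limit attempts, since a six-digit code is small enough to guess without that limit.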

    If you have any questions, we will be happy to help you.
    You can leave a comment below or create a private ticket here.