Brute force with CF IPs

Site redirect to belonnanotservice.ga
Someone posted today that his website has been hacked and redirected to belonnanotservice.ga.
An admin just closed the topic without reason: user777, you can handle it from now.
HOW? Attackers use CF. I posted a screen, and please SANDRO answer this: HOW? How can user777 handle tons of websites hacked with CF IPs???

To be short, concrete and direct, kindly just make a Firewall rule to block any request (path) which contains xmlrpc.php, using the link and example below:

Expression example:

(http.request.uri.path contains "xmlrpc.php")

Nevertheless, a warm suggestion: disable XML-RPC either via a plugin (tons of them available at the WordPress repo) or manually by adding the needed code in functions.php.

That’s not exactly it; see why in the paragraph below.

Furthermore, you see Cloudflare IPs because you obviously haven’t configured your origin host / server to return the true visitor IP, as described in the article below, using CF-Connecting-IP and real_ip:

I recommend checking some useful articles about security measures and Firewall Rules at Cloudflare for WordPress, which can be found at the links below:

In case your website is using Cloudflare services, may I suggest looking into the articles below to find out about and enable protective measures due to recent “attacks”:

Here is a great collection to look at too, as an example:

If you think your WordPress website has been hacked, kindly see the articles below, as I am afraid Cloudflare currently cannot clean your hacked WordPress website or do anything about it:

I believe the above could help you at least a bit to handle them better in future :wink:

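Why the poster sees only Cloudflare addresses, as an added example that is not part of this thread: the constructed log lines below (assumed nginx-style format with the CF-Connecting-IP header appended as the second field) are counted once by the connecting address and once by the header, which is the view the real_ip configuration mentioned above restores.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed access-log lines; assumed format:
#   remote_addr "cf_connecting_ip" "request" status
# 172.70.x.x stands in for Cloudflare edge nodes (172.64.0.0/13 is a Cloudflare range),
# 203.0.113.x / 198.51.100.x (documentation ranges) stand in for the real clients.
SAMPLE_LOG='172.70.1.10 "203.0.113.7" "POST /xmlrpc.php HTTP/1.1" 200
172.70.1.11 "203.0.113.7" "POST /xmlrpc.php HTTP/1.1" 200
172.70.2.5 "203.0.113.7" "POST /xmlrpc.php HTTP/1.1" 200
172.70.1.10 "198.51.100.22" "POST /xmlrpc.php HTTP/1.1" 200
172.70.2.5 "198.51.100.22" "POST /xmlrpc.php HTTP/1.1" 200
172.70.1.11 "203.0.113.9" "GET /wp-login.php HTTP/1.1" 200
172.70.2.5 "203.0.113.7" "GET / HTTP/1.1" 200'

# xmlrpc.php POSTs per connecting (edge) address: the view the original poster has.
# Blocking these would block Cloudflare itself, i.e. every legitimate visitor.
xmlrpc_by_edge_ip() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/POST \/xmlrpc\.php/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# The same requests attributed to CF-Connecting-IP: the view once the origin
# logs the header or restores it with real_ip (then REMOTE_ADDR matches too).
xmlrpc_by_real_ip() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/POST \/xmlrpc\.php/ { gsub(/"/, "", $2); n[$2]++ } END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Real clients at or above a request threshold: these are the addresses a
# rate limit or firewall rule can act on without collateral damage.
xmlrpc_offenders() {
  threshold="${1:-3}"
  xmlrpc_by_real_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

xmlrpc_by_edge_ip
xmlrpc_by_real_ip
xmlrpc_offenders 3
```

With the edge view, five POSTs from two real clients look like three Cloudflare addresses; only the header view exposes the single client responsible for three of them.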

Same boat here. My WordPress sites redirect to belonnanotservice.ga; it looks like malware on all pages (except cached static pages), and I can’t log in to the Dashboard. All pages come with malware JavaScript and many links like: http:// get.belonnanotservice.ga/away?/wp-content/plugins/… I tried everything: adding Page Rules, restoring (SQL & data) from previous backups, trying to find suspicious PHP or HTML files or code, checking the domain registrar, hosting and DNS, but I can’t find anything. (The strange thing is that on my WordOps server there are 3 websites with the same code & plugins, but only 2 websites have errors; I can’t explain this.) How can I fix it?

(user7776, the redirect hasn’t been fixed yet; it’s back again on his webpage!)

As usual.

Hopefully this is not due to an HTTPS connection (SSL certificate) error?

These articles are a good way to check too:

What error do you get? And is it the same on both websites (out of the 3) on the same server?

If not configured at Page Rules at Cloudflare dashboard, then it comes from malicious code from your Website.

And possibly will always be …

This is a very known behaviour of a malware on WordPress (incl. databases, old backups, nulled things like themes or plugins, or outdated software).

I am afraid Cloudflare cannot help you much here if the website is doing a redirection at the origin caused by malware / malicious code, and you stated you have no Page Rules configured at the Cloudflare dashboard either; therefore, see the above links for help on how to fix a malicious/malware-infected WordPress website, if it isn’t already mentioned there.

Further discussion could be out of the scope of this forum, as there are enough examples and solutions out there like How to Remove Malware & Clean a Hacked WordPress Site | Sucuri.

You could try out with Imunify AntiVirus (Free version) and scan your files (some cPanel hosting providers have it installed too).

Otherwise, you could possibly zip all of www/public_html and export the database, then send it either to some specialist (an expert and experienced person) who could do it for you (or to me), but I am afraid this cannot be done voluntarily for free, at least.

Thank you [fritexvz] for replying to my question, you’re a good man. I will try; I think I can learn a lot from that.

I’m fighting the same situation. If you find any solution just post it; I will do the same.

What about a Google search?
This is malware coming from the WordPress Automatic plugin.

Omg, I found it. The problem may be the “Redis Object Cache” plugin (v 2.0.21). The redirect was gone when I deleted the file /wp-content/object-cache.php. When I turned on “Enable Cache” in this plugin again, the redirect reappeared.

Is there something wrong with the Redis Object Cache code or JS libraries, since this is such a popular plugin? Or the malware exists on my server and just uses the object cache to attack.

(I don’t know, but my object-cache.php has been unchanged for several months now since my first install; of course, I got Redis Object Cache from wordpress.org. My 3 websites are on the same server; only 2 sites got redirect errors, 1 site is unaffected because I don’t enable Redis Object Cache, and there is no object-cache.php in its wp-content.)


I don’t use that plugin on my websites and still get my URL and home changed almost every day.
Do you use wp-automatic?

I don’t use WordPress Automatic. You should try renaming some cache files in wp-content/ like: object-cache.php, advanced-cache.php, db.php.
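An added check, not from the thread or from the Redis Object Cache project, for the wp-content drop-ins the two posts above point at: WordPress loads object-cache.php, advanced-cache.php and db.php before any plugin and does not list them on the Plugins screen, so a tampered copy can redirect every uncached page while all plugins look clean. The reference path of the plugin’s pristine copy and the indicator string (the redirect domain named in this thread) are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example, not part of the thread or of the Redis Object Cache plugin.
# Audits the drop-in files in wp-content: reports each one present, compares
# object-cache.php against the copy shipped inside the plugin directory, and
# flags any drop-in containing the redirect domain seen in the thread.
# Assumptions: $1 is the WordPress root; the plugin keeps its pristine copy at
# wp-content/plugins/redis-cache/includes/object-cache.php (adjust if different).
audit_dropins() {
  root="$1"
  indicator="belonnanotservice"
  ref="$root/wp-content/plugins/redis-cache/includes/object-cache.php"
  for name in object-cache.php advanced-cache.php db.php; do
    file="$root/wp-content/$name"
    [ -f "$file" ] || continue
    status="present"
    # Only object-cache.php has a known-good copy to diff against in this setup;
    # a drop-in that differs from what the plugin ships was edited by someone.
    if [ "$name" = "object-cache.php" ] && [ -f "$ref" ]; then
      if cmp -s "$file" "$ref"; then
        status="matches-plugin-copy"
      else
        status="differs-from-plugin-copy"
      fi
    fi
    # Indicator match is a strong signal; absence of a match proves nothing.
    if grep -q "$indicator" "$file"; then
      status="$status indicator-found"
    fi
    printf '%s %s\n' "$name" "$status"
  done
}

# Usage: audit_dropins /var/www/example-site   (path is a placeholder)
[ -n "$1" ] && audit_dropins "$1"
```

Run it against each of the three sites on the same server: a drop-in that differs from the plugin copy on the two affected sites but is absent on the clean one matches the pattern described above.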

I use WordPress Automatic and this happened on my site too. Managed to get rid of it and get it back up and running. You’ll have loads of users signing up, and it sets the default role to admin as well.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.