My website has been hacked, or someone has attempted to hack it. I can see malicious uploaded files on my website server. Is there any way I can reveal the IP address of whoever uploaded the files?

Also, my website is on WordPress and there are lots of changes and malicious code, so is there any way I can see who has modified those files? I checked AWStats and Webalizer but I cannot get much information.

GypsyCosmonaut
  • Just read the canonical answer https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server . And honestly, don't worry about cleaning it up. Just nuke it and start over, remember to keep your system updated and follow the WordPress hardening best practices; there are tons of guides on how to do it. – Mr. E Jul 15 '17 at 03:12
  • Given that you don't know __how__ the malware was added to your system in the first place, it is impossible to know __who__ did it. Once you've figured out the first, you might find enough information in your logs to find at least the originating IP address of the attacker. Or you might not, depending on how the attacker worked. – Steffen Ullrich Jul 15 '17 at 05:31
  • Better to deal with how someone hacked you instead of who hacked you. – Mirsad Jul 16 '17 at 02:12

1 Answer

Two possibilities, with a few ifs.

Possibility #1:

  1. Take a look at the created timestamps on the malicious files (assuming they're separate files); or last-modified timestamps (if malware was injected into one of your files).

If you have access to your web server access logs (depending on your hosting plan and service provider, the location, name and method of getting them would be different); and

If you have those logs for the time-range when those files were created/modified; then

  2. Search through those logs for PUT or POST messages targeting those files.

Since you already mentioned Webalizer, you probably did some form of this already. Hopefully the narrowing down that I mentioned might help; or use of another tool (even a manual search through the logs) might identify what is being missed.

Possibility #2:

Some WordPress security plugins (not all) do create separate logs that you can dig into. I know that Sucuri's service does this, and probably WordFence too. I have a product that does this (ActiFend) too, though the logs are stored on our servers.

If you were using any such plugin -or- any other remote logging solution, either you or any security analyst would be able to dig through them to get some idea of the IP address (that is not the same as who did it, but it is still something).

For the future: being prepared is the key. If you accept that you will be hacked at some time or other, then you'd set up both remote monitoring and recovery.

Sas3
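The "Possibility #1" procedure above (take the malicious file's timestamp, then look in the web server access log for write-capable requests around that time, and for any request that touched the file itself) as a small triage script. This is an added example, not code from the answerer or from any of the products mentioned. It assumes the Apache/nginx "combined" log format; the log lines, the `shell.php` path, the timestamps and the IP addresses (documentation ranges) are all constructed for the demonstration.

```python
"""Triage helper for the procedure in the answer: given the mtime of a
malicious file, list the POST/PUT requests that landed shortly before it,
and list every request that addressed the file by path.

Added example; assumes Apache/nginx "combined" log format. All sample data
below is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed combined-format access log (not real traffic). 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2017:22:58:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2017:22:58:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2017:22:59:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jul/2017:23:00:12 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2017:23:01:45 +0000] "GET /wp-content/uploads/2017/07/shell.php?cmd=id HTTP/1.1" 200 77 "-" "curl/7.52"
192.0.2.9 - - [15/Jul/2017:09:15:00 +0000] "POST /wp-content/uploads/2017/07/shell.php HTTP/1.1" 200 33 "-" "python-requests/2.18"
"""

# client ip, ident, user, [timestamp], "METHOD path protocol", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 14/Jul/2017:23:00:00 +0000


def parse_ts(s):
    """Parse a log-style timestamp; use the same format for the file mtime
    (convert `stat` output to the log's timezone first)."""
    return datetime.strptime(s, TS_FMT)


def parse_line(line):
    """Return a dict for a combined-format line, or None for anything else
    (rotated/truncated lines should be skipped, not crash the search)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = parse_ts(d["ts"])
    return d


def suspect_requests(log_text, file_mtime, window_minutes=5):
    """Write-capable requests (POST/PUT) in [mtime - window, mtime].
    The file is usually dropped by a request to some other endpoint
    (a login, an admin-ajax handler, a plugin upload), so filter on time
    and method rather than on the malicious file's own path."""
    lo = file_mtime - timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] in ("POST", "PUT") and lo <= e["ts"] <= file_mtime:
            hits.append(e)
    return hits


def requests_for_path(log_text, path):
    """Every request whose URL path (query string stripped) is `path`:
    shows who used the file after it was planted, which often points to the
    same source as the upload."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["path"].split("?", 1)[0] == path:
            out.append(e)
    return out


def ips_by_count(entries):
    """Source IPs ordered by how many of the given requests they made."""
    return Counter(e["ip"] for e in entries).most_common()


if __name__ == "__main__":
    # Constructed mtime for the malicious file, already in the log's timezone.
    mtime = parse_ts("14/Jul/2017:23:00:00 +0000")
    print("write-capable requests just before the file appeared:")
    for e in suspect_requests(SAMPLE_LOG, mtime):
        print(" ", e["ts"], e["ip"], e["method"], e["path"])
    print("requests that addressed the file itself:")
    print(" ", ips_by_count(requests_for_path(SAMPLE_LOG, "/wp-content/uploads/2017/07/shell.php")))
```

Two caveats when running this against a real log: the filesystem mtime and the log timestamps must be compared in the same timezone (the `%z` offset in the log is authoritative for the log side), and if the site sits behind a CDN or reverse proxy the `ip` field is the proxy's address, so the original client address, if present at all, is in a forwarded-for header that this format does not record. Either way, as the comments on the question point out, an IP address tells you where the requests came from, not who sent them.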