I’m running a wordpress blog on a Compute Engine VM on Google Cloud. A few days ago, I received an email from Google telling me that a potential violation of their Acceptable Use Policy has been detected:
We have recently detected that your Google Cloud Project wordpress-blog (id: xxxxxx) IP XX.XXX.XXX.XXX has been performing intrusion attempts against a third-party and appears to be violating our Terms of Service. You can fix the problem by ensuring that your project traffic directed at third-parties is expected, and that your project has not been compromised. Please check the traffic originating from all your instances and fix any other instances that may be impacted by this.
I submitted an appeal where I explained them that I was not aware of the situation and asked for more details. They gave me a log from BitNinja with the malicious attempts. Let me give a sample:
XXX.XXX.XXX.XXX – – [23/Aug/2020:15:20:43 +0200] “GET /wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php
HTTP/1.0” 400 595 “-” “Mozilla” SenseLog id [80_1_013] Message
[ApacheWpConfig]]
Url:
[in###ar.ru/wp-content/plugins/seo-by-rank-math/assets/front/js/rank-math.js]
Remote connection: [XXX.XXX.XXX.XXX:59662] Headers: [array ( ‘Host’
=> ‘in###ar.ru’, ‘User-Agent’ => ‘Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125
Safari/537.36’, ‘Connection’ => ‘close’, ‘Content-Length’ => ‘0’,
‘Content-Type’ => ‘application/x-www-form-urlencoded’,
‘Accept-Encoding’ => ‘gzip’, )]
I tried to see my own logs but didn’t find anything suspicious. Could you please give me some advice on what steps could I follow to disinfect my machine? I’m running Ubuntu 20.04 LTS.
EDIT
Montassar Billeh Hazgui was right. I indeed found a known threat with the GOTMLS plugin. I hope the issue is resolved.
1 Answer
Your website is infected by Malware.
Hackers are using your WordPress website for ‘spamvertising.’
This causes an insane traffic spike. Spam emails are sent from your server with links to existing or new pages that are created by the hacker.
Spamvertising can vandalize blogs, websites, forums, and comment sections with hyperlinks to get a higher search engine ranking for the hacker’s website.
In some cases, an attacker will decide to use your web server as a platform to launch attacks on other websites. This is relatively rare based on Wordfence respondents, who only reported this happening 0.7% of the time. (and it’s your case as I see)
The first thing to do is to install GOTMLS free plugin and scan your website, then check your database for admin users added by malware.
Please attach a screenshot of GOTMLS scan so I can tell you what you need to do exactly.
