My WordPress Blog sends malicious traffic to other sites [closed]



Closed 24 days ago.

I’m running a WordPress blog on a Compute Engine VM on Google Cloud. A few days ago, I received an email from Google telling me that a potential violation of their Acceptable Use Policy had been detected:

We have recently detected that your Google Cloud Project wordpress-blog (id: xxxxxx) IP XX.XXX.XXX.XXX has been performing intrusion attempts against a third-party and appears to be violating our Terms of Service. You can fix the problem by ensuring that your project traffic directed at third-parties is expected, and that your project has not been compromised. Please check the traffic originating from all your instances and fix any other instances that may be impacted by this.

I submitted an appeal where I explained to them that I was not aware of the situation and asked for more details. They gave me a log from BitNinja with the malicious attempts. Let me give a sample:

XXX.XXX.XXX.XXX - - [23/Aug/2020:15:20:43 +0200] "GET /wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php HTTP/1.0" 400 595 "-" "Mozilla" SenseLog id [80_1_013] Message [ApacheWpConfig]]

Url: [in###ar.ru/wp-content/plugins/seo-by-rank-math/assets/front/js/rank-math.js]
Remote connection: [XXX.XXX.XXX.XXX:59662]
Headers: [array ( 'Host' => 'in###ar.ru', 'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36', 'Connection' => 'close', 'Content-Length' => '0', 'Content-Type' => 'application/x-www-form-urlencoded', 'Accept-Encoding' => 'gzip', )]

I tried to see my own logs but didn’t find anything suspicious. Could you please give me some advice on what steps I could follow to disinfect my machine? I’m running Ubuntu 20.04 LTS.

EDIT

Montassar Billeh Hazgui was right. I indeed found a known threat with the GOTMLS plugin. I hope the issue is resolved.
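
The reported request reads `wp-config.php` through a `../` step in the `thumb` parameter of an `admin-ajax.php` action. The following added example (not part of the original post, and not BitNinja's code) parses access-log lines of that shape and flags such probes, including percent-encoded forms, so the same signature can be matched against an abuse report or an egress proxy log. The function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log prefix: src ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.[\\/]')   # "../" or "..\" path step
SENSITIVE_FILES = ("wp-config.php",)                 # file named in the report

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding for a traversal probe in a query parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, raw in params:
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value) and value.lower().endswith(SENSITIVE_FILES):
            return {"src": m["src"], "time": m["time"], "path": parts.path,
                    "action": dict(params).get("action"), "param": name,
                    "value": value, "status": int(m["status"])}
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (203.0.113.10 is a documentation address).
SAMPLE = [
    '203.0.113.10 - - [23/Aug/2020:15:20:43 +0200] "GET /wp-admin/admin-ajax.php'
    '?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php'
    ' HTTP/1.0" 400 595 "-" "Mozilla"',
    '203.0.113.10 - - [23/Aug/2020:15:21:02 +0200] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 47 "-" "Mozilla"',
    '203.0.113.10 - - [23/Aug/2020:15:21:09 +0200] "GET /wp-admin/admin-ajax.php'
    '?action=ave_publishPost&thumb=%252e%252e%252fwp-config.php HTTP/1.0" 400 595 "-" "Mozilla"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
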
