
Seeking Solutions for Unwanted Injections

Started by williamsmith, Mar 29, 2023, 12:02 AM

williamsmith (Topic starter)

Background: The person who wrote the text is facing a problem with their website, where malicious injections keep appearing despite their efforts to remove them. They have hired a sysadmin but are still struggling to find a solution. They are now seeking advice on what steps to take next and whom to approach for help.

History: Upon the request of an SEO expert, I installed WordPress on one of the domains and granted him access to the site. Everything was fine for a year until I noticed that mobile traffic was merging with the main domain. Upon investigation, I discovered that injections were being added to the .htaccess and index.php files.

For a while, I couldn't figure out where these injections were coming from. However, through analysis, I found out that they were exploiting a vulnerability in WordPress. I managed to locate and delete the malicious code, but the problem persisted as new injections appeared every other day in the index.php file. I diligently removed multiple instances of the code, but the situation remained unchanged. Faced with my limited expertise in setting up Unix-based distributions, I decided to seek help from an outsourced sysadmin. This temporarily halted the injections.

After around three months, I noticed search engine traffic for inappropriate queries related to "homemade (male/female genital organ)" and "cheating in (popular game)," among others. I investigated and discovered the responsible file, promptly deleting it. However, it reappeared shortly after. Feeling frustrated, I tried blocking access to the file through .htaccess, but it still persisted.

In my desperation to uncover the culprit, I confronted the admin who claimed there was no evidence in the server logs, leaving me unsure where to look. But somehow, I managed to obtain the IP address of the scoundrel. The server using this IP address is most likely located in the Netherlands, suggesting the individual may be using a proxy or even a backtrack installation. Despite searching public proxy lists, I couldn't find this specific server. This realization has left me at an impasse, unsure of the next steps to take. Should I contact the hosting company? What evidence will be necessary to persuade them to shut down the server? I am desperate for guidance on what actions to pursue next.

IsaritaMarks

WordPress often falls victim to hacking, typically due to outdated add-ons that users fail to update. In December, a widely used module (possibly a text editor, but I can't recall the exact one) was discovered to contain a vulnerability that allowed bots to inject shells into servers.

To determine if the injections were a result of a WordPress or add-on vulnerability, you can conduct a file search using the "find" command. For example:

find /WWWDIR \( -name "*.php" -o -name "*.html" -o -name "*.htm" \) -exec egrep -Hni 'gzinflate\(base64_decode|eval\(base64_decode|shell_exec|doced_46esab|eval\(' {} \; | cut -c 1-150

Here, "WWWDIR" represents the directory where your website is located. It is also advisable to check the Apache settings (unless you have Nginx distributing static files in front of it) for any "x-httpd-php" Application Types associated with file extensions like *.png, *.html, etc. Additionally, you can search for such occurrences in .htaccess files using this command:

find /WWWDIR -name ".htaccess" -exec egrep -iHnr 'application\/x-httpd-php .*(gif|html|jpeg|jpg|doc|txt)' {} \;

If needed, you can perform a comprehensive scan of all files. If you have multiple sites on an Apache server, all operating under the same user, it's essential to scan all of them. If the attack was carried out via SSH, the investigation becomes more challenging, but it is crucial to examine the server logs to identify the last connection and its source.

It is highly recommended to have SSH access to the server for enhanced security measures.
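
The two one-liners above, wrapped into reusable functions as an added example (not the poster's own script). The document root it scans is constructed in make_sample_webroot so it runs offline; the function names and the sample files are my own.

```shell
#!/bin/sh
# Webroot triage built from the find/egrep one-liners in the post above
# (added example, not the poster's own script). The sample document root is
# CONSTRUCTED by make_sample_webroot so the script runs offline; on a real
# host call scan_webroot and check_htaccess_handlers on your WWWDIR instead.

# Signatures of obfuscated PHP droppers, as listed in the post.
SUSPECT_RE='gzinflate\(base64_decode|eval\(base64_decode|shell_exec|doced_46esab|eval\('

# Print "file:line:snippet" for each PHP/HTML file that matches SUSPECT_RE.
scan_webroot() {
    find "$1" \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -EHni "$SUSPECT_RE" {} \; | cut -c 1-150
}

# Print .htaccess lines that tell Apache to execute non-PHP extensions as PHP.
check_htaccess_handlers() {
    find "$1" -name '.htaccess' \
        -exec grep -EHni 'application/x-httpd-php .*(gif|png|html|jpeg|jpg|doc|txt)' {} \;
}

# Number of suspicious source lines under a document root (0 means clean).
count_hits() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

# Constructed sample: one clean index.php, one injected upload, one rogue .htaccess.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php echo "hello";\n' > "$d/index.php"
    # Harmless stand-in for a dropper: the blob only decodes to "echo 1;".
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$d/wp-content/uploads/x.php"
    printf 'AddType application/x-httpd-php .jpg\n' > "$d/wp-content/uploads/.htaccess"
    echo "$d"
}

# Run directly with --demo to see both checks against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_webroot)
    scan_webroot "$root"
    check_htaccess_handlers "$root"
    rm -rf "$root"
fi
```

Run it as the same Unix user that owns the site files so every directory is readable, and treat any hit under wp-content/uploads as a priority, since uploads should never contain PHP.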

richtedy

If the server had a rootkit, the original poster wouldn't have discovered anything.

Based on external evidence, it appears that a non-root robot is operating. The most plausible scenario is that an automated scanner detected a vulnerable WordPress, exploited it, and injected a typical set of files like an IRC server thread. This would have been launched by the user under which the web server runs.

It is possible that there is an entry in the crontab associated with it.

Inspect all processes running under the user account of your web server. There is a good chance you will come across something suspicious, such as "apache3" or "crond".

I have personally encountered approximately twenty similar compromises before.

nidhitiwari

It is possible that your server is compromised by a rootkit, granting the attacker full administrator access and the ability to make changes at will. Dealing with rootkits typically requires a complete disk cleanup and reinstalling the operating system from scratch, which can be time-consuming and costly. Contacting your hosting provider for assistance is the recommended approach in such cases.

However, if there is no rootkit present, the situation is relatively better. There might be a backdoor left by the attacker, which does not grant administrator privileges. To address this, carefully examine all code files for any suspicious changes and remove them. Double-check all configurations for any unauthorized modifications. Additionally, review various logs, including those of the web server, auth.log, and cron logs, as the attacker may have planted a script in the crontab. This thorough investigation will require both time and resources.

Keep in mind that backdoors can sometimes be hidden within WordPress themes or plugins. So it is crucial to scrutinize these as well.

To mitigate vulnerabilities in web scripts, you can consider implementing additional security measures on the server, such as safe_mode and disable_functions. However, relying solely on these measures is not ideal. It is advisable to avoid installing questionable open-source scripts in publicly accessible folders to minimize potential risks.

Regarding the IP address of the server, which appears to be located in the Netherlands, it is likely that the attacker is using a proxy or some form of backtrack installation. Despite thorough searches, the server could not be found in public proxy lists, which suggests that it may be privately owned. At this point, you may feel stuck and unsure of the next steps to take.

While filing a complaint with the host in the Netherlands (including relevant logs showing connections from that server) is an option, be aware that they may be an abuse-resistant hosting provider associated with criminal activities. As a result, they might not cooperate with the investigation. In such cases, involving law enforcement agencies becomes necessary, although their willingness to assist may be uncertain.
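
Added example, not from either post, that follows richtedy's advice to inspect processes running as the web-server user (names like "apache3" or "crond") and nidhitiwari's note about checking cron. The ps lines are constructed, and the daemon-name list and function names are my own assumptions.

```shell
#!/bin/sh
# Process and crontab triage for the web-server account, following the advice
# above from richtedy and nidhitiwari. Added example, not from either post;
# the ps sample is CONSTRUCTED and the daemon-name list is an assumption.

# Names a bot often borrows; real copies of these never run as the web user.
DAEMON_NAMES='apache3|crond|sshd|kworker|httpdd'
# A long-lived web-user process should not execute from a scratch directory.
SCRATCH_RE='(^| )/(tmp|var/tmp|dev/shm)/'

# Read "PID COMM ARGS" lines on stdin and print the ones worth a closer look,
# tab-separated from the reason they were flagged.
flag_suspicious_procs() {
    while read -r pid comm args; do
        [ -z "$pid" ] && continue
        reason=''
        echo "$comm" | grep -Eq "^($DAEMON_NAMES)$" && reason='daemon-name under web user'
        echo "$args" | grep -Eq "$SCRATCH_RE" && reason="${reason:+$reason, }exec from scratch dir"
        [ -n "$reason" ] && printf '%s %s %s\t%s\n' "$pid" "$comm" "$args" "$reason"
    done
    return 0
}

# Live input for the filter: every process owned by the given user.
live_procs() {
    ps -u "$1" -o pid=,comm=,args= 2>/dev/null
}

# Cron entries for that user; a re-infection job that rewrites index.php is
# commonly parked here (reading another user's crontab needs root).
list_cron_entries() {
    crontab -u "$1" -l 2>/dev/null
    grep -rsH "$1" /etc/crontab /etc/cron.d 2>/dev/null
    return 0
}

# Constructed sample of what `ps -u www-data -o pid=,comm=,args=` might print.
sample_procs() {
    cat <<'EOF'
1234 apache2 /usr/sbin/apache2 -k start
1301 php-fpm7.4 php-fpm: pool www
2042 crond /tmp/.x/crond
2043 perl perl /dev/shm/.s/irc.pl
2100 apache3 /usr/sbin/apache2 -k start
EOF
}

# On a live host: live_procs www-data | flag_suspicious_procs
count_sample_flags() { sample_procs | flag_suspicious_procs | wc -l | tr -d ' '; }
```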

jackgrant1

Hackers frequently employ various tools and tactics during their attacks. Here are some common attack methods:

1. Denial of Service (DoS) attacks:
DoS and DDoS attacks aim to render a server inaccessible by overwhelming it with traffic or falsifying diagnostic data. These attacks exploit weaknesses in internet protocols such as TCP and ICMP. To defend against DoS attacks, routers can be configured with anti-spoofing and anti-DoS functionalities. Reducing the flow of non-critical traffic also helps increase network security.

2. Malware attacks:
Malicious programs, commonly referred to as viruses, pose significant threats to network security. They can infiltrate users' devices, potentially leading to the compromise of confidential information. Servers that operate in client/server mode with data authentication are particularly vulnerable. Regularly updating antivirus software, implementing data encryption, and deploying additional security measures like antisniffers and firewalls are effective countermeasures against malware attacks.

3. Routing attacks:
Routing attacks seek to disrupt networks by sending incorrect packets, poisoning routing tables, launching Hit-and-Run attacks, or using standard DoS techniques. Attackers may exploit routers to gain unauthorized access to specific information being transmitted. Filtering incoming and outgoing traffic, encrypting data, monitoring user activity, and updating firewalls are recommended practices for maintaining network security in the face of routing attacks.

4. Network intelligence:
Hackers often conduct network intelligence operations to gather information about a targeted network's architecture and characteristics. This typically involves DNS queries, echo testing (ping sweep), and port scanning. Implementing Intrusion Detection Systems (IDS) helps identify illegal intrusions and suspicious activities. However, disabling ICMP echo might impact network administration since some diagnostic data will be lost.

5. Man-in-the-Middle (MitM) attacks:
MitM attacks involve intercepting network packets transmitted between devices. Sniffers and routing protocols are commonly used for this purpose. The goal is to gain unauthorized network access to steal personal or corporate information. Implementing data encryption serves as a defense against MitM attacks.

6. XSS attack:
XSS attacks, or Cross-Site Scripting attacks, exploit vulnerabilities in web applications to inject malicious scripts into trusted websites. This allows attackers to compromise user data, spread malware, or perform unauthorized actions. Regularly updating and securing web applications, using input validation and output encoding, and implementing web application firewalls are effective defenses against XSS attacks.

Emaidavom

I'm sorry to hear about the difficulties you've been facing with your website. Dealing with malicious injections and ongoing attacks can be frustrating and challenging. Here are some steps you can consider taking next:

1. Backup: Ensure you have proper backups of your website, including both database and file backups. This will help you restore your site if needed.

2. Update and Secure WordPress: Make sure you are using the latest version of WordPress and update all themes and plugins. Vulnerabilities in outdated software can be exploited by attackers. Additionally, implement strong security measures such as using secure passwords, limiting login attempts, and enabling two-factor authentication.

3. Malware Scans: Run malware scanning tools to thoroughly scan your website files and database for any remaining malicious code. There are several security plugins available for WordPress that can help with this.

4. Security Plugin: Consider using a reputable security plugin that specializes in protecting WordPress websites. These plugins can provide real-time monitoring, firewall protection, and other security features to help prevent future attacks.

5. Server Logs: Check your server logs for any suspicious activity or patterns that could help identify the source of the attacks. Look for any unusual IP addresses, unusual file access, or error messages that may indicate unauthorized activity.

6. Contact Hosting Company: If you have evidence of the attacker's IP address and suspect their server is located in the Netherlands, it may be worth contacting your hosting company or reporting the issue to them. Provide them with any evidence you have, such as logs or IP addresses, and explain the ongoing problems you are facing. They may be able to investigate further, take appropriate action, or provide guidance on how to proceed.

7. External Help: If the issue persists and you are unable to resolve it on your own, consider reaching out to professional security firms or consultants who specialize in website security. They can conduct a thorough investigation, provide expert advice, and help mitigate the attacks.