My Web Site Was Hacked?

If someone may be using your site to participate in a DDoS attack, it may be due to a configuration error. You may want to see what ports you have open.

Is someone using you to perform a denial of service attack on someone else? It is not just an annoyance to someone else; it also uses bandwidth that costs you money.

Test for misconfigured NTP server (UDP port 123)

Test for open recursive DNS resolver (UDP port 53)

If chargen (port 19) is found, disable it. This antiquated service is of no use to you and can be used to attack others.

If LDAP (port 389) is found, determine if exposing your email server is necessary. Best practices say it is not. If your mail server must be exposed to the Internet, make sure UDP port 389 (connectionless LDAP or CLDAP) is not exposed to the Internet. This service can be used to attack others.

That list is UDP ports 19, 53, 123 and 389.
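One way to check your own server for these four services, as an added example that is not part of the original page: the function below reads the output of `ss -uln` and reports UDP sockets on ports 19, 53, 123 and 389 that are bound to a non-loopback address. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# UDP services the page lists as usable against third parties.
RISKY_UDP = {19: "chargen", 53: "DNS", 123: "NTP", 389: "CLDAP"}

def is_loopback(addr):
    """True when the bind address is reachable only from this host."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    if addr == "*":
        return False  # wildcard bind: all interfaces
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable: report it so it gets reviewed

def exposed_udp_listeners(ss_output):
    """Return sorted (port, service, bind_address) for risky non-loopback UDP sockets."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "UNCONN":
            continue  # header or a line that is not an unconnected UDP socket
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in RISKY_UDP and not is_loopback(addr):
            findings.add((int(port), RISKY_UDP[int(port)], addr))
    return sorted(findings)

# Constructed sample of `ss -uln` output (not from a real host).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
UNCONN 0      0      [::]:19            [::]:*
UNCONN 0      0      192.0.2.10:389     0.0.0.0:*
UNCONN 0      0      [::1]:53           [::]:*
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
"""

if __name__ == "__main__":
    for port, service, addr in exposed_udp_listeners(SAMPLE):
        print(f"UDP {port} ({service}) listening on {addr}")
```

A socket reported here may still be blocked by a firewall in front of the host, so treat each finding as a service to disable or restrict rather than as proof of Internet exposure.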

About participating in WordPress Pingback DDoS attacks

Is someone using you to send spam? Test for an open SMTP mail relay (port 25)

The above attacks (NTP, DNS, Chargen, and WordPress Pingback DDoS attacks, as well as using you to send spam) do not indicate that you have lost information or that a virus has infected your system. They indicate that someone is taking advantage of a misconfiguration to use your site for their own purposes and make it look like you are responsible.

On the other hand, you can lose information and host viruses through other misconfiguration choices. PHP-based web sites (using Joomla, WordPress or Drupal for example) are often compromised through vulnerable plugins. For examples and corrective measures, see C99Shell not dead.

WordPress best practices

WordPress Security Scan
Web Shell Detector
