Quite confused...

The Apache access log is constantly showing spam URLs being called after a WordPress website hack. I think I have removed the hacking, but something is still calling these spam URLs on the site very frequently and I am trying to block them.

I have a few questions/issues to resolve:

Why would they show as 302 headers when in fact they are 404s? I have a server firewall to block traffic with too many 404s in a certain time frame, and this won't work with so many 302s.

I have set up Cloudflare, so traffic comes through there, AND I have blocked access to the site unless it's through Cloudflare IPs. Within Cloudflare I have enabled Under Attack mode, for the 5 second wait to access the site. This had no effect, the URLs keep coming!

So I am quite confused why so many 302s show and how they can access the site directly or through Cloudflare in Under Attack mode.

Thanks

162.158.159.136 - - [08/Jul/2022:11:14:03 +0100] "GET /injection-chyb6MR/b12-rapid-burner-9rV6kv-injection HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
162.158.159.10 - - [08/Jul/2022:11:14:04 +0100] "GET /MywTbl-loss/golo-weight-loss-0AqcQ-product-review-site-gov HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; DataForSeoBot/1.0; +https://dataforseo.com/dataforseo-bot)"
162.158.159.8 - - [08/Jul/2022:11:14:05 +0100] "GET /injection-chyb6MR/b12-rapid-burner-9rV6kv-injection/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
162.158.159.8 - - [08/Jul/2022:11:14:06 +0100] "GET /qcyvPfd-actually/best-weight-loss-pill/that-VNcLV6kv-actually-work HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; DataForSeoBot/1.0; +https://dataforseo.com/dataforseo-bot)"
162.158.159.8 - - [08/Jul/2022:11:14:07 +0100] "GET /54ijd-post/weight-loss-medication-post-bariatric-surgery-8qY62 HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; DataForSeoBot/1.0; +https://dataforseo.com/dataforseo-bot)"
141.101.107.138 - - [08/Jul/2022:11:14:09 +0100] "GET /canasa-Ai864ijX/SzIO8-canasa-erectile-dysfunction HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
  • Well, where do these redirect to? What makes you think Cloudflare could treat these bots any different from other visitors of your site? What do you mean by "removed the hacking"?
    – anx
    Commented Jul 9, 2022 at 2:36
  • They don't redirect for me, that's the thing. Browser shows the 404 not found page. The logs show 404 when I visit it. I disabled the website 404, and use the browser default, so the website does not even serve a page template, it's just nothing. Yet Apache shows a 302. We added Cloudflare hoping it could see the URLs being called from malicious user IPs and its firewall block them. Some files had some malicious code added so have removed it all. Commented Jul 11, 2022 at 9:39
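
An added example (not part of the original question or its comments): a Python sketch that parses the log lines posted above and pairs each 3xx response with a later 404 for the same path plus a trailing slash, the pattern visible in the first and third lines. Grouping by user agent is an assumption made here, because the logged address is the proxy's when traffic arrives through Cloudflare; the function names are hypothetical.

```python
import re
from collections import Counter

# Access-log lines copied from the question above.
SAMPLE = '''
162.158.159.136 - - [08/Jul/2022:11:14:03 +0100] "GET /injection-chyb6MR/b12-rapid-burner-9rV6kv-injection HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
162.158.159.10 - - [08/Jul/2022:11:14:04 +0100] "GET /MywTbl-loss/golo-weight-loss-0AqcQ-product-review-site-gov HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; DataForSeoBot/1.0; +https://dataforseo.com/dataforseo-bot)"
162.158.159.8 - - [08/Jul/2022:11:14:05 +0100] "GET /injection-chyb6MR/b12-rapid-burner-9rV6kv-injection/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
162.158.159.8 - - [08/Jul/2022:11:14:06 +0100] "GET /qcyvPfd-actually/best-weight-loss-pill/that-VNcLV6kv-actually-work HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; DataForSeoBot/1.0; +https://dataforseo.com/dataforseo-bot)"
162.158.159.8 - - [08/Jul/2022:11:14:07 +0100] "GET /54ijd-post/weight-loss-medication-post-bariatric-surgery-8qY62 HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; DataForSeoBot/1.0; +https://dataforseo.com/dataforseo-bot)"
141.101.107.138 - - [08/Jul/2022:11:14:09 +0100] "GET /canasa-Ai864ijX/SzIO8-canasa-erectile-dysfunction HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
'''

# Apache "combined" format: host ident user [time] "method path proto" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse(text):
    """Return (path, status, user_agent) for every line that matches the combined format."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            hits.append((m.group(2), int(m.group(3)), m.group(4)))
    return hits

def confirmed_chains(hits):
    """Paths that answered 3xx and whose slash-normalized form later answered 404 to the same agent."""
    chains = set()
    for i, (path, status, agent) in enumerate(hits):
        if 300 <= status < 400:
            key = path.rstrip('/')
            if any(s == 404 and a == agent and p.rstrip('/') == key for p, s, a in hits[i + 1:]):
                chains.add(key)
    return chains

def misses_by_agent(hits):
    """Per user agent: 404s plus redirects on paths listed in confirmed_chains()."""
    chains = confirmed_chains(hits)
    counts = Counter()
    for path, status, agent in hits:
        if status == 404 or (300 <= status < 400 and path.rstrip('/') in chains):
            counts[agent] += 1
    return counts
```

On the six posted lines a 404-only counter sees one request out of six; a redirect is counted only once the log shows where it ended, so a longer excerpt is needed to classify the remaining 302s.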