XF 2.0 company closed because my site is attacking

[Siraç]

the firm has shut down because it was attacked from my website
how can i solve this problem
If I apply the security fix here, will the troubleshooting be removed?

XenForo 2.0.11 Released (Security Fix)

Today, we are releasing XenForo 2.0.11 to address a potential security vulnerability. We recommend that all customers running XenForo 2.0 upgrade to 2.0.11 or use the attached patch file as soon as possible. The issue is a XSS vulnerability. XSS (Cross Site Scripting) issues allow scripts and...

xenforo.com

BitNinja.io - Incident report

bitninja.io

Url: [ma###ba.com/wp-content/plugins/woocommerce/includes/gwoozlmk.php]
Remote connection: [89.252.164.2:32794]
Headers: [array (
  'Host' => 'ma###ba.com',
  'Connection' => 'close',
  'Referer' => 'http://ma###ba.com/wp-content/plugins/woocommerce/includes/gwoozlmk.php',
  'Content-Length' => '155',
  'Content-Type' => 'application/x-www-form-urlencoded',
  'Accept-Language' => 'en-US,en;q=0.8',
  'User-Agent' => 'Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13C75',
)]
Post data: [Array
(
    [nehlqazxjjnbyurd] => h/.%3Pt%7R9%3N%3N%279jqz%60fz%7Shrlgl%7Spfb%22%2Pb%222%22/%3Qdb%7P%7O%7Ohjdperoj%7O%7Ox%24%27c
)
]

 

[Siraç]

Malicious requests received from your server

Url: [###.os###ti.com/popup/popres/minyaturb_1.jpg]
Remote connection: [89.252.164.2:55546]
Headers: [array (
  'Host' => '###.os###ti.com',
  'Accept-Encoding' => 'identity',
  'Accept' => 'image/*,*/*;q=0.8',
  'User-Agent' => 'XenForo/2.x (https://www.example.com)',
)]

Url: [RATANJHADIGITAL.COM/2019/xmlrpc.php]
Remote connection: [89.252.164.2:54572]
Headers: [array (
  'Host' => 'RATANJHADIGITAL.COM',
  'Accept-Charset' => 'utf-8,ISO-8859-2;q=0.8,*;q=0.7',
  'Accept-Language' => 'en-us;q=0.7,en;q=0.3',
  'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
  'Content-Length' => '342',
  'Content-Type' => 'application/x-www-form-urlencoded',
)]
Post data: [Array
(
    [<?xml version] => '1.0'?>
        <methodCall>
         <methodName>wp.getProfile</methodName>
         <params>
          <param><value><int>0</int></value></param>
          <param><value><string>admin</string></value></param>
          <param><value><string>1q2w3e4r5t</string></value></param>
         </params>
        </methodCall>
        
)
]

 

[TheGreek]

Your question or topic needs to be in English, or provide an English translation.

 

[Siraç]

the firm has shut down because it was attacked from my website
how can i solve this problem

 

[Chris D]

In what way was it attacked? Your examples in code blocks aren't particularly clear.

I only see one that looks like it was triggered by XF and that's this one:

Url: [###.os###ti.com/popup/popres/minyaturb_1.jpg]
Remote connection: [89.252.164.2:55546]
Headers: [array (
  'Host' => '###.os###ti.com',
  'Accept-Encoding' => 'identity',
  'Accept' => 'image/*,*/*;q=0.8',
  'User-Agent' => 'XenForo/2.x (https://www.example.com)',
)]

But this looks like it could just be downloading an image via the image proxy system.

 

[Siraç]

How can I solve this problem?

 

[Joeychgo]

the firm has shut down because it was attacked from my website
how can i solve this problem

what do you mean the firm has shut down?

 

[Joeychgo]

How can I solve this problem?

I use and recommend using Sucuri for these things -- See: https://bit.ly/32rrvIv

 

[Siraç]

hosting company closed my website

 

[andybond]

Looks more like a woocommerce exploit to me!

Code:
Url: [ma###ba.com/wp-content/plugins/woocommerce/includes/gwoozlmk.php]

 

[Joe Kuhn]

Browser Search: woocommerce exploit. (not here)

Yikes.