Question
Occasionally, server owners will receive reports from 3rd parties informing them that their server has been used as the vector for malicious activity on a remote server. A common source of these reports is BitNinja, which is a 3rd party company that specializes in security services.
What should I do if I receive a report from BitNinja that says they observed malicious behavior from my server?
Answer
Note: Determining the source of malicious activity on your server and identifying security vulnerabilities are tasks that should be completed by your system administrator or security expert.
To better understand the reports generated by BitNinja, it is best to first review their documentation on the subject. This will help you to understand the format and details they provide.
Note that the details BitNinja provides you will originate from the server that was on the receiving end of the incident. In some cases it can be difficult to correlate any of these details with the information that is logged on your own server.
Common sources of outbound web connections are PHP scripts. You can review the Apache access logs for the websites on your server to determine if there are any suspicious requests to PHP scripts. For example, this command will search for POST and GET requests for PHP scripts that returned a status code of '200 OK' (note, this command may provide a lot of results):
grep -P '(POST|GET).*.php.*200' /home/*/access-logs/*
If you find requests for PHP scripts with unusual names that appear to be randomly generated, those may be the source of the malicious activity.
However, it will not always be the case that a PHP script was responsible for generating malicious outbound connections. Another place to search for unusual activity is in your server's process list. You can view the process list using the ps command. For more details please see this article:
How to diagnose high load with the "ps" command
To identify unusual processes in the server's process list, you will need to have some familiarity with the processes that normally run on a cPanel server. If you are unsure what to look for, consult with your system administrator. You can also consider installing a system monitoring script that will keep track of the process list over a long period of time, such as the SysSnap script that is available from our GitHub:
How to install, start and stop the SysSnap script
Another common source of malicious activity with Wordpress sites is the xmlrpc.php script. You can find instructions for disabling XML-RPC support in Wordpress in the following article:
How to disable xmlrpc.php from .htaccess
For general security suggestions, please see this article:
Security Suggestions - How to make your server more secure
If you are still unable to identify the source of the problem, and you do not have a system administrator, you can refer to the following article to find list of unaffiliated administrators that advertise their services on our forums: