
Abuse complaint regarding my server

Comments

6 comments

  • webmasteryoda
    SNIFFING OUTGOING TRAFFIC

    First, install tcpdump. Then try this:

    Incoming and outgoing traffic all together:
        tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

    Outgoing traffic:
        tcpdump -Q out -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

    Incoming traffic:
        tcpdump -Q in -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

    Top info in a log file:
        top -n 50 -d 0.3 -b > /tmp/aaa15.txt

    Then try to examine the data that you receive via tcpdump. Try to disable all accounts and activate them again one by one. My problem was with one infected nulled WordPress theme. I suspended that account and the problem was solved. Good luck
    0
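
As an added example (not part of the original post): once the outgoing capture above has been saved as text, an awk summary shows which destinations are receiving the POSTs. The function names, the sample addresses and the hostnames are constructed for illustration; only plain HTTP on port 80 is visible to this filter.

```shell
#!/bin/sh
# Added example. Summarises saved text output of the thread's
#   tcpdump -Q out -s 0 -A '...POST filter...' > capture.txt
# as "count dst_ip host path", busiest destination first.

summarize_posts() {
    awk '
    # Packet header: "<time> IP <src>.<sport> > <dst>.<dport>: Flags ..."
    $2 == "IP" && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)          # drop trailing colon
        sub(/\.[0-9]+$/, "", dst)   # drop destination port
        path = ""
        next
    }
    # Request line: -A prints IP/TCP header bytes before it on the same line.
    path == "" && match($0, /POST [^ ]+ HTTP\/1\.[01]/) {
        split(substr($0, RSTART, RLENGTH), req, " ")
        path = req[2]
        next
    }
    # The Host header completes the record for this packet.
    path != "" && /^Host: / {
        host = $2
        sub(/\r$/, "", host)        # HTTP lines end in CRLF
        n[dst " " host " " path]++
        path = ""
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample capture (documentation addresses, made-up hosts).
sample_capture() {
    cat <<'EOF'
14:02:11.100001 IP 192.0.2.10.48122 > 198.51.100.23.80: Flags [P.], seq 1:312, ack 1, win 229, length 311: HTTP: POST /wp-login.php HTTP/1.1
E..k..@.@......P.....POST /wp-login.php HTTP/1.1
Host: blog.example
14:02:11.350440 IP 192.0.2.10.48130 > 198.51.100.23.80: Flags [P.], seq 1:312, ack 1, win 229, length 311: HTTP: POST /wp-login.php HTTP/1.1
E..k..@.@......P.....POST /wp-login.php HTTP/1.1
Host: blog.example
14:02:12.004512 IP 192.0.2.10.51877 > 203.0.113.9.80: Flags [P.], seq 1:280, ack 1, win 229, length 279: HTTP: POST /xmlrpc.php HTTP/1.1
E..G..@.@......P.....POST /xmlrpc.php HTTP/1.1
Host: shop.example
EOF
}

sample_capture | summarize_posts
```

On a real capture, call `summarize_posts capture.txt`; a single destination with a very high count is the traffic an abuse complaint is most likely about.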
  • Georgios Efthymiou
    I'll check these out and get back with the findings. Thank you!
    0
  • cPanelMichael
    Hello @Georgios Efthymiou, Let us know how it goes. Thanks!
    0
  • Georgios Efthymiou
    Hi, I have suspended an account that I suspected was the "evil" one, before installing tcpdump, and informed the VPS provider. The provider told me that the server seemed to be OK then. However, I don't know the exact problem, I only know that there is some malware running deep inside a WordPress installation of this account. Furthermore, I have downloaded a backup of this account and now I'm trying to locate the malware on localhost. I avoid unsuspending the account before I find something, because the problem will reoccur and the VPS provider will warn me about closing access again. In any case, I'll run some tcpdump commands and then let you know about the results in the next few days. Thank you for your interest, George
    0
  • Infopro
    "I only know that there is some malware running deep inside a WordPress installation of this account."

    You might find this scanner of some use:
    0
  • Georgios Efthymiou
    Hi,
    0
