My server is being used to brute force hack another server
I have been forwarded the following complaint that our server is being used to attempt brute-force hacking:
* X.X.X.X tpc-030.machxxxxxxxxx.nl 20210522/20:16:24 X.X.X.X - - [22/May/2021:20:16:16 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost:
Where did you get this log? The Imunify incident log?
The first thing I would check would be your local logs for the IP address that is being attacked, to see if you can find any outbound connections there. You could check the Apache log on your machine (/etc/apache2/logs/error_log). It is normal for outbound traffic to come from the main IP address of the machine, even if that is not associated with an account.
Neither the domain nor the IP appears to show there. Would it show if the user was running a PHP script? I can't find any record of the domains/IPs in /var/log/, /usr/local/cpanel/logs or /etc/apache2/. Maybe I can enable more extensive logging?
Hi, please scan the domain which is causing this; your domain might have been compromised. Scan the domain, remove suspicious files and enhance the security of your server. Regards
I do not understand what you mean, sorry. The log in my first post (www.domain.com) is from an external domain that is reporting that our server is being used to scan their server. It is taken from their server-side logs, which they have forwarded to me.
It's hard to say where that could be coming from based on the logs. While it may be possible to enable additional logging, that wouldn't help you with things that have already happened, unless the issue is still ongoing. Since we aren't even sure which domain the issue is coming from you may need to use more advanced networking tools to catch the traffic, or work with an admin to see if you can find more details on the issue, since this wouldn't be related to the cPanel tools on the system.
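The two suggestions above (look for outbound connections to the attacked address, and use networking tools to catch the live traffic) can be combined into a small script. This is an added example, not code from anyone in the thread: it reads `ss -tnp` output, keeps only sockets whose peer is the complaining host, and maps each one to a PID, owning user, working directory and command line, which on a cPanel box usually points straight at the account whose PHP code is doing it. The target address 203.0.113.10 and the process details in the embedded sample are constructed placeholders; run it as root, since `ss` only shows process owners for other users' sockets with that privilege.

```shell
#!/bin/sh
# find_outbound.sh: which local process/user is talking to the host that complained?
# Usage (as root): ./find_outbound.sh 203.0.113.10
# Run it in a loop (watch -n1) while the complaint says the traffic is ongoing.

# match_peers TARGET_IP
#   stdin: output of `ss -tnp` (header optional)
#   stdout: unique PIDs whose peer address equals TARGET_IP
# Handles plain IPv4 peers, bracketed peers and IPv4-mapped IPv6 ([::ffff:a.b.c.d]).
match_peers() {
  awk -v ip="$1" '
    $1 == "State" { next }                 # skip the ss header line
    {
      addr = $5                            # "Peer Address:Port" column
      sub(/:[0-9]+$/, "", addr)            # drop the port
      gsub(/[][]/, "", addr)               # drop IPv6 brackets
      sub(/^::ffff:/, "", addr)            # unwrap IPv4-mapped IPv6
      if (addr != ip) next
      s = $0                               # one socket may list several pids
      while (match(s, /pid=[0-9]+/)) {
        print substr(s, RSTART + 4, RLENGTH - 4)
        s = substr(s, RSTART + RLENGTH)
      }
    }' | sort -u
}

# Constructed sample of `ss -tnp` output (placeholder addresses from RFC 5737).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 198.51.100.5:45210 203.0.113.10:80 users:(("php-fpm",pid=4242,fd=12))
ESTAB 0 0 198.51.100.5:22 192.0.2.77:51000 users:(("sshd",pid=900,fd=4))
ESTAB 0 0 [::ffff:198.51.100.5]:45300 [::ffff:203.0.113.10]:443 users:(("php",pid=4242,fd=7))'

# demo_pids: run the parser over the constructed sample (expected: 4242 only).
demo_pids() {
  printf '%s\n' "$SAMPLE_SS" | match_peers 203.0.113.10
}

# main TARGET_IP: live run against the current socket table.
main() {
  target="$1"
  pids=$(ss -tnp 2>/dev/null | match_peers "$target")
  if [ -z "$pids" ]; then
    echo "No live sockets to $target right now; retry in a loop while the remote side still sees traffic."
    return 0
  fi
  for pid in $pids; do
    user=$(ps -o user= -p "$pid" 2>/dev/null)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)        # usually the account's docroot
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf 'pid=%s user=%s cwd=%s cmd=%s\n' "$pid" "${user:-?}" "${cwd:-?}" "${cmd:-?}"
  done
}

if [ "$#" -gt 0 ]; then
  main "$@"
else
  echo "Demo against constructed sample, pids talking to 203.0.113.10:"
  demo_pids
fi
```

The owning user and working directory are what you want to carry into the next step: suspend or inspect that one account rather than the whole server, and look in its docroot for recently modified PHP files.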
It is still ongoing, yes. I understand this is not a cPanel issue directly, but I am sure others have issues like this, perhaps without even knowing. Thanks for the feedback, I will look into those.
That definitely looks odd. You may want to suspend that account and then contact the remote system to see if they are still experiencing that traffic.
First things first ... scan the whole system and change passwords and the SSH port ... correct all folder and file permissions. ClamAV, Maldet and Imunify would help; also tighten security a little using CSF. rkhunter can also be useful.