How to deal with Abuse request?
Hello,
I have received the below email from my provider:
We have detected abuse from the IP address xx.xx.xx.xx, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.
Log lines are given below, but please ask if you require any further information.
Server IP address is: 86.109.162.78
(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated automatically.)
Note: Local timezone is +0200 (CEST)
xx.xx.xx.xx- - [13/Aug/2014:19:30:54 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
xx.xx.xx.xx- - [13/Aug/2014:19:30:54 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
xx.xx.xx.xx- - [13/Aug/2014:19:30:55 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
xx.xx.xx.xx- - [13/Aug/2014:19:30:55 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
xx.xx.xx.xx- - [13/Aug/2014:19:30:56 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
xx.xx.xx.xx- - [13/Aug/2014:19:30:56 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
xx.xx.xx.xx- - [13/Aug/2014:19:30:57 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
xx.xx.xx.xx- - [13/Aug/2014:19:30:57 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
How can I deal with this issue? Will you please help me?
Hello :) Are you able to determine the full path to the wp-login.php file in question to review its contents and see if it's being used maliciously? Thank you.
Michael, these are usually sent to people who are brute forcing remote wp-login pages; the access logs come from the person being attacked, not the person getting the notice. Typically these notifications indicate a hacked site on your server running a process that is trying to access wp-login on remote servers. Your server itself may not be hacked, but at least one site is. Most likely you will find suspicious processes in the output of "ps faux" on a root prompt. If you do not know how to fix this, ask your host for help, or hire a qualified administrator that specializes in fixing hacked sites on cPanel servers. Do not just kill the processes; if you do not identify and secure the hacked site, the abuse will continue.
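An added example, not part of the original thread: a small Python parser that takes the log lines from an abuse report like the one above, groups the POSTs to wp-login.php by source address, and converts the reporter's +0200 timestamps to a UTC window that can be compared with your own server's process and connection records. The function name, the `min_posts` threshold and the sample addresses are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Matches Apache combined-log lines as they appear in the report, including
# the variant where redaction left no space between the address and "- -".
LINE_RE = re.compile(
    r'^(?P<ip>\S+?)\s*- - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize_report(text, min_posts=5):
    """Group POSTs to wp-login.php by source and give the window in UTC."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        # %z keeps the reporter's offset (+0200 here); normalise to UTC so the
        # window can be compared with logs kept in any other timezone.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.setdefault(m["ip"], []).append(ts.astimezone(timezone.utc))
    summary = {}
    for ip, times in hits.items():
        first, last = min(times), max(times)
        seconds = max((last - first).total_seconds(), 1.0)
        summary[ip] = {
            "posts": len(times),
            "first_utc": first.isoformat(),
            "last_utc": last.isoformat(),
            "posts_per_second": round(len(times) / seconds, 2),
            "looks_automated": len(times) >= min_posts,  # assumed threshold
        }
    return summary

# Constructed sample modelled on the report; 192.0.2.10 and 198.51.100.7 are
# documentation addresses, not values from the original post.
SAMPLE = "\n".join(
    f'192.0.2.10- - [13/Aug/2014:19:30:{s} +0200] '
    '"POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"'
    for s in (54, 54, 55, 55, 56, 56, 57, 57)
) + ('\n198.51.100.7 - - [13/Aug/2014:19:31:02 +0200] '
     '"GET /index.php HTTP/1.1" 200 512 "-" "-"')

if __name__ == "__main__":
    for ip, info in summarize_report(SAMPLE).items():
        print(ip, info)
```

The UTC window it reports is the period to look at in your own records when identifying which account on the server was running the process.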