Exploit alert from WordPress IP address
Dear,
Please help me. I always get a warning from my CSF firewall. The warning alert says some user made an exploit with IP address 192.0.76.2:80. I checked this IP address and it is from en.wordpress.com, but every day I get this notification. I already tried to block this IP address for outgoing and incoming traffic, but it had no impact; I still get this warning. Please help me. The alert looks like the one below:
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/myuser/public_html/index.php
Network connections by the process (if any):
tcp: x.x.x.x:57484 -> 192.0.76.2:80
Thanks
-
Hello :) Are you sure it's not a WordPress installation that's attempting to update or download a theme/plugin from the WordPress servers? Do any cron jobs exist under that account? Have you consulted with the account owner to determine if it's an intentional action? You may want to consult with a qualified system administrator if you are concerned the request is malicious. Thank you.
-
Hi Mr. Michael, thanks. I already asked my client, but they don't know about this, because after this I got an alert from CSF: "Possible root compromise: User account dongs is a superuser (UID 0)". I checked and it's true: some people already created a user named "dongs" with UID 0. In anticipation, I only deleted this user from /etc/passwd. Please help me.
-
I suggest consulting with a qualified system administrator if you are concerned your server has been rooted. You can find a list of some system admin companies here: System Admin Services Thank you.
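
An added example, not part of the thread or of CSF: a check for the condition the alert in the thread reports (a non-root account with UID 0), plus a look for the shadow entry that is left behind when an account is removed from /etc/passwd only. The function names and sample files are constructed for illustration; only the account name "dongs" comes from the thread.

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format files for rogue superuser accounts.
# All sample data is constructed; only the name "dongs" comes from the thread.

# Print every account name with UID 0 other than root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print shadow entries that have no matching passwd entry, together with the
# last password change date (shadow field 3 = days since 1970-01-01).
orphaned_shadow() {
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             !($1 in seen) { print $1 ":" $3 }' "$1" "$2"
}

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
myuser:x:1001:1001::/home/myuser:/bin/bash
dongs:x:0:0::/home/dongs:/bin/bash
EOF
    # State after removing the account line from the passwd file only.
    grep -v '^dongs:' "$1/passwd.before" > "$1/passwd.after"
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
myuser:$6$constructed$hash:19100:0:99999:7:::
dongs:$6$constructed$hash:19750:0:99999:7:::
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_sample "$SAMPLE_DIR"
echo "UID 0 accounts before cleanup: $(uid0_accounts "$SAMPLE_DIR/passwd.before")"
echo "UID 0 accounts after cleanup:  $(uid0_accounts "$SAMPLE_DIR/passwd.after")"
echo "Leftover shadow entries:       $(orphaned_shadow "$SAMPLE_DIR/passwd.after" "$SAMPLE_DIR/shadow")"
```

Run as root against the live system, the calls would be `uid0_accounts /etc/passwd` and `orphaned_shadow /etc/passwd /etc/shadow`; the date on a leftover shadow entry helps place the account's creation or last password change in the incident timeline.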