My Server is Being Used in a BruteForce Attack
I have a rather strange problem.....
It would seem that my server is being used to brute-force into a CMS on another server, because abuse complaints are going to my dedicated server provider, which then forwards them to me!
The odd thing is that the domain the attacks are coming from is the hostname of the box itself: blah.example.com
So I backed up all the website data, completely reinstalled the server, and then put the backups of the website data back on (I also restored the TweakSettings, Exim and EasyApache config files),
and the server is still being used to brute-force other websites, and the attacks are still coming from the machine's hostname.
So I ran ClamAV on the /home directory and it found nothing!
I am currently running a maldet scan of the /home/*/public_html folders.
Am I right to assume that either A. an email has malicious code in it, or B. something within cPanel/WHM does, since it is using the server's hostname?
As a side note, the IP that blah.example.com (the server's hostname) resolves to is also used by a nameserver and by one of my websites (the website's address is example.com).
Any help you guys can provide will be extremely helpful!
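One check that answers the poster's question more directly than guessing between mail and cPanel is to ask the kernel which local process owns the connections to the remote CMS, then map that pid to a cPanel user. The script below is an added example, not part of this thread or of cPanel; it parses the output of `ss -tnp state established`, counts established connections per owning process, and the sample `ss` output it runs on is constructed (documentation IP ranges), not captured from the poster's server.

```bash
#!/bin/sh
# Added example (not from the thread): count established TCP connections by
# owning process so the source of abusive outbound traffic can be located.
# On a live box, feed it real data with:
#   ss -tnp state established | summarize_established
# Then map the pid to its user with owner_of_pid <pid>; on a cPanel server
# that user is normally the account to suspend and hand to an investigator.

# Reads ss(8) output on stdin, prints "count process pid", busiest first.
summarize_established() {
    awk '
    # ss -p appends a field like users:(("php",pid=1234,fd=5)) to each row
    match($0, /users:\(\("[^"]+",pid=[0-9]+/) {
        field = substr($0, RSTART, RLENGTH)
        sub(/^users:\(\("/, "", field)      # leaves: php",pid=1234
        split(field, parts, "\",pid=")      # parts[1]=php parts[2]=1234
        count[parts[1] " " parts[2]]++
    }
    END {
        for (k in count) print count[k], k
    }' | sort -rn
}

# Constructed sample of what ss -tnp might print on a box whose PHP process
# is hammering a remote CMS login page. The sshd row is an inbound admin
# session and is counted too; filter on the remote port if you only want
# connections the server initiated.
SAMPLE_SS='ESTAB 0 0 203.0.113.10:44512 198.51.100.5:80 users:(("php",pid=1234,fd=5))
ESTAB 0 0 203.0.113.10:44513 198.51.100.5:80 users:(("php",pid=1234,fd=6))
ESTAB 0 0 203.0.113.10:44514 198.51.100.5:443 users:(("php",pid=1234,fd=7))
ESTAB 0 0 203.0.113.10:22 192.0.2.7:51022 users:(("sshd",pid=800,fd=3))'

# The single busiest process in the sample, as "count process pid".
top_offender() {
    printf '%s\n' "$SAMPLE_SS" | summarize_established | head -n 1
}

# Resolve a pid to the account running it (real ps call; meaningful only
# on the live system, since the sample pids do not exist here).
owner_of_pid() {
    ps -o user= -p "$1"
}

if [ "${1:-}" = "--demo" ]; then
    top_offender
fi
```

Run it with `--demo` to see the sample result; on the real server pipe live `ss` output into `summarize_established` and follow the top pid with `owner_of_pid`. Note that the process name alone (`php`) is not enough: the pid's cwd and command line (`ls -l /proc/<pid>/cwd`, `cat /proc/<pid>/cmdline`) show which account's public_html the script lives in, which is exactly the information the hostname in the abuse report cannot give you.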
Sounds to me like the site you backed up and restored is compromised. You might want to suspend that account until you've had a chance to hire a security professional to assist you with this.
Hello, have you found anything in your maldet scan report? Also, I suggest you try using ConfigServer eXploit Scanner (cxs) on your server, or contact your system admin to check your server.
> Sounds to me like the site you backed up and restored is compromised. You might want to suspend that account until you've had a chance to hire a security professional to assist you with this.

But the domain being used is the server's hostname, not a website's domain.

> Hello, have you found anything in your maldet scan report? Also, I suggest you try using ConfigServer eXploit Scanner (cxs) on your server, or contact your system admin to check your server.

Maldet found nothing in public_html.
Suspend the account and hire someone to look into it for you. Here's a few suggestions for that: System Administration Services Forum
> Suspend the account and hire someone to look into it for you. Here's a few suggestions for that: System Administration Services Forum

How can I suspend the hostname of the server? (There are multiple accounts on this server with multiple IPs...)
Have you looked into hiring someone to assist you with this yet? You should. I'm not sure we have the full story just yet. cPanel cannot assist you with a compromised server.