
Abuse coming from my server

Comments

16 comments

  • SysSachin
    Hello,
    I have just received email that my server is used for abusing

    Has your provider sent you any logs or details regarding the abuse? If yes, then let me know so that I can assist you.
    0
  • webmasteryoda
    Thank you for your answer. Yes. I have posted it. Look up please. I see that the moderator deleted the domain name in the code I have posted (before the wp-login.php). But I know the name of the domain...
    0
  • Infopro
    There should never be a need for the actual domain name in your posts. Those logs don't show any details of abuse, did they provide you with any other logs?
    0
  • webmasteryoda
    Yes. I understand that. Nope. That's all they have sent to me. No other data. I am checking raw Apache logs... one by one. Don't know how to do it faster...
    0
  • Infopro
    I'm curious enough to ask, what's the deal with this path shown in that snip you posted? /furanet/sites/example.com/web/htdocs/logs/
    0
  • webmasteryoda
    I really don't know. It's all they have sent to me. You think it's not abuse?
    0
  • rpvw
    It does seem strange that your hosting provider is unwilling (unable?) to provide you with sufficient information to help you rectify the alleged incident. Are you absolutely sure the communications you received were actually from your hosting provider? Since the log snippet you provided shows no evidence of abuse from your server (unless there is something contained in the log elsewhere we have not seen), I would advise you to take complete and up-to-date backups of all the accounts, databases, file-sets etc. that you may lose access to if they block access to your VPS. Worst case scenario: at least with suitable backups, you can transfer the sites to a hosting platform that is prepared to work with you and help you with your issues. Update: I just found an interesting post, "Abuse Message: Network attack received from an IP | Web Hosting Talk". Might be worth a read and try some of the recommendations.
    0
  • webmasteryoda
    Again. Is this abuse or not? Please help me guys.
    Hi, We have detected a network attack from an IP ( xx.xx.xx.xx ) from your network, a computer connected to it is probably infected and being part of a botnet. Please check it and fix it up as soon as possible. Thank you.
    /
    Greetings, We have detected an attack from an IP ( xx.xx.xx.xx ) on your network; the machine is probably infected and part of a botnet. Please check it and fix it as soon as possible. Thank you very much.

    > The IP xx.xx.xx.xx has just been banned by Fail2Ban after
    > 6 attempts against apache-attack.
    >
    > Domain: domainname.com (yy.yy.yy.yy)
    >
    > Here are more information about xx.xx.xx.xx:
    > Lines containing IP:xx.xx.xx.xx in /furanet/sites/*/web/htdocs/logs/access
    >
    > /furanet/sites/domainname.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:36 +0100] "POST /wp-login.php HTTP/1.1" 503 17258 "-" "http://domainnae.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"

    Note: domain names are hidden. IP addresses are hidden too.
    0
  • Infopro
    Is this a cPanel server? You should get back in touch with your Hosting Provider if there is one and ask for more details.
    0
  • webmasteryoda
    Yes it is cPanel. Hosting provider is Contabo. And I am the root administrator of that VPS.
    0
  • Infopro
    You might want to consider hiring someone to help you with this. There's a link at top of the forums to a list of Resources for this. Assuming you've got access, have you taken a closer look at those logs here? /furanet/sites/example.com/web/htdocs/logs/
    0
  • webmasteryoda
    Thanks infopro. Assuming it's a path on the server. But no such path on my VPS. No furanet directory in root or in home folder.
    0
  • rpvw
    Based on the information you have given us, it is unlikely that anyone will be able to give you a definite answer.
    You might want to consider hiring someone to help you with this. There's a link at top of the forums to a list of Resources for this.

    - probably the best advice anyone can give you :)
    0
  • webmasteryoda
    Yes, but it's much cheaper to change the hosting provider than to hire a skilled professional for this problem. But, I really think that this is a false alarm... I am checking all of the raw December logs now... If there is no domain name or IP that I am "abusing", then it's not a problem with my VPS.
    0
  • cPanelMichael
    Hello, You may also find these threads helpful:
    Prevent wordpress Brute Force Attacks
    Outbound wp-login.php brute force attack from my cpanel server
    Thank you.
    0
  • Gra
    Hello! I have infected files in my cPanel, how can I clean or locate those files? Would it be enough to delete them? My web pages are starting to have problems.... help please!!!
    0
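Added example, not written by any poster in this thread: a Python script for the kind of check the quoted Fail2Ban report describes, counting POSTs to wp-login.php per client IP in Apache access-log lines and normalising timestamps to UTC so that a reported time such as 06:26:36 +0100 can be compared with logs kept in another timezone. The sample lines, the 203.0.113.x and 198.51.100.x addresses, the /srv/logs path and the 10-minute window are constructed assumptions; only the threshold of 6 comes from the quoted report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Optional "file:" prefix (as in the quoted report), then client IP,
# timestamp, request line and status of an Apache access-log entry.
LINE_RE = re.compile(
    r'^(?:\S+?:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return (ip, utc_time, method, path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def login_bursts(lines, threshold=6, window=timedelta(minutes=10)):
    """Map client IP -> UTC time at which it reached `threshold` POSTs to
    wp-login.php inside `window` (window length is an assumption)."""
    hits = defaultdict(list)
    for ip, ts, method, path, _ in filter(None, map(parse, lines)):
        if method == "POST" and path.endswith("/wp-login.php"):
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged[ip] = times[i]
                break
    return flagged

# Constructed sample input: documentation-range IPs, hypothetical log path.
SAMPLE = [
    f'/srv/logs/access:203.0.113.7 - - [20/Dec/2016:06:26:{s:02d} +0100] '
    f'"POST /wp-login.php HTTP/1.1" 503 17258 "-" "Mozilla/5.0"'
    for s in range(30, 36)
] + [
    '198.51.100.9 - - [20/Dec/2016:05:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Dec/2016:05:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "truncated line without a timestamp",
]

if __name__ == "__main__":
    for ip, when in login_bursts(SAMPLE).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```

To run it over a real file, pass the open file object as `lines`, for example `login_bursts(open(path, errors="replace"))`.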
