Outgoing attack from my server
Hello, I have this report from my data center:
Starting on April 16th at approximately 9:17pm EST, there was a constant string of repetitive attempts to log in to our VPN appliance. These attempts are originating from a single IP address from within the network(s) that you operate. All of these attempts are coming from XXX.XXX.XXX.XXX (my server ip).
I have attached some logs showing 1202 attempts to guess usernames and passwords within the span of about 2 minutes.
And the log lines are all the same:
YYYY-MM-DDT21:17:39.368Z Horner_ASA AAA user authentication Rejected : reason = AAA failure : server = Domain_Controller : user = ***** : user IP = XXX.XXX.XXX.XXX (my server ip).
We have no idea how to deal with this. How can I prevent or block this?
Any help is appreciated.
Kind Regards
Hey there! This wouldn't be related to cPanel, so our advice is a bit limited, but it sounds like some account or user on the server is compromised in some way. It may be a good idea to review our guide here for more details:
https://support.cpanel.net/hc/en-us/articles/1500000479142-How-Site-Compromises-Happen
You could try reviewing the domlogs on the server to see if you can correlate a specific user's actions with the timestamp the provider gave you of the attack. If the issue is ongoing, you could use networking tools like tcpdump (https://www.tcpdump.org/) to watch network traffic and see if that provides more information about where the connection is coming from.
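The correlation step suggested in the reply above, as an added worked example that is not part of the original thread or of cPanel's own tooling: take the first and last "Rejected" timestamps from the provider's VPN log, convert the server's domlog timestamps (Apache combined format, which carries its own UTC offset) to UTC, and list the web requests that landed in that window, grouped by client IP and path. One caveat worth noting when doing this for real: the provider's report quotes the time in EST while the log line itself ends in "Z" (UTC), so normalise everything to UTC before comparing. The ASA lines, the domlog lines, the server IP 192.0.2.10 and the request paths below are all constructed sample data, not taken from the thread or any real server.

```python
"""
Correlate a provider's reported attack window with cPanel domlog entries.

Added example for the thread above; not cPanel's code. All sample log
lines below are constructed. The domlog format assumed is Apache's
"combined" format, which is what cPanel writes for each domain.
"""
import re
from datetime import datetime, timedelta, timezone

# Leading ISO-8601 UTC timestamp of an ASA syslog line, as quoted in the thread.
ASA_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z ")

# Apache combined log format: ip ident user [ts] "request" status size ...
DOMLOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed: three of the provider's reject lines (192.0.2.10 stands in for the
# server IP the thread masks as XXX.XXX.XXX.XXX).
SAMPLE_ASA = [
    "2023-04-16T21:17:39.368Z Horner_ASA AAA user authentication Rejected : reason = AAA failure : server = Domain_Controller : user = ***** : user IP = 192.0.2.10",
    "2023-04-16T21:17:39.912Z Horner_ASA AAA user authentication Rejected : reason = AAA failure : server = Domain_Controller : user = ***** : user IP = 192.0.2.10",
    "2023-04-16T21:19:30.004Z Horner_ASA AAA user authentication Rejected : reason = AAA failure : server = Domain_Controller : user = ***** : user IP = 192.0.2.10",
]

# Constructed: a domlog for one site, written in server local time (UTC-5).
SAMPLE_DOMLOG = """\
203.0.113.7 - - [16/Apr/2023:16:02:11 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Apr/2023:16:17:20 -0500] "POST /wp-content/uploads/x.php?cmd=run HTTP/1.1" 200 311 "-" "python-requests/2.28"
198.51.100.23 - - [16/Apr/2023:16:17:41 -0500] "POST /wp-content/uploads/x.php?cmd=run HTTP/1.1" 200 298 "-" "python-requests/2.28"
203.0.113.7 - - [16/Apr/2023:16:40:05 -0500] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def attack_window_from_asa(lines):
    """Return (first, last) UTC datetimes of the 'Rejected' entries in the provider's log."""
    stamps = []
    for line in lines:
        m = ASA_TS_RE.match(line)
        if m and "Rejected" in line:
            stamps.append(
                datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
            )
    if not stamps:
        raise ValueError("no ASA reject lines found")
    return min(stamps), max(stamps)


def parse_domlog(text):
    """Parse combined-format lines; timestamps are normalised to UTC via their offset."""
    entries = []
    for line in text.splitlines():
        m = DOMLOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of aborting the scan
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        entries.append({"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"])})
    return entries


def requests_between(entries, lo, hi):
    """Entries whose UTC timestamp falls inside [lo, hi]."""
    return [e for e in entries if lo <= e["ts"] <= hi]


def correlate(asa_lines, domlog_text, slack=timedelta(minutes=1)):
    """Web requests that arrived within `slack` of the reported reject burst."""
    first, last = attack_window_from_asa(asa_lines)
    return requests_between(parse_domlog(domlog_text), first - slack, last + slack)


def suspicious_summary(hits):
    """Count in-window hits per (client IP, path) so scripted access stands out."""
    counts = {}
    for e in hits:
        parts = e["req"].split(" ")
        path = parts[1] if len(parts) > 1 else e["req"]
        counts[(e["ip"], path)] = counts.get((e["ip"], path), 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    first, last = attack_window_from_asa(SAMPLE_ASA)
    print(f"reject burst: {first.isoformat()} .. {last.isoformat()}")
    for (ip, path), n in suspicious_summary(correlate(SAMPLE_ASA, SAMPLE_DOMLOG)):
        print(f"{n:4d}  {ip:16s} {path}")
```

On a live cPanel box the domlogs to feed into `parse_domlog` live under /var/log/apache2/domlogs (older installs: /usr/local/apache/domlogs), one file per domain, so run the scan over every file and merge the hits. If the burst is still running when you look, `ss -tnp` will show which local process owns the outbound connections to the VPN appliance's address, and a tcpdump filter on that address (host, plus the VPN port) will confirm the traffic as the reply suggests; the process owner is usually the compromised account.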
Hello @cPRex, thank you, we will be following your recommendations and give feedback, regards.