abuse report received, but do not know how to address
Hi!
I received an abuse report looking like this:
Source IP / Targeted host / Issue processed @ / Log entry
MYIPADDRESS tpc-017.mach3builders.nl 2024-05-27T21:01:45+02:00 MYIPADDRESS -
- [27/May/2024:21:01:39 +0200] "HEAD /wordpress/ HTTP/1.1" 301 226 "-" "-"
[VirtualHost: www.faberoptiek.nl]
I am using CSF firewall and of course I have access logs for all my sites, but in this case this is an external request originating from one of my accounts, and I do not know how to tell which one.
Also the report had this (I have a public IP etc):
If MYIPADDRESS is a (CG)NAT gateway, use the following packet data.
Time stamps are in NTP-synced Unix seconds, time zone UTC (GMT, +0000);
convert to regular date and your time zone at https://www.epochconverter.com/
Only the 25 most recent connections are shown per connected host.
-----------------------------------------------------------------------------
1713640791.968643 IP MYIPADDRESS.52988 > 91.190.98.54.80: Flags [S], seq
1730028053, win 29200, options [mss 1460,sackOK,TS val 1305059722 ecr 0,nop,wscale
7], length 0
What are my options to find out which account is causing the trouble? I guess I can log with iptables for requests targeting the IP of www.faberoptiek.nl, but that seems pretty much crazy. And what do I do if I find it in the log? How can I tell which account? The same applies to tcpdump, I guess.
Can you give me some help?
Thanks, Dan
Hey there! This wouldn't be related to any of the cPanel tools on the system, and I don't have any one-size-fits-all recommendations to track down the offending account. tcpdump or iptables both sound like good options to me if you know the IP being targeted.
Thanks @cPRex!
Just for reference, I received a good tip from my colocation provider and I was able to find out who caused it.
This is the command that helped me out (with extra filters of course):
iptables -A OUTPUT -m state --state NEW -j LOG --log-uid
If using csf, I first disable it, then run the command, and then enable it again; this way the logging starts...
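The approach above, worked through as an added example (not code from the thread or from cPanel): log new outbound connections to the host named in the report with the owning UID, then map the UIDs found in the kernel log back to account names. Assumed here: TARGET_IP is the address from the report's packet data, the "ABUSE-TRACE" log prefix is chosen for this example, and kernel LOG lines land in /var/log/messages.

```shell
#!/bin/sh
# Added example, not from the thread: log new outbound TCP connections to the
# host named in the abuse report with the owning UID (iptables LOG --log-uid),
# then map the UIDs that appear in the kernel log back to account names.
# Assumed: TARGET_IP is the address from the packet data in the report, the
# log prefix is chosen here, and kernel LOG lines land in /var/log/messages.

TARGET_IP="91.190.98.54"

# 1. Add the rule (as root; the thread notes csf must be stopped first so it
#    does not replace the ruleset, then re-enabled afterwards). --log-uid only
#    works for locally generated packets, hence the OUTPUT chain.
add_log_rule() {
    iptables -I OUTPUT -d "$TARGET_IP" -p tcp --dport 80 -m state --state NEW \
        -j LOG --log-prefix "ABUSE-TRACE: " --log-uid
}

# 2. Pull the distinct UIDs from matching LOG lines read on stdin.
#    --log-uid appends "UID=<n> GID=<n>" to each logged packet.
extract_uids() {
    grep -o 'ABUSE-TRACE: .*UID=[0-9]*' | sed 's/.*UID=//' | sort -un
}

# 3. Resolve a UID to its account name through NSS (covers /etc/passwd).
uid_to_user() {
    getent passwd "$1" | cut -d: -f1
}

# 4. One line per offending UID: "<uid> <account>".
report_accounts() {
    extract_uids | while read -r uid; do
        printf '%s %s\n' "$uid" "$(uid_to_user "$uid")"
    done
}

# Constructed sample of what --log-uid lines look like in the kernel log.
SAMPLE_LOG=$(cat <<'EOF'
May 27 21:01:39 srv kernel: ABUSE-TRACE: IN= OUT=eth0 SRC=203.0.113.10 DST=91.190.98.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=52988 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
May 27 21:01:40 srv kernel: ABUSE-TRACE: IN= OUT=eth0 SRC=203.0.113.10 DST=91.190.98.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=52990 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
May 27 21:02:01 srv kernel: ABUSE-TRACE: IN= OUT=eth0 SRC=203.0.113.10 DST=91.190.98.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=52991 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
EOF
)

# Real use on a live host: report_accounts < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | report_accounts
```

On a cPanel host each account runs under its own UID, so the account name printed is the one whose processes opened the connections.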
Nice - thanks for sharing that!