
SOLVED Abuse coming from my server

Discussion in 'Security' started by webmasteryoda, Dec 20, 2016.

  1. webmasteryoda

    webmasteryoda Well-Known Member

    Joined:
    Apr 3, 2013
    Messages:
    55
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Serbia
    cPanel Access Level:
    Root Administrator
    I have just received an email that my server is being used for abuse. And my hosting provider gave me 24 hours to solve the problem, or they will disable my VPS.

    I am using CentOS and cPanel/WHM. It's a shared server with ~80 accounts/domains.

    Code:
    Lines containing IP:xx.xx.xx.xx in /furanet/sites/*/web/htdocs/logs/access
    >
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:36 +0100] "POST /wp-login.php HTTP/1.1" 503 17258 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:37 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:38 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:39 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:39 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:40 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:41 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    xx.xx.xx.xx is my server's IP.

    How can I detect which one of my accounts is abusing?
     
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    429
    Likes Received:
    32
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,
    Has your provider sent you any logs or details regarding the abuse? If yes, then let me know so that I can assist you.
     
  3. webmasteryoda

    webmasteryoda Well-Known Member

    Thank you for your answer.

    Yes. I have posted it. Look up please.

    I see that moderator deleted the domain name in the code I have posted (before the wp-login.php)
    But I know the name of the domain...
     
    #3 webmasteryoda, Dec 20, 2016
    Last edited by a moderator: Dec 20, 2016
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,872
    Likes Received:
    234
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    There should never be a need for the actual domain name in your posts. Those logs don't show any details of abuse, did they provide you with any other logs?
     
  5. webmasteryoda

    webmasteryoda Well-Known Member

    Yes. I understand that.

    Nope. That's all they have sent to me.
    No other data.

    I am checking raw Apache logs... one by one.
    Don't know how to do it faster...
     
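The question in the first post (which account is the source of the reported activity) and the problem above (going through raw Apache logs one file at a time) call for the same tool: a small scanner that reads Apache combined-format log lines, the format shown in the provider's snippet, and flags any client IP that POSTs to /wp-login.php repeatedly within a short window. That is the same pattern the provider's Fail2Ban "apache-attack" rule banned on. The script below is an added example, not code from the thread, cPanel or Fail2Ban. The sample log lines are constructed (documentation IPs, no real domain) and modelled on the posted snippet; the cPanel per-domain log location `/usr/local/apache/domlogs/<user>/<domain>` is an assumption to check on your own server. Note the caveat: your own domlogs record requests made to your server, so a scan like this confirms inbound brute-force attempts and lets you compare timestamps with the report, but it cannot by itself show which local account made outbound requests.

```python
#!/usr/bin/env python3
"""Flag repeated POST /wp-login.php bursts per client IP in Apache combined logs.

Added example for the thread above; not code from the thread, cPanel or Fail2Ban.
Usage: scan_wp_login.py [domlog ...]   (with no arguments, runs on SAMPLE_LOG)
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the snippet in the post. 203.0.113.7 and
# 198.51.100.9 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2016:06:26:36 +0100] "POST /wp-login.php HTTP/1.1" 503 17258 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2016:06:26:37 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2016:06:26:38 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2016:06:26:39 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2016:06:26:39 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2016:06:26:40 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2016:06:26:41 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Dec/2016:06:30:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Dec/2016:06:31:10 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Dec/2016:07:05:44 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def login_bursts(lines, threshold=6, window_seconds=60):
    """Map client IP -> largest number of POST /wp-login.php requests it made
    inside any sliding window of `window_seconds`, for IPs reaching `threshold`.
    The defaults mirror the "6 attempts" figure in the provider's ban notice."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits in window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def scan_files(paths):
    """Run login_bursts over each log file; returns {path: {ip: count}}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = login_bursts(fh)
    return results


if __name__ == "__main__":
    # Assumed cPanel location, e.g. /usr/local/apache/domlogs/<user>/<domain>;
    # pass the real paths for your server as arguments.
    if len(sys.argv) > 1:
        for path, flagged in scan_files(sys.argv[1:]).items():
            for ip, count in sorted(flagged.items(), key=lambda kv: -kv[1]):
                print(f"{path}: {ip} made {count} login POSTs within 60s")
    else:
        for ip, count in login_bursts(SAMPLE_LOG.splitlines()).items():
            print(f"{ip} made {count} login POSTs within 60s")
```

Run it with a shell glob over all domlogs (for example `python3 scan_wp_login.py /usr/local/apache/domlogs/*/*`, adjusting the path) instead of opening files one by one; an IP that appears in the output is one to compare against the provider's timestamps or to hand to Fail2Ban or CSF. Lines that are not in combined format are skipped rather than aborting the scan.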
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I'm curious enough to ask, what's the deal with this path shown in that snip you posted?
    /furanet/sites/example.com/web/htdocs/logs/
     
  7. webmasteryoda

    webmasteryoda Well-Known Member

    I really don't know. It's all they have sent to me. You think it's not abuse?
     
  8. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    147
    Likes Received:
    41
    Trophy Points:
    28
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    It does seem strange that your hosting provider is unwilling (unable?) to provide you with sufficient information to help you rectify the alleged incident. Are you absolutely sure the communications you received were actually from your hosting provider?

    Since the log snippet you provided shows no evidence of abuse from your server (unless there is something contained in the log elsewhere we have not seen), I would advise you to take complete and up-to-date backups of all the accounts, databases, file-sets etc. that you may lose access to if they block access to your VPS.

    Worst case scenario; at least with suitable backups, you can transfer the sites to a hosting platform that is prepared to work with you and help you with your issues.


    Update:

    I just found an interesting post Abuse Message: Network attack received from an IP | Web Hosting Talk

    Might be worth a read and try some of the recommendations.
     
    #8 rpvw, Dec 20, 2016
    Last edited: Dec 20, 2016
  9. webmasteryoda

    webmasteryoda Well-Known Member

    Again.

    Is this abuse or not? Please help me guys.

    Code:
    Hi, We have detected a network attack from an IP ( xx.xx.xx.xx ) from your network, a computer connected to it is probably infected and being part of a botnet. Please check it and fix it up as soon as possible. Thank you.
    >
    >  /
    >
    > Saludos, Hemos detectado un ataque desde una ip ( xx.xx.xx.xx ) de su red, probablemente el equipo este infectado y este dentro de una botnet. Porfavor revisenlo y solucionenlo en la mayor brevedad posible. Muchas gracias.
    >
    > The IP xx.xx.xx.xx has just been banned by Fail2Ban after
    > 6 attempts against apache-attack.
    >
    >
    > Domain: domainname.com (yy.yy.yy.yy)
    >
    >
    > Here are more information about xx.xx.xx.xx:
    > Lines containing IP:xx.xx.xx.xx in /furanet/sites/*/web/htdocs/logs/access
    >
    > /furanet/sites/domainname.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:36 +0100] "POST /wp-login.php HTTP/1.1" 503 17258 "-" "http://domainnae.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    Note: domain names are hidden. IP addresses are hidden too.
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Is this a cPanel server?

    You should get back in touch with your Hosting Provider if there is one and ask for more details.
     
    rpvw likes this.
  11. webmasteryoda

    webmasteryoda Well-Known Member

    Yes it is cPanel.

    Hosting provider is Contabo. And I am the root administrator of that VPS.
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You might want to consider hiring someone to help you with this. There's a link at top of the forums to a list of Resources for this.

    Assuming you've got access, have you taken a closer look at those logs here?
    /furanet/sites/example.com/web/htdocs/logs/
     
  13. webmasteryoda

    webmasteryoda Well-Known Member

    Thanks Infopro.

    Assuming it's a path on the server. But there is no such path on my VPS.
    No furanet directory in root or in the home folder.
     
  14. rpvw

    rpvw Well-Known Member

    Based on the information you have given us, it is unlikely that anyone will be able to give you a definite answer.

    - probably the best advice anyone can give you :)
     
  15. webmasteryoda

    webmasteryoda Well-Known Member

    Yes, but it's much cheaper to change the hosting provider than to hire a skilled professional for this problem.
    But I really think that this is a false alarm... I am checking all of the raw December logs now...
    If there is no domain name or IP that I am "abusing", then it's not a problem with my VPS.
     