SOLVED Abuse coming from my server

Discussion in 'Security' started by webmasteryoda, Dec 20, 2016.

  1. webmasteryoda

    webmasteryoda Well-Known Member

    Joined:
    Apr 3, 2013
    Messages:
    93
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Serbia
    cPanel Access Level:
    Root Administrator
    I have just received an email that my server is being used for abuse. My hosting provider gave me 24 hours to solve the problem, or they will disable my VPS.

    I am using CentOS and cPanel / WHM. It's a shared server with ~80 accounts/domains.

    Code:
    Lines containing IP:xx.xx.xx.xx in /furanet/sites/*/web/htdocs/logs/access
    >
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:36 +0100] "POST /wp-login.php HTTP/1.1" 503 17258 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:37 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:38 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:39 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:39 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:40 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    > /furanet/sites/example.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:41 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    xx.xx.xx.xx is my server's IP.

    How can I detect which one of my accounts is abusing?
     
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    604
    Likes Received:
    42
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,
    Has your provider sent you any logs or details regarding the abuse? If yes, then let me know so that I can assist you.
     
  3. webmasteryoda

    webmasteryoda Well-Known Member

    Thank you for your answer.

    Yes. I have posted it. Look up please.

    I see that a moderator deleted the domain name in the code I posted (before the wp-login.php).
    But I know the name of the domain...
     
    #3 webmasteryoda, Dec 20, 2016
    Last edited by a moderator: Dec 20, 2016
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,309
    Likes Received:
    393
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    There should never be a need for the actual domain name in your posts. Those logs don't show any details of abuse. Did they provide you with any other logs?
     
  5. webmasteryoda

    webmasteryoda Well-Known Member

    Yes. I understand that.

    Nope. That's all they have sent to me.
    No other data.

    I am checking raw Apache logs... one by one.
    Don't know how to do it faster...
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I'm curious enough to ask, what's the deal with this path shown in that snip you posted?
    /furanet/sites/example.com/web/htdocs/logs/
     
  7. webmasteryoda

    webmasteryoda Well-Known Member

    I really don't know. It's all they have sent to me. You think it's not abuse?
     
  8. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    729
    Likes Received:
    248
    Trophy Points:
    93
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    It does seem strange that your hosting provider is unwilling (unable?) to provide you with sufficient information to help you rectify the alleged incident. Are you absolutely sure the communications you received were actually from your hosting provider?

    Since the log snippet you provided shows no evidence of abuse from your server (unless there is something contained in the log elsewhere we have not seen), I would advise you to take complete and up-to-date backups of all the accounts, databases, file-sets etc. that you may lose access to if they block access to your VPS.

    Worst case scenario; at least with suitable backups, you can transfer the sites to a hosting platform that is prepared to work with you and help you with your issues.


    Update:

    I just found an interesting post Abuse Message: Network attack received from an IP | Web Hosting Talk

    Might be worth a read and try some of the recommendations.
     
    #8 rpvw, Dec 20, 2016
    Last edited: Dec 20, 2016
  9. webmasteryoda

    webmasteryoda Well-Known Member

    Again.

    Is this abuse or not? Please help me guys.

    Code:
    Hi, We have detected a network attack from an IP ( xx.xx.xx.xx ) from your network, a computer connected to it is probably infected and being part of a botnet. Please check it and fix it up as soon as possible. Thank you.
    >
    >  /
    >
    > Saludos, Hemos detectado un ataque desde una ip ( xx.xx.xx.xx ) de su red, probablemente el equipo este infectado y este dentro de una botnet. Porfavor revisenlo y solucionenlo en la mayor brevedad posible. Muchas gracias.
    >
    > The IP xx.xx.xx.xx has just been banned by Fail2Ban after
    > 6 attempts against apache-attack.
    >
    >
    > Domain: domainname.com (yy.yy.yy.yy)
    >
    >
    > Here are more information about xx.xx.xx.xx:
    > Lines containing IP:xx.xx.xx.xx in /furanet/sites/*/web/htdocs/logs/access
    >
    > /furanet/sites/domainname.com/web/htdocs/logs/access:xx.xx.xx.xx - - [20/Dec/2016:06:26:36 +0100] "POST /wp-login.php HTTP/1.1" 503 17258 "-" "http://domainnae.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
    Note: domain names are hidden. IP addresses are hidden too.
     
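Added example, not part of the thread or of the reporter's tooling: a sketch that reduces the evidence lines of a report like the one quoted above to source IP, targeted site, request and a UTC time window, which is the window to check against the server's own logs. The sample report, the address 192.0.2.10 and victim.example are constructed placeholders, and the `/sites/<name>/` parsing assumes the reporter's path layout as it appears in the report.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of the quoted report (placeholder IP and domain).
REPORT = """\
The IP 192.0.2.10 has just been banned by Fail2Ban after
6 attempts against apache-attack.
> /furanet/sites/victim.example/web/htdocs/logs/access:192.0.2.10 - - [20/Dec/2016:06:26:36 +0100] "POST /wp-login.php HTTP/1.1" 503 17258 "-" "http://victim.example/wp-login.php" "Mozilla/5.0"
> /furanet/sites/victim.example/web/htdocs/logs/access:192.0.2.10 - - [20/Dec/2016:06:26:37 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://victim.example/wp-login.php" "Mozilla/5.0"
> /furanet/sites/victim.example/web/htdocs/logs/access:192.0.2.10 - - [20/Dec/2016:06:26:39 +0100] "POST /wp-login.php HTTP/1.1" 503 17257 "-" "http://victim.example/wp-login.php" "Mozilla/5.0"
"""

# grep-style "<log file>:<access log line>", optionally behind a "> " quote marker.
LINE = re.compile(
    r'^(?:>\s*)?(?P<log>/[^:\s]+):(?P<src>[0-9A-Fa-f.:]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize(report):
    """Group evidence lines by (source IP, targeted site); timestamps become UTC."""
    groups = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prose lines of the e-mail are not evidence lines
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        # Assumption: the site name is the path component after "/sites/".
        site = re.search(r"/sites/([^/]+)/", m["log"])
        key = (m["src"], site.group(1) if site else m["log"])
        g = groups.setdefault(key, {"hits": 0, "first": when, "last": when,
                                    "requests": Counter()})
        g["hits"] += 1
        g["first"], g["last"] = min(g["first"], when), max(g["last"], when)
        g["requests"][(m["method"], m["path"], m["status"])] += 1
    return groups

if __name__ == "__main__":
    for (src, site), g in summarize(REPORT).items():
        print(f"{src} -> {site}: {g['hits']} requests, "
              f"{g['first']:%Y-%m-%d %H:%M:%S}Z to {g['last']:%H:%M:%S}Z")
        for (method, path, status), n in g["requests"].most_common():
            print(f"  {n} x {method} {path} (reporter answered {status})")
```

The report's timestamps carry the reporter's +0100 offset, so the UTC window is what has to be converted to the local server's time zone before comparing with its own logs.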
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Is this a cPanel server?

    You should get back in touch with your Hosting Provider if there is one and ask for more details.
     
    rpvw likes this.
  11. webmasteryoda

    webmasteryoda Well-Known Member

    Yes it is cPanel.

    Hosting provider is Contabo. And I am the root administrator of that VPS.
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You might want to consider hiring someone to help you with this. There's a link at top of the forums to a list of Resources for this.

    Assuming you've got access, have you taken a closer look at those logs here?
    /furanet/sites/example.com/web/htdocs/logs/
     
  13. webmasteryoda

    webmasteryoda Well-Known Member

    Thanks Infopro.

    Assuming it's a path on the server. But there is no such path on my VPS.
    No furanet directory in root or in the home folder.
     
  14. rpvw

    rpvw Well-Known Member

    Based on the information you have given us, it is unlikely that anyone will be able to give you a definite answer.

    - probably the best advice anyone can give you :)
     
  15. webmasteryoda

    webmasteryoda Well-Known Member

    Yes, but it's much cheaper to change the hosting provider than to hire a skilled professional for this problem.
    But, I really think that this is a false alarm... I am checking all of the raw December logs now...
    If there is no domain name or IP that I am "abusing", then it's not a problem with my VPS.
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator