The Community Forums


exploit alert from wordpress ipaddress

Discussion in 'Security' started by santenkelapa, Sep 2, 2014.

  1. santenkelapa

    santenkelapa Registered

    Joined:
    Sep 2, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bekasi, Indonesia
    cPanel Access Level:
    Root Administrator
    Dear

    Please help me. I always get a warning from my CSF firewall; the alert says some user is running an exploit with the IP address 192.0.76.2:80. I checked this IP address and it is from en.wordpress.com, but every day I get this notification. I have already tried to block this IP address, outgoing and incoming, but it had no impact; I still get this warning. Please help me. The alert looks like the one below:

    Executable:
    /usr/bin/php
    Command Line (often faked in exploits):
    /usr/bin/php /home/myuser/public_html/index.php
    Network connections by the process (if any):
    tcp: x.x.x.x:57484 -> 192.0.76.2:80

    thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    669
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Are you sure it's not a WordPress installation that's attempting to update or download a theme/plugin from the WordPress servers? Do any cron jobs exist under that account? Have you consulted with the account owner to determine if it's an intentional action? You may want to consult with a qualified system administrator if you are concerned the request is malicious.

    Thank you.
     
  3. santenkelapa

    santenkelapa Registered

    Joined:
    Sep 2, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bekasi, Indonesia
    cPanel Access Level:
    Root Administrator
    Hi Mr. Michael, thanks.

    I already asked my client, but they don't know about this. After this I got an alert from CSF: "Possible root compromise: User account dongs is a superuser (UID 0)". I checked and it's true: someone has already created a user named "dongs" with UID 0. In anticipation, I only deleted this user from /etc/passwd.

    Please help me. [attachment: dongs-user.png]
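The "Possible root compromise" alert quoted in this post is CSF's check for accounts other than root that carry UID 0. The script below is an added example of that check written for this thread; it is not cPanel or CSF code. It parses passwd(5)-formatted text, flags every UID 0 account that is not named root, and also reports two weaker signals a reviewer would want in the same pass: accounts placed in the root group (GID 0) and duplicate UIDs. The sample passwd content, including the "dongs" entry, is constructed here to mirror the thread; run it against the real file by passing a path (default /etc/passwd).

```python
"""Audit a passwd file for extra superuser accounts.

Added example for this forum thread, not cPanel or CSF code. The SAMPLE_PASSWD
content is constructed; the "dongs" entry imitates the account named in the
thread.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

PASSWD_FIELDS = 7  # name:password:UID:GID:GECOS:home:shell

# Constructed sample, NOT a real /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
myuser:x:1001:1001::/home/myuser:/bin/bash
dongs:x:0:0::/home/dongs:/bin/bash
backup:x:1002:0::/var/backups:/sbin/nologin
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> Tuple[List[PasswdEntry], List[Tuple[int, str]]]:
    """Parse passwd(5) text. Returns (entries, malformed_lines).

    Malformed lines are returned rather than dropped silently: an entry that
    does not have seven colon-separated fields or a numeric UID/GID is itself
    worth a look on a box that is suspected of being tampered with.
    """
    entries: List[PasswdEntry] = []
    malformed: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != PASSWD_FIELDS:
            malformed.append((lineno, raw))
            continue
        name, _pw, uid, gid, _gecos, home, shell = parts
        if not (uid.isdigit() and gid.isdigit()):
            malformed.append((lineno, raw))
            continue
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries, malformed


def find_rogue_superusers(entries: List[PasswdEntry]) -> List[str]:
    """Names of UID 0 accounts other than root: the condition CSF alerts on."""
    return [e.name for e in entries if e.uid == 0 and e.name != "root"]


def find_root_group_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Non-root-UID accounts whose primary group is GID 0 (weaker signal)."""
    return [e.name for e in entries if e.uid != 0 and e.gid == 0]


def find_duplicate_uids(entries: List[PasswdEntry]) -> Dict[int, List[str]]:
    """UIDs shared by more than one account, with the account names."""
    by_uid: Dict[int, List[str]] = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit(text: str) -> dict:
    """Run all checks over passwd-formatted text and collect the findings."""
    entries, malformed = parse_passwd(text)
    return {
        "rogue_superusers": find_rogue_superusers(entries),
        "root_group_accounts": find_root_group_accounts(entries),
        "duplicate_uids": find_duplicate_uids(entries),
        "malformed_lines": malformed,
    }


def main() -> int:
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit(fh.read())
    for key, value in findings.items():
        print(f"{key}: {value}")
    # Non-zero exit when a rogue superuser exists, so the script can be cron'd.
    return 1 if findings["rogue_superusers"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed sample the script reports "dongs" as a rogue superuser, "backup" as a GID 0 account, and UID 0 as shared by root and dongs. Removing the line from /etc/passwd clears this particular alert, but the entry is only one artifact of whatever created it; the same pass over /etc/shadow and /etc/group, plus answering how the account got there, is what a system administrator would look at next, which is why the thread's advice is to bring one in.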
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    669
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I suggest consulting with a qualified system administrator if you are concerned your server has been rooted. You can find a list of some system admin companies here:

    System Admin Services

    Thank you.
     