How to deal with Abuse request?

Discussion in 'Security' started by yatinthakur, Aug 15, 2014.

  1. yatinthakur

    yatinthakur Member

    Hello,

    I have received the email below from my provider.

    We have detected abuse from the IP address xx.xx.xx.xx, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

    Log lines are given below, but please ask if you require any further information.

    Server IP address is: 86.109.162.78

    (If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated automatically.)

    Note: Local timezone is +0200 (CEST)
    xx.xx.xx.xx- - [13/Aug/2014:19:30:54 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
    xx.xx.xx.xx- - [13/Aug/2014:19:30:54 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
    xx.xx.xx.xx- - [13/Aug/2014:19:30:55 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
    xx.xx.xx.xx- - [13/Aug/2014:19:30:55 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
    xx.xx.xx.xx- - [13/Aug/2014:19:30:56 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
    xx.xx.xx.xx- - [13/Aug/2014:19:30:56 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
    xx.xx.xx.xx- - [13/Aug/2014:19:30:57 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"
    xx.xx.xx.xx- - [13/Aug/2014:19:30:57 +0200] "POST /wp-login.php HTTP/1.0" 200 3047 "-" "-"


    How can I deal with this issue? Will you please help me?
     
    #1 yatinthakur, Aug 15, 2014
    Last edited: Aug 15, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Are you able to determine the full path to the wp-login.php file in question to review its contents and see if it's being used maliciously?

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    Michael, these are usually sent to people who are brute forcing remote wp-login pages; the access logs come from the person being attacked, not the person getting the notice.

    Typically these notifications indicate a hacked site on your server running a process that is trying to access wp-login on remote servers. Your server itself may not be hacked, but at least one site is.

    Most likely you will find suspicious processes in the output of "ps faux" on a root prompt. If you do not know how to fix this, ask your host for help, or hire a qualified administrator that specializes in fixing hacked sites on cPanel servers. Do not just kill the processes; if you do not identify and secure the hacked site, the abuse will continue.
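
A triage sketch for the "ps faux" check described in the reply above, added here as an example and not part of any post in the thread: it flags processes owned by a non-system user that sit at the top of the process tree, detached from httpd, cron or sshd. The SYSTEM_USERS list, the sample output and the function names are assumptions; a hit is a lead to inspect, not a verdict.

```python
import os
import re
import sys

# Assumption: users expected to own top-level daemons here; adjust per server.
SYSTEM_USERS = {"root", "nobody", "mysql", "named", "mailnull", "dovecot"}
# `ps f` draws "\_ " (after optional "|" and spaces) before a child's command.
TREE_PREFIX = re.compile(r"^[ |]*\\_ ")

# Constructed sample of `ps faux` output (not taken from the thread).
SAMPLE = r"""USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  19232  1500 ?        Ss   Aug01   0:02 /sbin/init
root      3100  0.0  0.5 200000 10000 ?        Ss   Aug01   0:10 /usr/local/apache/bin/httpd -k start
nobody    3105  0.0  0.4 200500  9000 ?        S    Aug01   0:01  \_ /usr/local/apache/bin/httpd -k start
exampleu  3400  0.3  0.6 150000 12000 ?        S    19:20   0:00      \_ /usr/bin/php /home/exampleu/public_html/index.php
exampleu  7777 12.5  1.1  90000 22000 ?        S    Aug13  55:12 /usr/bin/perl ./a.pl
"""

def parse_ps_faux(text):
    """Yield (user, pid, is_child, command) for each process row."""
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header row or a line that is not a process entry
        command = fields[10]
        is_child = bool(TREE_PREFIX.match(command))
        yield fields[0], int(fields[1]), is_child, TREE_PREFIX.sub("", command)

def detached_account_processes(text, system_users=SYSTEM_USERS):
    """Return rows owned by a non-system user that sit at the top of the tree."""
    return [(user, pid, cmd) for user, pid, is_child, cmd in parse_ps_faux(text)
            if user not in system_users and not is_child]

def working_dir(pid):
    """Resolve /proc/<pid>/cwd, which often points into the affected account."""
    try:
        return os.readlink(f"/proc/{pid}/cwd")
    except OSError:  # process already exited, or insufficient privileges
        return None

if __name__ == "__main__":
    # Usage: ps faux | python3 triage.py   (uses SAMPLE when run on a terminal)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for user, pid, cmd in detached_account_processes(text):
        print(f"{user}\t{pid}\t{working_dir(pid)}\t{cmd}")
```

Run it as root so the /proc lookup succeeds, and record each flagged process's working directory and open files before stopping it, since that is what ties the process back to the hacked site.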
     