
Joomla / WordPress admin attack from my server to remote:

Discussion in 'Security' started by sreeninair, Feb 2, 2014.

  1. sreeninair

    sreeninair Well-Known Member

    Joined:
    Dec 23, 2013
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello,

    I have received an email from my DC saying they have received a complaint of mass brute-force attempts against the Joomla / WordPress control panel on another service provider's shared hosting, coming from my server.

    Code:
    ================================================================================
    Dc complaint:
    
    During the last 30 minutes we recorded 1307 attempts like this:
    
    x4.11x.xx4.1x0 domain.com - [02/Feb/2014:14:58:58 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:58:59 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:00 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:02 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:03 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    ================================================================================
    I have blocked the remote server IP in iptables.


    Questions:

    1. How can I find the culprit account on my server?
    2. Is there anything else that I can do from my side?
    3. Which are the logs to check for this connection?

    Thanks
    Sreeni
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Look for any outbound port 80 connections with:

    lsof -i :80

    You will see your own apache server in that list too, but keep an eye for other stuff.

    Usually, attacks like this are very obvious in the output of:

    ps faux

    If you see suspiciously named user processes, use:

    lsof -p $PID

    on the process ID to see where it's working from. Even just an output of ps faux would probably be enough if you're familiar with what your process list should look like.
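    The lsof-based triage above, as an added example that is not part of the thread. It filters an `lsof -nP -i :80` listing down to connections whose remote side is a web port and whose owner is not the web server, then pulls the working directory out of `lsof -p PID` output, so the same filters work on live output and on a listing pasted into a ticket. It goes slightly beyond the post by also matching port 443. The sample listings, hostnames, PIDs and usernames are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage outbound web connections the way
# quizknows describes, working from saved lsof output so it is reproducible.

# Constructed sample of `lsof -nP -i :80` output; hosts, PIDs and users are invented.
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1234   root    4u  IPv4  12345      0t0  TCP *:80 (LISTEN)
httpd    1241 nobody   12u  IPv4  22345      0t0  TCP 203.0.113.10:80->198.51.100.7:51234 (ESTABLISHED)
perl     4321 user12    3u  IPv4  33333      0t0  TCP 203.0.113.10:45210->192.0.2.44:80 (ESTABLISHED)
perl     4321 user12    4u  IPv4  33334      0t0  TCP 203.0.113.10:45211->192.0.2.44:80 (ESTABLISHED)
php      4400 user07    5u  IPv4  44444      0t0  TCP 203.0.113.10:45300->192.0.2.45:80 (SYN_SENT)'

# Constructed sample of `lsof -p 4321` output for the perl process above.
SAMPLE_LSOF_P='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
perl    4321 user12  cwd    DIR  253,0     4096 123456 /home/user12/public_html/tmp/.x
perl    4321 user12  txt    REG  253,0  1234567 234567 /usr/bin/perl
perl    4321 user12    3u  IPv4  33333      0t0    TCP 203.0.113.10:45210->192.0.2.44:80 (ESTABLISHED)'

# suspicious_outbound: read lsof output on stdin and print "user pid command remote"
# for every connection whose REMOTE side is port 80 or 443 and whose command is not
# the web server itself. Apache's own sockets have the local side on :80, so they
# never match the "->host:80" pattern; the command check is a second safeguard.
suspicious_outbound() {
  awk 'NR > 1 && $1 != "httpd" && $1 != "apache2" && $9 ~ /->.*:(80|443)$/ {
         split($9, ep, "->")
         key = $3 " " $2 " " $1 " " ep[2]
         if (!seen[key]++) print key   # one line per (user, pid, command, remote)
       }'
}

# process_cwd: read `lsof -p PID` output on stdin and print the working directory,
# which for a dropped brute-force script normally sits inside the affected account.
process_cwd() {
  awk '$4 == "cwd" { print $NF; exit }'
}

# Live use as root on the affected server:
#   lsof -nP -i :80 -i :443 | suspicious_outbound
#   lsof -p 4321 | process_cwd
```

    Each line of `suspicious_outbound` output names the cPanel account (the USER column) that owns the process, which answers the "which account" question directly; the PID then feeds `lsof -p` to locate the script on disk.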
     
  3. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,834
    Likes Received:
    85
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    Also, I would suggest that you check your /tmp directory; there may be suspicious files present in your /tmp directory. Scan your whole server with LMD (Linux Malware Detect) or CXS (ConfigServer eXploit Scanner) and delete any PHP shell scripts found in your scan report.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,378
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    In addition to the previous posts, it's likely also a good time to check the overall security of your system. The cPanel security advisor is a good place to start:

    "WHM Home » Security Center » Security Advisor"

    Thank you.
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    It's a good idea to check /tmp; if there's malware there and you're on a suPHP system, then the malware will be owned by the affected user.

    If you find shells, don't just delete them right away. Before you change anything, run the 'stat' command on the malicious files. This gives you important information as to exactly WHEN that file was put there. With that information you can check the domain's access logs to see if the shells were uploaded using an exploit in the CMS, another shell, or the admin credentials for the CMS.
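    The stat-then-access-log step above (and the same check for anything suspicious found under /tmp, as in the earlier post), as an added example that is not part of the thread. `stat` reports epoch seconds while Apache logs carry a local time with a zone offset, so the function converts each log timestamp to epoch inside awk (no gawk `mktime()` needed) and prints the requests within a window around the file's timestamp. The log lines, file timestamp and paths are constructed; the `/usr/local/apache/domlogs` path in the usage comment is where cPanel keeps per-domain logs.

```shell
#!/bin/sh
# Added example (not from the thread): take the time `stat` reports for a
# suspicious file and pull the domain's access-log lines from around that moment.

# Constructed access-log lines in Apache "combined" format; IPs and paths are invented.
SAMPLE_LOG='198.51.100.7 - - [02/Feb/2014:13:40:01 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2014:13:41:10 +0400] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2014:13:41:32 +0400] "POST /administrator/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2014:13:41:40 +0400] "GET /images/x.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.99 - - [02/Feb/2014:15:02:11 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Constructed: what `stat -c %Y` would print for a file written at 13:41:35 +0400
# on 2 Feb 2014 (epoch seconds are always UTC).
SAMPLE_MTIME=1391334095

# requests_near LOG EPOCH [WINDOW]: print log lines whose timestamp lies within
# +/-WINDOW seconds (default 60) of EPOCH. Pass "-" as LOG to read stdin.
requests_near() {
  awk -v t="$2" -v w="${3:-60}" '
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
      # days since 1970-01-01 for a proleptic Gregorian date
      y -= (m <= 2)
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
            for (i = 1; i <= 12; i++) mon[mn[i]] = i }
    {
      # $4 = "[02/Feb/2014:13:41:10", $5 = "+0400]"
      n = split(substr($4, 2), p, /[\/:]/)
      if (n != 6 || !(p[2] in mon)) next
      tz = substr($5, 1, 5)
      off = (substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60) * (substr(tz, 1, 1) == "-" ? -1 : 1)
      e = days_from_civil(p[3] + 0, mon[p[2]], p[1] + 0) * 86400 \
          + p[4] * 3600 + p[5] * 60 + p[6] - off
      if (e >= t - w && e <= t + w) print
    }' "$1"
}

# Live use on a cPanel server (GNU stat); check both the Modify and Change times,
# since an uploader can reset mtime with touch but cannot rewrite ctime:
#   stat /home/user12/public_html/images/x.php
#   requests_near /usr/local/apache/domlogs/domain.com \
#       "$(stat -c %Y /home/user12/public_html/images/x.php)" 120
```

    In the constructed sample the 60-second window returns the admin login POSTs and the first request for the new file, while widening it to 120 seconds also picks up the earlier ordinary page view; the request that immediately precedes the file's creation is the one that tells you whether it arrived through the CMS login, an exploit, or an existing shell.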
     
  6. sreeninair

    sreeninair Well-Known Member

    Joined:
    Dec 23, 2013
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello Guys,

    Thank you for your support. I will definitely check those areas.

    Thanks
    Sreeni
     