Joomla / WordPress admin attack from my server to remote:

sreeninair

Well-Known Member
Dec 23, 2013
cPanel Access Level
Root Administrator
Hello,

I have received an email from my DC saying they have received a complaint about mass brute-force attempts against the Joomla / WordPress control panel on another service provider's shared hosting, originating from my server.

Code:
================================================================================
Dc complaint:

During the last 30 minutes we recorded 1307 attempts like this:

x4.11x.xx4.1x0 domain.com - [02/Feb/2014:14:58:58 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:58:59 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:00 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:02 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:03 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
================================================================================
I have blocked the remote server's IP in iptables.


Question:

1. How can I find the culprit account on my server?
2. Is there anything else that I can do from my side?
3. Which logs should I check for this connection?

Thanks
Sreeni
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Look for any outbound port 80 connections with:

lsof -i :80

You will see your own apache server in that list too, but keep an eye for other stuff.

Usually, attacks like this are very obvious in the output of:

ps faux

If you see suspiciously named user processes, use:

lsof -p $PID

on the process ID to see where it's working from. Even just the output of ps faux would probably be enough if you're familiar with what your process list should look like.
 
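As an added example (not from the thread above), here is a small triage script that wraps the commands quizknows suggests: it parses `lsof -nP -iTCP -sTCP:ESTABLISHED` output, keeps only connections whose remote side is port 80 while the local side is not (that is outbound HTTP, the reverse of Apache serving a request), and groups them by owning user and remote host so the culprit cPanel account stands out. The `find_culprits()` function, the `ignore_users` default and the sample lsof output are all constructed for this example; on a live server run it as root without arguments.

```python
#!/usr/bin/env python3
"""Triage outbound HTTP connections from lsof output (added example).

Flags processes holding OUTBOUND connections to remote port 80, grouped
by owning user, so a brute-forcing script under one account is obvious.
Apache's own sockets (local port 80, LISTEN or serving) are excluded.
"""
import re
import subprocess
from collections import defaultdict

# NAME column of `lsof -nP -iTCP`: "local:port->remote:port"; listening
# sockets look like "*:80" and have no "->", so they do not match.
_CONN_RE = re.compile(r"^(?P<laddr>.+):(?P<lport>\d+|\*)->(?P<raddr>.+):(?P<rport>\d+)$")

# Constructed sample (assumption: not real data from the thread).
SAMPLE_LSOF = """\
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   1234 nobody    4u  IPv4  10001      0t0  TCP *:80 (LISTEN)
httpd   1240 nobody   12u  IPv4  10002      0t0  TCP 203.0.113.10:80->198.51.100.7:51234 (ESTABLISHED)
perl    4321 acct01    3u  IPv4  10003      0t0  TCP 203.0.113.10:40122->192.0.2.55:80 (ESTABLISHED)
perl    4321 acct01    5u  IPv4  10004      0t0  TCP 203.0.113.10:40123->192.0.2.55:80 (ESTABLISHED)
php     5555 acct02    6u  IPv4  10005      0t0  TCP 203.0.113.10:40200->192.0.2.99:443 (ESTABLISHED)
"""


def parse_lsof(text):
    """Yield one dict per connected TCP line of `lsof -nP -iTCP` output."""
    for line in text.splitlines():
        parts = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
        if len(parts) < 10 or parts[0] == "COMMAND" or parts[7] != "TCP":
            continue
        m = _CONN_RE.match(parts[8])
        if not m:
            continue  # LISTEN sockets carry no remote endpoint
        yield {
            "command": parts[0],
            "pid": int(parts[1]),
            "user": parts[2],
            "lport": m.group("lport"),
            "raddr": m.group("raddr"),
            "rport": int(m.group("rport")),
            "state": parts[9].strip("()"),
        }


def find_culprits(text, ignore_users=("root", "nobody")):
    """Return {user: {remote_ip: [pid, ...]}} for outbound connections to :80.

    Outbound means the REMOTE port is 80 and the LOCAL port is not; Apache
    answering a request has local port 80, so it is skipped. ignore_users
    drops the web-server user (nobody on cPanel) and root from the report.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for c in parse_lsof(text):
        if c["rport"] != 80 or c["lport"] == "80":
            continue
        if c["user"] in ignore_users:
            continue
        hits[c["user"]][c["raddr"]].append(c["pid"])
    return {user: dict(remotes) for user, remotes in hits.items()}


def live_lsof():
    """Run the real lsof (needs root to see every user's sockets)."""
    cmd = ["lsof", "-nP", "-iTCP", "-sTCP:ESTABLISHED"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def open_files_of(pid):
    """What the post calls `lsof -p $PID`: where the process is working from."""
    return subprocess.run(["lsof", "-p", str(pid)], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    for user, remotes in find_culprits(live_lsof()).items():
        for raddr, pids in remotes.items():
            print(f"{user}: {len(pids)} outbound :80 connection(s) to {raddr}, pids {sorted(set(pids))}")
            print(open_files_of(pids[0]))
```

In the constructed sample only `acct01` is reported (two connections from PID 4321 to 192.0.2.55:80); Apache's listening and serving sockets and the HTTPS connection from `acct02` are ignored. Run `lsof -p` on the reported PID next, as the post says, to find the script's working directory and open files.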

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hello,

Also, I would suggest you check your /tmp directory; there may be suspicious files present in your /tmp directory. Scan your whole server with LMD (Linux Malware Detect) or CXS (ConfigServer eXploit Scanner) and delete any PHP shell scripts found in the scan report.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

In addition to the previous posts, it's likely also a good time to check the overall security of your system. The cPanel security advisor is a good place to start:

"WHM Home » Security Center » Security Advisor"

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Hello,

24x7server said:
> Also, I would suggest you check your /tmp directory; there may be suspicious files present in your /tmp directory. Scan your whole server with LMD (Linux Malware Detect) or CXS (ConfigServer eXploit Scanner) and delete any PHP shell scripts found in the scan report.

It's a good idea to check /tmp; if there's malware there and you're on a suPHP system then the malware will be owned by the affected user.

If you find shells, don't just delete them right away. Before you change anything, run the 'stat' command on the malicious files. This gives you important information as to exactly WHEN the file was put there. With that information you can check the domain's access logs to see if the shells were uploaded using an exploit in the CMS, another shell, or the admin credentials for the CMS.
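The correlation quizknows describes, as an added example that is not part of the original thread: take the time `stat` reports for the shell, then look at the domain's access log for requests in a window around it and flag the ones that could explain how it got there (POSTs, which carry uploads and most CMS exploits; hits on CMS login endpoints, which point at stolen or guessed admin credentials; and the first requests for the shell's own path). The `suspicious_requests()` function, the `LOGIN_PATHS` list and the sample log lines are constructed for this example. On cPanel the per-domain access logs live under /usr/local/apache/domlogs/; the exact file name for your domain is an assumption you should check on your own box.

```python
#!/usr/bin/env python3
"""Correlate a shell's stat timestamp with the domain's access log (added example).

Given the time a shell file was created (from `stat`), list the requests
shortly before and after it that could have planted or first used it.
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Apache combined log line, the same shape as the lines in the DC complaint.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# CMS endpoints a credential-based compromise would hit (assumed list).
LOGIN_PATHS = ("/administrator/index.php", "/wp-login.php", "/xmlrpc.php")

# Constructed sample log (assumption: not real data from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Feb/2014:13:40:02 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2014:14:10:15 +0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2014:14:11:03 +0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2014:14:11:40 +0400] "GET /wp-content/uploads/x.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Feb/2014:14:12:00 +0400] "GET /about/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""


def parse_ts(s):
    """Parse an Apache timestamp such as '02/Feb/2014:14:58:58 +0400'."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def shell_mtime(path):
    """The modification time `stat` prints, as a timezone-aware datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def suspicious_requests(log_text, planted_at, shell_path,
                        minutes_before=30, minutes_after=5):
    """Return [(iso_time, ip, method, path, status, reasons)] worth reading.

    Only requests inside [planted_at - before, planted_at + after] are kept,
    and only if they are a POST, a CMS login endpoint, or the shell itself.
    """
    start = planted_at - timedelta(minutes=minutes_before)
    end = planted_at + timedelta(minutes=minutes_after)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if not start <= ts <= end:
            continue
        path = m["path"].split("?", 1)[0]
        reasons = []
        if m["method"] == "POST":
            reasons.append("POST")          # upload or exploit payload
        if path in LOGIN_PATHS:
            reasons.append("cms-login")     # admin credentials in play
        if path == shell_path:
            reasons.append("shell-access")  # attacker using the shell
        if reasons:
            findings.append((ts.isoformat(), m["ip"], m["method"],
                             m["path"], m["status"], reasons))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: script.py /home/acct/public_html/wp-content/uploads/x.php \
    #                  /usr/local/apache/domlogs/example.com /wp-content/uploads/x.php
    shell_file, access_log, url_path = sys.argv[1:4]
    with open(access_log, errors="replace") as fh:
        for row in suspicious_requests(fh.read(), shell_mtime(shell_file), url_path):
            print(*row)
```

On the constructed sample, with the shell's stat time at 14:11:05 +0400, the 13:40 page view falls outside the window, the POST to /wp-login.php is flagged as both a POST and a CMS login, the POST to the theme editor is flagged as a POST, and the first GET of x.php is flagged as shell access; all three come from one IP, which is the story of the compromise in three lines.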