The Community Forums

Interact with an entire community of cPanel & WHM users!

Joomla / WordPress admin attack from my server to remote:

Discussion in 'Security' started by sreeninair, Feb 2, 2014.

  1. sreeninair

    sreeninair Well-Known Member

    Joined:
    Dec 23, 2013
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello,

    I have received an email from my DC, which has received a complaint of mass brute-force attempts against the Joomla / WordPress control panel on another service provider's shared hosting, coming from my server.

    Code:
    ================================================================================
    Dc complaint:
    
    During the last 30 minutes we recorded 1307 attempts like this:
    
    x4.11x.xx4.1x0 domain.com - [02/Feb/2014:14:58:58 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:58:59 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:00 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:02 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:03 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
    ================================================================================
    I have blocked the remote server ip in iptables.


    Question:

    1. How can I find the culprit account on my server?
    2. Is there anything else that I can do from my side?
    3. Which logs should I check for this connection?

    Thanks
    Sreeni
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Look for any outbound port 80 connections with:

    lsof -i :80

    You will see your own apache server in that list too, but keep an eye for other stuff.

    Usually, attacks like this are very obvious in the output of:

    ps faux

    If you see suspiciously named user processes, use:

    lsof -p $PID

    on the process ID to see where it's working from. Even just an output of ps faux would probably be enough if you're familiar with what your process list should look like.
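The checks above (outbound port-80 connections, the owning process, its working directory) can be reproduced from /proc without lsof. The script below is an added example, not code from the thread or from cPanel; it assumes a Linux host, reads /proc/net/tcp and /proc/<pid>/fd the way lsof does, and the SAMPLE_PROC_NET_TCP text is constructed so the parser can be exercised offline.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: the /proc-based equivalent of
`lsof -i :80`, listing every process holding an established TCP connection
to a remote port together with its owner, exe, cwd and command line, so a
process that is not httpd stands out. Linux only; run as root to see every
user's processes. Only IPv4 (/proc/net/tcp) is read; /proc/net/tcp6 has the
same layout with 32-hex-digit addresses."""
from __future__ import annotations

import os
import pwd
import socket
import struct

# Constructed sample of /proc/net/tcp: a listening socket on port 22 and one
# established connection from 10.0.0.10 to 8.60.22.212:80 owned by uid 1001.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C3A4 D4163C08:0050 01 00000000:00000000 00:00000000 00000000  1001        0 67890 1 0000000000000000 20 4 30 10 -1
"""

TCP_ESTABLISHED = "01"  # state code used in /proc/net/tcp


def parse_proc_addr(hex_addr: str) -> tuple[str, int]:
    """Decode '0100007F:0050' -> ('127.0.0.1', 80). The kernel prints the IPv4
    address as a 32-bit value in host byte order (octets reversed on x86) and
    the port as big-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def established_to_port(proc_net_tcp: str, remote_port: int) -> list[tuple[str, str, int]]:
    """Return (socket inode, remote ip, remote port) for each ESTABLISHED
    socket whose remote end is `remote_port`. Takes the file's text so a
    constructed sample can be fed in."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        state, inode = fields[3], fields[9]
        rip, rport = parse_proc_addr(fields[2])
        if state == TCP_ESTABLISHED and rport == remote_port:
            found.append((inode, rip, rport))
    return found


def socket_owners() -> dict[str, int]:
    """Map socket inode -> pid by reading every /proc/<pid>/fd symlink; this
    is the join lsof performs between sockets and processes."""
    owners: dict[str, int] = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not readable without root
            continue
        for fd in fds:
            try:
                target = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[target[len("socket:["):-1]] = int(pid)
    return owners


def describe(pid: int) -> str:
    """Owner, exe, cwd and argv of a process: the facts `lsof -p $PID` and
    `ps faux` give, which show which account and directory a script runs from."""
    try:
        user = pwd.getpwuid(os.stat(f"/proc/{pid}").st_uid).pw_name
        exe = os.readlink(f"/proc/{pid}/exe")
        cwd = os.readlink(f"/proc/{pid}/cwd")
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except (OSError, KeyError):
        return f"pid {pid}: no longer running or not readable"
    return f"pid {pid} user={user} exe={exe} cwd={cwd} cmd={argv!r}"


def outbound_report(remote_port: int = 80) -> list[str]:
    """Live report for this host: one line per process with an established
    connection to `remote_port`. httpd itself shows up, as the post says;
    anything else (perl, php, python running from a home directory or /tmp)
    deserves a closer look."""
    with open("/proc/net/tcp") as f:
        tcp = f.read()
    owners = socket_owners()
    report = []
    for inode, rip, rport in established_to_port(tcp, remote_port):
        pid = owners.get(inode)
        who = describe(pid) if pid is not None else "(no owning process found; run as root)"
        report.append(f"-> {rip}:{rport}  {who}")
    return report


if __name__ == "__main__":
    for line in outbound_report(80) or ["no established connections to remote port 80"]:
        print(line)
```

Run it as root on the affected server; on a busy shared host the httpd lines are expected and a PHP or Perl process whose cwd is a user's public_html or /tmp is the lead to chase with `lsof -p` and `ps faux`.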
     
  3. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    Also, I would suggest you check your /tmp directory; suspicious files may be present there. Scan your whole server with LMD (Linux Malware Detect) or CXS (ConfigServer eXploit Scanner), and delete any PHP shell scripts found in the scan report.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    In addition to the previous posts, it's likely also a good time to check the overall security of your system. The cPanel security advisor is a good place to start:

    "WHM Home » Security Center » Security Advisor"

    Thank you.
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    It's a good idea to check /tmp; if there's malware there and you're on a suPHP system, the malware will be owned by the affected user.

    If you find shells, don't just delete them right away. Before you change anything, run the 'stat' command on the malicious files. This gives you important information as to exactly WHEN that file was put there. With that information you can check the domain's access logs to see if the shells were uploaded using an exploit in the CMS, another shell, or the admin credentials for the CMS.
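Two access-log checks that go with the advice in this post and with the log format in the DC complaint at the top of the thread, as an added example that is not code from the thread or from cPanel. It assumes cPanel's per-domain logs (/usr/local/apache/domlogs/<domain>) in the layout the DC quoted (client IP, vhost, '-', [timestamp], "request", status, bytes, "referer", "user-agent"); plain combined-format lines parse too. SAMPLE_LOG and SHELL_MTIME are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Added example, not from the thread.

  brute_force_sources(): client IPs that POSTed to a CMS login endpoint at
      least `threshold` times inside any `window`; confirms a burst like the
      1307 POSTs in 30 minutes the DC reported.
  requests_near(): the requests logged around a file's mtime from `stat`, to
      see whether a shell arrived through the CMS login, a plugin path or an
      upload to an existing shell.
"""
from __future__ import annotations

import os
import re
from datetime import datetime, timedelta, timezone

# Login/RPC endpoints that credential brute-forcing hits on Joomla and WordPress.
ADMIN_PATHS = ("/administrator/index.php", "/wp-login.php", "/xmlrpc.php")

# ip, any number of tokens (vhost, ident, user), [time], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+)(?:\s+\S+)*?\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)[^"]*"\s+(?P<status>\d{3})'
)

# Constructed sample in the DC complaint's layout: a login burst, one ordinary
# visitor, a successful login (303), a media upload, then a hit on the new file.
SAMPLE_LOG = """\
203.0.113.10 domain.com - [02/Feb/2014:14:58:58 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
203.0.113.10 domain.com - [02/Feb/2014:14:58:59 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
203.0.113.10 domain.com - [02/Feb/2014:14:59:00 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
198.51.100.7 domain.com - [02/Feb/2014:14:59:01 +0400] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.10 domain.com - [02/Feb/2014:14:59:02 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
203.0.113.10 domain.com - [02/Feb/2014:14:59:03 +0400] "POST /administrator/index.php HTTP/1.0" 303 0 "-" "-"
203.0.113.10 domain.com - [02/Feb/2014:14:59:04 +0400] "POST /administrator/index.php?option=com_media&task=file.upload HTTP/1.0" 200 310 "-" "-"
203.0.113.10 domain.com - [02/Feb/2014:15:04:30 +0400] "GET /images/stories/x.php HTTP/1.0" 200 512 "-" "-"
"""

# Constructed: the modify time `stat` reported for the dropped file.
SHELL_MTIME = datetime(2014, 2, 2, 14, 59, 4, tzinfo=timezone(timedelta(hours=4)))


def parse_line(line: str):
    """(ip, datetime, method, path-without-query, status), or None for lines
    that do not match (truncated or foreign-format lines are skipped)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], when, m["method"], m["path"].split("?")[0], int(m["status"])


def brute_force_sources(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=30),
                        admin_paths=ADMIN_PATHS) -> dict[str, int]:
    """IPs with at least `threshold` POSTs to a login endpoint inside any span
    of length `window`, mapped to the largest such count (sliding window)."""
    times_by_ip: dict[str, list[datetime]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in admin_paths:
            times_by_ip.setdefault(rec[0], []).append(rec[1])
    flagged: dict[str, int] = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def requests_near(log_text: str, when: datetime,
                  before: timedelta = timedelta(minutes=2),
                  after: timedelta = timedelta(seconds=30)) -> list[str]:
    """Log lines whose timestamp falls in [when - before, when + after]; the
    request that wrote a file is logged just before or at the file's mtime."""
    return [line for line in log_text.splitlines()
            if (rec := parse_line(line)) and when - before <= rec[1] <= when + after]


def file_times(path: str) -> dict[str, datetime]:
    """mtime and ctime of a real file as timezone-aware datetimes (the values
    `stat` prints), ready to pass to requests_near()."""
    st = os.stat(path)
    return {"mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc)}


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("requests around the file's mtime:")
    for hit in requests_near(SAMPLE_LOG, SHELL_MTIME):
        print("  ", hit)
```

On a real incident, pass the domlog's text and `file_times("/home/user/public_html/images/stories/x.php")["mtime"]` to requests_near(); a login burst followed by a 303 and an upload, as in the sample, points at guessed admin credentials rather than a code exploit, which decides whether a password reset or a CMS patch is the fix.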
     
  6. sreeninair

    sreeninair Well-Known Member

    Joined:
    Dec 23, 2013
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello Guys,

    Thank you for your support. I will definitely check those areas.

    Thanks
    Sreeni
     