Joomla / WordPress admin attack from my server to remote:

[sreeninair]

Hello,

I have received a email from my dc that have received a complaint of mass bruteforce attempts to the Joomla / WordPress control panel on the our shared-hosting another service provider from my server.

================================================================================
Dc complaint:

During the last 30 minutes we recorded 1307 attempts like this:

x4.11x.xx4.1x0 domain.com - [02/Feb/2014:14:58:58 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:58:59 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:00 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:02 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
x4.11x.xx4.1x0  domain.com - [02/Feb/2014:14:59:03 +0400] "POST /administrator/index.php HTTP/1.0" 200 7242 "-" "-"
================================================================================

I have blocked the remote server ip in iptables.


Question:

1. How can I find the culprit account in my server ?
2. Is their anything else that I can do from my side ?
3. Which are the logs to check this connection ?

Thanks
Sreeni

 

[quizknows]

Look for any outbound port 80 connections with:

lsof -i :80

You will see your own apache server in that list too, but keep an eye for other stuff.

usually, attacks like this are very obvious in the output of:

ps faux

If you see suspiciously named user processes, use:

lsof -p $PID

on the process ID to see where it's working from. Even just an output of ps faux would probably be enough if you're familiar with what your process list should look like.

 

[24x7server]

Hello,

Also I will suggest you to check your /tmp directory, May be any suspicious files is present in your /tmp directory and scan your whole server through LMD (Linux Malware Detect) OR CXS (ConfigServer eXploit Scanner) and delete all php shell scripts if any found in your scan report.

 

[cPanelMichael]

Hello

In addition to the previous posts, it's likely also a good time to check the overall security of your system. The cPanel security advisor is a good place to start:

"WHM Home » Security Center » Security Advisor"

Thank you.

 

[quizknows]

Hello,

Also I will suggest you to check your /tmp directory, May be any suspicious files is present in your /tmp directory and scan your whole server through LMD (Linux Malware Detect) OR CXS (ConfigServer eXploit Scanner) and delete all php shell scripts if any found in your scan report.

It's a good idea to check /tmp, if there's malware there and you're on a SuPHP system then the malware will be owned by the affected user.

If you find shells don't just delete them right away. Before you change anything, run the 'stat' command on the malicious files. This gives you important information as to exactly WHEN that file was put there. With that information you can check the domain's access logs to see if the shells were uploaded using an exploit in the CMS, another shell, or the admin credentials for the CMS.

 

[sreeninair]

Hello Guys,

Thank you for your support. I will definitely check those areas.

Thank
Sreeni