My Server is Being Used in a BruteForce Attack

iPlex

Member
Feb 2, 2015
cPanel Access Level
Root Administrator
I have a rather strange problem...

It would seem that my server is being used to brute-force into a CMS on another server, because of abuse complaints going to my dedicated server provider that then get forwarded to me!

And the odd thing is that the domain the attacks are coming from is the hostname for the box itself: blah.example.com

So I backed up all the website data, completely reinstalled the server, and then put the backups of the website data back on (I also put back the TweakSettings, Exim and EasyApache config files).

And the server is still being used to brute-force into other websites, and the attacks are still coming from the machine's hostname.

So I ran ClamAV on the /home directory and it found nothing!

I am currently running a maldet scan of the /home/*/public_html folders.

Am I right to assume that (A) an email has malicious code in it, or (B) something within cPanel/WHM does, since it is using the server's hostname?

As a side note, the IP that blah.example.com (the server's hostname) resolves to is also used by a nameserver and one of my websites (the website's address is example.com).

Any help you guys can provide will be extremely helpful!
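The symptom in the post above (outbound brute-force traffic attributed to the server while file scanners of /home come back clean) is usually run down from the network side: the process holding the outbound connections, its owner and its working directory point at the account and script responsible, regardless of which hostname the complaint names. As an added example that is not from this thread, here is a POSIX shell script that groups `ss -tnp` output by process; the sample `ss` output, addresses and pids are constructed.

```shell
#!/bin/sh
# Added example: find which local process holds the outbound HTTP/HTTPS
# connections an abuse complaint describes. Reads `ss -tnp` output
# (live: `ss -tnp | outbound_web_by_pid`) and prints "count name pid",
# busiest first. The pid's owner and working directory then identify the
# account and script to inspect, even when /home scans find nothing.

# Constructed sample of `ss -tnp` output, not captured from any real server.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      198.51.100.10:41234  203.0.113.5:80      users:(("php",pid=4321,fd=7))
ESTAB  0      0      198.51.100.10:41236  203.0.113.6:80      users:(("php",pid=4321,fd=8))
ESTAB  0      0      198.51.100.10:41240  203.0.113.7:443     users:(("php",pid=4321,fd=9))
ESTAB  0      0      198.51.100.10:22     192.0.2.44:51022    users:(("sshd",pid=1200,fd=4))
ESTAB  0      0      198.51.100.10:52000  203.0.113.9:443     users:(("curl",pid=5555,fd=3))
TIME-WAIT 0   0      198.51.100.10:41230  203.0.113.5:80'

# Count established connections whose peer port is 80 or 443, keyed by
# "name pid" taken from the users:(("name",pid=N,fd=M)) column.
outbound_web_by_pid() {
    awk '
        $1 == "ESTAB" {
            n = split($5, peer, ":"); port = peer[n]   # last field works for IPv6 too
            if (port != "80" && port != "443") next
            if (match($6, /"[^"]+",pid=[0-9]+/)) {
                key = substr($6, RSTART, RLENGTH)
                gsub(/"/, "", key); sub(/,pid=/, " ", key)
                count[key]++
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# For a pid from the report, show who owns it and where it runs.
# Only meaningful on the live system, so the sample does not exercise it.
describe_pid() {
    pid=$1
    printf 'pid %s user=%s cwd=%s\n' "$pid" \
        "$(ps -o user= -p "$pid" 2>/dev/null)" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
}

# Demonstration on the constructed sample; swap in `ss -tnp` on a live box.
printf '%s\n' "$SAMPLE_SS" | outbound_web_by_pid
```

On the sample the report shows pid 4321 (php) holding three outbound web connections; `describe_pid 4321` on a live system would then name the cPanel account and directory it runs from.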
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hello,

Have you found anything in your maldet scan report? Also, I would suggest you try to use ConfigServer eXploit Scanner (cxs) on your server, or contact your system admin to check your server.
 

iPlex

Member
Feb 2, 2015
cPanel Access Level
Root Administrator
> Sounds to me like the site you backed up and restored is compromised. You might want to suspend that account until you've had a chance to hire a security professional to assist you with this.

But the domain being used is the server's hostname, not a website's domain.

> Hello,
>
> Have you found anything in your maldet scan report? Also, I would suggest you try to use ConfigServer eXploit Scanner (cxs) on your server, or contact your system admin to check your server.

Maldet found nothing in public_html.