My server is being used to brute force hack another server

harmonypersechino5348

Active Member
Dec 6, 2020
32
3
8
NA
cPanel Access Level
Website Owner
I have been forwarded the following complaint that our server is being used to attempt brute-force hacking:

* X.X.X.X tpc-030.machxxxxxxxxx.nl 20210522/20:16:24 X.X.X.X - - [22/May/2021:20:16:16 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.domain.com]

However, the IP (X.X.X.X) is our server's main IP, allocated to no account. How am I able to detect which user is doing this? I have ImunifyAV, but I can't detect any issues manually.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,915
910
313
cPanel Access Level
Root Administrator
The first thing I would check would be your local logs for the IP address that is being attacked, to see if you can find any outbound connections there. You could check the Apache log on your machine (/etc/apache2/logs/error_log).

It is normal for outbound traffic to come from the main IP address of the machine, even if that is not associated with an account.
 

harmonypersechino5348 (Active Member, cPanel Access Level: Website Owner)
> The first thing I would check would be your local logs for the IP address that is being attacked, to see if you can find any outbound connections there. You could check the Apache log on your machine (/etc/apache2/logs/error_log).
>
> It is normal for outbound traffic to come from the main IP address of the machine, even if that is not associated with an account.

Neither the domain nor the IP appears to show there.

Would it show if the user was running a PHP script? I can't find any record of the domains/IPs in

/var/log/
/usr/local/cpanel/logs
/etc/apache2/

Maybe I can enable more extensive logging?
 

HostNoc

Well-Known Member
Feb 20, 2020
83
12
8
Ontario
cPanel Access Level
Root Administrator
Hi,
please scan the domain that is causing this; your domain might have been compromised. Scan the domain, remove suspicious files and enhance the security of your server.
Regards
 

harmonypersechino5348 (Active Member, cPanel Access Level: Website Owner)
> Hi,
> please scan the domain that is causing this; your domain might have been compromised. Scan the domain, remove suspicious files and enhance the security of your server.
> Regards

I do not understand what you mean sorry.

The log in my first post (www.domain.com) is from an external domain that is reporting that our server is being used to scan their server. It is taken from their server-side logs, which they have forwarded to me.
 

cPRex (Jurassic Moderator, Staff member, cPanel Access Level: Root Administrator)
It's hard to say where that could be coming from based on the logs. While it may be possible to enable additional logging, that wouldn't help you with things that have already happened, unless the issue is still ongoing.

Since we aren't even sure which domain the issue is coming from, you may need to use more advanced networking tools to catch the traffic, or work with an admin to see if you can find more details on the issue, since this wouldn't be related to the cPanel tools on the system.
 

harmonypersechino5348 (Active Member, cPanel Access Level: Website Owner)
> It's hard to say where that could be coming from based on the logs. While it may be possible to enable additional logging, that wouldn't help you with things that have already happened, unless the issue is still ongoing.
>
> Since we aren't even sure which domain the issue is coming from, you may need to use more advanced networking tools to catch the traffic, or work with an admin to see if you can find more details on the issue, since this wouldn't be related to the cPanel tools on the system.

It is still ongoing, yes. I understand this is not a cPanel issue directly, but I am sure others have issues like this, perhaps without even knowing.

Thanks for the feedback I will look into those.
 

cPRex (Jurassic Moderator, Staff member, cPanel Access Level: Root Administrator)
So I was thinking a tool like tcpdump, which may already even be installed on your server:


It's a very powerful tool and can capture traffic for you to analyze, so if the connection is leaving over port 80 you should be able to see that.
 

harmonypersechino5348 (Active Member, cPanel Access Level: Website Owner)
> So I was thinking a tool like tcpdump, which may already even be installed on your server:
>
> It's a very powerful tool and can capture traffic for you to analyze, so if the connection is leaving over port 80 you should be able to see that.

That does seem powerful and a bit complex; I will have a fiddle with it.

I was hoping to enable some logging and just monitor that for a bit. The scans seem to be basic WordPress file checks, which I am hoping to monitor easily enough through advanced logging. Here are some more logs forwarded to me:

Code:
* x.x.x.x tpc-033.xxxxx.com 20210708/00:58:17 x.x.x.x - - [08/Jul/2021:00:58:15 +0200] "GET /wordpress/wp-admin/ HTTP/1.1" 301 524 "hxxp : / /xxxxx [.] nl/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-013.xxxxx.com 20210702/21:45:51 x.x.x.x - - [02/Jul/2021:21:45:19 +0200] "GET /wp-admin/ HTTP/1.1" 301 496 "hxxp : / /xxxxx [.] de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36" [VirtualHost: www.xxxxx.de]
* x.x.x.x tpc-006.xxxxx.com 20210522/23:15:28 x.x.x.x - - [22/May/2021:23:15:14 +0200] "GET /wp-login.php HTTP/1.1" 301 529 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.com]
* x.x.x.x tpc-030.xxxxx.com 20210522/23:07:00 x.x.x.x - - [22/May/2021:23:06:44 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-015.xxxxx.com 20210522/21:18:33 x.x.x.x - - [22/May/2021:21:18:26 +0200] "GET /wp-login.php HTTP/1.1" 301 515 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.com]
* x.x.x.x tpc-017.xxxxx.com 20210522/20:39:43 x.x.x.x - - [22/May/2021:20:39:18 +0200] "GET /wp-login.php HTTP/1.1" 301 519 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-030.xxxxx.com 20210522/20:16:24 x.x.x.x - - [22/May/2021:20:16:16 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]
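Before setting up a capture, it helps to know which URLs the reporter is seeing and at what hours, because a capture only catches the activity that is still ongoing. The script below is an added example, not something from the thread; it pulls the request path and the hour out of each forwarded report line (the lines quoted above, with the reporter's masking left as-is) using only sh and awk, so it can be run anywhere the report was pasted.

```shell
#!/bin/sh
# Added example (not part of the thread): extract the request path and the
# hour from forwarded abuse-report lines in Apache combined-log shape, to see
# which URLs are being probed and when. REPORT holds the seven lines quoted
# in the post above; the x.x.x.x masking is the reporter's.
REPORT='* x.x.x.x tpc-033.xxxxx.com 20210708/00:58:17 x.x.x.x - - [08/Jul/2021:00:58:15 +0200] "GET /wordpress/wp-admin/ HTTP/1.1" 301 524 "hxxp : / /xxxxx [.] nl/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-013.xxxxx.com 20210702/21:45:51 x.x.x.x - - [02/Jul/2021:21:45:19 +0200] "GET /wp-admin/ HTTP/1.1" 301 496 "hxxp : / /xxxxx [.] de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36" [VirtualHost: www.xxxxx.de]
* x.x.x.x tpc-006.xxxxx.com 20210522/23:15:28 x.x.x.x - - [22/May/2021:23:15:14 +0200] "GET /wp-login.php HTTP/1.1" 301 529 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.com]
* x.x.x.x tpc-030.xxxxx.com 20210522/23:07:00 x.x.x.x - - [22/May/2021:23:06:44 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-015.xxxxx.com 20210522/21:18:33 x.x.x.x - - [22/May/2021:21:18:26 +0200] "GET /wp-login.php HTTP/1.1" 301 515 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.com]
* x.x.x.x tpc-017.xxxxx.com 20210522/20:39:43 x.x.x.x - - [22/May/2021:20:39:18 +0200] "GET /wp-login.php HTTP/1.1" 301 519 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-030.xxxxx.com 20210522/20:16:24 x.x.x.x - - [22/May/2021:20:16:16 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]'

# "count path" per requested URL, most frequent first. Splitting on the
# double quote makes $2 the request line ("GET /path HTTP/1.1").
requests_by_path() {
  printf '%s\n' "$1" | awk -F'"' 'NF >= 2 { split($2, r, " "); n[r[2]]++ }
    END { for (p in n) print n[p], p }' | sort -rn
}

# Number of report lines that requested one exact path (0 if none).
path_count() {
  requests_by_path "$1" | awk -v p="$2" '$2 == p { c = $1 } END { print c + 0 }'
}

# "hour count" from the bracketed Apache timestamp, e.g. "22/May/2021:20 2".
# Only the [dd/Mon/yyyy:hh part is kept, so minutes collapse into the hour.
requests_by_hour() {
  printf '%s\n' "$1" | awk '
    match($0, /\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9][0-9]/) {
      h[substr($0, RSTART + 1, RLENGTH - 1)]++
    }
    END { for (k in h) print k, h[k] }' | sort
}

# Report lines falling in one hour bucket (0 if none).
hour_count() {
  requests_by_hour "$1" | awk -v k="$2" '$1 == k { c = $2 } END { print c + 0 }'
}

# Usage: paste the forwarded lines into REPORT (or read a file) and run
#   requests_by_path "$REPORT"; requests_by_hour "$REPORT"
```

With the seven lines above the path table shows /wp-login.php five times and the two wp-admin paths once each, and the hour table shows the May activity clustered in the 20:00 to 23:00 window (reporter's timezone, +0200). That window is the moment to have lsof or tcpdump running on your own machine.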
 

cPRex (Jurassic Moderator, Staff member, cPanel Access Level: Root Administrator)
I wish there were easier ways too. Although this is from several years ago, this user also had good luck with tcpdump:


I'm not aware of any logs that would track that traffic, as that wouldn't be sent from Apache on your side.
 

harmonypersechino5348 (Active Member, cPanel Access Level: Website Owner)
> I wish there were easier ways too. Although this is from several years ago, this user also had good luck with tcpdump:
>
> I'm not aware of any logs that would track that traffic, as that wouldn't be sent from Apache on your side.

Excellent, thanks. I think I found the issue, but tcpdump seems to show a lot of junk, maybe due to the PHP file being encoded?

The following shows that only one user appears to do this. There are over 50 of these active connections.

lsof -i :80
Code:
lsphp     12950 redradaw    9u  IPv4 651827861      0t0  TCP mycpanel.server.com:52774->156.254.202.6:http (ESTABLISHED)
lsphp     13604 redradaw    9u  IPv4 651638398      0t0  TCP mycpanel.server.com:52066->a23-206-20-132.deploy.static.akamaitechnologies.com:http (ESTABLISHED)
lsphp     19505 redradaw    9u  IPv4 651612535      0t0  TCP mycpanel.server.com:59892->164.88.17.28:http (ESTABLISHED)
lsphp     24515 redradaw    9u  IPv6 651741162      0t0  TCP mycpanel.server.com:40348->g2a02-26f0-9100-0004-0000-0000-1748-f8d8.deploy.static.akamaitechnologies.com:http (ESTABLISHED)
lsphp     31670 redradaw    9u  IPv4 651670965      0t0  TCP mycpanel.server.com:52256->a23-206-20-132.deploy.static.akamaitechnologies.com:http (ESTABLISHED)
lsof -i :443
Code:
lsphp     20814 redradaw   10u  IPv4 651892578      0t0  TCP mycpanel.server.com:43330->192.0.78.131:https (ESTABLISHED)
lsphp     20814 redradaw   11u  IPv4 651891434      0t0  TCP mycpanel.server.com:45998->192.0.78.25:https (ESTABLISHED)
lsphp     20814 redradaw   12u  IPv4 651892644      0t0  TCP mycpanel.server.com:45800->192.0.78.9:https (ESTABLISHED)
lsof -p 13604

Shows this directory seems to possibly be the issue. There are some weird encoded PHP scripts, but I can't seem to decode them.

https://i.gyazo.com/b386b39074666cb9d938b0dc22c0fe55.png
https://i.gyazo.com/a3047f462304716bba806fcfedfc2227.png - WordPress index.php file, but modified?

I feel like this is enough to presume this is the culprit? Is there anything else I can check to confirm?
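The `lsof -i :80` / `lsof -i :443` listing above is the step that actually identified the account: every ESTABLISHED outbound web connection belongs to lsphp processes running as one user. The script below is an added example (not from the thread or from cPanel) that turns that listing into per-user and per-PID counts, so a single account holding dozens of outbound connections stands out even on a busy shared host. It separates outbound connections (remote side on :http/:https) from ordinary inbound visitors (local side on :http/:https), which a plain `lsof -i :80` mixes together. SAMPLE_LSOF is constructed output in the shape of the thread's listing; the hostname and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not part of the thread): summarise ESTABLISHED outbound web
# connections per local user and per PID from `lsof -i` output. SAMPLE_LSOF
# is constructed sample output in the same column layout as real lsof;
# host.example and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are
# documentation placeholders, not values from the thread.
SAMPLE_LSOF='COMMAND     PID     USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
lsphp     12950 redradaw    9u  IPv4 651827861      0t0  TCP host.example:52774->203.0.113.6:http (ESTABLISHED)
lsphp     13604 redradaw    9u  IPv4 651638398      0t0  TCP host.example:52066->203.0.113.7:http (ESTABLISHED)
lsphp     20814 redradaw   10u  IPv4 651892578      0t0  TCP host.example:43330->198.51.100.131:https (ESTABLISHED)
lsphp     20814 redradaw   11u  IPv4 651891434      0t0  TCP host.example:45998->198.51.100.25:https (ESTABLISHED)
httpd      4100   nobody    7u  IPv4 651000001      0t0  TCP host.example:http->192.0.2.10:51234 (ESTABLISHED)
lsphp      7001    alice    9u  IPv4 651000002      0t0  TCP host.example:40001->198.51.100.40:https (ESTABLISHED)
lsphp      7002    alice    9u  IPv4 651000003      0t0  TCP host.example:40002->198.51.100.41:https (SYN_SENT)'

# Keep ESTABLISHED TCP lines whose *remote* side is :http or :https. The NAME
# column ($9) is local:port->remote:port, so inbound visitors (web port on the
# local side) and half-open connections are skipped. Prints "user pid".
outbound_web() {
  printf '%s\n' "$1" | awk '
    $8 == "TCP" && $10 == "(ESTABLISHED)" {
      split($9, ends, "->")
      if (ends[2] ~ /:https?$/) print $3, $2
    }'
}

# "count user", largest first: the account to look at is at the top.
outbound_by_user() {
  outbound_web "$1" | awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# "count pid user", largest first: the PIDs worth a `lsof -p PID` and a
# look at /proc/PID/cwd to find the script directory, as done in the post above.
outbound_by_pid() {
  outbound_web "$1" | awk '{ n[$2 " " $1]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Outbound web connections held by one user (0 if none).
count_for_user() {
  outbound_by_user "$1" | awk -v u="$2" '$2 == u { c = $1 } END { print c + 0 }'
}

# Users holding more than LIMIT outbound web connections, one per line.
users_over() {
  outbound_by_user "$1" | awk -v lim="$2" '$1 > lim { print $2 }'
}

# Usage on a live cPanel/LiteSpeed host (run as root):
#   outbound_by_user "$(lsof -nP -i TCP -s TCP:ESTABLISHED)"
#   outbound_by_pid  "$(lsof -nP -i TCP -s TCP:ESTABLISHED)" | head
```

Run against the real listing, the `-n -P` flags keep lsof from resolving hostnames and port names, which makes the output faster to collect and the NAME column easier to parse (the script's `:https?$` test assumes port names, so drop `-P` or adjust the pattern to `:(80|443)$` if you use it). On the sample, redradaw holds four outbound connections, alice one, and nobody (the inbound visitor) none; PID 20814 is the top candidate for `lsof -p`.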
 

HostNoc (Well-Known Member, cPanel Access Level: Root Administrator)
First things first: scan the whole system, change passwords and the SSH port, and correct all folder and file permissions. ClamAV, Maldet and Imunify would help; also tighten security a little using CSF. rkhunter can also be useful.